Overview

overview

10

Static

static

3

68a4619be1...4b.exe

windows7-x64

10

68a4619be1...4b.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-01-2024 21:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    68a4619be1f3efcc95a4fac79b12544b.exe

  • Size

    638KB

  • MD5

    68a4619be1f3efcc95a4fac79b12544b

  • SHA1

    305a32c6ac58a4daec2edd4f91c7dea9f9fccd41

  • SHA256

    acd10a5e1a34f66e757669ebc7c4edf73d8a8adf6df73f7618edcc564a3c894c

  • SHA512

    74d8b1153201c3a9b80270145350cbb90fa8143c203c36bcb480270479298b885811a94c05a333e0d638d6a926e3457e8260c9e6ff9eac3e21e00226eee7922b

  • SSDEEP

    12288:BHnHA3xl3nNTR/nsy53/zGMJtvlZA/vE/x2q+luR:BHHin9R/s+37BVIl8

Score
10/10
xtremeratpersistenceratspywareupx

Malware Config

Extracted

Family

xtremerat

C2

majaaz.zapto.org

şᕸ왐majaaz.zapto.org

joeblack.zapto.org

şᕸ왐joeblack.zapto.org

Signatures

  • Detect XtremeRAT payload 31 IoCs
  • Modifies WinLogon for persistence 2 TTPs 64 IoCs
    persistence
  • XtremeRAT

    The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.

    persistencespywareratxtremerat
  • Adds policy Run key to start application 2 TTPs 64 IoCs
    persistence
  • Modifies Installed Components in the registry 2 TTPs 64 IoCs
    persistence
  • Checks computer location settings 2 TTPs 29 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 64 IoCs
  • UPX packed file 38 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 64 IoCs
    persistence
  • Drops file in System32 directory 64 IoCs
  • Suspicious use of SetThreadContext 50 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 22 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\68a4619be1f3efcc95a4fac79b12544b.exe
    "C:\Users\Admin\AppData\Local\Temp\68a4619be1f3efcc95a4fac79b12544b.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1220
    • C:\Users\Admin\AppData\Local\Temp\68a4619be1f3efcc95a4fac79b12544b.exe
      C:\Users\Admin\AppData\Local\Temp\68a4619be1f3efcc95a4fac79b12544b.exe
      2⤵
      • Modifies WinLogon for persistence
      • Adds policy Run key to start application
      • Modifies Installed Components in the registry
      • Checks computer location settings
      • Adds Run key to start application
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:388
      • C:\Windows\SysWOW64\svchost.exe
        svchost.exe
        3⤵
          PID:436
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
          3⤵
            PID:2544
          • C:\Windows\SysWOW64\explorer.exe
            explorer.exe
            3⤵
            • Deletes itself
            PID:2352
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
            3⤵
              PID:2152
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
              3⤵
                PID:2892
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                3⤵
                  PID:4796
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                  3⤵
                    PID:2680
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                    3⤵
                      PID:4460
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                      3⤵
                        PID:4088
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                        3⤵
                          PID:3132
                        • C:\Windows\SysWOW64\InstallDir\Svhost.exe
                          "C:\Windows\system32\InstallDir\Svhost.exe"
                          3⤵
                          • Executes dropped EXE
                          • Suspicious use of SetThreadContext
                          • Suspicious use of WriteProcessMemory
                          PID:3688
                          • C:\Windows\SysWOW64\InstallDir\Svhost.exe
                            C:\Windows\SysWOW64\InstallDir\Svhost.exe
                            4⤵
                            • Modifies WinLogon for persistence
                            • Modifies Installed Components in the registry
                            • Checks computer location settings
                            • Executes dropped EXE
                            • Adds Run key to start application
                            • Drops file in System32 directory
                            • Modifies registry class
                            • Suspicious use of WriteProcessMemory
                            PID:4652
                            • C:\Windows\SysWOW64\svchost.exe
                              svchost.exe
                              5⤵
                              • Modifies WinLogon for persistence
                              • Adds policy Run key to start application
                              • Modifies Installed Components in the registry
                              • Modifies registry class
                              PID:4436
                              • C:\Users\Admin\AppData\Roaming\InstallDir\Svhost.exe
                                "C:\Users\Admin\AppData\Roaming\InstallDir\Svhost.exe"
                                6⤵
                                • Executes dropped EXE
                                • Suspicious use of SetThreadContext
                                PID:3356
                                • C:\Users\Admin\AppData\Roaming\InstallDir\Svhost.exe
                                  C:\Users\Admin\AppData\Roaming\InstallDir\Svhost.exe
                                  7⤵
                                  • Modifies WinLogon for persistence
                                  • Adds policy Run key to start application
                                  • Modifies Installed Components in the registry
                                  • Executes dropped EXE
                                  • Adds Run key to start application
                                  PID:3716
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                    8⤵
                                      PID:3856
                                    • C:\Windows\SysWOW64\explorer.exe
                                      explorer.exe
                                      8⤵
                                        PID:4364
                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                        8⤵
                                          PID:4428
                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                          8⤵
                                            PID:1428
                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                            8⤵
                                              PID:4552
                                        • C:\Users\Admin\AppData\Roaming\InstallDir\Svhost.exe
                                          "C:\Users\Admin\AppData\Roaming\InstallDir\Svhost.exe"
                                          6⤵
                                          • Executes dropped EXE
                                          • Suspicious use of SetThreadContext
                                          PID:5088
                                          • C:\Users\Admin\AppData\Roaming\InstallDir\Svhost.exe
                                            C:\Users\Admin\AppData\Roaming\InstallDir\Svhost.exe
                                            7⤵
                                            • Modifies WinLogon for persistence
                                            • Adds policy Run key to start application
                                            • Modifies Installed Components in the registry
                                            • Checks computer location settings
                                            • Executes dropped EXE
                                            • Adds Run key to start application
                                            • Drops file in System32 directory
                                            • Modifies registry class
                                            PID:4792
                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                              8⤵
                                                PID:4160
                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                8⤵
                                                  PID:2904
                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                  8⤵
                                                    PID:4560
                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                    8⤵
                                                      PID:4072
                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                      8⤵
                                                        PID:4848
                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                        8⤵
                                                          PID:3720
                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                          8⤵
                                                            PID:3484
                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                            8⤵
                                                              PID:4612
                                                            • C:\Users\Admin\AppData\Roaming\InstallDir\Svhost.exe
                                                              "C:\Users\Admin\AppData\Roaming\InstallDir\Svhost.exe"
                                                              8⤵
                                                              • Executes dropped EXE
                                                              • Suspicious use of SetThreadContext
                                                              PID:4860
                                                              • C:\Users\Admin\AppData\Roaming\InstallDir\Svhost.exe
                                                                C:\Users\Admin\AppData\Roaming\InstallDir\Svhost.exe
                                                                9⤵
                                                                • Modifies WinLogon for persistence
                                                                • Adds policy Run key to start application
                                                                • Modifies Installed Components in the registry
                                                                • Checks computer location settings
                                                                • Executes dropped EXE
                                                                • Adds Run key to start application
                                                                • Drops file in System32 directory
                                                                • Modifies registry class
                                                                PID:1272
                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                  10⤵
                                                                    PID:2296
                                                                  • C:\Windows\SysWOW64\explorer.exe
                                                                    explorer.exe
                                                                    10⤵
                                                                      PID:2404
                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                      10⤵
                                                                        PID:1184
                                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                        10⤵
                                                                          PID:3984
                                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                          10⤵
                                                                            PID:3416
                                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                            10⤵
                                                                              PID:2392
                                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                              10⤵
                                                                                PID:1088
                                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                10⤵
                                                                                  PID:3652
                                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                  10⤵
                                                                                    PID:3980
                                                                                  • C:\Windows\SysWOW64\InstallDir\Svhost.exe
                                                                                    "C:\Windows\system32\InstallDir\Svhost.exe"
                                                                                    10⤵
                                                                                    • Executes dropped EXE
                                                                                    • Suspicious use of SetThreadContext
                                                                                    PID:60
                                                                                    • C:\Windows\SysWOW64\InstallDir\Svhost.exe
                                                                                      C:\Windows\SysWOW64\InstallDir\Svhost.exe
                                                                                      11⤵
                                                                                      • Modifies WinLogon for persistence
                                                                                      • Adds policy Run key to start application
                                                                                      • Modifies Installed Components in the registry
                                                                                      • Checks computer location settings
                                                                                      • Executes dropped EXE
                                                                                      • Adds Run key to start application
                                                                                      • Drops file in System32 directory
                                                                                      • Modifies registry class
                                                                                      PID:1284
                                                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                        12⤵
                                                                                          PID:3500
                                                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                          12⤵
                                                                                            PID:5060
                                                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                            12⤵
                                                                                              PID:1888
                                                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                              12⤵
                                                                                                PID:1592
                                                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                12⤵
                                                                                                  PID:1420
                                                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                  12⤵
                                                                                                    PID:2964
                                                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                    12⤵
                                                                                                      PID:3356
                                                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                      12⤵
                                                                                                        PID:2352
                                                                                                      • C:\Windows\SysWOW64\InstallDir\Svhost.exe
                                                                                                        "C:\Windows\SysWOW64\InstallDir\Svhost.exe"
                                                                                                        12⤵
                                                                                                        • Executes dropped EXE
                                                                                                        • Suspicious use of SetThreadContext
                                                                                                        PID:4228
                                                                                                        • C:\Windows\SysWOW64\InstallDir\Svhost.exe
                                                                                                          C:\Windows\SysWOW64\InstallDir\Svhost.exe
                                                                                                          13⤵
                                                                                                          • Modifies WinLogon for persistence
                                                                                                          • Adds policy Run key to start application
                                                                                                          • Modifies Installed Components in the registry
                                                                                                          • Executes dropped EXE
                                                                                                          • Adds Run key to start application
                                                                                                          • Drops file in System32 directory
                                                                                                          PID:3268
                                                                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                            14⤵
                                                                                                              PID:1552
                                                                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                              14⤵
                                                                                                                PID:1652
                                                                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                14⤵
                                                                                                                  PID:1408
                                                                                                • C:\Users\Admin\AppData\Roaming\InstallDir\Svhost.exe
                                                                                                  "C:\Users\Admin\AppData\Roaming\InstallDir\Svhost.exe"
                                                                                                  6⤵
                                                                                                  • Executes dropped EXE
                                                                                                  • Suspicious use of SetThreadContext
                                                                                                  PID:2312
                                                                                                  • C:\Users\Admin\AppData\Roaming\InstallDir\Svhost.exe
                                                                                                    C:\Users\Admin\AppData\Roaming\InstallDir\Svhost.exe
                                                                                                    7⤵
                                                                                                    • Modifies WinLogon for persistence
                                                                                                    • Modifies Installed Components in the registry
                                                                                                    • Checks computer location settings
                                                                                                    • Executes dropped EXE
                                                                                                    • Adds Run key to start application
                                                                                                    • Drops file in System32 directory
                                                                                                    • Modifies registry class
                                                                                                    PID:5064
                                                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                      8⤵
                                                                                                        PID:964
                                                                                                      • C:\Windows\SysWOW64\explorer.exe
                                                                                                        explorer.exe
                                                                                                        8⤵
                                                                                                          PID:624
                                                                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                          8⤵
                                                                                                            PID:2860
                                                                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                            8⤵
                                                                                                              PID:3724
                                                                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                              8⤵
                                                                                                                PID:4236
                                                                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                8⤵
                                                                                                                  PID:5088
                                                                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                  8⤵
                                                                                                                    PID:2036
                                                                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                    8⤵
                                                                                                                      PID:4832
                                                                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                      8⤵
                                                                                                                        PID:640
                                                                                                                      • C:\Windows\SysWOW64\InstallDir\Svhost.exe
                                                                                                                        "C:\Windows\system32\InstallDir\Svhost.exe"
                                                                                                                        8⤵
                                                                                                                        • Executes dropped EXE
                                                                                                                        • Suspicious use of SetThreadContext
                                                                                                                        PID:4208
                                                                                                                        • C:\Windows\SysWOW64\InstallDir\Svhost.exe
                                                                                                                          C:\Windows\SysWOW64\InstallDir\Svhost.exe
                                                                                                                          9⤵
                                                                                                                          • Modifies WinLogon for persistence
                                                                                                                          • Modifies Installed Components in the registry
                                                                                                                          • Checks computer location settings
                                                                                                                          • Executes dropped EXE
                                                                                                                          • Adds Run key to start application
                                                                                                                          • Drops file in System32 directory
                                                                                                                          • Modifies registry class
                                                                                                                          PID:3972
                                                                                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                            10⤵
                                                                                                                              PID:4668
                                                                                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                              10⤵
                                                                                                                                PID:4792
                                                                                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                10⤵
                                                                                                                                  PID:4540
                                                                                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                  10⤵
                                                                                                                                    PID:1544
                                                                                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                    10⤵
                                                                                                                                      PID:4976
                                                                                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                      10⤵
                                                                                                                                        PID:2232
                                                                                                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                        10⤵
                                                                                                                                          PID:2648
                                                                                                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                          10⤵
                                                                                                                                            PID:4264
                                                                                                                                          • C:\Windows\SysWOW64\InstallDir\Svhost.exe
                                                                                                                                            "C:\Windows\SysWOW64\InstallDir\Svhost.exe"
                                                                                                                                            10⤵
                                                                                                                                            • Executes dropped EXE
                                                                                                                                            • Suspicious use of SetThreadContext
                                                                                                                                            PID:4980
                                                                                                                                            • C:\Windows\SysWOW64\InstallDir\Svhost.exe
                                                                                                                                              C:\Windows\SysWOW64\InstallDir\Svhost.exe
                                                                                                                                              11⤵
                                                                                                                                              • Modifies WinLogon for persistence
                                                                                                                                              • Modifies Installed Components in the registry
                                                                                                                                              • Executes dropped EXE
                                                                                                                                              • Adds Run key to start application
                                                                                                                                              • Drops file in System32 directory
                                                                                                                                              PID:4964
                                                                                                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                12⤵
                                                                                                                                                  PID:3928
                                                                                                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                  12⤵
                                                                                                                                                    PID:3272
                                                                                                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                    12⤵
                                                                                                                                                      PID:2312
                                                                                                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                      12⤵
                                                                                                                                                        PID:5004
                                                                                                                                          • C:\Users\Admin\AppData\Roaming\InstallDir\Svhost.exe
                                                                                                                                            "C:\Users\Admin\AppData\Roaming\InstallDir\Svhost.exe"
                                                                                                                                            6⤵
                                                                                                                                            • Executes dropped EXE
                                                                                                                                            • Suspicious use of SetThreadContext
                                                                                                                                            PID:2920
                                                                                                                                            • C:\Users\Admin\AppData\Roaming\InstallDir\Svhost.exe
                                                                                                                                              C:\Users\Admin\AppData\Roaming\InstallDir\Svhost.exe
                                                                                                                                              7⤵
                                                                                                                                              • Executes dropped EXE
                                                                                                                                              PID:2248
                                                                                                                                          • C:\Users\Admin\AppData\Roaming\InstallDir\Svhost.exe
                                                                                                                                            "C:\Users\Admin\AppData\Roaming\InstallDir\Svhost.exe"
                                                                                                                                            6⤵
                                                                                                                                            • Executes dropped EXE
                                                                                                                                            • Suspicious use of SetThreadContext
                                                                                                                                            PID:3708
                                                                                                                                            • C:\Users\Admin\AppData\Roaming\InstallDir\Svhost.exe
                                                                                                                                              C:\Users\Admin\AppData\Roaming\InstallDir\Svhost.exe
                                                                                                                                              7⤵
                                                                                                                                              • Modifies WinLogon for persistence
                                                                                                                                              • Adds policy Run key to start application
                                                                                                                                              • Modifies Installed Components in the registry
                                                                                                                                              • Executes dropped EXE
                                                                                                                                              PID:1292
                                                                                                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                8⤵
                                                                                                                                                  PID:2804
                                                                                                                                            • C:\Users\Admin\AppData\Roaming\InstallDir\Svhost.exe
                                                                                                                                              "C:\Users\Admin\AppData\Roaming\InstallDir\Svhost.exe"
                                                                                                                                              6⤵
                                                                                                                                              • Executes dropped EXE
                                                                                                                                              • Suspicious use of SetThreadContext
                                                                                                                                              PID:2576
                                                                                                                                              • C:\Users\Admin\AppData\Roaming\InstallDir\Svhost.exe
                                                                                                                                                C:\Users\Admin\AppData\Roaming\InstallDir\Svhost.exe
                                                                                                                                                7⤵
                                                                                                                                                • Modifies WinLogon for persistence
                                                                                                                                                • Adds policy Run key to start application
                                                                                                                                                • Modifies Installed Components in the registry
                                                                                                                                                • Checks computer location settings
                                                                                                                                                • Executes dropped EXE
                                                                                                                                                • Adds Run key to start application
                                                                                                                                                • Drops file in System32 directory
                                                                                                                                                • Modifies registry class
                                                                                                                                                PID:3708
                                                                                                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                  8⤵
                                                                                                                                                    PID:4720
                                                                                                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                    8⤵
                                                                                                                                                      PID:3284
                                                                                                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                      8⤵
                                                                                                                                                        PID:2524
                                                                                                                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                        8⤵
                                                                                                                                                          PID:2920
                                                                                                                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                          8⤵
                                                                                                                                                            PID:556
                                                                                                                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                            8⤵
                                                                                                                                                              PID:2320
                                                                                                                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                              8⤵
                                                                                                                                                                PID:3604
                                                                                                                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                8⤵
                                                                                                                                                                  PID:4520
                                                                                                                                                                • C:\Users\Admin\AppData\Roaming\InstallDir\Svhost.exe
                                                                                                                                                                  "C:\Users\Admin\AppData\Roaming\InstallDir\Svhost.exe"
                                                                                                                                                                  8⤵
                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                  • Suspicious use of SetThreadContext
                                                                                                                                                                  PID:4296
                                                                                                                                                                  • C:\Users\Admin\AppData\Roaming\InstallDir\Svhost.exe
                                                                                                                                                                    C:\Users\Admin\AppData\Roaming\InstallDir\Svhost.exe
                                                                                                                                                                    9⤵
                                                                                                                                                                    • Modifies WinLogon for persistence
                                                                                                                                                                    • Modifies Installed Components in the registry
                                                                                                                                                                    • Checks computer location settings
                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                    • Adds Run key to start application
                                                                                                                                                                    • Drops file in System32 directory
                                                                                                                                                                    • Modifies registry class
                                                                                                                                                                    PID:4504
                                                                                                                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                      10⤵
                                                                                                                                                                        PID:1220
                                                                                                                                                                      • C:\Windows\SysWOW64\explorer.exe
                                                                                                                                                                        explorer.exe
                                                                                                                                                                        10⤵
                                                                                                                                                                          PID:3532
                                                                                                                                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                          10⤵
                                                                                                                                                                            PID:1344
                                                                                                                                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                            10⤵
                                                                                                                                                                              PID:5000
                                                                                                                                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                              10⤵
                                                                                                                                                                                PID:2336
                                                                                                                                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                10⤵
                                                                                                                                                                                  PID:4060
                                                                                                                                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                  10⤵
                                                                                                                                                                                    PID:1700
                                                                                                                                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                    10⤵
                                                                                                                                                                                      PID:624
                                                                                                                                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                      10⤵
                                                                                                                                                                                        PID:2944
                                                                                                                                                                                      • C:\Windows\SysWOW64\InstallDir\Svhost.exe
                                                                                                                                                                                        "C:\Windows\system32\InstallDir\Svhost.exe"
                                                                                                                                                                                        10⤵
                                                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                                                        • Suspicious use of SetThreadContext
                                                                                                                                                                                        PID:3164
                                                                                                                                                                                        • C:\Windows\SysWOW64\InstallDir\Svhost.exe
                                                                                                                                                                                          C:\Windows\SysWOW64\InstallDir\Svhost.exe
                                                                                                                                                                                          11⤵
                                                                                                                                                                                          • Modifies WinLogon for persistence
                                                                                                                                                                                          • Adds policy Run key to start application
                                                                                                                                                                                          • Modifies Installed Components in the registry
                                                                                                                                                                                          • Checks computer location settings
                                                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                                                          • Adds Run key to start application
                                                                                                                                                                                          • Drops file in System32 directory
                                                                                                                                                                                          • Modifies registry class
                                                                                                                                                                                          PID:2824
                                                                                                                                                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                            12⤵
                                                                                                                                                                                              PID:2728
                                                                                                                                                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                              12⤵
                                                                                                                                                                                                PID:1604
                                                                                                                                                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                12⤵
                                                                                                                                                                                                  PID:1672
                                                                                                                                                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                  12⤵
                                                                                                                                                                                                    PID:3448
                                                                                                                                                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                    12⤵
                                                                                                                                                                                                      PID:2204
                                                                                                                                                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                      12⤵
                                                                                                                                                                                                        PID:3176
                                                                                                                                                                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                        12⤵
                                                                                                                                                                                                          PID:3112
                                                                                                                                                                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                          12⤵
                                                                                                                                                                                                            PID:4504
                                                                                                                                                                                                          • C:\Windows\SysWOW64\InstallDir\Svhost.exe
                                                                                                                                                                                                            "C:\Windows\SysWOW64\InstallDir\Svhost.exe"
                                                                                                                                                                                                            12⤵
                                                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                                                            • Suspicious use of SetThreadContext
                                                                                                                                                                                                            PID:3352
                                                                                                                                                                                                            • C:\Windows\SysWOW64\InstallDir\Svhost.exe
                                                                                                                                                                                                              C:\Windows\SysWOW64\InstallDir\Svhost.exe
                                                                                                                                                                                                              13⤵
                                                                                                                                                                                                              • Modifies WinLogon for persistence
                                                                                                                                                                                                              • Adds policy Run key to start application
                                                                                                                                                                                                              • Modifies Installed Components in the registry
                                                                                                                                                                                                              • Checks computer location settings
                                                                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                                                                              • Adds Run key to start application
                                                                                                                                                                                                              • Drops file in System32 directory
                                                                                                                                                                                                              PID:1104
                                                                                                                                                                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                14⤵
                                                                                                                                                                                                                  PID:4644
                                                                                                                                                                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                  14⤵
                                                                                                                                                                                                                    PID:3188
                                                                                                                                                                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                    14⤵
                                                                                                                                                                                                                      PID:1432
                                                                                                                                                                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                      14⤵
                                                                                                                                                                                                                        PID:3240
                                                                                                                                                                                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                        14⤵
                                                                                                                                                                                                                          PID:3528
                                                                                                                                                                                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                          14⤵
                                                                                                                                                                                                                            PID:880
                                                                                                                                                                                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                            14⤵
                                                                                                                                                                                                                              PID:2672
                                                                                                                                                                                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                              14⤵
                                                                                                                                                                                                                                PID:4492
                                                                                                                                                                                                                              • C:\Windows\SysWOW64\InstallDir\Svhost.exe
                                                                                                                                                                                                                                "C:\Windows\SysWOW64\InstallDir\Svhost.exe"
                                                                                                                                                                                                                                14⤵
                                                                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                                                                • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                PID:1612
                                                                                                                                                                                                                                • C:\Windows\SysWOW64\InstallDir\Svhost.exe
                                                                                                                                                                                                                                  C:\Windows\SysWOW64\InstallDir\Svhost.exe
                                                                                                                                                                                                                                  15⤵
                                                                                                                                                                                                                                  • Modifies WinLogon for persistence
                                                                                                                                                                                                                                  • Adds policy Run key to start application
                                                                                                                                                                                                                                  • Modifies Installed Components in the registry
                                                                                                                                                                                                                                  • Checks computer location settings
                                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                                  • Drops file in System32 directory
                                                                                                                                                                                                                                  PID:1808
                                                                                                                                                                                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                    16⤵
                                                                                                                                                                                                                                      PID:3036
                                                                                                                                                                                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                      16⤵
                                                                                                                                                                                                                                        PID:1504
                                                                                                                                                                                                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                        16⤵
                                                                                                                                                                                                                                          PID:5140
                                                                                                                                                                                                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                          16⤵
                                                                                                                                                                                                                                            PID:5252
                                                                                                                                                                                                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                            16⤵
                                                                                                                                                                                                                                              PID:5276
                                                                                                                                                                                                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                              16⤵
                                                                                                                                                                                                                                                PID:5304
                                                                                                                                                                                                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                16⤵
                                                                                                                                                                                                                                                  PID:5376
                                                                                                                                                                                                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                  16⤵
                                                                                                                                                                                                                                                    PID:5420
                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\InstallDir\Svhost.exe
                                                                                                                                                                                                                                                    "C:\Windows\SysWOW64\InstallDir\Svhost.exe"
                                                                                                                                                                                                                                                    16⤵
                                                                                                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                                                                                                    • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                                    PID:5452
                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\InstallDir\Svhost.exe
                                                                                                                                                                                                                                                      C:\Windows\SysWOW64\InstallDir\Svhost.exe
                                                                                                                                                                                                                                                      17⤵
                                                                                                                                                                                                                                                      • Modifies WinLogon for persistence
                                                                                                                                                                                                                                                      • Adds policy Run key to start application
                                                                                                                                                                                                                                                      • Checks computer location settings
                                                                                                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                                                                                                      • Adds Run key to start application
                                                                                                                                                                                                                                                      • Drops file in System32 directory
                                                                                                                                                                                                                                                      PID:5572
                                                                                                                                                                                                                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                        18⤵
                                                                                                                                                                                                                                                          PID:5664
                                                                                                                                                                                                                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                          18⤵
                                                                                                                                                                                                                                                            PID:5680
                                                                                                                                                                                                                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                            18⤵
                                                                                                                                                                                                                                                              PID:5700
                                                                                                                                                                                                                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                              18⤵
                                                                                                                                                                                                                                                                PID:5796
                                                                                                                                                                                                                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                18⤵
                                                                                                                                                                                                                                                                  PID:6076
                                                                                                                                                                                                                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                  18⤵
                                                                                                                                                                                                                                                                    PID:4860
                                                                                                                                                                                                                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                    18⤵
                                                                                                                                                                                                                                                                      PID:5584
                                                                                                                                                                                                                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                      18⤵
                                                                                                                                                                                                                                                                        PID:5740
                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\InstallDir\Svhost.exe
                                                                                                                                                                                                                                                                        "C:\Windows\SysWOW64\InstallDir\Svhost.exe"
                                                                                                                                                                                                                                                                        18⤵
                                                                                                                                                                                                                                                                        • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                                                        PID:5640
                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\InstallDir\Svhost.exe
                                                                                                                                                                                                                                                                          C:\Windows\SysWOW64\InstallDir\Svhost.exe
                                                                                                                                                                                                                                                                          19⤵
                                                                                                                                                                                                                                                                          • Modifies WinLogon for persistence
                                                                                                                                                                                                                                                                          • Adds Run key to start application
                                                                                                                                                                                                                                                                          • Drops file in System32 directory
                                                                                                                                                                                                                                                                          PID:6136
                                                                                                                                                                                                                                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                            20⤵
                                                                                                                                                                                                                                                                              PID:5932
                                                                                                                                                                                                                                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                              20⤵
                                                                                                                                                                                                                                                                                PID:6000
                                                                                                                                                                                                                                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                20⤵
                                                                                                                                                                                                                                                                                  PID:6060
                                                                                                                                                                                                                                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                  20⤵
                                                                                                                                                                                                                                                                                    PID:1608
                                                                                                                                                                                                                                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                    20⤵
                                                                                                                                                                                                                                                                                      PID:2912
                                                                                                                                                                                                                                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                      20⤵
                                                                                                                                                                                                                                                                                        PID:5520
                                                                                                                                                                                                                                                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                        20⤵
                                                                                                                                                                                                                                                                                          PID:5524
                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\InstallDir\Svhost.exe
                                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Roaming\InstallDir\Svhost.exe"
                                                                                                                                                                                                                                                              6⤵
                                                                                                                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                                                                                                                              • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                                              PID:3900
                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Roaming\InstallDir\Svhost.exe
                                                                                                                                                                                                                                                                C:\Users\Admin\AppData\Roaming\InstallDir\Svhost.exe
                                                                                                                                                                                                                                                                7⤵
                                                                                                                                                                                                                                                                • Modifies WinLogon for persistence
                                                                                                                                                                                                                                                                • Modifies Installed Components in the registry
                                                                                                                                                                                                                                                                • Checks computer location settings
                                                                                                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                                                                                                • Adds Run key to start application
                                                                                                                                                                                                                                                                • Drops file in System32 directory
                                                                                                                                                                                                                                                                • Modifies registry class
                                                                                                                                                                                                                                                                PID:804
                                                                                                                                                                                                                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                  8⤵
                                                                                                                                                                                                                                                                    PID:828
                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\explorer.exe
                                                                                                                                                                                                                                                                    explorer.exe
                                                                                                                                                                                                                                                                    8⤵
                                                                                                                                                                                                                                                                      PID:1576
                                                                                                                                                                                                                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                      8⤵
                                                                                                                                                                                                                                                                        PID:4604
                                                                                                                                                                                                                                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                        8⤵
                                                                                                                                                                                                                                                                          PID:4292
                                                                                                                                                                                                                                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                          8⤵
                                                                                                                                                                                                                                                                            PID:1280
                                                                                                                                                                                                                                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                            8⤵
                                                                                                                                                                                                                                                                              PID:5020
                                                                                                                                                                                                                                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                              8⤵
                                                                                                                                                                                                                                                                                PID:3864
                                                                                                                                                                                                                                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                8⤵
                                                                                                                                                                                                                                                                                  PID:3708
                                                                                                                                                                                                                                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                  8⤵
                                                                                                                                                                                                                                                                                    PID:2576
                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\InstallDir\Svhost.exe
                                                                                                                                                                                                                                                                                    "C:\Windows\system32\InstallDir\Svhost.exe"
                                                                                                                                                                                                                                                                                    8⤵
                                                                                                                                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                                                                                                                                    • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                                                                    PID:3228
                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\InstallDir\Svhost.exe
                                                                                                                                                                                                                                                                                      C:\Windows\SysWOW64\InstallDir\Svhost.exe
                                                                                                                                                                                                                                                                                      9⤵
                                                                                                                                                                                                                                                                                      • Modifies WinLogon for persistence
                                                                                                                                                                                                                                                                                      • Adds policy Run key to start application
                                                                                                                                                                                                                                                                                      • Modifies Installed Components in the registry
                                                                                                                                                                                                                                                                                      • Checks computer location settings
                                                                                                                                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                                                                                                                                      • Adds Run key to start application
                                                                                                                                                                                                                                                                                      • Drops file in System32 directory
                                                                                                                                                                                                                                                                                      • Modifies registry class
                                                                                                                                                                                                                                                                                      PID:3100
                                                                                                                                                                                                                                                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                        10⤵
                                                                                                                                                                                                                                                                                          PID:4544
                                                                                                                                                                                                                                                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                          10⤵
                                                                                                                                                                                                                                                                                            PID:448
                                                                                                                                                                                                                                                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                            10⤵
                                                                                                                                                                                                                                                                                              PID:2536
                                                                                                                                                                                                                                                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                              10⤵
                                                                                                                                                                                                                                                                                                PID:2800
                                                                                                                                                                                                                                                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                10⤵
                                                                                                                                                                                                                                                                                                  PID:4868
                                                                                                                                                                                                                                                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                  10⤵
                                                                                                                                                                                                                                                                                                    PID:2408
                                                                                                                                                                                                                                                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                    10⤵
                                                                                                                                                                                                                                                                                                      PID:1100
                                                                                                                                                                                                                                                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                      10⤵
                                                                                                                                                                                                                                                                                                        PID:1856
                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\InstallDir\Svhost.exe
                                                                                                                                                                                                                                                                                                        "C:\Windows\SysWOW64\InstallDir\Svhost.exe"
                                                                                                                                                                                                                                                                                                        10⤵
                                                                                                                                                                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                                                                                                                                                                        • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                                                                                        PID:2780
                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\InstallDir\Svhost.exe
                                                                                                                                                                                                                                                                                                          C:\Windows\SysWOW64\InstallDir\Svhost.exe
                                                                                                                                                                                                                                                                                                          11⤵
                                                                                                                                                                                                                                                                                                          • Modifies WinLogon for persistence
                                                                                                                                                                                                                                                                                                          • Adds policy Run key to start application
                                                                                                                                                                                                                                                                                                          • Modifies Installed Components in the registry
                                                                                                                                                                                                                                                                                                          • Checks computer location settings
                                                                                                                                                                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                                                                                                                                                                          • Adds Run key to start application
                                                                                                                                                                                                                                                                                                          • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                          PID:1612
                                                                                                                                                                                                                                                                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                            12⤵
                                                                                                                                                                                                                                                                                                              PID:4404
                                                                                                                                                                                                                                                                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                              12⤵
                                                                                                                                                                                                                                                                                                                PID:3532
                                                                                                                                                                                                                                                                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                12⤵
                                                                                                                                                                                                                                                                                                                  PID:5048
                                                                                                                                                                                                                                                                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                  12⤵
                                                                                                                                                                                                                                                                                                                    PID:2780
                                                                                                                                                                                                                                                                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                    12⤵
                                                                                                                                                                                                                                                                                                                      PID:1272
                                                                                                                                                                                                                                                                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                      12⤵
                                                                                                                                                                                                                                                                                                                        PID:1740
                                                                                                                                                                                                                                                                                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                        12⤵
                                                                                                                                                                                                                                                                                                                          PID:400
                                                                                                                                                                                                                                                                                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                          12⤵
                                                                                                                                                                                                                                                                                                                            PID:1540
                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\InstallDir\Svhost.exe
                                                                                                                                                                                                                                                                                                                            "C:\Windows\SysWOW64\InstallDir\Svhost.exe"
                                                                                                                                                                                                                                                                                                                            12⤵
                                                                                                                                                                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                            • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                                                                                                            PID:548
                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\InstallDir\Svhost.exe
                                                                                                                                                                                                                                                                                                                              C:\Windows\SysWOW64\InstallDir\Svhost.exe
                                                                                                                                                                                                                                                                                                                              13⤵
                                                                                                                                                                                                                                                                                                                              • Modifies WinLogon for persistence
                                                                                                                                                                                                                                                                                                                              • Adds policy Run key to start application
                                                                                                                                                                                                                                                                                                                              • Modifies Installed Components in the registry
                                                                                                                                                                                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                              • Adds Run key to start application
                                                                                                                                                                                                                                                                                                                              • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                              PID:1400
                                                                                                                                                                                                                                                                                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                14⤵
                                                                                                                                                                                                                                                                                                                                  PID:2796
                                                                                                                                                                                                                                                                                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                  14⤵
                                                                                                                                                                                                                                                                                                                                    PID:4532
                                                                                                                                                                                                                                                                                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                    14⤵
                                                                                                                                                                                                                                                                                                                                      PID:4936
                                                                                                                                                                                                                                                                                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                      14⤵
                                                                                                                                                                                                                                                                                                                                        PID:5024
                                                                                                                                                                                                                                                                                                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                        14⤵
                                                                                                                                                                                                                                                                                                                                          PID:2108
                                                                                                                                                                                                                                                                                                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                          14⤵
                                                                                                                                                                                                                                                                                                                                            PID:2376
                                                                                                                                                                                                                                                                                                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                            14⤵
                                                                                                                                                                                                                                                                                                                                              PID:5132
                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\InstallDir\Svhost.exe
                                                                                                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Roaming\InstallDir\Svhost.exe"
                                                                                                                                                                                                                                                                                                                              6⤵
                                                                                                                                                                                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                              • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                                                                                                              PID:1104
                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Roaming\InstallDir\Svhost.exe
                                                                                                                                                                                                                                                                                                                                C:\Users\Admin\AppData\Roaming\InstallDir\Svhost.exe
                                                                                                                                                                                                                                                                                                                                7⤵
                                                                                                                                                                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                PID:4672
                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\InstallDir\Svhost.exe
                                                                                                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Roaming\InstallDir\Svhost.exe"
                                                                                                                                                                                                                                                                                                                              6⤵
                                                                                                                                                                                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                              • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                                                                                                              PID:724
                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Roaming\InstallDir\Svhost.exe
                                                                                                                                                                                                                                                                                                                                C:\Users\Admin\AppData\Roaming\InstallDir\Svhost.exe
                                                                                                                                                                                                                                                                                                                                7⤵
                                                                                                                                                                                                                                                                                                                                • Modifies WinLogon for persistence
                                                                                                                                                                                                                                                                                                                                • Adds policy Run key to start application
                                                                                                                                                                                                                                                                                                                                • Modifies Installed Components in the registry
                                                                                                                                                                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                • Adds Run key to start application
                                                                                                                                                                                                                                                                                                                                • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                                PID:1272
                                                                                                                                                                                                                                                                                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                  8⤵
                                                                                                                                                                                                                                                                                                                                    PID:2540
                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Roaming\InstallDir\Svhost.exe
                                                                                                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Roaming\InstallDir\Svhost.exe"
                                                                                                                                                                                                                                                                                                                                6⤵
                                                                                                                                                                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                                                                                                                PID:3164
                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Roaming\InstallDir\Svhost.exe
                                                                                                                                                                                                                                                                                                                                  C:\Users\Admin\AppData\Roaming\InstallDir\Svhost.exe
                                                                                                                                                                                                                                                                                                                                  7⤵
                                                                                                                                                                                                                                                                                                                                  • Modifies WinLogon for persistence
                                                                                                                                                                                                                                                                                                                                  • Checks computer location settings
                                                                                                                                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                  • Adds Run key to start application
                                                                                                                                                                                                                                                                                                                                  • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                                  PID:3944
                                                                                                                                                                                                                                                                                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                    8⤵
                                                                                                                                                                                                                                                                                                                                      PID:2556
                                                                                                                                                                                                                                                                                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                      8⤵
                                                                                                                                                                                                                                                                                                                                        PID:3004
                                                                                                                                                                                                                                                                                                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                        8⤵
                                                                                                                                                                                                                                                                                                                                          PID:1576
                                                                                                                                                                                                                                                                                                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                          8⤵
                                                                                                                                                                                                                                                                                                                                            PID:724
                                                                                                                                                                                                                                                                                                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                            8⤵
                                                                                                                                                                                                                                                                                                                                              PID:3192
                                                                                                                                                                                                                                                                                                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                              8⤵
                                                                                                                                                                                                                                                                                                                                                PID:1288
                                                                                                                                                                                                                                                                                                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                8⤵
                                                                                                                                                                                                                                                                                                                                                  PID:5096
                                                                                                                                                                                                                                                                                                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                  8⤵
                                                                                                                                                                                                                                                                                                                                                    PID:1660
                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Roaming\InstallDir\Svhost.exe
                                                                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Roaming\InstallDir\Svhost.exe"
                                                                                                                                                                                                                                                                                                                                                    8⤵
                                                                                                                                                                                                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                    • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                                                                                                                                    PID:1092
                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Roaming\InstallDir\Svhost.exe
                                                                                                                                                                                                                                                                                                                                                      C:\Users\Admin\AppData\Roaming\InstallDir\Svhost.exe
                                                                                                                                                                                                                                                                                                                                                      9⤵
                                                                                                                                                                                                                                                                                                                                                      • Modifies WinLogon for persistence
                                                                                                                                                                                                                                                                                                                                                      • Adds policy Run key to start application
                                                                                                                                                                                                                                                                                                                                                      • Modifies Installed Components in the registry
                                                                                                                                                                                                                                                                                                                                                      • Checks computer location settings
                                                                                                                                                                                                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                      • Adds Run key to start application
                                                                                                                                                                                                                                                                                                                                                      • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                                                      • Modifies registry class
                                                                                                                                                                                                                                                                                                                                                      PID:5148
                                                                                                                                                                                                                                                                                                                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                        10⤵
                                                                                                                                                                                                                                                                                                                                                          PID:5240
                                                                                                                                                                                                                                                                                                                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                          10⤵
                                                                                                                                                                                                                                                                                                                                                            PID:5268
                                                                                                                                                                                                                                                                                                                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                            10⤵
                                                                                                                                                                                                                                                                                                                                                              PID:5296
                                                                                                                                                                                                                                                                                                                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                              10⤵
                                                                                                                                                                                                                                                                                                                                                                PID:5320
                                                                                                                                                                                                                                                                                                                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                                10⤵
                                                                                                                                                                                                                                                                                                                                                                  PID:5412
                                                                                                                                                                                                                                                                                                                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                                  10⤵
                                                                                                                                                                                                                                                                                                                                                                    PID:5472
                                                                                                                                                                                                                                                                                                                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                                    10⤵
                                                                                                                                                                                                                                                                                                                                                                      PID:5492
                                                                                                                                                                                                                                                                                                                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                                      10⤵
                                                                                                                                                                                                                                                                                                                                                                        PID:5508
                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Roaming\InstallDir\Svhost.exe
                                                                                                                                                                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Roaming\InstallDir\Svhost.exe"
                                                                                                                                                                                                                                                                                                                                                                        10⤵
                                                                                                                                                                                                                                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                        • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                                                                                                                                                        PID:5612
                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\InstallDir\Svhost.exe
                                                                                                                                                                                                                                                                                                                                                                          C:\Users\Admin\AppData\Roaming\InstallDir\Svhost.exe
                                                                                                                                                                                                                                                                                                                                                                          11⤵
                                                                                                                                                                                                                                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                          PID:5720
                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Roaming\InstallDir\Svhost.exe
                                                                                                                                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Roaming\InstallDir\Svhost.exe"
                                                                                                                                                                                                                                                                                                                                                                6⤵
                                                                                                                                                                                                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                                                                                                                                                PID:2676
                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Roaming\InstallDir\Svhost.exe
                                                                                                                                                                                                                                                                                                                                                                  C:\Users\Admin\AppData\Roaming\InstallDir\Svhost.exe
                                                                                                                                                                                                                                                                                                                                                                  7⤵
                                                                                                                                                                                                                                                                                                                                                                  • Modifies WinLogon for persistence
                                                                                                                                                                                                                                                                                                                                                                  • Modifies Installed Components in the registry
                                                                                                                                                                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                  • Adds Run key to start application
                                                                                                                                                                                                                                                                                                                                                                  • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                                                                  PID:2824
                                                                                                                                                                                                                                                                                                                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                                    8⤵
                                                                                                                                                                                                                                                                                                                                                                      PID:1456
                                                                                                                                                                                                                                                                                                                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                                      8⤵
                                                                                                                                                                                                                                                                                                                                                                        PID:1172
                                                                                                                                                                                                                                                                                                                                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                                        8⤵
                                                                                                                                                                                                                                                                                                                                                                          PID:5124
                                                                                                                                                                                                                                                                                                                                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                                          8⤵
                                                                                                                                                                                                                                                                                                                                                                            PID:5172
                                                                                                                                                                                                                                                                                                                                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                                            8⤵
                                                                                                                                                                                                                                                                                                                                                                              PID:5260
                                                                                                                                                                                                                                                                                                                                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                                              8⤵
                                                                                                                                                                                                                                                                                                                                                                                PID:5284
                                                                                                                                                                                                                                                                                                                                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                                                8⤵
                                                                                                                                                                                                                                                                                                                                                                                  PID:5312
                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\InstallDir\Svhost.exe
                                                                                                                                                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Roaming\InstallDir\Svhost.exe"
                                                                                                                                                                                                                                                                                                                                                                              6⤵
                                                                                                                                                                                                                                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                              • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                                                                                                                                                              PID:5160
                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Roaming\InstallDir\Svhost.exe
                                                                                                                                                                                                                                                                                                                                                                                C:\Users\Admin\AppData\Roaming\InstallDir\Svhost.exe
                                                                                                                                                                                                                                                                                                                                                                                7⤵
                                                                                                                                                                                                                                                                                                                                                                                • Modifies WinLogon for persistence
                                                                                                                                                                                                                                                                                                                                                                                • Adds policy Run key to start application
                                                                                                                                                                                                                                                                                                                                                                                • Modifies Installed Components in the registry
                                                                                                                                                                                                                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                                • Adds Run key to start application
                                                                                                                                                                                                                                                                                                                                                                                • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                                                                                PID:5328
                                                                                                                                                                                                                                                                                                                                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                                                  8⤵
                                                                                                                                                                                                                                                                                                                                                                                    PID:5400
                                                                                                                                                                                                                                                                                                                                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                                                    8⤵
                                                                                                                                                                                                                                                                                                                                                                                      PID:5428
                                                                                                                                                                                                                                                                                                                                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                                                      8⤵
                                                                                                                                                                                                                                                                                                                                                                                        PID:5480
                                                                                                                                                                                                                                                                                                                                                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                                                        8⤵
                                                                                                                                                                                                                                                                                                                                                                                          PID:5500
                                                                                                                                                                                                                                                                                                                                                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                                                          8⤵
                                                                                                                                                                                                                                                                                                                                                                                            PID:5532
                                                                                                                                                                                                                                                                                                                                                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                                                            8⤵
                                                                                                                                                                                                                                                                                                                                                                                              PID:5624
                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\InstallDir\Svhost.exe
                                                                                                                                                                                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Roaming\InstallDir\Svhost.exe"
                                                                                                                                                                                                                                                                                                                                                                                          6⤵
                                                                                                                                                                                                                                                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                                          • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                                                                                                                                                                          PID:5552
                                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Roaming\InstallDir\Svhost.exe
                                                                                                                                                                                                                                                                                                                                                                                            C:\Users\Admin\AppData\Roaming\InstallDir\Svhost.exe
                                                                                                                                                                                                                                                                                                                                                                                            7⤵
                                                                                                                                                                                                                                                                                                                                                                                            • Modifies WinLogon for persistence
                                                                                                                                                                                                                                                                                                                                                                                            • Adds policy Run key to start application
                                                                                                                                                                                                                                                                                                                                                                                            • Modifies Installed Components in the registry
                                                                                                                                                                                                                                                                                                                                                                                            • Checks computer location settings
                                                                                                                                                                                                                                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                                            • Adds Run key to start application
                                                                                                                                                                                                                                                                                                                                                                                            • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                                                                                            • Modifies registry class
                                                                                                                                                                                                                                                                                                                                                                                            PID:5708
                                                                                                                                                                                                                                                                                                                                                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                                                              8⤵
                                                                                                                                                                                                                                                                                                                                                                                                PID:5884
                                                                                                                                                                                                                                                                                                                                                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                                                                8⤵
                                                                                                                                                                                                                                                                                                                                                                                                  PID:6088
                                                                                                                                                                                                                                                                                                                                                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                                                                  8⤵
                                                                                                                                                                                                                                                                                                                                                                                                    PID:5440
                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                                                                    8⤵
                                                                                                                                                                                                                                                                                                                                                                                                      PID:5332
                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                                                                      8⤵
                                                                                                                                                                                                                                                                                                                                                                                                        PID:5552
                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                                                                        8⤵
                                                                                                                                                                                                                                                                                                                                                                                                          PID:5388
                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                                                                          8⤵
                                                                                                                                                                                                                                                                                                                                                                                                            PID:5352
                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                                                                            8⤵
                                                                                                                                                                                                                                                                                                                                                                                                              PID:6036
                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\InstallDir\Svhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Roaming\InstallDir\Svhost.exe"
                                                                                                                                                                                                                                                                                                                                                                                                              8⤵
                                                                                                                                                                                                                                                                                                                                                                                                              • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                                                                                                                                                                                              PID:5916
                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Roaming\InstallDir\Svhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                C:\Users\Admin\AppData\Roaming\InstallDir\Svhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                9⤵
                                                                                                                                                                                                                                                                                                                                                                                                                • Adds policy Run key to start application
                                                                                                                                                                                                                                                                                                                                                                                                                • Modifies Installed Components in the registry
                                                                                                                                                                                                                                                                                                                                                                                                                PID:5188
                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                  10⤵
                                                                                                                                                                                                                                                                                                                                                                                                                    PID:5392
                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                    10⤵
                                                                                                                                                                                                                                                                                                                                                                                                                      PID:5212
                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                      10⤵
                                                                                                                                                                                                                                                                                                                                                                                                                        PID:5600
                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                        10⤵
                                                                                                                                                                                                                                                                                                                                                                                                                          PID:5876
                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                          10⤵
                                                                                                                                                                                                                                                                                                                                                                                                                            PID:5716
                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                            10⤵
                                                                                                                                                                                                                                                                                                                                                                                                                              PID:6108
                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                              10⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                PID:5824
                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Roaming\InstallDir\Svhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Roaming\InstallDir\Svhost.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                        6⤵
                                                                                                                                                                                                                                                                                                                                                                                                                        • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                                                                                                                                                                                                        PID:5716
                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\InstallDir\Svhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                          C:\Users\Admin\AppData\Roaming\InstallDir\Svhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                          7⤵
                                                                                                                                                                                                                                                                                                                                                                                                                          • Modifies WinLogon for persistence
                                                                                                                                                                                                                                                                                                                                                                                                                          • Adds policy Run key to start application
                                                                                                                                                                                                                                                                                                                                                                                                                          • Modifies Installed Components in the registry
                                                                                                                                                                                                                                                                                                                                                                                                                          • Checks computer location settings
                                                                                                                                                                                                                                                                                                                                                                                                                          • Adds Run key to start application
                                                                                                                                                                                                                                                                                                                                                                                                                          • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                                                                                                                          • Modifies registry class
                                                                                                                                                                                                                                                                                                                                                                                                                          PID:5808
                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                            8⤵
                                                                                                                                                                                                                                                                                                                                                                                                                              PID:6112
                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                              8⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                PID:5924
                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                8⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:5968
                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                  8⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:5168
                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                    8⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:440
                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                      8⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:2824
                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                        8⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:5636
                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                          8⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:5744
                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Roaming\InstallDir\Svhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Roaming\InstallDir\Svhost.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                            8⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                            • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:5900
                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\InstallDir\Svhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                              C:\Users\Admin\AppData\Roaming\InstallDir\Svhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                              9⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                              • Modifies WinLogon for persistence
                                                                                                                                                                                                                                                                                                                                                                                                                                              • Adds policy Run key to start application
                                                                                                                                                                                                                                                                                                                                                                                                                                              • Modifies Installed Components in the registry
                                                                                                                                                                                                                                                                                                                                                                                                                                              • Adds Run key to start application
                                                                                                                                                                                                                                                                                                                                                                                                                                              • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:5812
                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                10⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:5616
                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\explorer.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                  explorer.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                  10⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:2368
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                    10⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:5184
                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                      10⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:5872
                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                        10⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:5180
                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                          10⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:2676
                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                            10⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:5620
                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                              10⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:5652
                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Roaming\InstallDir\Svhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Roaming\InstallDir\Svhost.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                        6⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:6072
                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\InstallDir\Svhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                          C:\Users\Admin\AppData\Roaming\InstallDir\Svhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                          7⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                          • Modifies WinLogon for persistence
                                                                                                                                                                                                                                                                                                                                                                                                                                                          • Adds policy Run key to start application
                                                                                                                                                                                                                                                                                                                                                                                                                                                          • Modifies Installed Components in the registry
                                                                                                                                                                                                                                                                                                                                                                                                                                                          • Checks computer location settings
                                                                                                                                                                                                                                                                                                                                                                                                                                                          • Adds Run key to start application
                                                                                                                                                                                                                                                                                                                                                                                                                                                          • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:5644
                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                            8⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:3764
                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                              8⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:5732
                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                8⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:2396
                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                  8⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:4456
                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    8⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:6068
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      8⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:5712
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        8⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:5708
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          8⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:5232
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Roaming\InstallDir\Svhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Roaming\InstallDir\Svhost.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            8⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:5912
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\InstallDir\Svhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              C:\Users\Admin\AppData\Roaming\InstallDir\Svhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              9⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Modifies WinLogon for persistence
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Adds policy Run key to start application
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Modifies Installed Components in the registry
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Checks computer location settings
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Adds Run key to start application
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Modifies registry class
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:1808
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                10⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:5804
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\explorer.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  explorer.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  10⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:5556
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    10⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:5904
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      10⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:5488
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        10⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:5900
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          10⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:5460
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            10⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:4348
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              10⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:5572
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                10⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:5912
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\InstallDir\Svhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Windows\system32\InstallDir\Svhost.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  10⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:5776
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\InstallDir\Svhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    C:\Windows\SysWOW64\InstallDir\Svhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    11⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Modifies WinLogon for persistence
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Adds policy Run key to start application
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Modifies Installed Components in the registry
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Checks computer location settings
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Adds Run key to start application
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Modifies registry class
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:5780
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      12⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:5840
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        12⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:3496
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          12⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:5568
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            12⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:5720
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              12⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:216
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                12⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:1808
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  12⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:4144
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    12⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:4932
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\InstallDir\Svhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Windows\SysWOW64\InstallDir\Svhost.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      12⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:6176
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\InstallDir\Svhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        C:\Windows\SysWOW64\InstallDir\Svhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        13⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Modifies WinLogon for persistence
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Adds policy Run key to start application
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Modifies Installed Components in the registry
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Adds Run key to start application
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:6264
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          14⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:6380
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            14⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:6532
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              14⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:6592
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                14⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:6600
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  14⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:6612
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Roaming\InstallDir\Svhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Roaming\InstallDir\Svhost.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    6⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:5720
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Roaming\InstallDir\Svhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      C:\Users\Admin\AppData\Roaming\InstallDir\Svhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      7⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Modifies WinLogon for persistence
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Adds policy Run key to start application
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Modifies Installed Components in the registry
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Checks computer location settings
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Adds Run key to start application
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Modifies registry class
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:5452
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        8⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:5920
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\explorer.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          explorer.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          8⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:5644
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            8⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:452
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              8⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:5436
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                8⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:5672
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  8⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:5812
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    8⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:5340
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      8⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:5188
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        8⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:4028
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\InstallDir\Svhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Windows\system32\InstallDir\Svhost.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          8⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:4864
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\InstallDir\Svhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            C:\Windows\SysWOW64\InstallDir\Svhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            9⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Modifies WinLogon for persistence
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Adds policy Run key to start application
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Modifies Installed Components in the registry
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Adds Run key to start application
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:3260
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              10⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:5776
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                10⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:1632
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  10⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:6064
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    10⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:6168
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      10⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:6236
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        10⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:6248
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          10⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:6256
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Roaming\InstallDir\Svhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Roaming\InstallDir\Svhost.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    6⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:216
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Roaming\InstallDir\Svhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      C:\Users\Admin\AppData\Roaming\InstallDir\Svhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      7⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Modifies WinLogon for persistence
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Adds policy Run key to start application
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Modifies Installed Components in the registry
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Checks computer location settings
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Adds Run key to start application
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:1076
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        8⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:2400
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          8⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:5612
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            8⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:2808
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              8⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:1424
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                8⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:1596
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  8⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:5916
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    8⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:5864
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      8⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:6156
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Roaming\InstallDir\Svhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Roaming\InstallDir\Svhost.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        8⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:6216
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\InstallDir\Svhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          C:\Users\Admin\AppData\Roaming\InstallDir\Svhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          9⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:6280
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Roaming\InstallDir\Svhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Roaming\InstallDir\Svhost.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      6⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:6556
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Roaming\InstallDir\Svhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        C:\Users\Admin\AppData\Roaming\InstallDir\Svhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        7⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Modifies WinLogon for persistence
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Checks computer location settings
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Adds Run key to start application
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:6620
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          8⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:6688
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            8⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:6700
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              8⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:6708
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                8⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:6720
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  8⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:6800
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    8⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:6944
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      8⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:6952
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        8⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:6964
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\InstallDir\Svhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Roaming\InstallDir\Svhost.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          8⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:6988
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Roaming\InstallDir\Svhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            C:\Users\Admin\AppData\Roaming\InstallDir\Svhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            9⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Modifies WinLogon for persistence
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Adds policy Run key to start application
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Modifies Installed Components in the registry
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Adds Run key to start application
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:7132
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              10⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:6196
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\explorer.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                explorer.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                10⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:2028
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  10⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:1076
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    10⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:6276
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      10⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:6224
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        10⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:6376
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Roaming\InstallDir\Svhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Roaming\InstallDir\Svhost.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  6⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:6916
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Roaming\InstallDir\Svhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    C:\Users\Admin\AppData\Roaming\InstallDir\Svhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    7⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Modifies WinLogon for persistence
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Adds policy Run key to start application
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Modifies Installed Components in the registry
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Checks computer location settings
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Adds Run key to start application
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Modifies registry class
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:7008
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      8⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:7092
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\explorer.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        explorer.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        8⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:7100
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          8⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:7112
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            8⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:7120
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              8⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:6208
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                8⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:6028
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  8⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:6340
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    8⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:6356
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      8⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:6392
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\InstallDir\Svhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Windows\system32\InstallDir\Svhost.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        8⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:6464
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\InstallDir\Svhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          C:\Windows\SysWOW64\InstallDir\Svhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          9⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • Modifies WinLogon for persistence
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • Adds policy Run key to start application
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • Modifies Installed Components in the registry
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • Adds Run key to start application
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:5940
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            10⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:6668
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              10⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:1044
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                10⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:6892
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  10⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:6832
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Roaming\InstallDir\Svhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Roaming\InstallDir\Svhost.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            6⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:3656
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\InstallDir\Svhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              C:\Users\Admin\AppData\Roaming\InstallDir\Svhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              7⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Modifies WinLogon for persistence
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Adds policy Run key to start application
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Modifies Installed Components in the registry
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:6396
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                8⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:5808
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\explorer.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  explorer.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  8⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:6420
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    8⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:6504
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      8⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:6528
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        8⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:6576
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          8⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:6652
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            8⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:6608
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              8⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:1640
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                8⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:6820
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\InstallDir\Svhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Roaming\InstallDir\Svhost.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              6⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:6684
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:4924
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\explorer.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                explorer.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:4916
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:3892
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:3456
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:3568
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:5104
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:1600
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:3824
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:3924
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Roaming\InstallDir\Svhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Roaming\InstallDir\Svhost.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:4348
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Roaming\InstallDir\Svhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  C:\Users\Admin\AppData\Roaming\InstallDir\Svhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  6⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Modifies WinLogon for persistence
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Modifies Installed Components in the registry
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Checks computer location settings
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Adds Run key to start application
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Modifies registry class
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:2036
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    7⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:4564
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\explorer.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      explorer.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      7⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:2800
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        7⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:3180
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          7⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:1228
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            7⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:3736
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              7⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:4032
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                7⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:5108
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  7⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:3576
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    7⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:3508
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\InstallDir\Svhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Windows\system32\InstallDir\Svhost.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      7⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:4044
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\InstallDir\Svhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        C:\Windows\SysWOW64\InstallDir\Svhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        8⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Modifies WinLogon for persistence
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Adds policy Run key to start application
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Checks computer location settings
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Adds Run key to start application
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Modifies registry class
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:5064
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          9⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:2620
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            9⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:3472
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              9⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:4172
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                9⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:4516
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  9⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:3344
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    9⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:1932
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      9⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:3592
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        9⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:4148
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\InstallDir\Svhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Windows\SysWOW64\InstallDir\Svhost.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          9⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:1544
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\InstallDir\Svhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            C:\Windows\SysWOW64\InstallDir\Svhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            10⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Modifies WinLogon for persistence
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Adds policy Run key to start application
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Modifies Installed Components in the registry
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Adds Run key to start application
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:4248
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              11⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:2412

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Network

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MITRE ATT&CK Enterprise v15

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Replay Monitor

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Loading Replay Monitor...

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Downloads

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Roaming\InstallDir\Svhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            64KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            ef1da37a1488a2dd0205a87b6e81822e

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            a5a161db43c5e06f836fd8be2776e5c0a70e9848

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            558375823cc8f1e9b9065b53bedf44c96ad60ce64aa0de946f8ce6548a8364ef

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            435488d21a95c9a434d578c4d808cd99806eca8f93161960557c4f012accfae38fed80b0fb8dd0b1727a5c30b3689e75367796b4a0c42532a216bb380d002cd1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\((Mutex)).cfg
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            1KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            2d406af19d5440406488622b736a4f5a

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            c7b2dee5c14298cc1bc412fc0ac79ff8ab95d8cb

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            9cdd2dce1dc379cb781f3e10b50500250dc2c2f57bd292beb1a2c5d7bbdc6a1b

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            1e462ba1dd6121b47e3e23409edfd35b03620e6db3e2cdb1893b3595900566846b8bd0a5091eb5e6b57b60cb16d95981ff9f20bfc684ed8a20b438ee4c6fad4d

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\InstallDir\Svhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            638KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            68a4619be1f3efcc95a4fac79b12544b

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            305a32c6ac58a4daec2edd4f91c7dea9f9fccd41

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            acd10a5e1a34f66e757669ebc7c4edf73d8a8adf6df73f7618edcc564a3c894c

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            74d8b1153201c3a9b80270145350cbb90fa8143c203c36bcb480270479298b885811a94c05a333e0d638d6a926e3457e8260c9e6ff9eac3e21e00226eee7922b

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/60-265-0x0000000001F40000-0x0000000001F41000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/216-729-0x00000000005E0000-0x00000000005E1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/388-7-0x0000000000C80000-0x0000000000CA8000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            160KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/388-9-0x0000000000C80000-0x0000000000CA8000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            160KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/388-8-0x0000000000C80000-0x0000000000CA8000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            160KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/388-10-0x0000000000C80000-0x0000000000CA8000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            160KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/388-3-0x0000000000C80000-0x0000000000CA8000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            160KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/388-49-0x0000000000C80000-0x0000000000CA8000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            160KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/388-2-0x0000000000C80000-0x0000000000CA8000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            160KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/388-1-0x0000000000C80000-0x0000000000CA8000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            160KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/548-545-0x0000000002050000-0x0000000002051000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/624-240-0x0000000000C80000-0x0000000000CA8000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            160KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/724-501-0x0000000002030000-0x0000000002031000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/1092-566-0x0000000000570000-0x0000000000571000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/1104-440-0x0000000002270000-0x0000000002271000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/1220-0-0x00000000005F0000-0x00000000005F1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/1220-6-0x0000000010000000-0x0000000010097000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            604KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/1544-184-0x00000000005E0000-0x00000000005E1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/1544-199-0x0000000010000000-0x0000000010097000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            604KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/1576-416-0x0000000000C80000-0x0000000000CA8000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            160KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/1612-555-0x0000000001F50000-0x0000000001F51000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/2036-80-0x0000000000C80000-0x0000000000CA8000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            160KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/2036-79-0x0000000000C80000-0x0000000000CA8000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            160KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/2036-77-0x0000000000C80000-0x0000000000CA8000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            160KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/2312-219-0x0000000002050000-0x0000000002051000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/2352-17-0x0000000000C80000-0x0000000000CA8000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            160KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/2368-693-0x0000000000C80000-0x0000000000CA8000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            160KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/2404-259-0x0000000000C80000-0x0000000000CA8000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            160KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/2576-370-0x0000000002060000-0x0000000002061000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/2676-546-0x0000000001F50000-0x0000000001F51000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/2780-502-0x0000000002070000-0x0000000002071000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/2800-88-0x0000000000C80000-0x0000000000CA8000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            160KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/2920-271-0x0000000000590000-0x0000000000591000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/3164-435-0x0000000001F60000-0x0000000001F61000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/3164-524-0x0000000000580000-0x0000000000581000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/3228-433-0x0000000001F50000-0x0000000001F51000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/3260-788-0x0000000000C80000-0x0000000000CA8000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            160KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/3260-762-0x0000000000C80000-0x0000000000CA8000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            160KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/3352-521-0x0000000001F60000-0x0000000001F61000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/3356-121-0x0000000010000000-0x0000000010097000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            604KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/3356-90-0x00000000005A0000-0x00000000005A1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/3532-432-0x0000000000C80000-0x0000000000CA8000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            160KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/3688-50-0x00000000004C0000-0x00000000004C1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/3688-59-0x0000000010000000-0x0000000010097000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            604KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/3708-340-0x0000000002160000-0x0000000002161000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/3716-125-0x0000000000C80000-0x0000000000CA8000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            160KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/3716-151-0x0000000000C80000-0x0000000000CA8000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            160KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/3900-396-0x0000000002170000-0x0000000002171000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/4044-136-0x00000000005B0000-0x00000000005B1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/4044-143-0x0000000010000000-0x0000000010097000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            604KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/4208-262-0x0000000002060000-0x0000000002061000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/4228-365-0x0000000000540000-0x0000000000541000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/4248-200-0x0000000000C80000-0x0000000000CA8000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            160KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/4248-198-0x0000000000C80000-0x0000000000CA8000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            160KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/4248-201-0x0000000000C80000-0x0000000000CA8000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            160KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/4296-407-0x0000000002170000-0x0000000002171000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/4348-71-0x00000000006C0000-0x00000000006C1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/4348-78-0x0000000010000000-0x0000000010097000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            604KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/4364-137-0x0000000000C80000-0x0000000000CA8000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            160KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/4436-68-0x0000000000C80000-0x0000000000CA8000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            160KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/4652-58-0x0000000000C80000-0x0000000000CA8000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            160KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/4652-57-0x0000000000C80000-0x0000000000CA8000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            160KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/4652-60-0x0000000000C80000-0x0000000000CA8000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            160KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/4792-230-0x0000000000C80000-0x0000000000CA8000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            160KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/4792-214-0x0000000000C80000-0x0000000000CA8000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            160KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/4860-231-0x0000000001F60000-0x0000000001F61000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/4864-752-0x00000000005B0000-0x00000000005B1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/4980-342-0x0000000000690000-0x0000000000691000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/5064-155-0x0000000000C80000-0x0000000000CA8000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            160KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/5064-147-0x0000000000C80000-0x0000000000CA8000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            160KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/5088-192-0x00000000006B0000-0x00000000006B1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/5088-210-0x0000000010000000-0x0000000010097000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            604KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/5160-585-0x0000000002060000-0x0000000002061000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/5452-600-0x0000000002170000-0x0000000002171000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/5552-601-0x0000000001F10000-0x0000000001F11000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/5556-710-0x0000000000C80000-0x0000000000CA8000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            160KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/5612-610-0x0000000001F50000-0x0000000001F51000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/5640-634-0x0000000000560000-0x0000000000561000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/5644-727-0x0000000000C80000-0x0000000000CA8000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            160KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/5716-633-0x0000000002170000-0x0000000002171000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/5720-711-0x0000000002050000-0x0000000002051000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/5776-728-0x00000000005B0000-0x00000000005B1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/5780-739-0x0000000000C80000-0x0000000000CA8000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            160KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/5780-765-0x0000000000C80000-0x0000000000CA8000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            160KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/5900-677-0x0000000002160000-0x0000000002161000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/5912-694-0x0000000002260000-0x0000000002261000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/5916-655-0x0000000002140000-0x0000000002141000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/6072-656-0x0000000002270000-0x0000000002271000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/6176-766-0x0000000002270000-0x0000000002271000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/6216-767-0x0000000000550000-0x0000000000551000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Download