Analysis

  • max time kernel
    43s
  • max time network
    43s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  • submitted
    13-08-2024 03:38

Errors

Reason
Machine shutdown

General

  • Target

    Chew7.exe

  • Size

    4.6MB

  • MD5

    7b232997942b2a5c7e4dbe931bb4c67c

  • SHA1

    06c6d3b5b66585f03bab25c774baadb575cb1515

  • SHA256

    0a88faa27484c7c163bc90fbf806a9dab84226c2f60f3410695278ee76d065f5

  • SHA512

    1959f3334af0061fac523e31fb030d77c13696977cc151453ca0546cc624d234b2198d141e61d597e0d3c2ff3068ad8f3d732dd477a5b535ccd56dd953588412

  • SSDEEP

    98304:6BkL7VOQCsDdOmYglo4Y14pygKq7VOQCsDdOmYglo4Y14pygK:6OLPLDVYglq1pqPLDVYglq1p

Signatures

  • Possible privilege escalation attempt 54 IoCs
  • Executes dropped EXE 64 IoCs
  • Loads dropped DLL 64 IoCs
  • Modifies file permissions 1 TTPs 54 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
  • Drops file in System32 directory 37 IoCs
  • Enumerates processes with tasklist 1 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 43 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Delays execution with timeout.exe 1 IoCs
  • Kills process with taskkill 3 IoCs
  • Modifies registry key 1 TTPs 5 IoCs
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 32 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Chew7.exe
    "C:\Users\Admin\AppData\Local\Temp\Chew7.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:2876
    • C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /f /im cmd.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1740
    • C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /f /im hale.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2840
    • C:\Windows\system32\hale.exe
      "C:\Windows\system32\hale.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2812
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\hale.cmd" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2688
        • C:\Windows\system32\cmd.exe
          "C:\Windows\Sysnative\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\hale.cmd""
          4⤵
          • Drops file in System32 directory
          • Suspicious use of WriteProcessMemory
          PID:1844
          • C:\Windows\system32\reg.exe
            REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE
            5⤵
              PID:2968
            • C:\Windows\system32\find.exe
              FIND /I "HKEY_LOCAL_MACHINE\SOFTWARE\Chew7"
              5⤵
                PID:872
              • C:\Windows\system32\reg.exe
                REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Chew7 /f
                5⤵
                  PID:2904
                • C:\Windows\system32\cmd.exe
                  C:\Windows\system32\cmd.exe /c REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Chew7 /v CWInstalled
                  5⤵
                  • Suspicious use of WriteProcessMemory
                  PID:1436
                  • C:\Windows\system32\reg.exe
                    REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Chew7 /v CWInstalled
                    6⤵
                      PID:1560
                  • C:\Windows\system32\tasklist.exe
                    TASKLIST /FI "IMAGENAME eq Chew7.exe"
                    5⤵
                    • Enumerates processes with tasklist
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2844
                  • C:\Windows\system32\find.exe
                    FIND "Chew7.exe"
                    5⤵
                      PID:2320
                    • C:\Windows\system32\reg.exe
                      REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Chew7 /v LastAttempt /t REG_SZ /d install /f
                      5⤵
                        PID:2660
                      • C:\Windows\system32\cmd.exe
                        C:\Windows\system32\cmd.exe /c REG QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName
                        5⤵
                        • Suspicious use of WriteProcessMemory
                        PID:2692
                        • C:\Windows\system32\reg.exe
                          REG QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName
                          6⤵
                            PID:2916
                        • C:\Windows\system32\cmd.exe
                          C:\Windows\system32\cmd.exe /c REG QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v BuildLabEx
                          5⤵
                          • Suspicious use of WriteProcessMemory
                          PID:2932
                          • C:\Windows\system32\reg.exe
                            REG QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v BuildLabEx
                            6⤵
                              PID:2908
                          • C:\Windows\system32\cmd.exe
                            C:\Windows\system32\cmd.exe /c REG QUERY HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation /v TimeZoneKeyName
                            5⤵
                            • Suspicious use of WriteProcessMemory
                            PID:2920
                            • C:\Windows\system32\reg.exe
                              REG QUERY HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation /v TimeZoneKeyName
                              6⤵
                              • Modifies registry key
                              PID:2948
                          • C:\Windows\system32\cmd.exe
                            C:\Windows\system32\cmd.exe /c TIME /T
                            5⤵
                              PID:2896
                            • C:\Windows\system32\cmd.exe
                              C:\Windows\system32\cmd.exe /S /D /c" ECHO.Windows 7 Ultimate 7601.17727.amd64fre.win7sp1_gdr.111118-2330"
                              5⤵
                                PID:1564
                              • C:\Windows\system32\find.exe
                                FIND "64"
                                5⤵
                                  PID:2988
                                • C:\Windows\system32\cmd.exe
                                  C:\Windows\system32\cmd.exe /S /D /c" ECHO.Windows 7 Ultimate 7601.17727.amd64fre.win7sp1_gdr.111118-2330"
                                  5⤵
                                    PID:3016
                                  • C:\Windows\system32\find.exe
                                    FIND "86"
                                    5⤵
                                      PID:2980
                                    • C:\Windows\system32\cmd.exe
                                      C:\Windows\system32\cmd.exe /S /D /c" ECHO.AMD64"
                                      5⤵
                                        PID:2792
                                      • C:\Windows\system32\find.exe
                                        FIND "64"
                                        5⤵
                                          PID:2892
                                        • C:\Windows\system32\cmd.exe
                                          C:\Windows\system32\cmd.exe /S /D /c" ECHO.AMD64"
                                          5⤵
                                            PID:1180
                                          • C:\Windows\system32\find.exe
                                            FIND "86"
                                            5⤵
                                              PID:1452
                                            • C:\Windows\system32\takeown.exe
                                              TAKEOWN /F "C:\Windows\winsxs"
                                              5⤵
                                              • Possible privilege escalation attempt
                                              • Modifies file permissions
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:456
                                            • C:\Windows\system32\icacls.exe
                                              ICACLS "C:\Windows\winsxs" /GRANT *S-1-1-0:F
                                              5⤵
                                              • Possible privilege escalation attempt
                                              • Modifies file permissions
                                              PID:1880
                                            • C:\Windows\system32\takeown.exe
                                              TAKEOWN /F "C:\Windows\winsxs\Temp\PendingRenames"
                                              5⤵
                                              • Possible privilege escalation attempt
                                              • Modifies file permissions
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:2064
                                            • C:\Windows\system32\icacls.exe
                                              ICACLS "C:\Windows\winsxs\Temp\PendingRenames" /GRANT *S-1-1-0:F
                                              5⤵
                                              • Possible privilege escalation attempt
                                              • Modifies file permissions
                                              PID:756
                                            • C:\Windows\system32\reg.exe
                                              REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Chew7
                                              5⤵
                                                PID:1916
                                              • C:\Windows\system32\find.exe
                                                FIND /I "IntervalSeconds"
                                                5⤵
                                                  PID:2020
                                                • C:\Windows\system32\reg.exe
                                                  REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Chew7 /v IntervalSeconds /t REG_DWORD /d 30 /f
                                                  5⤵
                                                    PID:2548
                                                  • C:\Windows\system32\cmd.exe
                                                    C:\Windows\system32\cmd.exe /c REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Chew7 /v IntervalSeconds
                                                    5⤵
                                                      PID:3068
                                                      • C:\Windows\system32\reg.exe
                                                        REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Chew7 /v IntervalSeconds
                                                        6⤵
                                                          PID:2416
                                                      • C:\Windows\system32\reg.exe
                                                        REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Chew7 /v IntervalSeconds /t REG_DWORD /d 1e /f
                                                        5⤵
                                                          PID:2212
                                                        • C:\Windows\system32\icacls.exe
                                                          ICACLS "C:\Windows\System32\slmgr.vbs" /save "C:\ProgramData\Microsoft\Windows\Pending\slmgr.vbs.acl"
                                                          5⤵
                                                          • Possible privilege escalation attempt
                                                          • Modifies file permissions
                                                          PID:2396
                                                        • C:\Windows\system32\cmd.exe
                                                          C:\Windows\system32\cmd.exe /c crc32.exe 64\slmgr.vbs
                                                          5⤵
                                                            PID:952
                                                            • C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\crc32.exe
                                                              crc32.exe 64\slmgr.vbs
                                                              6⤵
                                                              • Executes dropped EXE
                                                              • Suspicious behavior: CmdExeWriteProcessMemorySpam
                                                              PID:916
                                                          • C:\Windows\system32\cmd.exe
                                                            C:\Windows\system32\cmd.exe /c crc32.exe 64\slmgr.vbs
                                                            5⤵
                                                              PID:1464
                                                              • C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\crc32.exe
                                                                crc32.exe 64\slmgr.vbs
                                                                6⤵
                                                                • Executes dropped EXE
                                                                • Suspicious behavior: CmdExeWriteProcessMemorySpam
                                                                PID:2492
                                                            • C:\Windows\system32\takeown.exe
                                                              TAKEOWN /F "C:\Windows\System32\slmgr.vbs"
                                                              5⤵
                                                              • Possible privilege escalation attempt
                                                              • Modifies file permissions
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              PID:1732
                                                            • C:\Windows\system32\icacls.exe
                                                              ICACLS "C:\Windows\System32\slmgr.vbs" /GRANT *S-1-1-0:F
                                                              5⤵
                                                              • Possible privilege escalation attempt
                                                              • Modifies file permissions
                                                              PID:2024
                                                            • C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\flick.exe
                                                              flick.exe /h /q /c /m /r "C:\ProgramData\Microsoft\Windows\Pending\27931.lck" "C:\Windows\System32\slmgr.vbs"
                                                              5⤵
                                                              • Executes dropped EXE
                                                              • Drops file in System32 directory
                                                              • System Location Discovery: System Language Discovery
                                                              • Suspicious behavior: CmdExeWriteProcessMemorySpam
                                                              PID:2200
                                                            • C:\Windows\system32\icacls.exe
                                                              ICACLS "C:\Windows\System32" /restore "C:\ProgramData\Microsoft\Windows\Pending\slmgr.vbs.acl"
                                                              5⤵
                                                              • Possible privilege escalation attempt
                                                              • Modifies file permissions
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              PID:1440
                                                            • C:\Windows\system32\icacls.exe
                                                              ICACLS "C:\Windows\SysWOW64\slmgr.vbs" /save "C:\ProgramData\Microsoft\Windows\Pending\slmgr.vbs.acl"
                                                              5⤵
                                                              • Possible privilege escalation attempt
                                                              • Modifies file permissions
                                                              PID:1112
                                                            • C:\Windows\system32\cmd.exe
                                                              C:\Windows\system32\cmd.exe /c crc32.exe 32\slmgr.vbs
                                                              5⤵
                                                                PID:896
                                                                • C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\crc32.exe
                                                                  crc32.exe 32\slmgr.vbs
                                                                  6⤵
                                                                  • Executes dropped EXE
                                                                  • Suspicious behavior: CmdExeWriteProcessMemorySpam
                                                                  PID:588
                                                              • C:\Windows\system32\cmd.exe
                                                                C:\Windows\system32\cmd.exe /c crc32.exe 32\slmgr.vbs
                                                                5⤵
                                                                  PID:1280
                                                                  • C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\crc32.exe
                                                                    crc32.exe 32\slmgr.vbs
                                                                    6⤵
                                                                    • Executes dropped EXE
                                                                    • Suspicious behavior: CmdExeWriteProcessMemorySpam
                                                                    PID:1700
                                                                • C:\Windows\system32\takeown.exe
                                                                  TAKEOWN /F "C:\Windows\SysWOW64\slmgr.vbs"
                                                                  5⤵
                                                                  • Possible privilege escalation attempt
                                                                  • Modifies file permissions
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  PID:2360
                                                                • C:\Windows\system32\icacls.exe
                                                                  ICACLS "C:\Windows\SysWOW64\slmgr.vbs" /GRANT *S-1-1-0:F
                                                                  5⤵
                                                                  • Possible privilege escalation attempt
                                                                  • Modifies file permissions
                                                                  PID:1572
                                                                • C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\flick.exe
                                                                  flick.exe /h /q /c /m /r "C:\ProgramData\Microsoft\Windows\Pending\31111.lck" "C:\Windows\SysWOW64\slmgr.vbs"
                                                                  5⤵
                                                                  • Executes dropped EXE
                                                                  • Drops file in System32 directory
                                                                  • Suspicious behavior: CmdExeWriteProcessMemorySpam
                                                                  PID:1544
                                                                • C:\Windows\system32\icacls.exe
                                                                  ICACLS "C:\Windows\SysWOW64" /restore "C:\ProgramData\Microsoft\Windows\Pending\slmgr.vbs.acl"
                                                                  5⤵
                                                                  • Possible privilege escalation attempt
                                                                  • Modifies file permissions
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  PID:1760
                                                                • C:\Windows\system32\icacls.exe
                                                                  ICACLS "C:\Windows\System32\slwga.dll" /save "C:\ProgramData\Microsoft\Windows\Pending\slwga.dll.acl"
                                                                  5⤵
                                                                  • Possible privilege escalation attempt
                                                                  • Modifies file permissions
                                                                  PID:2848
                                                                • C:\Windows\system32\cmd.exe
                                                                  C:\Windows\system32\cmd.exe /c crc32.exe 64\slwga.dll
                                                                  5⤵
                                                                    PID:3052
                                                                    • C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\crc32.exe
                                                                      crc32.exe 64\slwga.dll
                                                                      6⤵
                                                                      • Executes dropped EXE
                                                                      • Suspicious behavior: CmdExeWriteProcessMemorySpam
                                                                      PID:2600
                                                                  • C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\bump.exe
                                                                    bump -s:x89:x06:x85:xDB:x79 -r:x2B:xC0:x89:x06:xEB -o 64\slwga.dll
                                                                    5⤵
                                                                    • Executes dropped EXE
                                                                    • System Location Discovery: System Language Discovery
                                                                    • Suspicious behavior: CmdExeWriteProcessMemorySpam
                                                                    PID:2628
                                                                  • C:\Windows\system32\find.exe
                                                                    FIND "changed"
                                                                    5⤵
                                                                      PID:1156
                                                                    • C:\Windows\system32\cmd.exe
                                                                      C:\Windows\system32\cmd.exe /c crc32.exe 64\slwga.dll
                                                                      5⤵
                                                                        PID:2620
                                                                        • C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\crc32.exe
                                                                          crc32.exe 64\slwga.dll
                                                                          6⤵
                                                                          • Executes dropped EXE
                                                                          • Suspicious behavior: CmdExeWriteProcessMemorySpam
                                                                          PID:2764
                                                                      • C:\Windows\system32\takeown.exe
                                                                        TAKEOWN /F "C:\Windows\System32\slwga.dll"
                                                                        5⤵
                                                                        • Possible privilege escalation attempt
                                                                        • Modifies file permissions
                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                        PID:2704
                                                                      • C:\Windows\system32\icacls.exe
                                                                        ICACLS "C:\Windows\System32\slwga.dll" /GRANT *S-1-1-0:F
                                                                        5⤵
                                                                        • Possible privilege escalation attempt
                                                                        • Modifies file permissions
                                                                        PID:2604
                                                                      • C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\flick.exe
                                                                        flick.exe /h /q /c /m /r "C:\ProgramData\Microsoft\Windows\Pending\2314.lck" "C:\Windows\System32\slwga.dll"
                                                                        5⤵
                                                                        • Executes dropped EXE
                                                                        • Drops file in System32 directory
                                                                        • System Location Discovery: System Language Discovery
                                                                        • Suspicious behavior: CmdExeWriteProcessMemorySpam
                                                                        PID:2260
                                                                      • C:\Windows\system32\icacls.exe
                                                                        ICACLS "C:\Windows\System32" /restore "C:\ProgramData\Microsoft\Windows\Pending\slwga.dll.acl"
                                                                        5⤵
                                                                        • Possible privilege escalation attempt
                                                                        • Modifies file permissions
                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                        PID:1124
                                                                      • C:\Windows\system32\icacls.exe
                                                                        ICACLS "C:\Windows\SysWOW64\slwga.dll" /save "C:\ProgramData\Microsoft\Windows\Pending\slwga.dll.acl"
                                                                        5⤵
                                                                        • Possible privilege escalation attempt
                                                                        • Modifies file permissions
                                                                        PID:1920
                                                                      • C:\Windows\system32\cmd.exe
                                                                        C:\Windows\system32\cmd.exe /c crc32.exe 32\slwga.dll
                                                                        5⤵
                                                                          PID:2380
                                                                          • C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\crc32.exe
                                                                            crc32.exe 32\slwga.dll
                                                                            6⤵
                                                                            • Executes dropped EXE
                                                                            • Suspicious behavior: CmdExeWriteProcessMemorySpam
                                                                            PID:1088
                                                                        • C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\bump.exe
                                                                          bump -s:x0C:x8B:x4D:x10 -r:x0C:x2B:xC9:x90 -o 32\slwga.dll
                                                                          5⤵
                                                                          • Executes dropped EXE
                                                                          • System Location Discovery: System Language Discovery
                                                                          • Suspicious behavior: CmdExeWriteProcessMemorySpam
                                                                          PID:1276
                                                                        • C:\Windows\system32\find.exe
                                                                          FIND "changed"
                                                                          5⤵
                                                                            PID:2464
                                                                          • C:\Windows\system32\cmd.exe
                                                                            C:\Windows\system32\cmd.exe /c crc32.exe 32\slwga.dll
                                                                            5⤵
                                                                              PID:2912
                                                                              • C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\crc32.exe
                                                                                crc32.exe 32\slwga.dll
                                                                                6⤵
                                                                                • Executes dropped EXE
                                                                                • Suspicious behavior: CmdExeWriteProcessMemorySpam
                                                                                PID:1076
                                                                            • C:\Windows\system32\takeown.exe
                                                                              TAKEOWN /F "C:\Windows\SysWOW64\slwga.dll"
                                                                              5⤵
                                                                              • Possible privilege escalation attempt
                                                                              • Modifies file permissions
                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                              PID:1744
                                                                            • C:\Windows\system32\icacls.exe
                                                                              ICACLS "C:\Windows\SysWOW64\slwga.dll" /GRANT *S-1-1-0:F
                                                                              5⤵
                                                                              • Possible privilege escalation attempt
                                                                              • Modifies file permissions
                                                                              PID:948
                                                                            • C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\flick.exe
                                                                              flick.exe /h /q /c /m /r "C:\ProgramData\Microsoft\Windows\Pending\16862.lck" "C:\Windows\SysWOW64\slwga.dll"
                                                                              5⤵
                                                                              • Executes dropped EXE
                                                                              • Drops file in System32 directory
                                                                              • Suspicious behavior: CmdExeWriteProcessMemorySpam
                                                                              PID:2908
                                                                            • C:\Windows\system32\icacls.exe
                                                                              ICACLS "C:\Windows\SysWOW64" /restore "C:\ProgramData\Microsoft\Windows\Pending\slwga.dll.acl"
                                                                              5⤵
                                                                              • Possible privilege escalation attempt
                                                                              • Modifies file permissions
                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                              PID:2936
                                                                            • C:\Windows\system32\icacls.exe
                                                                              ICACLS "C:\Windows\System32\sppwmi.dll" /save "C:\ProgramData\Microsoft\Windows\Pending\sppwmi.dll.acl"
                                                                              5⤵
                                                                              • Possible privilege escalation attempt
                                                                              • Modifies file permissions
                                                                              PID:3016
                                                                            • C:\Windows\system32\cmd.exe
                                                                              C:\Windows\system32\cmd.exe /c crc32.exe 64\sppwmi.dll
                                                                              5⤵
                                                                                PID:284
                                                                                • C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\crc32.exe
                                                                                  crc32.exe 64\sppwmi.dll
                                                                                  6⤵
                                                                                  • Executes dropped EXE
                                                                                  • Suspicious behavior: CmdExeWriteProcessMemorySpam
                                                                                  PID:852
                                                                              • C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\bump.exe
                                                                                bump -s:xF4:xFF:xFF:x8B:xF8:x85:xC0 -r:xF4:xFF:xFF:x29:xFF:xFF:xC7 -o 64\sppwmi.dll
                                                                                5⤵
                                                                                • Executes dropped EXE
                                                                                • System Location Discovery: System Language Discovery
                                                                                • Suspicious behavior: CmdExeWriteProcessMemorySpam
                                                                                PID:3036
                                                                              • C:\Windows\system32\find.exe
                                                                                FIND "changed"
                                                                                5⤵
                                                                                  PID:2008
                                                                                • C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\bump.exe
                                                                                  bump -s:x41:x8B:x50:x10:x85:xD2 -r:x48:x31:xD2:x48:xFF:xC2 -o 64\sppwmi.dll
                                                                                  5⤵
                                                                                  • Executes dropped EXE
                                                                                  • System Location Discovery: System Language Discovery
                                                                                  • Suspicious behavior: CmdExeWriteProcessMemorySpam
                                                                                  PID:888
                                                                                • C:\Windows\system32\find.exe
                                                                                  FIND "changed"
                                                                                  5⤵
                                                                                    PID:2020
                                                                                  • C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\bump.exe
                                                                                    bump -s:x8B:x79:x14 -r:x83:xE7:x00 -o 64\sppwmi.dll
                                                                                    5⤵
                                                                                    • Executes dropped EXE
                                                                                    • Suspicious behavior: CmdExeWriteProcessMemorySpam
                                                                                    PID:2416
                                                                                  • C:\Windows\system32\find.exe
                                                                                    FIND "changed"
                                                                                    5⤵
                                                                                      PID:2212
                                                                                    • C:\Windows\system32\cmd.exe
                                                                                      C:\Windows\system32\cmd.exe /c crc32.exe 64\sppwmi.dll
                                                                                      5⤵
                                                                                        PID:2268
                                                                                        • C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\crc32.exe
                                                                                          crc32.exe 64\sppwmi.dll
                                                                                          6⤵
                                                                                          • Executes dropped EXE
                                                                                          • Suspicious behavior: CmdExeWriteProcessMemorySpam
                                                                                          PID:2176
                                                                                      • C:\Windows\system32\icacls.exe
                                                                                        ICACLS "C:\Windows\SysWOW64\sppwmi.dll" /save "C:\ProgramData\Microsoft\Windows\Pending\sppwmi.dll.acl"
                                                                                        5⤵
                                                                                        • Possible privilege escalation attempt
                                                                                        • Modifies file permissions
                                                                                        PID:760
                                                                                      • C:\Windows\system32\cmd.exe
                                                                                        C:\Windows\system32\cmd.exe /c crc32.exe 32\sppwmi.dll
                                                                                        5⤵
                                                                                          PID:1868
                                                                                          • C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\crc32.exe
                                                                                            crc32.exe 32\sppwmi.dll
                                                                                            6⤵
                                                                                            • Executes dropped EXE
                                                                                            • Suspicious behavior: CmdExeWriteProcessMemorySpam
                                                                                            PID:1164
                                                                                        • C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\bump.exe
                                                                                          bump -s:x89:x45:x10:x85:xC0:x7C:x66 -r:xC7:x45:x10:x01:x00:x00:x00 -o 32\sppwmi.dll
                                                                                          5⤵
                                                                                          • Executes dropped EXE
                                                                                          • System Location Discovery: System Language Discovery
                                                                                          • Suspicious behavior: CmdExeWriteProcessMemorySpam
                                                                                          PID:2128
                                                                                        • C:\Windows\system32\find.exe
                                                                                          FIND "changed"
                                                                                          5⤵
                                                                                            PID:744
                                                                                          • C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\bump.exe
                                                                                            bump -s:x8B:x41:x10:x83:xE8:x00 -r:x2B:xC0:x40:x90:x90:x90 -o 32\sppwmi.dll
                                                                                            5⤵
                                                                                            • Executes dropped EXE
                                                                                            • System Location Discovery: System Language Discovery
                                                                                            • Suspicious behavior: CmdExeWriteProcessMemorySpam
                                                                                            PID:2480
                                                                                          • C:\Windows\system32\find.exe
                                                                                            FIND "changed"
                                                                                            5⤵
                                                                                              PID:952
                                                                                            • C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\bump.exe
                                                                                              bump -s:x7C:x29:x8B:x45:x0C:x8B:x78:x14 -r:x90:x90:x8B:x45:x0C:x2B:xFF:x90 -o 32\sppwmi.dll
                                                                                              5⤵
                                                                                              • Executes dropped EXE
                                                                                              • Suspicious behavior: CmdExeWriteProcessMemorySpam
                                                                                              PID:2288
                                                                                            • C:\Windows\system32\find.exe
                                                                                              FIND "changed"
                                                                                              5⤵
                                                                                                PID:324
                                                                                              • C:\Windows\system32\cmd.exe
                                                                                                C:\Windows\system32\cmd.exe /c crc32.exe 32\sppwmi.dll
                                                                                                5⤵
                                                                                                  PID:304
                                                                                                  • C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\crc32.exe
                                                                                                    crc32.exe 32\sppwmi.dll
                                                                                                    6⤵
                                                                                                    • Executes dropped EXE
                                                                                                    • Suspicious behavior: CmdExeWriteProcessMemorySpam
                                                                                                    PID:560
                                                                                                • C:\Windows\system32\icacls.exe
                                                                                                  ICACLS "C:\Windows\System32\user32.dll" /save "C:\ProgramData\Microsoft\Windows\Pending\user32.dll.acl"
                                                                                                  5⤵
                                                                                                  • Possible privilege escalation attempt
                                                                                                  • Modifies file permissions
                                                                                                  PID:1152
                                                                                                • C:\Windows\system32\cmd.exe
                                                                                                  C:\Windows\system32\cmd.exe /c crc32.exe 64\user32.dll
                                                                                                  5⤵
                                                                                                    PID:632
                                                                                                    • C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\crc32.exe
                                                                                                      crc32.exe 64\user32.dll
                                                                                                      6⤵
                                                                                                      • Executes dropped EXE
                                                                                                      • Suspicious behavior: CmdExeWriteProcessMemorySpam
                                                                                                      PID:1268
                                                                                                  • C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\bump.exe
                                                                                                    bump -s:xE9:xBA:xCC -r:xE9:xBA:xE9 -o 64\user32.dll
                                                                                                    5⤵
                                                                                                    • Executes dropped EXE
                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                    • Suspicious behavior: CmdExeWriteProcessMemorySpam
                                                                                                    PID:1988
                                                                                                  • C:\Windows\system32\find.exe
                                                                                                    FIND "changed"
                                                                                                    5⤵
                                                                                                      PID:1064
                                                                                                    • C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\bump.exe
                                                                                                      bump -s:xE9:xBA:xE3 -r:xE9:xBA:xE9 -o 64\user32.dll
                                                                                                      5⤵
                                                                                                      • Executes dropped EXE
                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                      • Suspicious behavior: CmdExeWriteProcessMemorySpam
                                                                                                      PID:1112
                                                                                                    • C:\Windows\system32\find.exe
                                                                                                      FIND "changed"
                                                                                                      5⤵
                                                                                                        PID:2544
                                                                                                      • C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\bump.exe
                                                                                                        bump -s:xBA:xE4:x02 -r:xBA:xE9:x02 -o 64\user32.dll
                                                                                                        5⤵
                                                                                                        • Executes dropped EXE
                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                        • Suspicious behavior: CmdExeWriteProcessMemorySpam
                                                                                                        PID:620
                                                                                                      • C:\Windows\system32\find.exe
                                                                                                        FIND "changed"
                                                                                                        5⤵
                                                                                                          PID:3024
                                                                                                        • C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\bump.exe
                                                                                                          bump -s:xE9:xBA:xE5 -r:xE9:xBA:xE9 -o 64\user32.dll
                                                                                                          5⤵
                                                                                                          • Executes dropped EXE
                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                          • Suspicious behavior: CmdExeWriteProcessMemorySpam
                                                                                                          PID:2532
                                                                                                        • C:\Windows\system32\find.exe
                                                                                                          FIND "changed"
                                                                                                          5⤵
                                                                                                            PID:1568
                                                                                                          • C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\bump.exe
                                                                                                            bump -s:xE9:xBA:xE7 -r:xE9:xBA:xE9 -o 64\user32.dll
                                                                                                            5⤵
                                                                                                            • Executes dropped EXE
                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                            • Suspicious behavior: CmdExeWriteProcessMemorySpam
                                                                                                            PID:1576
                                                                                                          • C:\Windows\system32\find.exe
                                                                                                            FIND "changed"
                                                                                                            5⤵
                                                                                                              PID:1616
                                                                                                            • C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\bump.exe
                                                                                                              bump -s:xE9:xBA:xE6 -r:xE9:xBA:xE9 -o 64\user32.dll
                                                                                                              5⤵
                                                                                                              • Executes dropped EXE
                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                              • Suspicious behavior: CmdExeWriteProcessMemorySpam
                                                                                                              PID:1072
                                                                                                            • C:\Windows\system32\find.exe
                                                                                                              FIND "changed"
                                                                                                              5⤵
                                                                                                                PID:2356
                                                                                                              • C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\bump.exe
                                                                                                                bump -s:xE9:xBA:xE1 -r:xE9:xBA:xE9 -o 64\user32.dll
                                                                                                                5⤵
                                                                                                                • Executes dropped EXE
                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                • Suspicious behavior: CmdExeWriteProcessMemorySpam
                                                                                                                PID:412
                                                                                                              • C:\Windows\system32\find.exe
                                                                                                                FIND "changed"
                                                                                                                5⤵
                                                                                                                  PID:2848
                                                                                                                • C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\bump.exe
                                                                                                                  bump -s:xE9:xBA:xE8 -r:xE9:xBA:xE9 -o 64\user32.dll
                                                                                                                  5⤵
                                                                                                                  • Executes dropped EXE
                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                  • Suspicious behavior: CmdExeWriteProcessMemorySpam
                                                                                                                  PID:2600
                                                                                                                • C:\Windows\system32\find.exe
                                                                                                                  FIND "changed"
                                                                                                                  5⤵
                                                                                                                    PID:2300
                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\bump.exe
                                                                                                                    bump -s:x00:xBA:xCE -r:x00:xBA:xE9 -o 64\user32.dll
                                                                                                                    5⤵
                                                                                                                    • Executes dropped EXE
                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                    • Suspicious behavior: CmdExeWriteProcessMemorySpam
                                                                                                                    PID:2728
                                                                                                                  • C:\Windows\system32\find.exe
                                                                                                                    FIND "changed"
                                                                                                                    5⤵
                                                                                                                      PID:1156
                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\bump.exe
                                                                                                                      bump -s:x20:xBA:xE2 -r:x20:xBA:xE9 -o 64\user32.dll
                                                                                                                      5⤵
                                                                                                                      • Executes dropped EXE
                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                      • Suspicious behavior: CmdExeWriteProcessMemorySpam
                                                                                                                      PID:1584
                                                                                                                    • C:\Windows\system32\find.exe
                                                                                                                      FIND "changed"
                                                                                                                      5⤵
                                                                                                                        PID:2592
                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\bump.exe
                                                                                                                        bump -s:xE9:xBA:xCB -r:xE9:xBA:xE9 -o 64\user32.dll
                                                                                                                        5⤵
                                                                                                                        • Executes dropped EXE
                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                        • Suspicious behavior: CmdExeWriteProcessMemorySpam
                                                                                                                        PID:2624
                                                                                                                      • C:\Windows\system32\find.exe
                                                                                                                        FIND "changed"
                                                                                                                        5⤵
                                                                                                                          PID:2344
                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\bump.exe
                                                                                                                          bump -s:xBA:xCD -r:xBA:xE9 -o 64\user32.dll
                                                                                                                          5⤵
                                                                                                                          • Executes dropped EXE
                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                          • Suspicious behavior: CmdExeWriteProcessMemorySpam
                                                                                                                          PID:2260
                                                                                                                        • C:\Windows\system32\find.exe
                                                                                                                          FIND "changed"
                                                                                                                          5⤵
                                                                                                                            PID:1124
                                                                                                                          • C:\Windows\system32\cmd.exe
                                                                                                                            C:\Windows\system32\cmd.exe /c crc32.exe 64\user32.dll
                                                                                                                            5⤵
                                                                                                                              PID:2652
                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\crc32.exe
                                                                                                                                crc32.exe 64\user32.dll
                                                                                                                                6⤵
                                                                                                                                • Executes dropped EXE
                                                                                                                                • Suspicious behavior: CmdExeWriteProcessMemorySpam
                                                                                                                                PID:2884
                                                                                                                            • C:\Windows\system32\takeown.exe
                                                                                                                              TAKEOWN /F "C:\Windows\System32\user32.dll"
                                                                                                                              5⤵
                                                                                                                              • Possible privilege escalation attempt
                                                                                                                              • Modifies file permissions
                                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                                              PID:1996
                                                                                                                            • C:\Windows\system32\icacls.exe
                                                                                                                              ICACLS "C:\Windows\System32\user32.dll" /GRANT *S-1-1-0:F
                                                                                                                              5⤵
                                                                                                                              • Possible privilege escalation attempt
                                                                                                                              • Modifies file permissions
                                                                                                                              PID:1724
                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\flick.exe
                                                                                                                              flick.exe /h /q /c /m /r "C:\ProgramData\Microsoft\Windows\Pending\4151.lck" "C:\Windows\System32\user32.dll"
                                                                                                                              5⤵
                                                                                                                              • Executes dropped EXE
                                                                                                                              • Loads dropped DLL
                                                                                                                              • Drops file in System32 directory
                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                              • Suspicious behavior: CmdExeWriteProcessMemorySpam
                                                                                                                              PID:2468
                                                                                                                            • C:\Windows\system32\icacls.exe
                                                                                                                              ICACLS "C:\Windows\System32" /restore "C:\ProgramData\Microsoft\Windows\Pending\user32.dll.acl"
                                                                                                                              5⤵
                                                                                                                              • Possible privilege escalation attempt
                                                                                                                              • Modifies file permissions
                                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                                              PID:2328
                                                                                                                            • C:\Windows\system32\icacls.exe
                                                                                                                              ICACLS "C:\Windows\System32\systemcpl.dll" /save "C:\ProgramData\Microsoft\Windows\Pending\systemcpl.dll.acl"
                                                                                                                              5⤵
                                                                                                                              • Possible privilege escalation attempt
                                                                                                                              • Modifies file permissions
                                                                                                                              PID:2940
                                                                                                                            • C:\Windows\system32\cmd.exe
                                                                                                                              C:\Windows\system32\cmd.exe /c crc32.exe 64\systemcpl.dll
                                                                                                                              5⤵
                                                                                                                              • Loads dropped DLL
                                                                                                                              PID:1520
                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\crc32.exe
                                                                                                                                crc32.exe 64\systemcpl.dll
                                                                                                                                6⤵
                                                                                                                                • Executes dropped EXE
                                                                                                                                • Loads dropped DLL
                                                                                                                                • Suspicious behavior: CmdExeWriteProcessMemorySpam
                                                                                                                                PID:2844
                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\bump.exe
                                                                                                                              bump -s:x0F:x84:xFD -r:x90:xE9:xFD -o 64\systemcpl.dll
                                                                                                                              5⤵
                                                                                                                              • Executes dropped EXE
                                                                                                                              • Loads dropped DLL
                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                              • Suspicious behavior: CmdExeWriteProcessMemorySpam
                                                                                                                              PID:2660
                                                                                                                            • C:\Windows\system32\find.exe
                                                                                                                              FIND "changed"
                                                                                                                              5⤵
                                                                                                                              • Loads dropped DLL
                                                                                                                              PID:2692
                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\bump.exe
                                                                                                                              bump -s:x0F:x84:xAD:x00:x00:x00 -r:x90:x90:x90:x90:x90:x90 -o 64\systemcpl.dll
                                                                                                                              5⤵
                                                                                                                              • Executes dropped EXE
                                                                                                                              • Loads dropped DLL
                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                              • Suspicious behavior: CmdExeWriteProcessMemorySpam
                                                                                                                              PID:2264
                                                                                                                            • C:\Windows\system32\find.exe
                                                                                                                              FIND "changed"
                                                                                                                              5⤵
                                                                                                                              • Loads dropped DLL
                                                                                                                              PID:2972
                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\bump.exe
                                                                                                                              bump -s:x48:x8D:x0D:x93:xAE:xFF:xFF -r:x90:x90:x90:x90:x90:x90:x90 -o 64\systemcpl.dll
                                                                                                                              5⤵
                                                                                                                              • Executes dropped EXE
                                                                                                                              • Loads dropped DLL
                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                              • Suspicious behavior: CmdExeWriteProcessMemorySpam
                                                                                                                              PID:3016
                                                                                                                            • C:\Windows\system32\find.exe
                                                                                                                              FIND "changed"
                                                                                                                              5⤵
                                                                                                                              • Loads dropped DLL
                                                                                                                              PID:2580
                                                                                                                            • C:\Windows\system32\cmd.exe
                                                                                                                              C:\Windows\system32\cmd.exe /c crc32.exe 64\systemcpl.dll
                                                                                                                              5⤵
                                                                                                                              • Loads dropped DLL
                                                                                                                              PID:816
                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\crc32.exe
                                                                                                                                crc32.exe 64\systemcpl.dll
                                                                                                                                6⤵
                                                                                                                                • Executes dropped EXE
                                                                                                                                • Loads dropped DLL
                                                                                                                                • Suspicious behavior: CmdExeWriteProcessMemorySpam
                                                                                                                                PID:1676
                                                                                                                            • C:\Windows\system32\takeown.exe
                                                                                                                              TAKEOWN /F "C:\Windows\System32\systemcpl.dll"
                                                                                                                              5⤵
                                                                                                                              • Possible privilege escalation attempt
                                                                                                                              • Loads dropped DLL
                                                                                                                              • Modifies file permissions
                                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                                              PID:756
                                                                                                                            • C:\Windows\system32\icacls.exe
                                                                                                                              ICACLS "C:\Windows\System32\systemcpl.dll" /GRANT *S-1-1-0:F
                                                                                                                              5⤵
                                                                                                                              • Possible privilege escalation attempt
                                                                                                                              • Modifies file permissions
                                                                                                                              PID:1080
                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\flick.exe
                                                                                                                              flick.exe /h /q /c /m /r "C:\ProgramData\Microsoft\Windows\Pending\28129.lck" "C:\Windows\System32\systemcpl.dll"
                                                                                                                              5⤵
                                                                                                                              • Executes dropped EXE
                                                                                                                              • Loads dropped DLL
                                                                                                                              • Drops file in System32 directory
                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                              • Suspicious behavior: CmdExeWriteProcessMemorySpam
                                                                                                                              PID:2564
                                                                                                                            • C:\Windows\system32\icacls.exe
                                                                                                                              ICACLS "C:\Windows\System32" /restore "C:\ProgramData\Microsoft\Windows\Pending\systemcpl.dll.acl"
                                                                                                                              5⤵
                                                                                                                              • Possible privilege escalation attempt
                                                                                                                              • Modifies file permissions
                                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                                              PID:3068
                                                                                                                            • C:\Windows\system32\icacls.exe
                                                                                                                              ICACLS "C:\Windows\System32\slui.exe" /save "C:\ProgramData\Microsoft\Windows\Pending\slui.exe.acl"
                                                                                                                              5⤵
                                                                                                                              • Possible privilege escalation attempt
                                                                                                                              • Modifies file permissions
                                                                                                                              PID:2148
                                                                                                                            • C:\Windows\system32\cmd.exe
                                                                                                                              C:\Windows\system32\cmd.exe /c crc32.exe 64\slui.exe
                                                                                                                              5⤵
                                                                                                                              • Loads dropped DLL
                                                                                                                              PID:2800
                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\crc32.exe
                                                                                                                                crc32.exe 64\slui.exe
                                                                                                                                6⤵
                                                                                                                                • Executes dropped EXE
                                                                                                                                • Loads dropped DLL
                                                                                                                                • Suspicious behavior: CmdExeWriteProcessMemorySpam
                                                                                                                                PID:2388
                                                                                                                            • C:\Windows\system32\cmd.exe
                                                                                                                              C:\Windows\system32\cmd.exe /c crc32.exe 64\slui.exe
                                                                                                                              5⤵
                                                                                                                              • Loads dropped DLL
                                                                                                                              PID:796
                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\crc32.exe
                                                                                                                                crc32.exe 64\slui.exe
                                                                                                                                6⤵
                                                                                                                                • Executes dropped EXE
                                                                                                                                • Loads dropped DLL
                                                                                                                                • Suspicious behavior: CmdExeWriteProcessMemorySpam
                                                                                                                                PID:812
                                                                                                                            • C:\Windows\system32\takeown.exe
                                                                                                                              TAKEOWN /F "C:\Windows\System32\slui.exe"
                                                                                                                              5⤵
                                                                                                                              • Possible privilege escalation attempt
                                                                                                                              • Loads dropped DLL
                                                                                                                              • Modifies file permissions
                                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                                              PID:1164
                                                                                                                            • C:\Windows\system32\icacls.exe
                                                                                                                              ICACLS "C:\Windows\System32\slui.exe" /GRANT *S-1-1-0:F
                                                                                                                              5⤵
                                                                                                                              • Possible privilege escalation attempt
                                                                                                                              • Modifies file permissions
                                                                                                                              PID:3056
                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\flick.exe
                                                                                                                              flick.exe /h /q /c /m /r "C:\ProgramData\Microsoft\Windows\Pending\8495.lck" "C:\Windows\System32\slui.exe"
                                                                                                                              5⤵
                                                                                                                              • Executes dropped EXE
                                                                                                                              • Loads dropped DLL
                                                                                                                              • Suspicious behavior: CmdExeWriteProcessMemorySpam
                                                                                                                              PID:980
                                                                                                                            • C:\Windows\system32\icacls.exe
                                                                                                                              ICACLS "C:\Windows\System32" /restore "C:\ProgramData\Microsoft\Windows\Pending\slui.exe.acl"
                                                                                                                              5⤵
                                                                                                                              • Possible privilege escalation attempt
                                                                                                                              • Modifies file permissions
                                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                                              PID:1252
                                                                                                                            • C:\Windows\system32\icacls.exe
                                                                                                                              ICACLS "C:\Windows\System32\sppcommdlg.dll" /save "C:\ProgramData\Microsoft\Windows\Pending\sppcommdlg.dll.acl"
                                                                                                                              5⤵
                                                                                                                              • Possible privilege escalation attempt
                                                                                                                              • Modifies file permissions
                                                                                                                              PID:2244
                                                                                                                            • C:\Windows\system32\cmd.exe
                                                                                                                              C:\Windows\system32\cmd.exe /c crc32.exe 64\sppcommdlg.dll
                                                                                                                              5⤵
                                                                                                                              • Loads dropped DLL
                                                                                                                              PID:2292
                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\crc32.exe
                                                                                                                                crc32.exe 64\sppcommdlg.dll
                                                                                                                                6⤵
                                                                                                                                • Executes dropped EXE
                                                                                                                                • Loads dropped DLL
                                                                                                                                • Suspicious behavior: CmdExeWriteProcessMemorySpam
                                                                                                                                PID:560
                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\bump.exe
                                                                                                                              bump -s:xFE:x4E:x75 -r:xFE:x4E:xEB -o 64\sppcommdlg.dll
                                                                                                                              5⤵
                                                                                                                              • Executes dropped EXE
                                                                                                                              • Loads dropped DLL
                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                              • Suspicious behavior: CmdExeWriteProcessMemorySpam
                                                                                                                              PID:1672
                                                                                                                            • C:\Windows\system32\find.exe
                                                                                                                              FIND "changed"
                                                                                                                              5⤵
                                                                                                                              • Loads dropped DLL
                                                                                                                              PID:1756
                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\bump.exe
                                                                                                                              bump -s:x4A:x7A -r:x4A:x65 -o 64\sppcommdlg.dll
                                                                                                                              5⤵
                                                                                                                              • Executes dropped EXE
                                                                                                                              • Loads dropped DLL
                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                              • Suspicious behavior: CmdExeWriteProcessMemorySpam
                                                                                                                              PID:2096
                                                                                                                            • C:\Windows\system32\find.exe
                                                                                                                              FIND "changed"
                                                                                                                              5⤵
                                                                                                                              • Loads dropped DLL
                                                                                                                              PID:1456
                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\bump.exe
                                                                                                                              bump -s:x41:xB8:x2E -r:x41:xB8:x2C -o 64\sppcommdlg.dll
                                                                                                                              5⤵
                                                                                                                              • Executes dropped EXE
                                                                                                                              • Loads dropped DLL
                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                              • Suspicious behavior: CmdExeWriteProcessMemorySpam
                                                                                                                              PID:2068
                                                                                                                            • C:\Windows\system32\find.exe
                                                                                                                              FIND "changed"
                                                                                                                              5⤵
                                                                                                                              • Loads dropped DLL
                                                                                                                              PID:1580
                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\bump.exe
                                                                                                                              bump -s:xE8:x1A:x7E -r:xE8:x46:x91 -o 64\sppcommdlg.dll
                                                                                                                              5⤵
                                                                                                                              • Executes dropped EXE
                                                                                                                              • Loads dropped DLL
                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                              • Suspicious behavior: CmdExeWriteProcessMemorySpam
                                                                                                                              PID:1864
                                                                                                                            • C:\Windows\system32\find.exe
                                                                                                                              FIND "changed"
                                                                                                                              5⤵
                                                                                                                              • Loads dropped DLL
                                                                                                                              PID:1320
                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\bump.exe
                                                                                                                              bump -s:x8D:x4A:x7C -r:x8D:x4A:x65 -o 64\sppcommdlg.dll
                                                                                                                              5⤵
                                                                                                                              • Executes dropped EXE
                                                                                                                              • Loads dropped DLL
                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                              • Suspicious behavior: CmdExeWriteProcessMemorySpam
                                                                                                                              PID:1280
                                                                                                                            • C:\Windows\system32\find.exe
                                                                                                                              FIND "changed"
                                                                                                                              5⤵
                                                                                                                              • Loads dropped DLL
                                                                                                                              PID:356
                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\bump.exe
                                                                                                                              bump -s:xB8:x39 -r:xB8:x2C -o 64\sppcommdlg.dll
                                                                                                                              5⤵
                                                                                                                              • Executes dropped EXE
                                                                                                                              • Loads dropped DLL
                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                              • Suspicious behavior: CmdExeWriteProcessMemorySpam
                                                                                                                              PID:2532
                                                                                                                            • C:\Windows\system32\find.exe
                                                                                                                              FIND "changed"
                                                                                                                              5⤵
                                                                                                                              • Loads dropped DLL
                                                                                                                              PID:2032
                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\bump.exe
                                                                                                                              bump -s:xC7:x7D -r:xF3:x90 -o 64\sppcommdlg.dll
                                                                                                                              5⤵
                                                                                                                              • Executes dropped EXE
                                                                                                                              • Loads dropped DLL
                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                              • Suspicious behavior: CmdExeWriteProcessMemorySpam
                                                                                                                              PID:2676
                                                                                                                            • C:\Windows\system32\find.exe
                                                                                                                              FIND "changed"
                                                                                                                              5⤵
                                                                                                                              • Loads dropped DLL
                                                                                                                              PID:1760
                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\bump.exe
                                                                                                                              bump -s:x4C:x8B:x44:x24:x60:x4C:x8D:x4C:x24:x48:x8B:xD6:x48:x8B:xCB:xE8:x37:xFA:xFF:xFF -r:x90:x90:x90:x90:x90:x90:x90:x90:x90:x90:x90:x90:x90:x90:x90:x90:x90:x90:x90:x90 -o 64\sppcommdlg.dll
                                                                                                                              5⤵
                                                                                                                              • Executes dropped EXE
                                                                                                                              • Loads dropped DLL
                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                              • Suspicious behavior: CmdExeWriteProcessMemorySpam
                                                                                                                              PID:2356
                                                                                                                            • C:\Windows\system32\find.exe
                                                                                                                              FIND "changed"
                                                                                                                              5⤵
                                                                                                                              • Loads dropped DLL
                                                                                                                              PID:2820
                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\bump.exe
                                                                                                                              bump -s:xBF:x00:x00:x75 -r:xBF:x00:x00:xEB -o 64\sppcommdlg.dll
                                                                                                                              5⤵
                                                                                                                              • Executes dropped EXE
                                                                                                                              • Loads dropped DLL
                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                              • Suspicious behavior: CmdExeWriteProcessMemorySpam
                                                                                                                              PID:2724
                                                                                                                            • C:\Windows\system32\find.exe
                                                                                                                              FIND "changed"
                                                                                                                              5⤵
                                                                                                                              • Loads dropped DLL
                                                                                                                              PID:2632
                                                                                                                            • C:\Windows\system32\cmd.exe
                                                                                                                              C:\Windows\system32\cmd.exe /c crc32.exe 64\sppcommdlg.dll
                                                                                                                              5⤵
                                                                                                                              • Loads dropped DLL
                                                                                                                              PID:2784
                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\crc32.exe
                                                                                                                                crc32.exe 64\sppcommdlg.dll
                                                                                                                                6⤵
                                                                                                                                • Executes dropped EXE
                                                                                                                                • Loads dropped DLL
                                                                                                                                • Suspicious behavior: CmdExeWriteProcessMemorySpam
                                                                                                                                PID:2628
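The bump.exe calls above are in-place byte patches on the extracted 64\sppcommdlg.dll: -s is the byte sequence to find, -r the same-length sequence written over it, -o the file, and the FIND "changed" after each call greps bump's output to learn whether that pattern existed in this build (the crc32.exe runs before and after identify the build). The Python below is an added example written for this report, not the activator's own tool. It reimplements that workflow on a constructed buffer. Two things are assumptions rather than facts read off the page: that bump patches only the first match and prints "changed" when it does, and the require_unique guard, which is this example's own addition and refuses to patch a pattern that occurs more than once (several of the search strings are only two or three bytes long, so a naive replace-all would corrupt a real DLL). The opcode comments assume the bytes fall on an instruction boundary.

```python
# Added example for this report (not bump.exe itself): reimplements the
# bump -s:<bytes> -r:<bytes> -o <file> workflow seen above.  Assumptions:
# only the first match is patched, and the status word "changed" is what the
# sample's FIND "changed" greps for; require_unique is this example's own guard.
import zlib


def parse_spec(spec: str) -> bytes:
    """Parse bump's byte syntax: 'xFE:x4E:x75' -> b'\\xfe\\x4e\\x75'."""
    out = bytearray()
    for tok in spec.split(":"):
        if len(tok) != 3 or tok[0] not in "xX":
            raise ValueError(f"bad byte token {tok!r} in {spec!r}")
        out.append(int(tok[1:], 16))
    return bytes(out)


def bump(data: bytes, search: bytes, replace: bytes, require_unique: bool = True):
    """Overwrite the first occurrence of `search` with `replace` (same length).

    Returns (data, status); status is 'changed', 'not found' or 'ambiguous'.
    """
    if len(search) != len(replace):
        raise ValueError("in-place patch: search and replace must have equal length")
    pos = data.find(search)
    if pos < 0:
        return data, "not found"
    if require_unique and data.find(search, pos + 1) >= 0:
        return data, "ambiguous"  # a 2-3 byte pattern is rarely unique in a real DLL
    return data[:pos] + replace + data[pos + len(search):], "changed"


# Search/replace pairs copied from the bump.exe command lines for 64\sppcommdlg.dll.
# Opcode notes assume the bytes sit on an instruction boundary.
PATCHES = [
    ("xFE:x4E:x75", "xFE:x4E:xEB"),            # 75 (jnz rel8) -> EB (jmp rel8)
    ("x4A:x7A", "x4A:x65"),
    ("x41:xB8:x2E", "x41:xB8:x2C"),
    ("xE8:x1A:x7E", "xE8:x46:x91"),            # if E8 is a call, its rel32 target moves
    ("x8D:x4A:x7C", "x8D:x4A:x65"),
    ("xB8:x39", "xB8:x2C"),
    ("xC7:x7D", "xF3:x90"),
    # reads as x64 argument setup (mov r8,[rsp+60h]; lea r9,[rsp+48h]; mov edx,esi;
    # mov rcx,rbx) plus a call rel32, all replaced by 20 one-byte NOPs
    ("x4C:x8B:x44:x24:x60:x4C:x8D:x4C:x24:x48:x8B:xD6:x48:x8B:xCB:xE8:x37:xFA:xFF:xFF",
     ":".join(["x90"] * 20)),
    ("xBF:x00:x00:x75", "xBF:x00:x00:xEB"),    # another jnz -> jmp
]


def apply_patches(data: bytes, patches):
    """Apply each (search, replace) pair in order; return (data, per-patch status list)."""
    log = []
    for s, r in patches:
        data, status = bump(data, parse_spec(s), parse_spec(r))
        log.append(status)
    return data, log


def crc32_hex(data: bytes) -> str:
    """The same kind of check crc32.exe performs before and after patching."""
    return f"{zlib.crc32(data) & 0xFFFFFFFF:08X}"


# Constructed stand-in for 64\sppcommdlg.dll: filler with three of the targeted
# sequences embedded at known offsets (16, 28 and 56).  Not the real file.
SAMPLE = (b"\x00" * 16
          + b"\xfe\x4e\x75\x10" + b"\xcc" * 8
          + parse_spec(PATCHES[7][0]) + b"\xcc" * 8
          + b"\xbf\x00\x00\x75\x05" + b"\x00" * 16)


def demo():
    """Return (crc before, crc after, status per patch, patched bytes)."""
    before = crc32_hex(SAMPLE)
    patched, log = apply_patches(SAMPLE, PATCHES)
    return before, crc32_hex(patched), log, patched


if __name__ == "__main__":
    before, after, log, _ = demo()
    print("crc32 before:", before, "after:", after)
    for (s, _r), status in zip(PATCHES, log):
        print(f"{status:>9}  {s}")
```

On the constructed buffer only the first, eighth and ninth patterns are present, so the status list mirrors what the chain of FIND "changed" checks would see for a build that matches three of the nine patches; the CRC differs afterwards, which is why the sample recomputes it once patching is done.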
                                                                                                                            • C:\Windows\system32\takeown.exe
                                                                                                                              TAKEOWN /F "C:\Windows\System32\sppcommdlg.dll"
                                                                                                                              5⤵
                                                                                                                              • Possible privilege escalation attempt
                                                                                                                              • Loads dropped DLL
                                                                                                                              • Modifies file permissions
                                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                                              PID:2760
                                                                                                                            • C:\Windows\system32\icacls.exe
                                                                                                                              ICACLS "C:\Windows\System32\sppcommdlg.dll" /GRANT *S-1-1-0:F
                                                                                                                              5⤵
                                                                                                                              • Possible privilege escalation attempt
                                                                                                                              • Modifies file permissions
                                                                                                                              PID:2636
                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\flick.exe
                                                                                                                              flick.exe /h /q /c /m /r "C:\ProgramData\Microsoft\Windows\Pending\28435.lck" "C:\Windows\System32\sppcommdlg.dll"
                                                                                                                              5⤵
                                                                                                                              • Executes dropped EXE
                                                                                                                              • Loads dropped DLL
                                                                                                                              • Drops file in System32 directory
                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                              • Suspicious behavior: CmdExeWriteProcessMemorySpam
                                                                                                                              PID:1292
                                                                                                                            • C:\Windows\system32\icacls.exe
                                                                                                                              ICACLS "C:\Windows\System32" /restore "C:\ProgramData\Microsoft\Windows\Pending\sppcommdlg.dll.acl"
                                                                                                                              5⤵
                                                                                                                              • Possible privilege escalation attempt
                                                                                                                              • Modifies file permissions
                                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                                              PID:1040
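The cycle above (icacls /save, crc32.exe, the bump.exe patches, crc32.exe again, takeown /F, icacls /GRANT *S-1-1-0:F, the flick.exe swap, icacls /restore) is the standard way to overwrite a System32 file that TrustedInstaller owns and then put the original ACL back so the permissions look untouched. As an added hunting example, not part of the sandbox output, the Python below runs that logic over constructed process-creation events copied from the command lines in this section: it flags a takeown followed by an Everyone (S-1-1-0) full-control grant on the same System32 path under one parent process, and records whether an icacls /restore on the containing directory followed. The parent PID 1900 and the benign takeown on a user document are made up, and the PROTECTED_DIRS and EVERYONE_SID constants are this example's own choices.

```python
# Added hunting example for this report, not part of the sandbox output.
# Flags takeown /F followed by icacls /grant to Everyone (S-1-1-0) on the same
# System32 path under one parent process, and records whether the ACL was
# later put back with icacls /restore.
import re
from collections import defaultdict

# Constructed process-creation events modelled on the command lines in this
# section.  Parent PID 1900 and the last (benign) event are made up.
EVENTS = [
    {"pid": 2244, "ppid": 1900, "cmd": r'ICACLS "C:\Windows\System32\sppcommdlg.dll" /save "C:\ProgramData\Microsoft\Windows\Pending\sppcommdlg.dll.acl"'},
    {"pid": 2760, "ppid": 1900, "cmd": r'TAKEOWN /F "C:\Windows\System32\sppcommdlg.dll"'},
    {"pid": 2636, "ppid": 1900, "cmd": r'ICACLS "C:\Windows\System32\sppcommdlg.dll" /GRANT *S-1-1-0:F'},
    {"pid": 1292, "ppid": 1900, "cmd": r'flick.exe /h /q /c /m /r "C:\ProgramData\Microsoft\Windows\Pending\28435.lck" "C:\Windows\System32\sppcommdlg.dll"'},
    {"pid": 1040, "ppid": 1900, "cmd": r'ICACLS "C:\Windows\System32" /restore "C:\ProgramData\Microsoft\Windows\Pending\sppcommdlg.dll.acl"'},
    {"pid": 4000, "ppid": 3000, "cmd": r'TAKEOWN /F "C:\Users\Admin\Documents\report.docx"'},
]

PROTECTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")  # example's own list
EVERYONE_SID = "s-1-1-0"


def tokens(cmd: str):
    """Split a Windows command line, keeping quoted arguments whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmd)]


def classify(ev):
    """Map one event to (stage, target_path), or None if it is not of interest."""
    t = tokens(ev["cmd"])
    if len(t) < 3:
        return None
    prog = t[0].rsplit("\\", 1)[-1].lower()   # works for bare names and full paths
    low = [x.lower() for x in t]
    if prog.startswith("takeown") and "/f" in low:
        i = low.index("/f")
        return ("takeown", t[i + 1]) if i + 1 < len(t) else None
    if prog.startswith("icacls"):
        target = t[1]
        if "/save" in low:
            return "acl_save", target
        if "/restore" in low:
            return "acl_restore", target
        if "/grant" in low:
            grantee = " ".join(low[low.index("/grant") + 1:])
            if EVERYONE_SID in grantee or "everyone" in grantee:
                return "grant_everyone", target
    return None


def in_protected_dir(path: str) -> bool:
    """True for files directly under (or below) one of PROTECTED_DIRS."""
    p = path.lower()
    return any(p.startswith(d + "\\") for d in PROTECTED_DIRS)


def hunt(events):
    """Group classified events by parent and pair each takeown with an Everyone grant."""
    by_parent = defaultdict(list)
    for ev in events:
        c = classify(ev)
        if c:
            by_parent[ev["ppid"]].append((ev["pid"], c[0], c[1]))
    findings = []
    for ppid, steps in by_parent.items():
        owned = {}  # lower-cased path -> pid of the takeown that claimed it
        for pid, stage, path in steps:
            key = path.lower()
            if stage == "takeown" and in_protected_dir(path):
                owned[key] = pid
            elif stage == "grant_everyone" and key in owned:
                restored = any(st == "acl_restore" and key.startswith(p.lower() + "\\")
                               for _, st, p in steps)
                findings.append({"ppid": ppid, "target": path, "takeown_pid": owned[key],
                                 "grant_pid": pid, "acl_restored": restored})
    return findings


if __name__ == "__main__":
    for finding in hunt(EVENTS):
        print(finding)
```

Keying on the parent process is what separates this from ordinary administration: an admin who runs takeown by hand produces one event with no same-parent Everyone grant, whereas the sample's cmd.exe parent issues the whole save/own/grant/replace/restore sequence for each file it touches. The acl_restored flag is worth surfacing because a restored ACL means the file's current permissions will look normal to anyone auditing after the fact.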
                                                                                                                            • C:\Windows\system32\icacls.exe
                                                                                                                              ICACLS "C:\Windows\System32\sppuinotify.dll" /save "C:\ProgramData\Microsoft\Windows\Pending\sppuinotify.dll.acl"
                                                                                                                              5⤵
                                                                                                                              • Possible privilege escalation attempt
                                                                                                                              • Modifies file permissions
                                                                                                                              PID:2168
                                                                                                                            • C:\Windows\system32\cmd.exe
                                                                                                                              C:\Windows\system32\cmd.exe /c crc32.exe 64\sppuinotify.dll
                                                                                                                              5⤵
                                                                                                                              • Loads dropped DLL
                                                                                                                              PID:2772
                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\crc32.exe
                                                                                                                                crc32.exe 64\sppuinotify.dll
                                                                                                                                6⤵
                                                                                                                                • Executes dropped EXE
                                                                                                                                • Loads dropped DLL
                                                                                                                                • Suspicious behavior: CmdExeWriteProcessMemorySpam
                                                                                                                                PID:1608
                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\bump.exe
                                                                                                                              bump -s:x78:x65 -r:xEB:x65 -o 64\sppuinotify.dll
                                                                                                                              5⤵
                                                                                                                              • Executes dropped EXE
                                                                                                                              • Loads dropped DLL
                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                              • Suspicious behavior: CmdExeWriteProcessMemorySpam
                                                                                                                              PID:1996
                                                                                                                            • C:\Windows\system32\find.exe
                                                                                                                              FIND "changed"
                                                                                                                              5⤵
                                                                                                                              • Loads dropped DLL
                                                                                                                              PID:2444
                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\bump.exe
                                                                                                                              bump -s:x83:xBC:x24:xB0:x00:x00:x00:x01:x0F:x95:xC0 -r:x90:x90:x90:x90:x90:x90:x90:x90:x90:x90:x90 -o 64\sppuinotify.dll
                                                                                                                              5⤵
                                                                                                                              • Executes dropped EXE
                                                                                                                              • Loads dropped DLL
                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                              • Suspicious behavior: CmdExeWriteProcessMemorySpam
                                                                                                                              PID:1060
                                                                                                                            • C:\Windows\system32\find.exe
                                                                                                                              FIND "changed"
                                                                                                                              5⤵
                                                                                                                              • Loads dropped DLL
                                                                                                                              PID:2468
                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\bump.exe
                                                                                                                              bump -s:x81:x7F:x1C:x35:xF0:x04:xC0 -r:x3B:xC4:x90:x90:x90:x90:x90 -o 64\sppuinotify.dll
                                                                                                                              5⤵
                                                                                                                              • Loads dropped DLL
                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                              • Suspicious behavior: CmdExeWriteProcessMemorySpam
                                                                                                                              PID:2904
                                                                                                                            • C:\Windows\system32\find.exe
                                                                                                                              FIND "changed"
                                                                                                                              5⤵
                                                                                                                              • Loads dropped DLL
                                                                                                                              PID:2856
                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\bump.exe
                                                                                                                              bump -s:x78:x0B -r:x90:x90 -o 64\sppuinotify.dll
                                                                                                                              5⤵
                                                                                                                              • Loads dropped DLL
                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                              PID:2952
                                                                                                                            • C:\Windows\system32\find.exe
                                                                                                                              FIND "changed"
                                                                                                                              5⤵
                                                                                                                              • Loads dropped DLL
                                                                                                                              PID:1520
                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\bump.exe
                                                                                                                              bump -s:x39:x7C:x24:x58:x0F:x94:xC0 -r:x40:x90:x90:x90:x90:x90:x90 -o 64\sppuinotify.dll
                                                                                                                              5⤵
                                                                                                                              • Loads dropped DLL
                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                              PID:2660
                                                                                                                            • C:\Windows\system32\find.exe
                                                                                                                              FIND "changed"
                                                                                                                              5⤵
                                                                                                                              • Loads dropped DLL
                                                                                                                              PID:1564
                                                                                                                            • C:\Windows\system32\cmd.exe
                                                                                                                              C:\Windows\system32\cmd.exe /c crc32.exe 64\sppuinotify.dll
                                                                                                                              5⤵
                                                                                                                              • Loads dropped DLL
                                                                                                                              PID:2908
                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\crc32.exe
                                                                                                                                crc32.exe 64\sppuinotify.dll
                                                                                                                                6⤵
                                                                                                                                • Loads dropped DLL
                                                                                                                                PID:2896
                                                                                                                            • C:\Windows\system32\takeown.exe
                                                                                                                              TAKEOWN /F "C:\Windows\System32\sppuinotify.dll"
                                                                                                                              5⤵
                                                                                                                              • Possible privilege escalation attempt
                                                                                                                              • Loads dropped DLL
                                                                                                                              • Modifies file permissions
                                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                                              PID:1416
                                                                                                                            • C:\Windows\system32\icacls.exe
                                                                                                                              ICACLS "C:\Windows\System32\sppuinotify.dll" /GRANT *S-1-1-0:F
                                                                                                                              5⤵
                                                                                                                              • Possible privilege escalation attempt
                                                                                                                              • Modifies file permissions
                                                                                                                              PID:1452
                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\flick.exe
                                                                                                                              flick.exe /h /q /c /m /r "C:\ProgramData\Microsoft\Windows\Pending\10221.lck" "C:\Windows\System32\sppuinotify.dll"
                                                                                                                              5⤵
                                                                                                                              • Loads dropped DLL
                                                                                                                              PID:1168
                                                                                                                            • C:\Windows\system32\icacls.exe
                                                                                                                              ICACLS "C:\Windows\System32" /restore "C:\ProgramData\Microsoft\Windows\Pending\sppuinotify.dll.acl"
                                                                                                                              5⤵
                                                                                                                              • Possible privilege escalation attempt
                                                                                                                              • Modifies file permissions
                                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                                              PID:1880
                                                                                                                            • C:\Windows\system32\icacls.exe
                                                                                                                              ICACLS "C:\Windows\System32\winlogon.exe" /save "C:\ProgramData\Microsoft\Windows\Pending\winlogon.exe.acl"
                                                                                                                              5⤵
                                                                                                                              • Possible privilege escalation attempt
                                                                                                                              • Modifies file permissions
                                                                                                                              PID:2548
                                                                                                                            • C:\Windows\system32\cmd.exe
                                                                                                                              C:\Windows\system32\cmd.exe /c crc32.exe 64\winlogon.exe
                                                                                                                              5⤵
                                                                                                                              • Loads dropped DLL
                                                                                                                              PID:2408
                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\crc32.exe
                                                                                                                                crc32.exe 64\winlogon.exe
                                                                                                                                6⤵
                                                                                                                                • Loads dropped DLL
                                                                                                                                PID:1792
                                                                                                                            • C:\Windows\system32\cmd.exe
                                                                                                                              C:\Windows\system32\cmd.exe /c crc32.exe 64\winlogon.exe
                                                                                                                              5⤵
                                                                                                                              • Loads dropped DLL
                                                                                                                              PID:2212
                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\crc32.exe
                                                                                                                                crc32.exe 64\winlogon.exe
                                                                                                                                6⤵
                                                                                                                                • Loads dropped DLL
                                                                                                                                PID:2156
                                                                                                                            • C:\Windows\system32\takeown.exe
                                                                                                                              TAKEOWN /F "C:\Windows\System32\winlogon.exe"
                                                                                                                              5⤵
                                                                                                                              • Possible privilege escalation attempt
                                                                                                                              • Loads dropped DLL
                                                                                                                              • Modifies file permissions
                                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                                              PID:2144
                                                                                                                            • C:\Windows\system32\icacls.exe
                                                                                                                              ICACLS "C:\Windows\System32\winlogon.exe" /GRANT *S-1-1-0:F
                                                                                                                              5⤵
                                                                                                                              • Possible privilege escalation attempt
                                                                                                                              • Modifies file permissions
                                                                                                                              PID:1900
                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\flick.exe
                                                                                                                              flick.exe /h /q /c /m /r "C:\ProgramData\Microsoft\Windows\Pending\18428.lck" "C:\Windows\System32\winlogon.exe"
                                                                                                                              5⤵
                                                                                                                               PID:2304
                                                                                                                             • C:\Windows\system32\icacls.exe
                                                                                                                               ICACLS "C:\Windows\System32" /restore "C:\ProgramData\Microsoft\Windows\Pending\winlogon.exe.acl"
                                                                                                                               5⤵
                                                                                                                               • Possible privilege escalation attempt
                                                                                                                               • Modifies file permissions
                                                                                                                               • Suspicious use of AdjustPrivilegeToken
                                                                                                                               PID:2412
                                                                                                                             • C:\Windows\system32\icacls.exe
                                                                                                                               ICACLS "C:\Windows\System32\winver.exe" /save "C:\ProgramData\Microsoft\Windows\Pending\winver.exe.acl"
                                                                                                                               5⤵
                                                                                                                               • Possible privilege escalation attempt
                                                                                                                               • Modifies file permissions
                                                                                                                               PID:744
                                                                                                                             • C:\Windows\system32\cmd.exe
                                                                                                                               C:\Windows\system32\cmd.exe /c crc32.exe 64\winver.exe
                                                                                                                               5⤵
                                                                                                                               PID:900
                                                                                                                               • C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\crc32.exe
                                                                                                                                 crc32.exe 64\winver.exe
                                                                                                                                 6⤵
                                                                                                                                 PID:1932
                                                                                                                             • C:\Windows\system32\cmd.exe
                                                                                                                               C:\Windows\system32\cmd.exe /c crc32.exe 64\winver.exe
                                                                                                                               5⤵
                                                                                                                               PID:1464
                                                                                                                               • C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\crc32.exe
                                                                                                                                 crc32.exe 64\winver.exe
                                                                                                                                 6⤵
                                                                                                                                 PID:2492
                                                                                                                             • C:\Windows\system32\takeown.exe
                                                                                                                               TAKEOWN /F "C:\Windows\System32\winver.exe"
                                                                                                                               5⤵
                                                                                                                               • Possible privilege escalation attempt
                                                                                                                               • Modifies file permissions
                                                                                                                               • Suspicious use of AdjustPrivilegeToken
                                                                                                                               PID:2288
                                                                                                                             • C:\Windows\system32\icacls.exe
                                                                                                                               ICACLS "C:\Windows\System32\winver.exe" /GRANT *S-1-1-0:F
                                                                                                                               5⤵
                                                                                                                               • Possible privilege escalation attempt
                                                                                                                               • Modifies file permissions
                                                                                                                               PID:2404
                                                                                                                             • C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\flick.exe
                                                                                                                               flick.exe /h /q /c /m /r "C:\ProgramData\Microsoft\Windows\Pending\12651.lck" "C:\Windows\System32\winver.exe"
                                                                                                                               5⤵
                                                                                                                               • Drops file in System32 directory
                                                                                                                               • System Location Discovery: System Language Discovery
                                                                                                                               PID:2508
                                                                                                                             • C:\Windows\system32\icacls.exe
                                                                                                                               ICACLS "C:\Windows\System32" /restore "C:\ProgramData\Microsoft\Windows\Pending\winver.exe.acl"
                                                                                                                               5⤵
                                                                                                                               • Possible privilege escalation attempt
                                                                                                                               • Modifies file permissions
                                                                                                                               • Suspicious use of AdjustPrivilegeToken
                                                                                                                               PID:2052
                                                                                                                             • C:\Windows\system32\icacls.exe
                                                                                                                               ICACLS "C:\Windows\SysWOW64\winver.exe" /save "C:\ProgramData\Microsoft\Windows\Pending\winver.exe.acl"
                                                                                                                               5⤵
                                                                                                                               • Possible privilege escalation attempt
                                                                                                                               • Modifies file permissions
                                                                                                                               PID:2332
                                                                                                                             • C:\Windows\system32\cmd.exe
                                                                                                                               C:\Windows\system32\cmd.exe /c crc32.exe 32\winver.exe
                                                                                                                                        5⤵
                                                                                                                                          PID:2068
                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\crc32.exe
                                                                                                                                            crc32.exe 32\winver.exe
                                                                                                                                            6⤵
                                                                                                                                              PID:1580
                                                                                                                                          • C:\Windows\system32\cmd.exe
                                                                                                                                            C:\Windows\system32\cmd.exe /c crc32.exe 32\winver.exe
                                                                                                                                            5⤵
                                                                                                                                              PID:1308
                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\crc32.exe
                                                                                                                                                crc32.exe 32\winver.exe
                                                                                                                                                6⤵
                                                                                                                                                  PID:1864
                                                                                                                                              • C:\Windows\system32\takeown.exe
                                                                                                                                                TAKEOWN /F "C:\Windows\SysWOW64\winver.exe"
                                                                                                                                                5⤵
                                                                                                                                                • Possible privilege escalation attempt
                                                                                                                                                • Modifies file permissions
                                                                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                PID:1396
                                                                                                                                              • C:\Windows\system32\icacls.exe
                                                                                                                                                ICACLS "C:\Windows\SysWOW64\winver.exe" /GRANT *S-1-1-0:F
                                                                                                                                                5⤵
                                                                                                                                                • Possible privilege escalation attempt
                                                                                                                                                • Modifies file permissions
                                                                                                                                                PID:1712
                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\flick.exe
                                                                                                                                                flick.exe /h /q /c /m /r "C:\ProgramData\Microsoft\Windows\Pending\23544.lck" "C:\Windows\SysWOW64\winver.exe"
                                                                                                                                                5⤵
                                                                                                                                                • Drops file in System32 directory
                                                                                                                                                PID:2520
                                                                                                                                              • C:\Windows\system32\icacls.exe
                                                                                                                                                ICACLS "C:\Windows\SysWOW64" /restore "C:\ProgramData\Microsoft\Windows\Pending\winver.exe.acl"
                                                                                                                                                5⤵
                                                                                                                                                • Possible privilege escalation attempt
                                                                                                                                                • Modifies file permissions
                                                                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                PID:2528
                                                                                                                                              • C:\Windows\system32\sfc.exe
                                                                                                                                                SFC /scanfile="C:\Windows\System32\wlms\wlms.exe"
                                                                                                                                                5⤵
                                                                                                                                                  PID:1616
                                                                                                                                                • C:\Windows\system32\cmd.exe
                                                                                                                                                  C:\Windows\system32\cmd.exe /S /D /c" TYPE "C:\Users\Admin\AppData\Local\Temp\chewlog.txt""
                                                                                                                                                  5⤵
                                                                                                                                                    PID:628
                                                                                                                                                  • C:\Windows\system32\find.exe
                                                                                                                                                    FIND "FAIL:"
                                                                                                                                                    5⤵
                                                                                                                                                      PID:2684
                                                                                                                                                    • C:\Windows\system32\reg.exe
                                                                                                                                                      REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Chew7 /v CWInstalled /t REG_SZ /d TRUE /f
                                                                                                                                                      5⤵
                                                                                                                                                        PID:2820
                                                                                                                                                      • C:\Windows\system32\reg.exe
                                                                                                                                                        REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v Chew7Hale /d "\"C:\Windows\System32\hale.exe\" /nolog" /f
                                                                                                                                                        5⤵
                                                                                                                                                        • Adds Run key to start application
                                                                                                                                                        • Modifies registry key
                                                                                                                                                        PID:412
                                                                                                                                                      • C:\Windows\system32\reg.exe
                                                                                                                                                        REG QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
                                                                                                                                                        5⤵
                                                                                                                                                        • Modifies registry key
                                                                                                                                                        PID:2724
                                                                                                                                                      • C:\Windows\system32\find.exe
                                                                                                                                                        FIND "c77351"
                                                                                                                                                        5⤵
                                                                                                                                                          PID:2300
                                                                                                                                                        • C:\Windows\system32\reg.exe
                                                                                                                                                          REG QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
                                                                                                                                                          5⤵
                                                                                                                                                          • Modifies registry key
                                                                                                                                                          PID:2728
                                                                                                                                                        • C:\Windows\system32\find.exe
                                                                                                                                                          FIND /I "/C START /MIN RD /S /Q"
                                                                                                                                                          5⤵
                                                                                                                                                            PID:1156
                                                                                                                                                          • C:\Windows\system32\reg.exe
                                                                                                                                                            REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce /v "c77351" /d "\"C:\Windows\System32\cmd.exe\" /C START /MIN RD /S /Q \"C:\ProgramData\Microsoft\Windows\Pending\"^&EXIT" /f
                                                                                                                                                            5⤵
                                                                                                                                                            • Adds Run key to start application
                                                                                                                                                            • Modifies registry key
                                                                                                                                                            PID:2612
                                                                                                                                                          • C:\Windows\system32\taskkill.exe
                                                                                                                                                            TASKKILL /F /IM explorer.exe
                                                                                                                                                            5⤵
                                                                                                                                                            • Kills process with taskkill
                                                                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                            PID:3000
                                                                                                                                                          • C:\Windows\system32\timeout.exe
                                                                                                                                                            TIMEOUT /T 1e /NOBREAK
                                                                                                                                                            5⤵
                                                                                                                                                            • Delays execution with timeout.exe
                                                                                                                                                            PID:2608
                                                                                                                                                    • C:\Windows\System32\shutdown.exe
                                                                                                                                                      "C:\Windows\System32\shutdown.exe" /r /f /t 0 /d p:2:18
                                                                                                                                                      2⤵
                                                                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                      PID:864
                                                                                                                                                  • C:\Windows\system32\LogonUI.exe
                                                                                                                                                    "LogonUI.exe" /flags:0x0
                                                                                                                                                    1⤵
                                                                                                                                                      PID:2380
                                                                                                                                                    • C:\Windows\system32\LogonUI.exe
                                                                                                                                                      "LogonUI.exe" /flags:0x1
                                                                                                                                                      1⤵
                                                                                                                                                        PID:2984

Network

MITRE ATT&CK Enterprise v15

Downloads


                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\32\sppwmi.dll

                                                                                                                                                        Filesize

                                                                                                                                                        116KB

                                                                                                                                                        MD5

                                                                                                                                                        5f5bb7c391d0e98338bf64b19c81f1ff

                                                                                                                                                        SHA1

                                                                                                                                                        8c275b466c4076d3c6fd9f62cf9e4a9f1342987a

                                                                                                                                                        SHA256

                                                                                                                                                        d8db4892ca7d736b1f51d96d1656ecce2361ee72308e7c2d0c2f9fe8725e464a

                                                                                                                                                        SHA512

                                                                                                                                                        e475a04f6379126f8289ee3360babe53ba62ae0345e51a22239cf8351abeb9b834c4912a69df57c5816a8ff9000bc41eba55121222c654d10b0386bbcac22aa0

                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\64\gsr_0000.tmp

                                                                                                                                                        Filesize

                                                                                                                                                        139KB

                                                                                                                                                        MD5

                                                                                                                                                        d745f0b3bfa805ccf82a6a883dd3e441

                                                                                                                                                        SHA1

                                                                                                                                                        e6807f4e035f25dc649fc9222252546b9d5512ca

                                                                                                                                                        SHA256

                                                                                                                                                        2b5de3ee2b03580f5f09cae530a9f92e6063727405e9906278badec0b6644450

                                                                                                                                                        SHA512

                                                                                                                                                        e6af029017a4ee84ceb724b00009fa18336c581941b4609b8ad011a46286394f22c9e410a08c876add1170b462db6d6504674d35243874cd0df427527c099259

                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\64\gsr_0001.tmp

                                                                                                                                                        Filesize

                                                                                                                                                        410KB

                                                                                                                                                        MD5

                                                                                                                                                        3201181b38256a815b911314c3871a9c

                                                                                                                                                        SHA1

                                                                                                                                                        1adfb13690a8c43f78fa300e2672e62d13febd9d

                                                                                                                                                        SHA256

                                                                                                                                                        c043d077818b2862f959c4c20888e6ef920d9509542f5140de0bc7d5d7beea1f

                                                                                                                                                        SHA512

                                                                                                                                                        882374a99ad570768ddb2426070804bb7765376c126fa9a6c29249f01a24a1b70315fb405a456a09fbaf46de1a630e3984c5d67338f6b5c61fde5a51dc71c8aa

                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\64\gsr_0001.tmp

                                                                                                                                                        Filesize

                                                                                                                                                        373KB

                                                                                                                                                        MD5

                                                                                                                                                        b798f38be4180a30248c9892ea9957e4

                                                                                                                                                        SHA1

                                                                                                                                                        2f31351a29d36dd87cb7463f869d6075588c0142

                                                                                                                                                        SHA256

                                                                                                                                                        c2ac36912654e2e6845c5308693611b754b0440cfb8ea5fc1ac03346fb4d08af

                                                                                                                                                        SHA512

                                                                                                                                                        5e61823127062861f9caa495ec4c4d11e3bf7687d3d2df5450c68faff2e311d369497e2d687e2e78994856b532856c03c84f9d20003ff2186223e2bd4d335796

                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\64\gsr_0001.tmp

                                                                                                                                                        Filesize

                                                                                                                                                        64KB

                                                                                                                                                        MD5

                                                                                                                                                        3540689ec7512dbb54e0a516e3b13467

                                                                                                                                                        SHA1

                                                                                                                                                        6593eb5196196c42dbe77403cafd3ac9559d58fa

                                                                                                                                                        SHA256

                                                                                                                                                        556184133b2d6e2fd37d86e63bfac35932cb95c21ebcb03770977a445ddc0668

                                                                                                                                                        SHA512

                                                                                                                                                        77b04d09889f11c0e94d7412405f5cc24e87d2128c50a73ac1134f589097280b7588b095a141f82a88a6f03e78133a1d89484b53ecfd7cde6f627b1a1a53a4c4

                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\64\slmgr.vbs

                                                                                                                                                        Filesize

                                                                                                                                                        110KB

                                                                                                                                                        MD5

                                                                                                                                                        38482a5013d8ab40df0fb15eae022c57

                                                                                                                                                        SHA1

                                                                                                                                                        5a4a7f261307721656c11b5cc097cde1cf791073

                                                                                                                                                        SHA256

                                                                                                                                                        ac5c46b97345465a96e9ae1edaff44b191a39bf3d03dc1128090b8ffa92a16f8

                                                                                                                                                        SHA512

                                                                                                                                                        29c1348014ac448fb9c1a72bfd0ab16cdd62b628dc64827b02965b96ba851e9265c4426007181d2aa08f8fb7853142cc01fc6e4d89bec8fc25f3d340d3857331

                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\64\slwga.dll

                                                                                                                                                        Filesize

                                                                                                                                                        15KB

                                                                                                                                                        MD5

                                                                                                                                                        b6d6886149573278cba6abd44c4317f5

                                                                                                                                                        SHA1

                                                                                                                                                        2b309f9046bd884b63ecb418fe3ae56c2c82dd6f

                                                                                                                                                        SHA256

                                                                                                                                                        273c05c8504ca050fe6c50b50d15f32064ec6672ae85cde038976027ca4b14d3

                                                                                                                                                        SHA512

                                                                                                                                                        56352f53e5c88d9c22188480a5cf4d744857774f56e08b53898cda00a235a6be9b3134dc5b58ae2531b06664f6f09c3ec242e227b3dd2235299290805428ff40

                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\64\slwga.dll

                                                                                                                                                        Filesize

                                                                                                                                                        15KB

                                                                                                                                                        MD5

                                                                                                                                                        7edc3c01ffe76fbe4f88ed6cf7e93d2a

                                                                                                                                                        SHA1

                                                                                                                                                        28f447f52c3601f5771d1d6af8177acc5d18dfc4

                                                                                                                                                        SHA256

                                                                                                                                                        a55cf293afe484a4831bf1921bf8a8a60f27cb83f7b5660859f48cb5fe64dbb7

                                                                                                                                                        SHA512

                                                                                                                                                        003a1531aa00623db7bc17a4b5aeff66255c427b1b7f2577ac6893336395807e8c06dc61fafb5bab187999f71d807ab5beacd1ebdd4690a1a32b54e15c84dfe8

                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\64\sppwmi.dll

                                                                                                                                                        Filesize

                                                                                                                                                        139KB

                                                                                                                                                        MD5

                                                                                                                                                        85eebb24b18781a3d4a8558d8c294a6e

                                                                                                                                                        SHA1

                                                                                                                                                        03a6659983cf14e9b2334df9fd32e49079998364

                                                                                                                                                        SHA256

                                                                                                                                                        85d17a0a081907c2c5c0eb856a8639704af47bb7bba508101b3a1c23f742a885

                                                                                                                                                        SHA512

                                                                                                                                                        4fc93cd158891b356eca4b2e719fb825e0aa0b55d705bfddbcad256727a3099c8cc79e4292656b57364f2495b0937241715946b815c4bf61bfd00f6df65b956b

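Two things about this dropped-file listing are easy to miss when reading it by eye: the same path appears several times with different digests (64\gsr_0001.tmp three times, 64\slwga.dll twice, so the dropper overwrote those files during the run and a disk image holds only the last version), and a digest with a dropped or extra character is useless as an indicator. The Python below is an added example, not part of the sandbox report or of the sample's own tooling: it parses entries in this listing's layout (either the label-on-one-line form or `Label: value`), rejects malformed digests, lists paths that were rewritten, and matches a file's computed hashes against the set. The three embedded entries are copied from the listing; `SAMPLE_LISTING`, the function names and the `probe` record used for testing are this example's own assumptions.

```python
import hashlib
from collections import defaultdict

# Digest labels used by the report's dropped-file listing and the hex length
# each must have. A value of the wrong length is a transcription error, not an IOC.
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
LABELS = ("Filesize",) + tuple(HEX_LEN)

# Three entries copied from the listing above (the rest parse the same way).
# SAMPLE_LISTING is this example's own name for the embedded excerpt.
SAMPLE_LISTING = r"""
• C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\64\gsr_0001.tmp
  Filesize: 410KB
  MD5: 3201181b38256a815b911314c3871a9c
  SHA1: 1adfb13690a8c43f78fa300e2672e62d13febd9d
  SHA256: c043d077818b2862f959c4c20888e6ef920d9509542f5140de0bc7d5d7beea1f
  SHA512: 882374a99ad570768ddb2426070804bb7765376c126fa9a6c29249f01a24a1b70315fb405a456a09fbaf46de1a630e3984c5d67338f6b5c61fde5a51dc71c8aa

• C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\64\gsr_0001.tmp
  Filesize: 373KB
  MD5: b798f38be4180a30248c9892ea9957e4
  SHA1: 2f31351a29d36dd87cb7463f869d6075588c0142
  SHA256: c2ac36912654e2e6845c5308693611b754b0440cfb8ea5fc1ac03346fb4d08af
  SHA512: 5e61823127062861f9caa495ec4c4d11e3bf7687d3d2df5450c68faff2e311d369497e2d687e2e78994856b532856c03c84f9d20003ff2186223e2bd4d335796

• C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\arch.cmd
  Filesize: 558B
  MD5: 379f17168f80eb977a0ae103dac9de98
  SHA1: 5cd7f4ec26366e2777fc5d5059009f7872fbb8de
  SHA256: 7257349f727d176425f3854bbb7624ec3ec4422e872fbdd025420e9791f99897
  SHA512: 543b8fa7aa3fc95a01568348f3c0ce22cf804cf4451af38858e0b5e3691f7d9a1ea1bcd51a9e3edd1e9a187224861c9cb49fd23c0e9737ad5a78b2dcf4c89c83
"""


def parse_listing(text):
    """Turn the listing into a list of dicts: {"path": ..., "MD5": ..., ...}.

    Accepts the page layout (label on one line, value on the next, blank lines
    in between) as well as the compact "Label: value" form."""
    entries, current, pending = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("•"):                  # new entry: the dropped file's path
            current = {"path": line[1:].strip()}
            entries.append(current)
            pending = None
        elif current is None:
            continue                              # text before the first bullet
        elif line in LABELS:                      # bare label; value is on a later line
            pending = line
        elif ":" in line and line.split(":", 1)[0] in LABELS:
            label, value = line.split(":", 1)     # "Label: value" on one line
            current[label] = value.strip()
            pending = None
        elif pending is not None:                 # value following a bare label
            current[pending] = line
            pending = None
    return entries


def malformed(entries):
    """(path, label, value) for every digest that is not hex of the expected length."""
    bad = []
    for e in entries:
        for label, n in HEX_LEN.items():
            v = e.get(label)
            if v is not None and not (len(v) == n and all(c in "0123456789abcdefABCDEF" for c in v)):
                bad.append((e["path"], label, v))
    return bad


def rewritten_paths(entries):
    """Paths listed more than once with different content: each version is a
    separate indicator, but only the last one survives on disk."""
    by_path = defaultdict(set)
    for e in entries:
        by_path[e["path"]].add(e.get("SHA256"))
    return sorted(p for p, digests in by_path.items() if len(digests) > 1)


def hash_bytes(data):
    """All four digests of a byte string, lower-case hex, keyed like the listing."""
    return {label: hashlib.new(label.lower(), data).hexdigest() for label in HEX_LEN}


def match(entries, digests):
    """Paths whose listed digests all agree with `digests` (from hash_bytes).
    Every digest an entry carries must match; one disagreement is a miss."""
    hits = []
    for e in entries:
        listed = {k: e[k].lower() for k in HEX_LEN if k in e}
        if listed and all(digests[k] == v for k, v in listed.items()):
            hits.append(e["path"])
    return hits


def scan_file(path, entries):
    """Hash a file recovered from a host and return the listing paths it matches."""
    with open(path, "rb") as f:
        return match(entries, hash_bytes(f.read()))


if __name__ == "__main__":
    entries = parse_listing(SAMPLE_LISTING)
    print(len(entries), "entries; malformed:", malformed(entries))
    print("rewritten during the run:", rewritten_paths(entries))
```

Point `scan_file` at a file pulled from a suspect host and it returns the listing paths whose digests all agree. Because the files under `64\` were overwritten in place, a hit on any one of the listed versions counts; the listing's sizes are rounded to kilobytes, so size is a pre-filter, never a match on its own.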
• C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\arch.cmd
  Filesize: 558B
  MD5: 379f17168f80eb977a0ae103dac9de98
  SHA1: 5cd7f4ec26366e2777fc5d5059009f7872fbb8de
  SHA256: 7257349f727d176425f3854bbb7624ec3ec4422e872fbdd025420e9791f99897
  SHA512: 543b8fa7aa3fc95a01568348f3c0ce22cf804cf4451af38858e0b5e3691f7d9a1ea1bcd51a9e3edd1e9a187224861c9cb49fd23c0e9737ad5a78b2dcf4c89c83

• C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\bump.exe
  Filesize: 19KB
  MD5: 2d9a30606a718bfdb4e5e9b6c2939881
  SHA1: 298b80c781aa4e2cb6fc6f4efac9a565b9b13c82
  SHA256: 1f57f10a0b2c52bb6f89504e047854502e42ebf9f6153a1a4549a55099f98b51
  SHA512: c14e38f2275dcf32d0e3e9ed2f77c4d9ecfa78f03674db06a90420f4802ed2061444074a594e8b9e82272453202be65437cbea959f615d3f743a7aafee0b3d64

• C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\crc32.exe
  Filesize: 3KB
  MD5: 682ac7bb084c88e73d628cdf57dff336
  SHA1: 652fb5d2fd9467f1ebf5bb3ba7a5daee87b62e0f
  SHA256: d9c72a8ceccb6d73dad98ef44495738286286e85102e033fe7f09069bc02fba2
  SHA512: 2c599a1b11f476bb0e1c9bc2b4b30125ebe1e819fbd41c30c10c6770177f2d6ddc4dd91d1ee813a9223e6879accd4fa99dd5a46c8f1723acb7e63b2831e2ae9d

• C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\flick.exe
  Filesize: 38KB
  MD5: 2e2827ba66bfe75bc2fe2d0a02eecc73
  SHA1: 97e85467a9a24a89ab9d2969d5cb7275083c04f2
  SHA256: 4cfa00888b15201bc0ebc133431d55845c807c5e38e85cf910c481ec9f5a66eb
  SHA512: 006500778b6fd25af74cebf47707982b375625f35ea329db9216344943ba8d8bce989130fdda2ac011407e827be0d7fab69fe87dee793cc719e410963bcbf734

• C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\godo.cmd
  Filesize: 1KB
  MD5: 92ce8cbf009cea52544956d2cc6a810f
  SHA1: 1ab78049064fd7b6c4b775c2edf70ec58486c563
  SHA256: 89f1e56537b38e367a79c33d75d3a2913ff249d7623363dc48f373eb1b8b14ad
  SHA512: 4de7c8a79fc7c89dce59ec5071ef214af84d5c9e9a3a82956e13c5e2df0a2759a1413970d47cc156d98134992ff6ce43d4d862840190629fa24eed42f4f6dbc8

• C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\hale.cmd
  Filesize: 423B
  MD5: 6ce66570bfab35a20d280d9833049e97
  SHA1: fc9e4248551156ba80e515e78d3496429754aae2
  SHA256: c755237b5c58134ff21520f7d2d401e5c9ad40d05dc76fe317ffd238ecafecf2
  SHA512: 1870e653f7132e23b9a1c078b6a6931e6bff6682e8da7325eed20ffef800dbc21e71ff28e5447fc871715c07cc4e8986196a637d855550515feac168c72984b3

• C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\hash.cmd
  Filesize: 96B
  MD5: 467b51f35949c5a3f722ba736ce920e4
  SHA1: 525638ae64c3d2e3518c7b1debc661a251b8d285
                                                                                                                                                        525638ae64c3d2e3518c7b1debc661a251b8d285

                                                                                                                                                        SHA256

                                                                                                                                                        6c28fa6bf656b77085b464485fd085d4d6eeb7e3a0ff2dff690dc813b492580c

                                                                                                                                                        SHA512

                                                                                                                                                        93d6c5a3eaaecd4d461654c09d4771217570139d39d0dbd06b1593965c7f4196e94594f8156b50ce58830e0694abf5e0e30d6c2ed63e5f482c5c797f22bc4c59

                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\intv.cmd

                                                                                                                                                        Filesize

                                                                                                                                                        402B

                                                                                                                                                        MD5

                                                                                                                                                        3ab983628da0fd9f8afd497d07f33d76

                                                                                                                                                        SHA1

                                                                                                                                                        1d85342e56d1e5d90a10aeb9bde0232250187169

                                                                                                                                                        SHA256

                                                                                                                                                        97754ba105cd61128ebef8aab5272f669a72b64f44b6d861c8d507c088410a27

                                                                                                                                                        SHA512

                                                                                                                                                        65da3d80645d943d4717e8b340bb9ce3e26f07e63b9db7c1d27f68ddf9f3696ba9e0475301e13e93f841558834e4b8fee5452ef220503fe41d70057c5f55da8e

                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\lhed.cmd

                                                                                                                                                        Filesize

                                                                                                                                                        659B

                                                                                                                                                        MD5

                                                                                                                                                        34670db25d9afd4f3912f77f2e5c7d08

                                                                                                                                                        SHA1

                                                                                                                                                        a59646f18b9a365067f9163f2319e219883334d2

                                                                                                                                                        SHA256

                                                                                                                                                        a4761b5a5f5e6542867ba1caa87676410b7aedccd762826359046167771659ff

                                                                                                                                                        SHA512

                                                                                                                                                        069204ff649adec9a4b5029bf8b99c3cb324da3306f9bd9bb350883576efbda65fea445b5d7a1cb3bdcffa66b11be22415d5def1ecca25af19839a22360d5a29

                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\mtmp.cmd

                                                                                                                                                        Filesize

                                                                                                                                                        106B

                                                                                                                                                        MD5

                                                                                                                                                        02d7ebad35b5624a751243d101a540ce

                                                                                                                                                        SHA1

                                                                                                                                                        4f9f0e0d47c78511ca88776fc86ece16055df66e

                                                                                                                                                        SHA256

                                                                                                                                                        7686c1b97d3f80d042aac35d82b5e5b558a494ae3e0e35de81a47c413d9020ac

                                                                                                                                                        SHA512

                                                                                                                                                        04fc1f935dd996ed1528c9bdf33e783a14a327e4f4477caa1fd5b9312cd3c37792c99b7364e7142284a161fc8c1ff146ca338aea2f1981b27aacf5b95d9e1387

                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\ownc.cmd

                                                                                                                                                        Filesize

                                                                                                                                                        568B

                                                                                                                                                        MD5

                                                                                                                                                        f16f9a87e6a9f18921a30ac379b81995

                                                                                                                                                        SHA1

                                                                                                                                                        3e02237a1b2640138a14d47e2781b8bf8051ad08

                                                                                                                                                        SHA256

                                                                                                                                                        9177bac8288a592264dd90d2c956433a8818f1a34a5d864bd626df3fde0e0cfa

                                                                                                                                                        SHA512

                                                                                                                                                        e60013c4bd894d7426680653653599e335fcfe70a3f5da8b54b443134250853a9755acd3a49aa46ec4b017fe3db403e5c7ddbb4bcfa320825c2067a77fc6760f

                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\plat.cmd

                                                                                                                                                        Filesize

                                                                                                                                                        450B

                                                                                                                                                        MD5

                                                                                                                                                        18e656cb3dd56af78ac3c58c7018145a

                                                                                                                                                        SHA1

                                                                                                                                                        8d6ce19ea492834e65949a7299ebc8e87ff4e484

                                                                                                                                                        SHA256

                                                                                                                                                        a18f490dfe451f8c14eaf07951292cc45318073ddbac65b18831668f48d811b2

                                                                                                                                                        SHA512

                                                                                                                                                        2292eaa0ac027c5b8bb1a5c838d40ace1b723f2962284b26087c52817b2b7db3ef05cbecfe1899d9a2f226292f3bb4409633c9d007facfef8673135b8ae4c148

                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\plog.cmd

                                                                                                                                                        Filesize

                                                                                                                                                        145B

                                                                                                                                                        MD5

                                                                                                                                                        d638644c3bb80f1e98ae06fa85680eb1

                                                                                                                                                        SHA1

                                                                                                                                                        96d95338be3be4a24d999b82d1e00ccfd797614b

                                                                                                                                                        SHA256

                                                                                                                                                        e8a990623424631496704087d29f05300bc5efabb47c94ffe7f6bd46d803b587

                                                                                                                                                        SHA512

                                                                                                                                                        1349049890363c7ff3a5213e063a1dbc898cf8c85933066c34b0d88b33b6b1964751e9b470af504a62898c870f4dfeee9858aadc336c1f33485e81e89ef1de1a

                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\radd.cmd

                                                                                                                                                        Filesize

                                                                                                                                                        113B

                                                                                                                                                        MD5

                                                                                                                                                        0ca0566671854f45d316877cb3b9563b

                                                                                                                                                        SHA1

                                                                                                                                                        75ea44bb67f797281703030b2989e91c2723ddb6

                                                                                                                                                        SHA256

                                                                                                                                                        048e766ffd49a6ea2fe280dc3f949c1173b439b0367137972fb6f8196c6ad8f3

                                                                                                                                                        SHA512

                                                                                                                                                        12c6e3b76dbf2ea7c631a86010f77467e173cd497af0ce2e8f8fe95986ad4558c950928d4a3fe7fe28d82ca4d29f1c79aeddd0096b1792b6b015264b1a70a51f

                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\setv.cmd

                                                                                                                                                        Filesize

                                                                                                                                                        2KB

                                                                                                                                                        MD5

                                                                                                                                                        adbb4c4121d770efc7154f06fe476a42

                                                                                                                                                        SHA1

                                                                                                                                                        2ca33c200eb09e8619936997211d8894dadc3694

                                                                                                                                                        SHA256

                                                                                                                                                        6a8233f58dcdffd51292b753688848198982c5de11945651f165d1174e570372

                                                                                                                                                        SHA512

                                                                                                                                                        380c291625ee88a1a7dca67b6a27d393cdf1fc4a60349f413071f584f86372c420bc46467251147ef766c92349751db1cea594a69b6dd6fc0fb67e0d13630697

                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\tick.cmd

                                                                                                                                                        Filesize

                                                                                                                                                        8KB

                                                                                                                                                        MD5

                                                                                                                                                        d32c42e48ddee14fddd78bae6866cfc2

                                                                                                                                                        SHA1

                                                                                                                                                        350a4c21e021c6fd3393793f22158e5c73deb2c1

                                                                                                                                                        SHA256

                                                                                                                                                        7ba5af7f29496e9c5eb780cd484623ecaf0443299ea9693261516dfb60401266

                                                                                                                                                        SHA512

                                                                                                                                                        615c7f837e1588b709f19570a5a6f43554133df67de950367152230626f303da5cdd0359b888eb3febb80ac1321a91256e1c61d5eb2aabfc3c5ab3c1cfa94996

                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\town.cmd

                                                                                                                                                        Filesize

                                                                                                                                                        309B

                                                                                                                                                        MD5

                                                                                                                                                        574958530816e546394dbc025d8a08eb

                                                                                                                                                        SHA1

                                                                                                                                                        dbdfb40357f60bb6bc4575806f1f924a11302205

                                                                                                                                                        SHA256

                                                                                                                                                        81ebb38c6e13f2b695cc1cf42ff6f6a1a836270325c2b14a76d4ed5d7ee718da

                                                                                                                                                        SHA512

                                                                                                                                                        088c2bb7b8de936bcc9118ce993bda38344556d8bbd2c0737321042751cf3d0edb730c2fb9fe0bb745694205c68fefcc303907bde02a8b58ae15de23f7dc09c1

                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\tran.cmd

                                                                                                                                                        Filesize

                                                                                                                                                        1KB

                                                                                                                                                        MD5

                                                                                                                                                        8ff2a0df0d5a63f3a7061ec919ba6344

                                                                                                                                                        SHA1

                                                                                                                                                        f70cabc248d4ec9849657d39dda784717e355c70

                                                                                                                                                        SHA256

                                                                                                                                                        c0cd5f9fc6d23442bc1b81e9e6efb3e2abbeb744863bbb2106e2dd679bf039d7

                                                                                                                                                        SHA512

                                                                                                                                                        96cb5a166da63e1d8b92f5a205c0c0ef616288d242f7c173f20015dde1d56e6a60e948ad32e5f3242e2fe6ae2e0659cf9e6e999748d7afd3003abd66abe15913

                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\wslmt.dll

                                                                                                                                                        Filesize

                                                                                                                                                        105KB

                                                                                                                                                        MD5

                                                                                                                                                        2ba3a706f9e5b8a30dd84f53b022a8ee

                                                                                                                                                        SHA1

                                                                                                                                                        3aa34c784f16a4f8a5f2b58265f926660b3317f4

                                                                                                                                                        SHA256

                                                                                                                                                        fb4027289553615d5a47f7cb387ed4f5fcc6c4cd5b176a287d00659587550c55

                                                                                                                                                        SHA512

                                                                                                                                                        ff1c0f880cb9dbf0da6f0a479c0638499baea76daf5d97f363470770ec0cc6b6be309203fcbf02c3fc563a3c65ed30d78990266e1e9199d83dc1d0ee1b438eb8

                                                                                                                                                      • C:\Windows\SysWOW64\winver.exe

                                                                                                                                                        Filesize

                                                                                                                                                        1KB

                                                                                                                                                        MD5

                                                                                                                                                        517a63ea2af1a35de43b9677e197d3e2

                                                                                                                                                        SHA1

                                                                                                                                                        75cce1d13e9f008fd18046d49cc4997b65092cde

                                                                                                                                                        SHA256

                                                                                                                                                        7f034a0a09d38bf561cd22b8064b18e0b70970a471c0b3a5517324916802407d

                                                                                                                                                        SHA512

                                                                                                                                                        6f29840690bb456192581e001dcaaf10f3f9b6ca986c3936994ddde1d623129c6dbeecae3a2e26720c20ef8f6ce1662debc04fc06fa17139f8ceb9e34c6b3dea

                                                                                                                                                      • C:\Windows\System32\cwlog.dtl

                                                                                                                                                        Filesize

                                                                                                                                                        72B

                                                                                                                                                        MD5

                                                                                                                                                        c8c5679bef306d697cb41059120db0af

                                                                                                                                                        SHA1

                                                                                                                                                        f96628021383fc9789949802bca3156a38e78e52

                                                                                                                                                        SHA256

                                                                                                                                                        d693f31e544041ab9d914ff177e341013f076e98768cedda2826f67b3a0d18bd

                                                                                                                                                        SHA512

                                                                                                                                                        01fc88fe94f3553b7c0fb25e5e0fea294ee2333aaa0eaaebf42479955babba786a9472da0ff92b22a6bfa3b51a0755a937e5bc4b70357975de6d6371d5e145d0

                                                                                                                                                      • C:\Windows\System32\cwlog.dtl

                                                                                                                                                        Filesize

                                                                                                                                                        138B

                                                                                                                                                        MD5

                                                                                                                                                        c7bea4fbf5891b26260127afb7533ca2

                                                                                                                                                        SHA1

                                                                                                                                                        1e0e98c226fac9e3e876bae454441209c4ba8ab0

                                                                                                                                                        SHA256

                                                                                                                                                        cc0bd093b79708af3c2dad5f57920961c180692dc35f9cb39dde22b69f7d5616

                                                                                                                                                        SHA512

                                                                                                                                                        ac99234b0f353b19c487d122ea53a168ffeddc1a49bf65b05a1582185ba250976df06ff889a8db5ef16fab830c02c3f0526acd47104bf5aa1ddaa87dc143950b

                                                                                                                                                      • C:\Windows\System32\cwlog.dtl

                                                                                                                                                        Filesize

                                                                                                                                                        552B

                                                                                                                                                        MD5

                                                                                                                                                        f2d504a607de292f182d60a5d9e4999e

                                                                                                                                                        SHA1

                                                                                                                                                        91f7994209cb2b60b514066b5d0a42776a395709

                                                                                                                                                        SHA256

                                                                                                                                                        4950dfae742ecab9d8e89be47354abef3acabe5a55ec91187cd572f4a5f15872

                                                                                                                                                        SHA512

                                                                                                                                                        376411b8360dac5282c18d6dfbb66e75f61376b39ba05df970520ecffcf05d9a3ee69c55c4c71300f9877c43f9a7086c68a4eb4921359aa3f3e39940b818e151

                                                                                                                                                      • C:\Windows\System32\cwlog.dtl

                                                                                                                                                        Filesize

                                                                                                                                                        2KB

                                                                                                                                                        MD5

                                                                                                                                                        1c33249d6c150a09afb8087002f52074

                                                                                                                                                        SHA1

                                                                                                                                                        b409fa9092b830bf9c605adabc17bc91f70dcf8c

                                                                                                                                                        SHA256

                                                                                                                                                        c62d520f26c02d8c3dc0cb264fe9094491b83ca7c1c7270872ddf30ee88fb1da

                                                                                                                                                        SHA512

                                                                                                                                                        b7683716d506c4ff9f31c6011c938fa6fc7e749be7d737e903c696b95254b3b65d4a68c9af405da3f03190d371c4e11a6faa95ee53613d3d2bb72541d52d0c8d

                                                                                                                                                      • C:\Windows\System32\cwlog.dtl

                                                                                                                                                        Filesize

                                                                                                                                                        2KB

                                                                                                                                                        MD5

                                                                                                                                                        c8b99ad44da7a89087ce7422d8f8247e

                                                                                                                                                        SHA1

                                                                                                                                                        eec118f0b9097642dd0ba227abca7e128a21b126

                                                                                                                                                        SHA256

                                                                                                                                                        fbb9890f72efcf8ffa8f2d576da522c630b59384a55dd64f279014b8c533c3b1

                                                                                                                                                        SHA512

                                                                                                                                                        439ff954fb44c7e245fffca2312f5ecb1496176f14f6b679fb633d766634ca15507bece3458333eceb43068c7f8852d24ff6c9df880d4243a7b5bed57c9fdecf

                                                                                                                                                      • C:\Windows\System32\cwlog.dtl

                                                                                                                                                        Filesize

                                                                                                                                                        2KB

                                                                                                                                                        MD5

                                                                                                                                                        1bda73b95a26eac4c772151f3c7e6884

                                                                                                                                                        SHA1

                                                                                                                                                        d9fa7a57e47ae338d1967eca06a609264d267080

                                                                                                                                                        SHA256

                                                                                                                                                        9a73ca98fe5393663ccec7a2a6708ba98086d6e363afa056e5fa28bfbc44020b

                                                                                                                                                        SHA512

                                                                                                                                                        ae3daa430e431799d22f15f85fd2686b6bec89b5b5d03c680350ede217562a9434989291a16039a86b40610abf98e7d3f6c66873aeb25232b2718fc4d2748a40

                                                                                                                                                      • C:\Windows\System32\cwlog.dtl

                                                                                                                                                        Filesize

                                                                                                                                                        3KB

                                                                                                                                                        MD5

                                                                                                                                                        c5284c7d2f7b432917d9d4438bc5b36b

                                                                                                                                                        SHA1

                                                                                                                                                        0d512150d3199045efe79afe72da6dde58007dd7

                                                                                                                                                        SHA256

                                                                                                                                                        9c5befb32014629130498d6d634c94f6b075527e9b1e2308b09fbc53baf3eae7

                                                                                                                                                        SHA512

                                                                                                                                                        f21a88d32b22b2517abca0586ea123a1104ae4b3d1d553412602571afa46213068873b5374ac844822ed15bc52ced3bf853321c479e3a92c2bbd475d4415f18e

                                                                                                                                                      • C:\Windows\System32\cwlog.dtl

                                                                                                                                                        Filesize

                                                                                                                                                        3KB

                                                                                                                                                        MD5

                                                                                                                                                        d6ba2d246d194416b3eec380d4a0c83b

                                                                                                                                                        SHA1

                                                                                                                                                        923fd60b4692a031ee2ff88969de7ce7bc210c7c

                                                                                                                                                        SHA256

                                                                                                                                                        9eb3d5d9d91eaeb1fc56d3a36d142515ac629d03d44eec6918232c5a2c5a6d87

                                                                                                                                                        SHA512

                                                                                                                                                        8dcc5dab9d8787cd243d41815d34fd30686355ca2a1a114cee4219a6dbe245392b0c10178d1802e74c15b286fcf6696bfd2e7d0f845633135d84a921b464d91a

                                                                                                                                                      • C:\Windows\System32\cwlog.dtl

                                                                                                                                                        Filesize

                                                                                                                                                        4KB

                                                                                                                                                        MD5

                                                                                                                                                        1720bd5ab05a4a5ca4e4a7d87aa9c295

                                                                                                                                                        SHA1

                                                                                                                                                        925eaaa3eefd25c12c65144a55798e0c90627c4f

                                                                                                                                                        SHA256

                                                                                                                                                        64556f0df4467d77cab8ee411986a8fb911cf4cc05543d5a9d6be57302eb4d9d

                                                                                                                                                        SHA512

                                                                                                                                                        24a497611ff047da753c1ffbe378752b2628cb3e7cdaf858e3683b56d5f6f7a4f343b18f8eadd8eaa17e6535888c76044915086cbd6484de7460c59e8e5762cc

                                                                                                                                                      • C:\Windows\System32\cwlog.dtl

                                                                                                                                                        Filesize

                                                                                                                                                        28B

                                                                                                                                                        MD5

                                                                                                                                                        38c983879e5d98fef44e8e0538fc7c21

                                                                                                                                                        SHA1

                                                                                                                                                        1117731974d46d5a8cc25364e0b05f7e2a3ec11c

                                                                                                                                                        SHA256

                                                                                                                                                        4c447aafb91fce5872a5e2cd1cc86e7557f1765314fa2ed1a7aa0cb98054c81b

                                                                                                                                                        SHA512

                                                                                                                                                        d1a38ca9bad5f24d590e351c0fd59703d8c5508eeca127dca4a1ccc852e4be92ce4add9fa31ca140cd2701498e9f5635f5465958059efe53d90ce80c09c95431

                                                                                                                                                      • C:\Windows\System32\hale.exe

                                                                                                                                                        Filesize

                                                                                                                                                        2.1MB

                                                                                                                                                        MD5

                                                                                                                                                        2469decec0e28cb3c83e7fc47cb4ad12

                                                                                                                                                        SHA1

                                                                                                                                                        6409fce7b0f64b3297346a5c82a632ce61d7fe8a

                                                                                                                                                        SHA256

                                                                                                                                                        e4d7bb65281a62e905eb2e7aef466525a24403079d4579029847d75142b48282

                                                                                                                                                        SHA512

                                                                                                                                                        2a00232f62b13e6678068cbd9ba2621a4157c0a0baa70dc19349623c21fab770b897db003811ef83a27c45fd988d04637baad54c63d22b1c4bcbc08fb208d1eb

                                                                                                                                                      • C:\Windows\System32\slui.exe

                                                                                                                                                        Filesize

                                                                                                                                                        341KB

                                                                                                                                                        MD5

                                                                                                                                                        4a70dc889e9b792b83c68348709d3edd

                                                                                                                                                        SHA1

                                                                                                                                                        826791f1b69bb85b5f6155982e03bccdb7c22eed

                                                                                                                                                        SHA256

                                                                                                                                                        3c18353976d941de594adacf7f868f38f54acf4d93df70c6eb40268c0064a63f

                                                                                                                                                        SHA512

                                                                                                                                                        a9470fe89f63489d224cada645e78a89d9602a0ae794dc5dfbc5d601ccc283976d761dfcb8d137d71960be36b2cab55e44f4566b44035f487b763bc312edae4a

                                                                                                                                                      • C:\Windows\System32\user32.dll

                                                                                                                                                        Filesize

                                                                                                                                                        984KB

                                                                                                                                                        MD5

                                                                                                                                                        d186babdfae7c0d93c9f6ae63957ee96

                                                                                                                                                        SHA1

                                                                                                                                                        3bae058e194bab58eb0da58ac4189f8594294388

                                                                                                                                                        SHA256

                                                                                                                                                        74e5f9e83d89c0bd78dbd2873455ef1c9fdd6110d274c82ed82259fd51acb893

                                                                                                                                                        SHA512

                                                                                                                                                        26c7c2305183079dcd12074f4c405ba37ca60fe507db7d363b11c70b7fe9337bee4dff6a3cb5f58f5d8f025a360627e1285a20e75937527ebd131234b6e04c75

                                                                                                                                                      • C:\Windows\System32\winlogon.exe

                                                                                                                                                        Filesize

                                                                                                                                                        380KB

                                                                                                                                                        MD5

                                                                                                                                                        87a00ed70fec36d0dd968e5058c29aa1

                                                                                                                                                        SHA1

                                                                                                                                                        9d9e8c4f35b0b5d6077d71eb279bb3195c71979b

                                                                                                                                                        SHA256

                                                                                                                                                        c64c7af3688e9557e7b115375c3c3a41fd2e469ff9ac39eb549b3fe9bcba3315

                                                                                                                                                        SHA512

                                                                                                                                                        f5e5c7fe4a4f40e747aeacd12290a9b841486560566a0a70821b39cb60501e88c7acf8427128a02c088a43ccbec609ba09fa84e2b8ac3bb15be4ceae69e7a4a8

                                                                                                                                                      • C:\Windows\System32\winver.exe

                                                                                                                                                        Filesize

                                                                                                                                                        2KB

                                                                                                                                                        MD5

                                                                                                                                                        b6d47606cc11ba2c58f12fe01983f77c

                                                                                                                                                        SHA1

                                                                                                                                                        a7046870240beb9555991020981d398af7ac56e8

                                                                                                                                                        SHA256

                                                                                                                                                        e6746e6f90d311bb769394ea1247f04f669184a08ecb2a8b237aa5185414dc1b

                                                                                                                                                        SHA512

                                                                                                                                                        729962ac9d8cc2bdfc8f1d2f66e9aeddaef819d9d6b6e4aa235196045558c0ff0ffa0925e7e0a1ebf608ee886d58e1dea91fda82456da25ee1fde65547fbee11

                                                                                                                                                      • memory/356-625-0x0000000077940000-0x0000000077A3A000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        1000KB

                                                                                                                                                      • memory/412-437-0x0000000000400000-0x000000000040A000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        40KB

                                                                                                                                                      • memory/620-409-0x0000000000400000-0x000000000040A000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        40KB

                                                                                                                                                      • memory/756-526-0x0000000077940000-0x0000000077A3A000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        1000KB

                                                                                                                                                      • memory/796-557-0x0000000077940000-0x0000000077A3A000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        1000KB

• memory/816-524-0x0000000077940000-0x0000000077A3A000-memory.dmp (Filesize: 1000KB)
• memory/888-326-0x0000000000400000-0x000000000040A000-memory.dmp (Filesize: 40KB)
• memory/1060-701-0x0000000000400000-0x000000000040A000-memory.dmp (Filesize: 40KB)
• memory/1072-430-0x0000000000400000-0x000000000040A000-memory.dmp (Filesize: 40KB)
• memory/1112-402-0x0000000000400000-0x000000000040A000-memory.dmp (Filesize: 40KB)
• memory/1164-559-0x0000000077940000-0x0000000077A3A000-memory.dmp (Filesize: 1000KB)
• memory/1276-275-0x0000000000400000-0x000000000040A000-memory.dmp (Filesize: 40KB)
• memory/1280-624-0x0000000000400000-0x000000000040A000-memory.dmp (Filesize: 40KB)
• memory/1320-617-0x0000000077940000-0x0000000077A3A000-memory.dmp (Filesize: 1000KB)
• memory/1456-601-0x0000000077940000-0x0000000077A3A000-memory.dmp (Filesize: 1000KB)
• memory/1520-718-0x0000000077940000-0x0000000077A3A000-memory.dmp (Filesize: 1000KB)
• memory/1520-499-0x0000000077940000-0x0000000077A3A000-memory.dmp (Filesize: 1000KB)
• memory/1564-726-0x0000000077940000-0x0000000077A3A000-memory.dmp (Filesize: 1000KB)
• memory/1576-423-0x0000000000400000-0x000000000040A000-memory.dmp (Filesize: 40KB)
• memory/1580-609-0x0000000077940000-0x0000000077A3A000-memory.dmp (Filesize: 1000KB)
• memory/1584-458-0x0000000000400000-0x000000000040A000-memory.dmp (Filesize: 40KB)
• memory/1672-592-0x0000000000400000-0x000000000040A000-memory.dmp (Filesize: 40KB)
• memory/1756-593-0x0000000077940000-0x0000000077A3A000-memory.dmp (Filesize: 1000KB)
• memory/1760-641-0x0000000077940000-0x0000000077A3A000-memory.dmp (Filesize: 1000KB)
• memory/1864-615-0x0000000000400000-0x000000000040A000-memory.dmp (Filesize: 40KB)
• memory/1988-395-0x0000000000400000-0x000000000040A000-memory.dmp (Filesize: 40KB)
• memory/1996-693-0x0000000000400000-0x000000000040A000-memory.dmp (Filesize: 40KB)
• memory/2032-633-0x0000000077940000-0x0000000077A3A000-memory.dmp (Filesize: 1000KB)
• memory/2068-608-0x0000000000400000-0x000000000040A000-memory.dmp (Filesize: 40KB)
• memory/2096-600-0x0000000000400000-0x000000000040A000-memory.dmp (Filesize: 40KB)
• memory/2128-358-0x0000000000400000-0x000000000040A000-memory.dmp (Filesize: 40KB)
• memory/2260-472-0x0000000000400000-0x000000000040A000-memory.dmp (Filesize: 40KB)
• memory/2264-514-0x0000000000400000-0x000000000040A000-memory.dmp (Filesize: 40KB)
• memory/2288-374-0x0000000000400000-0x000000000040A000-memory.dmp (Filesize: 40KB)
• memory/2292-585-0x0000000077940000-0x0000000077A3A000-memory.dmp (Filesize: 1000KB)
• memory/2356-648-0x0000000000400000-0x000000000040A000-memory.dmp (Filesize: 40KB)
• memory/2416-332-0x0000000000400000-0x000000000040A000-memory.dmp (Filesize: 40KB)
• memory/2444-694-0x0000000077940000-0x0000000077A3A000-memory.dmp (Filesize: 1000KB)
• memory/2468-702-0x0000000077940000-0x0000000077A3A000-memory.dmp (Filesize: 1000KB)
• memory/2480-368-0x0000000000400000-0x000000000040A000-memory.dmp (Filesize: 40KB)
• memory/2532-632-0x0000000000400000-0x000000000040A000-memory.dmp (Filesize: 40KB)
• memory/2532-416-0x0000000000400000-0x000000000040A000-memory.dmp (Filesize: 40KB)
• memory/2580-523-0x0000000077940000-0x0000000077A3A000-memory.dmp (Filesize: 1000KB)
• memory/2600-444-0x0000000000400000-0x000000000040A000-memory.dmp (Filesize: 40KB)
• memory/2624-465-0x0000000000400000-0x000000000040A000-memory.dmp (Filesize: 40KB)
• memory/2628-234-0x0000000000400000-0x000000000040A000-memory.dmp (Filesize: 40KB)
• memory/2632-657-0x0000000077940000-0x0000000077A3A000-memory.dmp (Filesize: 1000KB)
• memory/2660-506-0x0000000000400000-0x000000000040A000-memory.dmp (Filesize: 40KB)
• memory/2660-725-0x0000000000400000-0x000000000040A000-memory.dmp (Filesize: 40KB)
• memory/2676-640-0x0000000000400000-0x000000000040A000-memory.dmp (Filesize: 40KB)
• memory/2692-507-0x0000000077940000-0x0000000077A3A000-memory.dmp (Filesize: 1000KB)
• memory/2724-656-0x0000000000400000-0x000000000040A000-memory.dmp (Filesize: 40KB)
• memory/2728-451-0x0000000000400000-0x000000000040A000-memory.dmp (Filesize: 40KB)
• memory/2760-660-0x0000000077940000-0x0000000077A3A000-memory.dmp (Filesize: 1000KB)
• memory/2772-686-0x0000000077940000-0x0000000077A3A000-memory.dmp (Filesize: 1000KB)
• memory/2784-658-0x0000000077940000-0x0000000077A3A000-memory.dmp (Filesize: 1000KB)
• memory/2800-552-0x0000000077940000-0x0000000077A3A000-memory.dmp (Filesize: 1000KB)
• memory/2812-14-0x0000000000400000-0x0000000000BB0000-memory.dmp (Filesize: 7.7MB)
• memory/2812-893-0x0000000000400000-0x0000000000BB0000-memory.dmp (Filesize: 7.7MB)
• memory/2820-649-0x0000000077940000-0x0000000077A3A000-memory.dmp (Filesize: 1000KB)
• memory/2856-710-0x0000000077940000-0x0000000077A3A000-memory.dmp (Filesize: 1000KB)
• memory/2876-899-0x000007FEF67A0000-0x000007FEF713D000-memory.dmp (Filesize: 9.6MB)
• memory/2876-6-0x000007FEF6A5E000-0x000007FEF6A5F000-memory.dmp (Filesize: 4KB)
• memory/2876-4-0x000007FEF67A0000-0x000007FEF713D000-memory.dmp (Filesize: 9.6MB)
• memory/2876-897-0x000007FEF67A0000-0x000007FEF713D000-memory.dmp (Filesize: 9.6MB)
• memory/2876-2-0x000007FEF67A0000-0x000007FEF713D000-memory.dmp (Filesize: 9.6MB)
• memory/2876-1-0x000007FEF67A0000-0x000007FEF713D000-memory.dmp (Filesize: 9.6MB)
• memory/2876-5-0x000007FEF67A0000-0x000007FEF713D000-memory.dmp (Filesize: 9.6MB)
• memory/2876-3-0x000007FEF67A0000-0x000007FEF713D000-memory.dmp (Filesize: 9.6MB)
• memory/2876-0-0x000007FEF6A5E000-0x000007FEF6A5F000-memory.dmp (Filesize: 4KB)
• memory/2904-709-0x0000000000400000-0x000000000040A000-memory.dmp (Filesize: 40KB)
• memory/2952-717-0x0000000000400000-0x000000000040A000-memory.dmp (Filesize: 40KB)

                                                                                                                                                      • memory/2972-515-0x0000000077940000-0x0000000077A3A000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        1000KB

                                                                                                                                                      • memory/3016-522-0x0000000000400000-0x000000000040A000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        40KB

                                                                                                                                                      • memory/3036-316-0x0000000000400000-0x000000000040A000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        40KB