a9c2f7d21516a2bdc18e7174dfebf79f9f9ff89f812bb2f0ac8c2a0a2b7fd04e

Resubmissions

11/09/2024, 19:15

240911-xyhb5axgpl 8

11/09/2024, 19:12

240911-xwla1ayblb 8

Analysis

max time kernel
275s
max time network
275s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
11/09/2024, 19:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a9c2f7d21516a2bdc18e7174dfebf79f9f9ff89f812bb2f0ac8c2a0a2b7fd04e.exe
Size

1.0MB
MD5

7c3e5f4c1e0e14f51b6f5a19ba6e1bae
SHA1

73745c924a5f61fe1f9e489bbe6534c5c95c2452
SHA256

a9c2f7d21516a2bdc18e7174dfebf79f9f9ff89f812bb2f0ac8c2a0a2b7fd04e
SHA512

e1416d9005285894b68aec509fd86ee5b8c320f80da3db8fdd8bce708fd0cd8fff2ce1c6fb9017c359b9169421be28a646f8179b78e79387da18c86d1eb56a5b
SSDEEP

24576:yJeo26y1eqAyY6fNC1TvD3v8BsOQRsnbP5u:K92NC1TLz0bPs

Score

8^/10

discovery execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 64 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1104	powershell.exe
624	powershell.exe
3060	powershell.exe
2140	powershell.exe
3724	powershell.exe
4772	powershell.exe
3976	powershell.exe
4856	powershell.exe
3920	powershell.exe
2224	powershell.exe
3284	powershell.exe
1544	powershell.exe
2108	powershell.exe
1376	powershell.exe
2016	powershell.exe
724	powershell.exe
4584	powershell.exe
4788	powershell.exe
3500	powershell.exe
3484	powershell.exe
2860	powershell.exe
60	powershell.exe
4224	powershell.exe
3216	powershell.exe
4012	powershell.exe
1912	powershell.exe
1240	powershell.exe
1308	powershell.exe
1392	powershell.exe
2444	powershell.exe
772	powershell.exe
1220	powershell.exe
5112	powershell.exe
3148	powershell.exe
1328	powershell.exe
4376	powershell.exe
3772	powershell.exe
1864	powershell.exe
2876	powershell.exe
3268	powershell.exe
4872	powershell.exe
1272	powershell.exe
3868	powershell.exe
1280	powershell.exe
1048	powershell.exe
1640	powershell.exe
3484	powershell.exe
2332	powershell.exe
4820	powershell.exe
464	powershell.exe
4552	powershell.exe
3464	powershell.exe
4464	powershell.exe
4852	powershell.exe
1772	powershell.exe
3484	powershell.exe
4740	powershell.exe
1952	powershell.exe
4448	powershell.exe
5020	powershell.exe
5020	powershell.exe
4348	powershell.exe
4584	powershell.exe
2224	powershell.exe

Checks computer location settings 2 TTPs 37 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	a9c2f7d21516a2bdc18e7174dfebf79f9f9ff89f812bb2f0ac8c2a0a2b7fd04e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	Setup.exe

Executes dropped EXE 36 IoCs

pid	Process
2360	Setup.exe
5084	Setup.exe
4424	Setup.exe
2376	Setup.exe
212	Setup.exe
5064	Setup.exe
1376	Setup.exe
3948	Setup.exe
4876	Setup.exe
1284	Setup.exe
2860	Setup.exe
4032	Setup.exe
1944	Setup.exe
2336	Setup.exe
1648	Setup.exe
2552	Setup.exe
1704	Setup.exe
456	Setup.exe
2884	Setup.exe
3416	Setup.exe
3176	Setup.exe
4936	Setup.exe
2452	Setup.exe
392	Setup.exe
5040	Setup.exe
2708	Setup.exe
2664	Setup.exe
316	Setup.exe
4724	Setup.exe
4348	Setup.exe
4812	Setup.exe
3168	Setup.exe
3212	Setup.exe
4276	Setup.exe
3296	Setup.exe
780	Setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 35 IoCs

pid	pid_target	Process	procid_target
3252	2360	WerFault.exe	83
1376	5084	WerFault.exe	101
1412	4424	WerFault.exe	118
2168	2376	WerFault.exe	132
4976	212	WerFault.exe	145
780	5064	WerFault.exe	157
64	1376	WerFault.exe	169
3060	3948	WerFault.exe	181
5072	4876	WerFault.exe	193
1956	1284	WerFault.exe	205
3956	2860	WerFault.exe	217
1112	4032	WerFault.exe	229
1424	1944	WerFault.exe	242
4184	2336	WerFault.exe	255
2096	1648	WerFault.exe	267
1996	2552	WerFault.exe	279
4584	1704	WerFault.exe	291
3124	456	WerFault.exe	303
2124	2884	WerFault.exe	315
1188	3416	WerFault.exe	327
1200	3176	WerFault.exe	339
672	4936	WerFault.exe	351
2564	2452	WerFault.exe	363
740	392	WerFault.exe	375
2180	5040	WerFault.exe	387
2108	2708	WerFault.exe	399
4360	2664	WerFault.exe	411
4004	316	WerFault.exe	423
2264	4724	WerFault.exe	435
1320	4348	WerFault.exe	447
1600	4812	WerFault.exe	459
4264	3168	WerFault.exe	471
4364	3212	WerFault.exe	483
1820	4276	WerFault.exe	495
672	3296	WerFault.exe	507

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
624	powershell.exe
624	powershell.exe
1376	powershell.exe
1376	powershell.exe
436	powershell.exe
436	powershell.exe
3492	powershell.exe
3492	powershell.exe
4224	powershell.exe
4224	powershell.exe
5032	powershell.exe
5032	powershell.exe
4772	powershell.exe
4772	powershell.exe
4872	powershell.exe
4872	powershell.exe
4872	powershell.exe
5112	powershell.exe
5112	powershell.exe
5112	powershell.exe
1272	powershell.exe
1272	powershell.exe
2444	powershell.exe
2444	powershell.exe
4740	powershell.exe
4740	powershell.exe
2836	powershell.exe
2836	powershell.exe
1952	powershell.exe
1952	powershell.exe
4604	powershell.exe
4604	powershell.exe
2860	powershell.exe
2860	powershell.exe
1712	powershell.exe
1712	powershell.exe
1104	powershell.exe
1104	powershell.exe
3208	powershell.exe
3208	powershell.exe
1912	powershell.exe
1912	powershell.exe
2224	powershell.exe
2224	powershell.exe
888	powershell.exe
888	powershell.exe
1776	powershell.exe
1776	powershell.exe
4788	powershell.exe
4788	powershell.exe
1876	powershell.exe
1876	powershell.exe
1240	powershell.exe
1240	powershell.exe
2016	powershell.exe
2016	powershell.exe
772	powershell.exe
772	powershell.exe
3696	powershell.exe
3696	powershell.exe
4352	powershell.exe
4352	powershell.exe
1812	powershell.exe
1812	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	624	powershell.exe
Token: SeDebugPrivilege	1376	powershell.exe
Token: SeDebugPrivilege	436	powershell.exe
Token: SeDebugPrivilege	3492	powershell.exe
Token: SeDebugPrivilege	4224	powershell.exe
Token: SeDebugPrivilege	5032	powershell.exe
Token: SeDebugPrivilege	4772	powershell.exe
Token: SeDebugPrivilege	4872	powershell.exe
Token: SeDebugPrivilege	5112	powershell.exe
Token: SeDebugPrivilege	1272	powershell.exe
Token: SeDebugPrivilege	2444	powershell.exe
Token: SeDebugPrivilege	4740	powershell.exe
Token: SeDebugPrivilege	2836	powershell.exe
Token: SeDebugPrivilege	1952	powershell.exe
Token: SeDebugPrivilege	4604	powershell.exe
Token: SeDebugPrivilege	2860	powershell.exe
Token: SeDebugPrivilege	1712	powershell.exe
Token: SeDebugPrivilege	1104	powershell.exe
Token: SeDebugPrivilege	3208	powershell.exe
Token: SeDebugPrivilege	1912	powershell.exe
Token: SeDebugPrivilege	2224	powershell.exe
Token: SeDebugPrivilege	888	powershell.exe
Token: SeDebugPrivilege	1776	powershell.exe
Token: SeDebugPrivilege	4788	powershell.exe
Token: SeDebugPrivilege	1876	powershell.exe
Token: SeDebugPrivilege	1240	powershell.exe
Token: SeDebugPrivilege	2016	powershell.exe
Token: SeDebugPrivilege	772	powershell.exe
Token: SeDebugPrivilege	3696	powershell.exe
Token: SeDebugPrivilege	4352	powershell.exe
Token: SeDebugPrivilege	1812	powershell.exe
Token: SeDebugPrivilege	4772	powershell.exe
Token: SeDebugPrivilege	3284	powershell.exe
Token: SeDebugPrivilege	2880	powershell.exe
Token: SeDebugPrivilege	1544	powershell.exe
Token: SeDebugPrivilege	4348	powershell.exe
Token: SeDebugPrivilege	2108	powershell.exe
Token: SeDebugPrivilege	1460	powershell.exe
Token: SeDebugPrivilege	1004	powershell.exe
Token: SeDebugPrivilege	3060	powershell.exe
Token: SeDebugPrivilege	2220	powershell.exe
Token: SeDebugPrivilege	4720	powershell.exe
Token: SeDebugPrivilege	1308	powershell.exe
Token: SeDebugPrivilege	4820	powershell.exe
Token: SeDebugPrivilege	3868	powershell.exe
Token: SeDebugPrivilege	4584	powershell.exe
Token: SeDebugPrivilege	4448	powershell.exe
Token: SeDebugPrivilege	2868	powershell.exe
Token: SeDebugPrivilege	3216	powershell.exe
Token: SeDebugPrivilege	3500	powershell.exe
Token: SeDebugPrivilege	5020	powershell.exe
Token: SeDebugPrivilege	724	powershell.exe
Token: SeDebugPrivilege	3464	powershell.exe
Token: SeDebugPrivilege	1212	powershell.exe
Token: SeDebugPrivilege	3484	powershell.exe
Token: SeDebugPrivilege	2332	powershell.exe
Token: SeDebugPrivilege	5020	powershell.exe
Token: SeDebugPrivilege	780	powershell.exe
Token: SeDebugPrivilege	4444	powershell.exe
Token: SeDebugPrivilege	1328	powershell.exe
Token: SeDebugPrivilege	3484	powershell.exe
Token: SeDebugPrivilege	2332	powershell.exe
Token: SeDebugPrivilege	4584	powershell.exe
Token: SeDebugPrivilege	216	powershell.exe

Suspicious use of SetWindowsHookEx 36 IoCs

pid	Process
2360	Setup.exe
5084	Setup.exe
4424	Setup.exe
2376	Setup.exe
212	Setup.exe
5064	Setup.exe
1376	Setup.exe
3948	Setup.exe
4876	Setup.exe
1284	Setup.exe
2860	Setup.exe
4032	Setup.exe
1944	Setup.exe
2336	Setup.exe
1648	Setup.exe
2552	Setup.exe
1704	Setup.exe
456	Setup.exe
2884	Setup.exe
3416	Setup.exe
3176	Setup.exe
4936	Setup.exe
2452	Setup.exe
392	Setup.exe
5040	Setup.exe
2708	Setup.exe
2664	Setup.exe
316	Setup.exe
4724	Setup.exe
4348	Setup.exe
4812	Setup.exe
3168	Setup.exe
3212	Setup.exe
4276	Setup.exe
3296	Setup.exe
780	Setup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2352 wrote to memory of 2360	2352	a9c2f7d21516a2bdc18e7174dfebf79f9f9ff89f812bb2f0ac8c2a0a2b7fd04e.exe	83
PID 2352 wrote to memory of 2360	2352	a9c2f7d21516a2bdc18e7174dfebf79f9f9ff89f812bb2f0ac8c2a0a2b7fd04e.exe	83
PID 2352 wrote to memory of 2360	2352	a9c2f7d21516a2bdc18e7174dfebf79f9f9ff89f812bb2f0ac8c2a0a2b7fd04e.exe	83
PID 2360 wrote to memory of 4252	2360	Setup.exe	87
PID 2360 wrote to memory of 4252	2360	Setup.exe	87
PID 2360 wrote to memory of 4252	2360	Setup.exe	87
PID 4252 wrote to memory of 624	4252	cmd.exe	90
PID 4252 wrote to memory of 624	4252	cmd.exe	90
PID 4252 wrote to memory of 624	4252	cmd.exe	90
PID 2360 wrote to memory of 1996	2360	Setup.exe	92
PID 2360 wrote to memory of 1996	2360	Setup.exe	92
PID 2360 wrote to memory of 1996	2360	Setup.exe	92
PID 1996 wrote to memory of 1376	1996	cmd.exe	94
PID 1996 wrote to memory of 1376	1996	cmd.exe	94
PID 1996 wrote to memory of 1376	1996	cmd.exe	94
PID 2360 wrote to memory of 1424	2360	Setup.exe	95
PID 2360 wrote to memory of 1424	2360	Setup.exe	95
PID 2360 wrote to memory of 1424	2360	Setup.exe	95
PID 1424 wrote to memory of 436	1424	cmd.exe	97
PID 1424 wrote to memory of 436	1424	cmd.exe	97
PID 1424 wrote to memory of 436	1424	cmd.exe	97
PID 2352 wrote to memory of 5084	2352	a9c2f7d21516a2bdc18e7174dfebf79f9f9ff89f812bb2f0ac8c2a0a2b7fd04e.exe	101
PID 2352 wrote to memory of 5084	2352	a9c2f7d21516a2bdc18e7174dfebf79f9f9ff89f812bb2f0ac8c2a0a2b7fd04e.exe	101
PID 2352 wrote to memory of 5084	2352	a9c2f7d21516a2bdc18e7174dfebf79f9f9ff89f812bb2f0ac8c2a0a2b7fd04e.exe	101
PID 5084 wrote to memory of 2804	5084	Setup.exe	102
PID 5084 wrote to memory of 2804	5084	Setup.exe	102
PID 5084 wrote to memory of 2804	5084	Setup.exe	102
PID 2804 wrote to memory of 3492	2804	cmd.exe	104
PID 2804 wrote to memory of 3492	2804	cmd.exe	104
PID 2804 wrote to memory of 3492	2804	cmd.exe	104
PID 5084 wrote to memory of 1412	5084	Setup.exe	109
PID 5084 wrote to memory of 1412	5084	Setup.exe	109
PID 5084 wrote to memory of 1412	5084	Setup.exe	109
PID 1412 wrote to memory of 4224	1412	cmd.exe	111
PID 1412 wrote to memory of 4224	1412	cmd.exe	111
PID 1412 wrote to memory of 4224	1412	cmd.exe	111
PID 5084 wrote to memory of 2664	5084	Setup.exe	112
PID 5084 wrote to memory of 2664	5084	Setup.exe	112
PID 5084 wrote to memory of 2664	5084	Setup.exe	112
PID 2664 wrote to memory of 5032	2664	cmd.exe	114
PID 2664 wrote to memory of 5032	2664	cmd.exe	114
PID 2664 wrote to memory of 5032	2664	cmd.exe	114
PID 2352 wrote to memory of 4424	2352	a9c2f7d21516a2bdc18e7174dfebf79f9f9ff89f812bb2f0ac8c2a0a2b7fd04e.exe	118
PID 2352 wrote to memory of 4424	2352	a9c2f7d21516a2bdc18e7174dfebf79f9f9ff89f812bb2f0ac8c2a0a2b7fd04e.exe	118
PID 2352 wrote to memory of 4424	2352	a9c2f7d21516a2bdc18e7174dfebf79f9f9ff89f812bb2f0ac8c2a0a2b7fd04e.exe	118
PID 4424 wrote to memory of 1912	4424	Setup.exe	120
PID 4424 wrote to memory of 1912	4424	Setup.exe	120
PID 4424 wrote to memory of 1912	4424	Setup.exe	120
PID 1912 wrote to memory of 4772	1912	cmd.exe	123
PID 1912 wrote to memory of 4772	1912	cmd.exe	123
PID 1912 wrote to memory of 4772	1912	cmd.exe	123
PID 4424 wrote to memory of 3656	4424	Setup.exe	124
PID 4424 wrote to memory of 3656	4424	Setup.exe	124
PID 4424 wrote to memory of 3656	4424	Setup.exe	124
PID 3656 wrote to memory of 4872	3656	cmd.exe	126
PID 3656 wrote to memory of 4872	3656	cmd.exe	126
PID 3656 wrote to memory of 4872	3656	cmd.exe	126
PID 4424 wrote to memory of 1236	4424	Setup.exe	127
PID 4424 wrote to memory of 1236	4424	Setup.exe	127
PID 4424 wrote to memory of 1236	4424	Setup.exe	127
PID 1236 wrote to memory of 5112	1236	cmd.exe	129
PID 1236 wrote to memory of 5112	1236	cmd.exe	129
PID 1236 wrote to memory of 5112	1236	cmd.exe	129
PID 2352 wrote to memory of 2376	2352	a9c2f7d21516a2bdc18e7174dfebf79f9f9ff89f812bb2f0ac8c2a0a2b7fd04e.exe	132

C:\Users\Admin\AppData\Local\Temp\a9c2f7d21516a2bdc18e7174dfebf79f9f9ff89f812bb2f0ac8c2a0a2b7fd04e.exe
"C:\Users\Admin\AppData\Local\Temp\a9c2f7d21516a2bdc18e7174dfebf79f9f9ff89f812bb2f0ac8c2a0a2b7fd04e.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2352
- C:\Users\Admin\AppData\Local\Temp\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2360
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Powershell.exe Add-MpPreference -ExclusionExtension '.exe'
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4252
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Powershell.exe Add-MpPreference -ExclusionExtension '.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:624
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Powershell.exe Add-MpPreference -ExclusionExtension '.zip'
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1996
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Powershell.exe Add-MpPreference -ExclusionExtension '.zip'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1376
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Powershell.exe Add-MpPreference -ExclusionPath C:
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1424
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Powershell.exe Add-MpPreference -ExclusionPath C:
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:436
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2360 -s 1320
    3⤵
    - Program crash
    PID:3252
- C:\Users\Admin\AppData\Local\Temp\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:5084
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Powershell.exe Add-MpPreference -ExclusionExtension '.exe'
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2804
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Powershell.exe Add-MpPreference -ExclusionExtension '.exe'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3492
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Powershell.exe Add-MpPreference -ExclusionExtension '.zip'
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1412
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Powershell.exe Add-MpPreference -ExclusionExtension '.zip'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4224
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Powershell.exe Add-MpPreference -ExclusionPath C:
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2664
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Powershell.exe Add-MpPreference -ExclusionPath C:
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5032
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5084 -s 1020
    3⤵
    - Program crash
    PID:1376
- C:\Users\Admin\AppData\Local\Temp\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4424
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Powershell.exe Add-MpPreference -ExclusionExtension '.exe'
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1912
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Powershell.exe Add-MpPreference -ExclusionExtension '.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4772
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Powershell.exe Add-MpPreference -ExclusionExtension '.zip'
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3656
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Powershell.exe Add-MpPreference -ExclusionExtension '.zip'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4872
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Powershell.exe Add-MpPreference -ExclusionPath C:
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1236
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Powershell.exe Add-MpPreference -ExclusionPath C:
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5112
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4424 -s 1276
    3⤵
    - Program crash
    PID:1412
- C:\Users\Admin\AppData\Local\Temp\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2376
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Powershell.exe Add-MpPreference -ExclusionExtension '.exe'
    3⤵
    PID:4604
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Powershell.exe Add-MpPreference -ExclusionExtension '.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1272
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Powershell.exe Add-MpPreference -ExclusionExtension '.zip'
    3⤵
    PID:4976
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Powershell.exe Add-MpPreference -ExclusionExtension '.zip'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2444
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Powershell.exe Add-MpPreference -ExclusionPath C:
    3⤵
    PID:3060
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Powershell.exe Add-MpPreference -ExclusionPath C:
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4740
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2376 -s 764
    3⤵
    - Program crash
    PID:2168
- C:\Users\Admin\AppData\Local\Temp\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:212
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Powershell.exe Add-MpPreference -ExclusionExtension '.exe'
    3⤵
    PID:1340
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Powershell.exe Add-MpPreference -ExclusionExtension '.exe'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2836
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Powershell.exe Add-MpPreference -ExclusionExtension '.zip'
    3⤵
    PID:4472
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Powershell.exe Add-MpPreference -ExclusionExtension '.zip'
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1952
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Powershell.exe Add-MpPreference -ExclusionPath C:
    3⤵
    PID:3256
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Powershell.exe Add-MpPreference -ExclusionPath C:
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4604
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 212 -s 1440
    3⤵
    - Program crash
    PID:4976
- C:\Users\Admin\AppData\Local\Temp\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5064
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Powershell.exe Add-MpPreference -ExclusionExtension '.exe'
    3⤵
    PID:4420
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Powershell.exe Add-MpPreference -ExclusionExtension '.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2860
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Powershell.exe Add-MpPreference -ExclusionExtension '.zip'
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5072
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Powershell.exe Add-MpPreference -ExclusionExtension '.zip'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1712
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Powershell.exe Add-MpPreference -ExclusionPath C:
    3⤵
    PID:2432
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Powershell.exe Add-MpPreference -ExclusionPath C:
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1104
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5064 -s 832
    3⤵
    - Program crash
    PID:780
- C:\Users\Admin\AppData\Local\Temp\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1376
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Powershell.exe Add-MpPreference -ExclusionExtension '.exe'
    3⤵
    PID:5040
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Powershell.exe Add-MpPreference -ExclusionExtension '.exe'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3208
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Powershell.exe Add-MpPreference -ExclusionExtension '.zip'
    3⤵
    PID:3976
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Powershell.exe Add-MpPreference -ExclusionExtension '.zip'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1912
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Powershell.exe Add-MpPreference -ExclusionPath C:
    3⤵
    PID:2416
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Powershell.exe Add-MpPreference -ExclusionPath C:
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2224
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1376 -s 1348
    3⤵
    - Program crash
    PID:64
- C:\Users\Admin\AppData\Local\Temp\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3948
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Powershell.exe Add-MpPreference -ExclusionExtension '.exe'
    3⤵
    PID:3560
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Powershell.exe Add-MpPreference -ExclusionExtension '.exe'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:888
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Powershell.exe Add-MpPreference -ExclusionExtension '.zip'
    3⤵
    PID:5112
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Powershell.exe Add-MpPreference -ExclusionExtension '.zip'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1776
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Powershell.exe Add-MpPreference -ExclusionPath C:
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3312
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Powershell.exe Add-MpPreference -ExclusionPath C:
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4788
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3948 -s 812
    3⤵
    - Program crash
    PID:3060
- C:\Users\Admin\AppData\Local\Temp\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4876
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Powershell.exe Add-MpPreference -ExclusionExtension '.exe'
    3⤵
    PID:1812
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Powershell.exe Add-MpPreference -ExclusionExtension '.exe'
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1876
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Powershell.exe Add-MpPreference -ExclusionExtension '.zip'
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1708
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Powershell.exe Add-MpPreference -ExclusionExtension '.zip'
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1240
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Powershell.exe Add-MpPreference -ExclusionPath C:
    3⤵
    PID:3216
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Powershell.exe Add-MpPreference -ExclusionPath C:
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2016
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 816
    3⤵
    - Program crash
    PID:5072
- C:\Users\Admin\AppData\Local\Temp\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1284
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Powershell.exe Add-MpPreference -ExclusionExtension '.exe'
    3⤵
    PID:456
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Powershell.exe Add-MpPreference -ExclusionExtension '.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:772
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Powershell.exe Add-MpPreference -ExclusionExtension '.zip'
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4432
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Powershell.exe Add-MpPreference -ExclusionExtension '.zip'
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3696
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Powershell.exe Add-MpPreference -ExclusionPath C:
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3116
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Powershell.exe Add-MpPreference -ExclusionPath C:
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4352
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1284 -s 1296
    3⤵
    - Program crash
    PID:1956
- C:\Users\Admin\AppData\Local\Temp\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2860
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Powershell.exe Add-MpPreference -ExclusionExtension '.exe'
    3⤵
    PID:2236
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Powershell.exe Add-MpPreference -ExclusionExtension '.exe'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1812
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Powershell.exe Add-MpPreference -ExclusionExtension '.zip'
    3⤵
    PID:2116
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Powershell.exe Add-MpPreference -ExclusionExtension '.zip'
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4772
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Powershell.exe Add-MpPreference -ExclusionPath C:
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1120
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Powershell.exe Add-MpPreference -ExclusionPath C:
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:3284
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2860 -s 1020
    3⤵
    - Program crash
    PID:3956
- C:\Users\Admin\AppData\Local\Temp\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4032
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Powershell.exe Add-MpPreference -ExclusionExtension '.exe'
    3⤵
    PID:2944
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Powershell.exe Add-MpPreference -ExclusionExtension '.exe'
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2880
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Powershell.exe Add-MpPreference -ExclusionExtension '.zip'
    3⤵
    PID:3668
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Powershell.exe Add-MpPreference -ExclusionExtension '.zip'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:1544
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Powershell.exe Add-MpPreference -ExclusionPath C:
    3⤵
    PID:3820
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Powershell.exe Add-MpPreference -ExclusionPath C:
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4348
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4032 -s 824
    3⤵
    - Program crash
    PID:1112
- C:\Users\Admin\AppData\Local\Temp\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1944
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Powershell.exe Add-MpPreference -ExclusionExtension '.exe'
    3⤵
    PID:3912
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Powershell.exe Add-MpPreference -ExclusionExtension '.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2108
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Powershell.exe Add-MpPreference -ExclusionExtension '.zip'
    3⤵
    PID:1708
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Powershell.exe Add-MpPreference -ExclusionExtension '.zip'
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1460
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Powershell.exe Add-MpPreference -ExclusionPath C:
    3⤵
    PID:1640
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Powershell.exe Add-MpPreference -ExclusionPath C:
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1004
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1944 -s 1216
    3⤵
    - Program crash
    PID:1424
- C:\Users\Admin\AppData\Local\Temp\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2336
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Powershell.exe Add-MpPreference -ExclusionExtension '.exe'
    3⤵
    - System Location Discovery: System Language Discovery
    PID:456
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Powershell.exe Add-MpPreference -ExclusionExtension '.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:3060
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Powershell.exe Add-MpPreference -ExclusionExtension '.zip'
    3⤵
    PID:4748
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Powershell.exe Add-MpPreference -ExclusionExtension '.zip'
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2220
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Powershell.exe Add-MpPreference -ExclusionPath C:
    3⤵
    PID:2864
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Powershell.exe Add-MpPreference -ExclusionPath C:
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4720
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2336 -s 1272
    3⤵
    - Program crash
    PID:4184
- C:\Users\Admin\AppData\Local\Temp\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1648
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Powershell.exe Add-MpPreference -ExclusionExtension '.exe'
    3⤵
    PID:1912
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Powershell.exe Add-MpPreference -ExclusionExtension '.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1308
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Powershell.exe Add-MpPreference -ExclusionExtension '.zip'
    3⤵
    PID:1708
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Powershell.exe Add-MpPreference -ExclusionExtension '.zip'
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4820
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Powershell.exe Add-MpPreference -ExclusionPath C:
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1188
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Powershell.exe Add-MpPreference -ExclusionPath C:
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:3868
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1648 -s 812
    3⤵
    - Program crash
    PID:2096
- C:\Users\Admin\AppData\Local\Temp\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2552
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Powershell.exe Add-MpPreference -ExclusionExtension '.exe'
    3⤵
    PID:3168
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Powershell.exe Add-MpPreference -ExclusionExtension '.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:4584
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Powershell.exe Add-MpPreference -ExclusionExtension '.zip'
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2220
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Powershell.exe Add-MpPreference -ExclusionExtension '.zip'
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4448
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Powershell.exe Add-MpPreference -ExclusionPath C:
    3⤵
    PID:3244
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Powershell.exe Add-MpPreference -ExclusionPath C:
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2868
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2552 -s 1324
    3⤵
    - Program crash
    PID:1996
- C:\Users\Admin\AppData\Local\Temp\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1704
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Powershell.exe Add-MpPreference -ExclusionExtension '.exe'
    3⤵
    PID:3224
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Powershell.exe Add-MpPreference -ExclusionExtension '.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3216
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Powershell.exe Add-MpPreference -ExclusionExtension '.zip'
    3⤵
    PID:3720
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Powershell.exe Add-MpPreference -ExclusionExtension '.zip'
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3500
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Powershell.exe Add-MpPreference -ExclusionPath C:
    3⤵
    PID:1756
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Powershell.exe Add-MpPreference -ExclusionPath C:
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:5020
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1704 -s 1364
    3⤵
    - Program crash
    PID:4584
- C:\Users\Admin\AppData\Local\Temp\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:456
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Powershell.exe Add-MpPreference -ExclusionExtension '.exe'
    3⤵
    PID:780
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Powershell.exe Add-MpPreference -ExclusionExtension '.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:724
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Powershell.exe Add-MpPreference -ExclusionExtension '.zip'
    3⤵
    PID:968
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Powershell.exe Add-MpPreference -ExclusionExtension '.zip'
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3464
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Powershell.exe Add-MpPreference -ExclusionPath C:
    3⤵
    PID:1172
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Powershell.exe Add-MpPreference -ExclusionPath C:
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1212
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 456 -s 944
    3⤵
    - Program crash
    PID:3124
- C:\Users\Admin\AppData\Local\Temp\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2884
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Powershell.exe Add-MpPreference -ExclusionExtension '.exe'
    3⤵
    PID:3772
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Powershell.exe Add-MpPreference -ExclusionExtension '.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:3484
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Powershell.exe Add-MpPreference -ExclusionExtension '.zip'
    3⤵
    PID:3420
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Powershell.exe Add-MpPreference -ExclusionExtension '.zip'
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2332
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Powershell.exe Add-MpPreference -ExclusionPath C:
    3⤵
    PID:2264
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Powershell.exe Add-MpPreference -ExclusionPath C:
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:5020
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2884 -s 1360
    3⤵
    - Program crash
    PID:2124
- C:\Users\Admin\AppData\Local\Temp\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3416
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Powershell.exe Add-MpPreference -ExclusionExtension '.exe'
    3⤵
    PID:2700
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Powershell.exe Add-MpPreference -ExclusionExtension '.exe'
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:780
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Powershell.exe Add-MpPreference -ExclusionExtension '.zip'
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4588
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Powershell.exe Add-MpPreference -ExclusionExtension '.zip'
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4444
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Powershell.exe Add-MpPreference -ExclusionPath C:
    3⤵
    PID:3060
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Powershell.exe Add-MpPreference -ExclusionPath C:
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:1328
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3416 -s 1356
    3⤵
    - Program crash
    PID:1188
- C:\Users\Admin\AppData\Local\Temp\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3176
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Powershell.exe Add-MpPreference -ExclusionExtension '.exe'
    3⤵
    PID:3868
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Powershell.exe Add-MpPreference -ExclusionExtension '.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3484
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Powershell.exe Add-MpPreference -ExclusionExtension '.zip'
    3⤵
    PID:1252
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Powershell.exe Add-MpPreference -ExclusionExtension '.zip'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:2332
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Powershell.exe Add-MpPreference -ExclusionPath C:
    3⤵
    PID:5104
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Powershell.exe Add-MpPreference -ExclusionPath C:
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:4584
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3176 -s 952
    3⤵
    - Program crash
    PID:1200
- C:\Users\Admin\AppData\Local\Temp\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4936
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Powershell.exe Add-MpPreference -ExclusionExtension '.exe'
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3244
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Powershell.exe Add-MpPreference -ExclusionExtension '.exe'
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:216
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Powershell.exe Add-MpPreference -ExclusionExtension '.zip'
    3⤵
    PID:4872
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Powershell.exe Add-MpPreference -ExclusionExtension '.zip'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4820
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Powershell.exe Add-MpPreference -ExclusionPath C:
    3⤵
    PID:1856
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Powershell.exe Add-MpPreference -ExclusionPath C:
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4464
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4936 -s 816
    3⤵
    - Program crash
    PID:672
- C:\Users\Admin\AppData\Local\Temp\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2452
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Powershell.exe Add-MpPreference -ExclusionExtension '.exe'
    3⤵
    PID:2420
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Powershell.exe Add-MpPreference -ExclusionExtension '.exe'
      4⤵
      System Location Discovery: System Language Discovery
      PID:3752
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Powershell.exe Add-MpPreference -ExclusionExtension '.zip'
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3980
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Powershell.exe Add-MpPreference -ExclusionExtension '.zip'
      4⤵
      PID:2412
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Powershell.exe Add-MpPreference -ExclusionPath C:
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3396
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Powershell.exe Add-MpPreference -ExclusionPath C:
      4⤵
      PID:452
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2452 -s 892
    3⤵
    - Program crash
    PID:2564
- C:\Users\Admin\AppData\Local\Temp\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:392
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Powershell.exe Add-MpPreference -ExclusionExtension '.exe'
    3⤵
    PID:528
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Powershell.exe Add-MpPreference -ExclusionExtension '.exe'
      4⤵
      System Location Discovery: System Language Discovery
      PID:4604
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Powershell.exe Add-MpPreference -ExclusionExtension '.zip'
    3⤵
    PID:2716
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Powershell.exe Add-MpPreference -ExclusionExtension '.zip'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:1220
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Powershell.exe Add-MpPreference -ExclusionPath C:
    3⤵
    PID:4268
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Powershell.exe Add-MpPreference -ExclusionPath C:
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:464
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 392 -s 1324
    3⤵
    - Program crash
    PID:740
- C:\Users\Admin\AppData\Local\Temp\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5040
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Powershell.exe Add-MpPreference -ExclusionExtension '.exe'
    3⤵
    PID:2392
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Powershell.exe Add-MpPreference -ExclusionExtension '.exe'
      4⤵
      PID:4364
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Powershell.exe Add-MpPreference -ExclusionExtension '.zip'
    3⤵
    PID:1956
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Powershell.exe Add-MpPreference -ExclusionExtension '.zip'
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      PID:3976
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Powershell.exe Add-MpPreference -ExclusionPath C:
    3⤵
    PID:1756
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Powershell.exe Add-MpPreference -ExclusionPath C:
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      PID:4376
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5040 -s 828
    3⤵
    - Program crash
    PID:2180
- C:\Users\Admin\AppData\Local\Temp\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2708
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Powershell.exe Add-MpPreference -ExclusionExtension '.exe'
    3⤵
    PID:1692
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Powershell.exe Add-MpPreference -ExclusionExtension '.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:5112
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Powershell.exe Add-MpPreference -ExclusionExtension '.zip'
    3⤵
    PID:4352
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Powershell.exe Add-MpPreference -ExclusionExtension '.zip'
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      PID:4012
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Powershell.exe Add-MpPreference -ExclusionPath C:
    3⤵
    PID:924
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Powershell.exe Add-MpPreference -ExclusionPath C:
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4852
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2708 -s 1380
    3⤵
    - Program crash
    PID:2108
- C:\Users\Admin\AppData\Local\Temp\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2664
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Powershell.exe Add-MpPreference -ExclusionExtension '.exe'
    3⤵
    PID:4172
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Powershell.exe Add-MpPreference -ExclusionExtension '.exe'
      4⤵
      PID:2800
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Powershell.exe Add-MpPreference -ExclusionExtension '.zip'
    3⤵
    PID:3168
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Powershell.exe Add-MpPreference -ExclusionExtension '.zip'
      4⤵
      PID:1568
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Powershell.exe Add-MpPreference -ExclusionPath C:
    3⤵
    PID:3368
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Powershell.exe Add-MpPreference -ExclusionPath C:
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:60
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2664 -s 1324
    3⤵
    - Program crash
    PID:4360
- C:\Users\Admin\AppData\Local\Temp\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:316
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Powershell.exe Add-MpPreference -ExclusionExtension '.exe'
    3⤵
    PID:4772
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Powershell.exe Add-MpPreference -ExclusionExtension '.exe'
      4⤵
      PID:528
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Powershell.exe Add-MpPreference -ExclusionExtension '.zip'
    3⤵
    PID:1104
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Powershell.exe Add-MpPreference -ExclusionExtension '.zip'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:3148
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Powershell.exe Add-MpPreference -ExclusionPath C:
    3⤵
    PID:1644
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Powershell.exe Add-MpPreference -ExclusionPath C:
      4⤵
      PID:1880
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 316 -s 812
    3⤵
    - Program crash
    PID:4004
- C:\Users\Admin\AppData\Local\Temp\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4724
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Powershell.exe Add-MpPreference -ExclusionExtension '.exe'
    3⤵
    PID:820
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Powershell.exe Add-MpPreference -ExclusionExtension '.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      PID:1280
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Powershell.exe Add-MpPreference -ExclusionExtension '.zip'
    3⤵
    PID:2824
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Powershell.exe Add-MpPreference -ExclusionExtension '.zip'
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      PID:4552
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Powershell.exe Add-MpPreference -ExclusionPath C:
    3⤵
    PID:5104
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Powershell.exe Add-MpPreference -ExclusionPath C:
      4⤵
      PID:2728
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4724 -s 928
    3⤵
    - Program crash
    PID:2264
- C:\Users\Admin\AppData\Local\Temp\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4348
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Powershell.exe Add-MpPreference -ExclusionExtension '.exe'
    3⤵
    PID:60
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Powershell.exe Add-MpPreference -ExclusionExtension '.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      PID:4856
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Powershell.exe Add-MpPreference -ExclusionExtension '.zip'
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2388
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Powershell.exe Add-MpPreference -ExclusionExtension '.zip'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:2140
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Powershell.exe Add-MpPreference -ExclusionPath C:
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2168
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Powershell.exe Add-MpPreference -ExclusionPath C:
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:1392
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4348 -s 812
    3⤵
    - Program crash
    PID:1320
- C:\Users\Admin\AppData\Local\Temp\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4812
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Powershell.exe Add-MpPreference -ExclusionExtension '.exe'
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2200
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Powershell.exe Add-MpPreference -ExclusionExtension '.exe'
      4⤵
      PID:3272
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Powershell.exe Add-MpPreference -ExclusionExtension '.zip'
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4852
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Powershell.exe Add-MpPreference -ExclusionExtension '.zip'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:1048
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Powershell.exe Add-MpPreference -ExclusionPath C:
    3⤵
    PID:924
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Powershell.exe Add-MpPreference -ExclusionPath C:
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      PID:3772
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4812 -s 964
    3⤵
    - Program crash
    PID:1600
- C:\Users\Admin\AppData\Local\Temp\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3168
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Powershell.exe Add-MpPreference -ExclusionExtension '.exe'
    3⤵
    PID:3312
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Powershell.exe Add-MpPreference -ExclusionExtension '.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:3920
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Powershell.exe Add-MpPreference -ExclusionExtension '.zip'
    3⤵
    PID:3812
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Powershell.exe Add-MpPreference -ExclusionExtension '.zip'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:3724
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Powershell.exe Add-MpPreference -ExclusionPath C:
    3⤵
    PID:3368
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Powershell.exe Add-MpPreference -ExclusionPath C:
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:1772
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3168 -s 808
    3⤵
    - Program crash
    PID:4264
- C:\Users\Admin\AppData\Local\Temp\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3212
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Powershell.exe Add-MpPreference -ExclusionExtension '.exe'
    3⤵
    PID:4020
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Powershell.exe Add-MpPreference -ExclusionExtension '.exe'
      4⤵
      PID:4408
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Powershell.exe Add-MpPreference -ExclusionExtension '.zip'
    3⤵
    PID:3748
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Powershell.exe Add-MpPreference -ExclusionExtension '.zip'
      4⤵
      System Location Discovery: System Language Discovery
      PID:3060
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Powershell.exe Add-MpPreference -ExclusionPath C:
    3⤵
    PID:2672
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Powershell.exe Add-MpPreference -ExclusionPath C:
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:3484
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3212 -s 1436
    3⤵
    - Program crash
    PID:4364
- C:\Users\Admin\AppData\Local\Temp\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4276
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Powershell.exe Add-MpPreference -ExclusionExtension '.exe'
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2184
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Powershell.exe Add-MpPreference -ExclusionExtension '.exe'
      4⤵
      PID:4744
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Powershell.exe Add-MpPreference -ExclusionExtension '.zip'
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1580
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Powershell.exe Add-MpPreference -ExclusionExtension '.zip'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:2224
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Powershell.exe Add-MpPreference -ExclusionPath C:
    3⤵
    PID:2260
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Powershell.exe Add-MpPreference -ExclusionPath C:
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:2876
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4276 -s 1320
    3⤵
    - Program crash
    PID:1820
- C:\Users\Admin\AppData\Local\Temp\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3296
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Powershell.exe Add-MpPreference -ExclusionExtension '.exe'
    3⤵
    PID:1076
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Powershell.exe Add-MpPreference -ExclusionExtension '.exe'
      4⤵
      PID:400
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Powershell.exe Add-MpPreference -ExclusionExtension '.zip'
    3⤵
    PID:1552
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Powershell.exe Add-MpPreference -ExclusionExtension '.zip'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:1864
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Powershell.exe Add-MpPreference -ExclusionPath C:
    3⤵
    PID:2144
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Powershell.exe Add-MpPreference -ExclusionPath C:
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:3268
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3296 -s 1336
    3⤵
    - Program crash
    PID:672
- C:\Users\Admin\AppData\Local\Temp\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:780
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Powershell.exe Add-MpPreference -ExclusionExtension '.exe'
    3⤵
    PID:1172
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Powershell.exe Add-MpPreference -ExclusionExtension '.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:1640
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Powershell.exe Add-MpPreference -ExclusionExtension '.zip'
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5004
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Powershell.exe Add-MpPreference -ExclusionExtension '.zip'
      4⤵
      System Location Discovery: System Language Discovery
      PID:2116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2360 -ip 2360
1⤵
PID:1868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 5084 -ip 5084
1⤵
PID:4664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4424 -ip 4424
1⤵
PID:1124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2376 -ip 2376
1⤵
PID:4168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 212 -ip 212
1⤵
PID:2444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 5064 -ip 5064
1⤵
PID:4992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 1376 -ip 1376
1⤵
PID:4012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3948 -ip 3948
1⤵
PID:3688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4876 -ip 4876
1⤵
PID:1072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1284 -ip 1284
1⤵
PID:684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 2860 -ip 2860
1⤵
PID:4268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 4032 -ip 4032
1⤵
PID:4340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1944 -ip 1944
1⤵
PID:5060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 2336 -ip 2336
1⤵
PID:3892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 1648 -ip 1648
1⤵
PID:1544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 2552 -ip 2552
1⤵
PID:4300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1704 -ip 1704
1⤵
PID:4744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 456 -ip 456
1⤵
PID:1528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2884 -ip 2884
1⤵
PID:3396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3416 -ip 3416
1⤵
PID:3268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3176 -ip 3176
1⤵
PID:3440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4936 -ip 4936
1⤵
PID:4476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 2452 -ip 2452
1⤵
PID:3220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 392 -ip 392
1⤵
PID:556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 5040 -ip 5040
1⤵
PID:1612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 720 -p 2708 -ip 2708
1⤵
PID:556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 712 -p 2664 -ip 2664
1⤵
PID:1612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 760 -p 316 -ip 316
1⤵
PID:5060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 788 -p 4724 -ip 4724
1⤵
PID:3304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 780 -p 4348 -ip 4348
1⤵
PID:1328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 824 -p 4812 -ip 4812
1⤵
PID:772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 816 -p 3168 -ip 3168
1⤵
PID:4704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 836 -p 3212 -ip 3212
1⤵
PID:2252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 884 -p 4276 -ip 4276
1⤵
PID:1904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 904 -p 3296 -ip 3296
1⤵
PID:1736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
56c9e0a588d583c954c8aeb49018f11f

SHA1
cd4714ae75a848d2e3e69ffe61537d628d77d384

SHA256
89c5fd01ed1d9bc21791fc1eaf0acd62e22a2b4dc91035b7891e54ff6e8eaca4

SHA512
ef98a9d0ec74d126411cf7382836d9383c73577ac30b4fbb8c0e80151f92e1c16b3810a3699dd0b76a8b2a12ac95bd40a36ba2c0f029e679e91bae413592ceba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
5e66591f2d67e8970fe0902dd7c9a769

SHA1
f3e8be20c33e9dd69c22d6bf9ca39cb559924bf3

SHA256
8781398ff80fd6dd8d2af939c81e51981b4043c999bd52ce9685ddb8f83b89f3

SHA512
34ff83fc8d925588c4964d88c7133a0b4e65b934e84901d967f27a65e2523ad74e643a6b1dae903bc4c19b45fc4a946917e41681e4f6c3b8bad9aa57856cfd56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
5cb8b4e0b7f35d32b47877c36a3a4b02

SHA1
30f35d2a5ce34a5e20709cebb7f328dfd00b002b

SHA256
d5e5ab7d7fa7c42b4659e284e4241ea69fe8bda86d17dcb43b6ad5c6445afc91

SHA512
6c31aa97153a1e4077d7dcf40adffd023704cd6a43d427b370773553c4a25c1bf66bbc65e23dfebcbcdf91cc310d05e04fa87f8bc67182f70938458da7a3b906

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
47bbbbf319703d6e6845e4149867be0d

SHA1
65452617f91dc9d1e51284354c5918e5afb96601

SHA256
8e34159fce8b4d9c5fd8b63520435f9b205160dd28ce822fbf447f6d29845ff6

SHA512
6ac6accf5daf40c1d6a938cdcc2fc2888da05dfe035d46c7e9297197a1f082aabb6ab04f520bdf7bffa854f4f0e429b1816622d1c6ba074b7cdf4923a33e5631

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
ac471aa9fecb7034fd4c21ef6a0eb95a

SHA1
92c770bc3644aa65bd1607f57c818b85deffef03

SHA256
98a1762f98bf24df9877b278c668d0a8ca6aefa618d0d28edbdb3fafb77a9274

SHA512
77b0627b184ca21f9a04eddb7b2e2a5506c4dfb0bb9d20616de839336b2545891f780f0060d8ec2738ef8f5e1f29329641970d517ac2d08c0eb4a668198fdbdb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
391d3cc8b6d6d7bcf40e5c48eabc5d74

SHA1
b93ff77eb22979ff56ccfc294382056d2c7bdc62

SHA256
34464e641cba69bc01131ad04cd12ded98609219b06d3bf388985587d74fa09d

SHA512
6e386ebb1067c1a8a167ccb1da20ce8db21e19553c65548cc2ae068bb5849d2c820003e36ff363c4a9f6c3ce2d45f703ec93677630e2967c1bc42b6349143697

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
1c765a893e038a1a8679b2ab9d0dd43e

SHA1
7259512a473c9f6962b6637f63ed5609f14efc5b

SHA256
55ebb3ba60f5c4134fd74d9e74e52894ec3b0b44c1426108f9cd9fcc15bbd005

SHA512
d093e94aa89132a68b9dea946bf98c8b25e47491ed052df3146b4210d493cdcdfea1b811ee320f82296ecd383c08077a6f66b5afdd22eeb4a4ce6049c48cce2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
d56f5a3445f88de17eea04f29a2379dd

SHA1
c09627b463bb276e9d3110c905504aac8fb24d0a

SHA256
43a32c7f668098e99cf2f09ca4a9bbe6c35eabeba2d5992bf7d9429b4498cb2e

SHA512
62d47c40c3acf9eab5e68eac44b6399f4e5a4131e56fb42c46a9dc3da2a65090c8d0b8937b9496d47c2a1dbc11027dde1bf93c9325a84459412ae91ef9938f5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
02cb2165e2c0daf74b082da6198dfd64

SHA1
11e6d15b2d48c02bb5cd68585f913b428f0f40b6

SHA256
3495b9f5cb51428e477c6cbbffec2a46dd1f84798de0dd3a0bb50f59de4c817d

SHA512
8fbde52bfc2279e2fda2121b02c8460c0655c07cfeae859430dd34a56006e791d25080a139955bc062a4860592dff7d04e245dca39d3b4adf91f312f51f64f28

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
8681965e3f42ce363597d951ca2eed99

SHA1
f1d09df951007747cde64b65d62d8cd6b001b957

SHA256
e26cf00f9de9acb24f86a81aa67bb642e683beacd3c012b522559debaf78a652

SHA512
4018ca816a312cc7d23a6629d8b9c266e3deae7423246c14c7f007d28f95b771eac720da8ca5d4e4ea3b9daf122aa6e5c7bace0e319050b0401d8d3065039acd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
c477c68ea2bd7ae5f21b9881038dd557

SHA1
a343e76501bf754328aa65bef85c338801fde76a

SHA256
56cb011c6eb5f57b914f36bf7e227babc1dd9e6370cf51e9ee931a0f59a69e26

SHA512
5aa311afe30c0413cfdb1ecbb7f762fd88370fa822b5f390c37b6a9ce9b5ee1bce6c429dcb2df9a27089fa637feddc13e5c8ea83b0a31f4aaba3d0c0396652a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
8972f6d79d45d6ddb011490831b9d4c2

SHA1
047211899ccaefb0c2ecd1e6b79813ae215388bd

SHA256
1a688064fd887dba5cfe92eb600d5252cb5186141b7d21349376963039ce7cef

SHA512
05bfe156fe1ff91e1bd6697353e57a8c30b4de3e5adb113b8e441a261e953e95d29bc06bb9c6363da2a84dca8bc97ee4e9401028a97517195550f97833196402

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
7b537a2b39051a8c36e634ccfb7c4a21

SHA1
df66f0c308e0576a5ae1ad46646719204637f860

SHA256
f6e8d6f93a7026e27211485be6c3ed69d2ccac54fef24f19bcfca00c0958e73c

SHA512
aaa1c6cca0c6ff6b88f6063d6a597127bfadfe0105b15e749531bf9fda833fc1d51091eb00dce68b291f60c866dd55d26f48cbb9e8b0f6c235b04907e00c0f94

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
a24e474e5df92995c74134a7acde3a38

SHA1
c3945af80eb4a0cd97c60acfeec0bf5488d18d84

SHA256
d199e10069284a5e998130a41dec62769ed9f0e74c2e7697b0d1f1ce9c9b8c42

SHA512
81fef52a134d1c6370f50b569f5d7c66ef5e6bb61faebc3238cb3960b75bffb6eb0d59f282a62e63cbb2b723284d34be9cfb38d7d9c5d3645908031968937101

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
04b7599d3070644b629d9a996058f516

SHA1
1c13788472a5047711ac2beabd330752f13d94dc

SHA256
2c182e433480e59adfdd8b4a22b53f82bac140d5f899b1c76e38ba126db106ce

SHA512
ea9a2e2c0736eb41b7690de4f065dbf6e3d9ee41271da9c901c81cffb8096727e9a3c7bfb975eaab49cdc2d02ab3bf13f4586ba7db2d0f9e84c98fdb14d71772

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
ad9e5dd7df0d5b5d16f63fb653e30ca0

SHA1
b446dc11eeaeb01657538728909d5a656eeb2a89

SHA256
f9b5362200e402f15ea9c1279ae6543f0f698038d1e8e6f8960e7f7cc5599647

SHA512
31943b80cc2dc1d49c6aa0a268f415138e72debc059b74e41058cc89f76f1a71380ba175ba28a379eba113441f0af8eca628db1b07621f0e85015a56c3eac77b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
d0f9266f7da8587bce85408bea3ce175

SHA1
9be0f8b5a60cf2fde7555e206e5dcb332c577907

SHA256
fc8cda2ec607eab4824a64cc6f331e9b7cf43a65fdf874615b1c9fc463cecbff

SHA512
77c6304263553dcefc6938e8bf2d420d547ed93bd837ead56be510c01083b3f5aa9b6ae9aca5cbeb59179e52150bbb1820018a3128491fa6a0b61299fa43947f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
5f1b55c82f14ca6f5de7c4b2ec89a61e

SHA1
a5792e4f07fb7b51763f1bd826f4fb03cfc74e25

SHA256
d17f28ddaa7abf8ed8bf43b0bbbfeed8c157943a199568c507c533e63381f6af

SHA512
67bfb768f552d0d430a40787e196f7f96dfb9fb8957a9d6893522b223bb0f40eddb08082b2e328d0bd014d7d4af331e715858e19b4df33b42a013d28eef33ab0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
3ac4855a8d0f4130801c9a80bc30550b

SHA1
7d8cc6da179bb187beacfa62413bb6fcff13d951

SHA256
f1f13e864bbb4e64b70198e71561bdaf3307f799f59d4a919033fdd5585c4749

SHA512
771dc7cf85aca16203f4c1695486412ebd53e4e8b56f9dde6c9c3ecc6dd37c71f1bf9b2c4aa49ae9ec19adecc4032458cb05273b9c268760237b9b9be4479b09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
f2ab5f6cc67db2b6a1d40de797424c1a

SHA1
020051b381a087957abf86933d4e1abb26c8f0ea

SHA256
ca1939442d3146beb356069e8bdec01e3650eb3b101343d8f55f47f5bf54ae40

SHA512
2eaccb30aea5cb24a90f83be791eb68328a1cb11e4ce2f39ac96eb1f75b048e151bb0e8a1e63638a7dc2cebc7ff072afa6fdbf24c71cfa59cf2727cdde642abe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
2e652045c33e392597a3cd9ae79cd70f

SHA1
df69c48d6ccdf64702885c23ad65f19cd8feffc4

SHA256
a5b4c012db63e7a8c38742f1c0543e88448c32cf4fc2311b124ef6948e47e0e4

SHA512
fff1f53a7a43d01c29e7e7bec9b87fe1b6c2089fa5d5b8fd3d2e268d55dfd2c8e83e0cfe8af479b13c5198bb3f7a8eb2bdecb32edd96f033fbc1681f89590f6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
7d9b650b734b43f7f570e7ef30273238

SHA1
98f6076f020995035f9edf6fc54600f5a1cd0a45

SHA256
e74f7a61dc4be3558dc9f1cf1ab4eb15afe12b0a9a32bc223fb074daf4460ec3

SHA512
e5a56fc01732e38bf5ad2a91363d5a502ae0a989bf05dd63620539e854f03bb41d72a781ec0c08a69e83b1099280bcf3cfa3d1f67ceaa28d382dc352a01ef2e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
70c5ed1cd1130fb1af683a9d78e74fc6

SHA1
ca1d990d6bc13f3858268ed75802982b68aaf694

SHA256
80d12ebda39dc7d21677ae2c5f528eb380888a03f88470c6cb226054fc07606b

SHA512
4f9e59cd37a7a93eb39f98ea919737c781014c854e0e048bb3175b16d81573945f3d97e672b72a3e4c2a45ac17216fb8c588a7ffc3c743e2c83866ebd308a9ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
20aee42497a74b4734ae6550f285c978

SHA1
7bd431d3d85063b8dadffc764da5f3dcc3af1f4d

SHA256
e63d961ff663f92ad40c08eea40faa459c012d82f1c56f0f20bb905237cb7591

SHA512
cfd60756f96cca06fe52ab46b38901abdfa036438ce8f925420dd9ca1ae4c1b4e610ee6e5c011d8bac9c80529349316ce0499eb5b3c945c3da7ce50425f34028

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
0215c76f9a5804253870ae826b089a7d

SHA1
4a9c58d1ef06ce7b3ddc7b911cf866b9828f9f0e

SHA256
5591c91148b44f6ec4fc9860310c957db66ab1f1d23ba2878060724e68af8c5c

SHA512
cd8d3ec701ad4606e570d0944a102a2eca76e2a051f78206e8d919f923ee8901ee8b3cb3c1cbabc97e4a36a63bdbb49afb8481373a334c020cb45f61e21497a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
04c8e18a51deb3e45cde6ea1b2e97720

SHA1
e277c678b24f58ec7fbaafe6f66942f43ef88929

SHA256
c9319b4f17b7f5a143538d1fc7b45846bf3d82ef250cb64703fceacffab01450

SHA512
169a99ad9354b2085e9273fa9c1da516870862b897fd9cf1cfc5a85d1bfc8bf96ab06386a182f58ed2b73f9015602bc89fa9c2b9e59f6d10efeafe152f9ff629

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
ea12425f0cc76a0ac6a5a9db075b5960

SHA1
aebe0fcf99a7f00cad17dbf3ae823635053711a8

SHA256
358269041b5acb12c80bf8d00f0022c664c1858dea8c8485412c24f104970c38

SHA512
bb2461a2be8e2a744053cf4bb36fb01824ea5a6c9053632ee0057ed0b69b7114baa6b0bb18292289261604caf8295d2910d8d89f9be48b864c50054ead847836

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
11981e8787c78cabc4f0b1d93350b337

SHA1
81667d3e10ec3f0792d2406a5efd8a2c55490f40

SHA256
6766fe9493d7b870db0cba9890f6a376c99cd853902e8fcca8b1405fbf4262fc

SHA512
6ec50f7bdf5c7ac8b93b572b03fa69512cb495baf55f3b360f141af79b6c88eb73c5bd38da682f419e27bdc81d4fa4b07c7b6a6f5150ec544a0b06786ee586bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
3b7c91bd39bc64feaf0332d7f0550207

SHA1
e3a2e5ba5cca5a83f3114d6fc8ef728497a21645

SHA256
7933a62d1bb5108ae5c2d0d1a22d4783c4524fcdaff88d0ecb80688e02d27ffc

SHA512
b09d9002dbddf5c190498fc6adc2dac5d9731ae142669263236807a0b192ff21b0d99e98beaf3e0dd2d4bd65db87d826a16bc0aff2a4cfc1d3a76f98bec3bcb8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
1096ae4371661e5d8187930438242235

SHA1
b4d0a84e678de5baeb8a0cd88ed35a031c57aa65

SHA256
69deda6194865f9a8ab6a28f348c469a09914d9bc5299459ce14f94985fc9469

SHA512
3f27b799206782273aacd91460a602ebb2b4302ccf481ac42aa7e0243cc2bf3fd53071f62878069bfa33187b8e9931055169f87d782c8253114c183fa5da7198

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
6ced70cba586356cef7af0491bfab13a

SHA1
00d75e32a3aae79727444524505508040fb21475

SHA256
979bf60674b8ace1f2363b266199cc2f30b68232b0ea54f0d203a7c5afd2f4c1

SHA512
3964335499912167d43735eb81312972aada2dd1ca42a1e5402a3d3fb94d83b98835aaf67afa9c14f128e8870f6d36c6efda1ee03d4763f75eb6b92a70417fa9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
5d62c88bb360e2227ed8f03716579a07

SHA1
e91773576685a3dd96d7e0d9ccf8ca5f11e4b6a2

SHA256
f2368dbcf4b6220a4ef4e16c7f79b17222422a8c89443b411e4f0002a09a1f64

SHA512
7ea8a33b2f977cb5032deb716e2e531c00f24b5e42941d9b0de59a0e6e6cb04567bdd69237bad06f62235cb59ba3dd4b51a2e8acbaeee4a04a6e0b978e795bc9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
9ebbd89f4ee56f20999527f3fe7d0470

SHA1
434666b56f431cb5546bdc3efba9d98386922328

SHA256
958ec8f3d039b5b1a0ceda0cbe1003de754d1ab2ec90ad26ebaa70862141a5ec

SHA512
2f981801ad23f20e969bde248611232eb151103ac9c2ce3412fc6767da61514c77f89e0e14092a531c7f1a3537504c75a3943d5bf0aa3a9f81ed1d18e783e576

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
16c02874fc0501138aef6c0905174827

SHA1
da5b563d8794f53b131a943acd2f09185443853b

SHA256
eea358aafdbe307f6241421dc0a8477bc03a6a23d959c8564adcd8cadb6c9ff5

SHA512
82df17aff149a0702f5bd56374c91815961a9917648d9f99c8b91cdd9e00c54149e65311002ab41213a356d0f8c22a57d1d1f0fbf33c948852c4a046239fee66

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
8f07f7697676c04bdfa496afe49a19b9

SHA1
95593085038a24b17d378451a2f393ee8e90b517

SHA256
5f18877970b3af6e2638592683eaa29e517f48c8f9e043abd0e978fb0b98e15a

SHA512
4ad98f05bf556dce55856b40a158e7f24ce88f2a4c3ea3a97e953a9f4466fedb7dc07f66fcc968523f5c28c358d6f7471898027258bc00f552b69f11c57bf53a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
b8bfe7aa121945a752009a14358e2d10

SHA1
56afacc65d28067702682e0be15e114940321a9b

SHA256
b563b4c9ef28bdbc1395b0fc2528f74392d00d81857e818eb6155c898bfbec6f

SHA512
9d328fd2c570ffd04a28e9cb227a441ea537fa7aa34d60b9641130c698c8a0d28c2b0ed00cb49c105e3ffa0e0436acfc9ff6b8edddfe34e22fd554269e94e439

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
917e39a4156aa9341c9ceaf8f4b4fb2c

SHA1
acb6d0c257511e456a7286f71fc3256cff1e5544

SHA256
e5eec6640f3d1cb57f6641558f42b1313c1be9071deb07d7a11637befcd8c548

SHA512
bb27685913d9b6e51ff3f996dea6f58f7aa9afd84f26d9b3e8e0b992adc72e8a92b39524c5911db3baccf2ee44a49a22eba3e225bbb7df0214959969ec13d461

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
b32caff3c4996e29298b81fcaaba6465

SHA1
baccc8dca9f0ec1d32669d7e30b4ae998ae6f49d

SHA256
4a9fb976bc54730546f7a4add196cc001bd2b057dcbd4832272fb98f3a25fa54

SHA512
17adb45d8ee5a582b10ca930debcdf12120fe1ff4200eba7a188d10f2098b6d3ea1f25178b721a848f572698a00cf6b7f7c6ff2d470791fb6f08327536325715

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
471fe5007652a9fbbf22ac52c2b62ad3

SHA1
4c590b85bb26796f2ab1b7f0c92b0b207a3949c5

SHA256
d4c6aa6f2a59a891edc85d367d61023646cb6a50115ac54ec2f28b739c08bcd5

SHA512
5b4aa380042c78d4cd5d76f641e407721a69c0bea146e2ae5e193c7d75620e7bda55f6960469bde59a57af983eaf0431ccbe0b191aca32d2713e66a7a44f2526

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
d676e86004c361e9c7f99a1174e63e27

SHA1
40d1d772ed18b87113fec9102fe3d7cfc8f83381

SHA256
1a7315be91d604dfba47a251ac1138efbc8c6ed084ba90bbf799e80b90f6231d

SHA512
5ae93b9f163fb954e819ba5af79e3a5880f6bc300048eaadb609af3219a15577a153bc93e22ad82d3e9ff3347ac0ddbe7e0c0e6d736176c793cafef143655bab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
a7cb8257a319beee205b40fa2c35a5e6

SHA1
b74349c7f25458a5ffedd010b200006a5f4ebffd

SHA256
d143e66cb4e27518432b13fa5caaf10eb266f20add996cfa73a1d3499e1aa467

SHA512
6aa739d6576d373ccbf34b533ec5edbe5681ab15e09ae73c7148c87b60acccd4053e987887804bda74c369475205321cd602184cbbfa46c4efeb03a17019da5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
23791e8605bd4df2ed66a6fd49bca9af

SHA1
d573c232c02db4812086225316450f25a4cc3d19

SHA256
597334ffbfbec36ac54388fca24f2840d80b67003559e09ab419a89588f9858b

SHA512
400a43e5e8d38c8727e25f2107ecaeead4432b02f6865f8160ed01eb42f180efd5c0e730cf6225f53cd00fdea93174047ace003a4cca285e6ddfc294d961e11b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
a7303af7ee71542a2894ec51129da94a

SHA1
04c08d9e1b8092483d2431df451535e437e63dc9

SHA256
4d13afb83e3f4a0ca7b28e8a4791ec68536cd58cdea5e890564e82f9727e0fe5

SHA512
c4135aff9c7692a366dafa12db3432990db119c2348637bd8c7ed33b78d59af877942a24175f2a25120296ce6f3c2aa6de377a82bff86f07c6d81bcbcdcca832

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
f417d5f98589cf1ab35eefe95b16c4b4

SHA1
9389f3f7d10014c04a51c99afcb6a3c1faaa6712

SHA256
3b35ec7dfc8c1ac1e0a635bb10634d3c4d031c52c8c61d05ef6d95997fe7ed9b

SHA512
a5257dd5adf6dac194386bdbaed2572b1acae2e1057fc3fc36768a25a2108336410997fcd83b9e665687e737aa564d22f64db95aa79ac64925222aed6f28fafb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
43a3e2e9a081623917835516118b0e36

SHA1
acf556e8c17e74d15c8e5deb37dc01499db08be8

SHA256
4de2c67b8913e52f23eb619fc70df437d4aba75f879ff8e686d358e02beb63e1

SHA512
9e20195f7294268ba1441210481228cff735c7a03271e011031d8ba52dd699124b205a286b45f9f75426114b7f15a8651ecd811666bc911c59f7efdb479b1f7a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
81ad8d10c4680a85e4f03303d6320b6f

SHA1
b32b8e651af05a90d3f9348a4ebe75dbb7f929ee

SHA256
c86d40c6d74bc1c2856ff2cde5fb431659b986e46235cec784b2f11b50f2571e

SHA512
17c2f0be9e373cd60728929426ee34d4b85e03ae2c1d1fb36081c1c471efab839ed0372b4ec3f7f5815286c201c7f91a7af3ef241dd0b6a582bc1b0eeda1f8ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\Setup.exe

Filesize
888KB

MD5
ae9bb8668b8afd40c9305886c6904399

SHA1
810113c11e98789cb607b897a5f144937083d692

SHA256
f80a3287b4e3de00f4b957a0f4e05b9f0aa181268dd041e94610cdac38246718

SHA512
3ac907f4defe0d8b8c37ffee305c13d4340667e2822ff748391121f775732b1d36d73dfd41bec18032ff113a80cad18bc319a0153541af2d8969b2a5aa174623

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_u2dkmzu5.viu.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/436-85-0x0000000070490000-0x00000000704DC000-memory.dmp

Filesize
304KB

Download
memory/624-44-0x0000000007830000-0x00000000078C6000-memory.dmp

Filesize
600KB

Download
memory/624-28-0x0000000006850000-0x0000000006882000-memory.dmp

Filesize
200KB

Download
memory/624-47-0x00000000077F0000-0x0000000007804000-memory.dmp

Filesize
80KB

Download
memory/624-45-0x00000000077B0000-0x00000000077C1000-memory.dmp

Filesize
68KB

Download
memory/624-48-0x00000000078F0000-0x000000000790A000-memory.dmp

Filesize
104KB

Download
memory/624-8-0x0000000073C0E000-0x0000000073C0F000-memory.dmp

Filesize
4KB

Download
memory/624-49-0x00000000078D0000-0x00000000078D8000-memory.dmp

Filesize
32KB

Download
memory/624-43-0x0000000007630000-0x000000000763A000-memory.dmp

Filesize
40KB

Download
memory/624-42-0x00000000075B0000-0x00000000075CA000-memory.dmp

Filesize
104KB

Download
memory/624-41-0x0000000007C00000-0x000000000827A000-memory.dmp

Filesize
6.5MB

Download
memory/624-40-0x0000000007490000-0x0000000007533000-memory.dmp

Filesize
652KB

Download
memory/624-39-0x0000000006830000-0x000000000684E000-memory.dmp

Filesize
120KB

Download
memory/624-29-0x0000000070490000-0x00000000704DC000-memory.dmp

Filesize
304KB

Download
memory/624-46-0x00000000077E0000-0x00000000077EE000-memory.dmp

Filesize
56KB

Download
memory/624-27-0x00000000062C0000-0x000000000630C000-memory.dmp

Filesize
304KB

Download
memory/624-26-0x0000000006290000-0x00000000062AE000-memory.dmp

Filesize
120KB

Download
memory/624-22-0x0000000005C80000-0x0000000005FD4000-memory.dmp

Filesize
3.3MB

Download
memory/624-52-0x0000000073C00000-0x00000000743B0000-memory.dmp

Filesize
7.7MB

Download
memory/624-15-0x0000000005C10000-0x0000000005C76000-memory.dmp

Filesize
408KB

Download
memory/624-9-0x00000000029C0000-0x00000000029F6000-memory.dmp

Filesize
216KB

Download
memory/624-14-0x0000000005BA0000-0x0000000005C06000-memory.dmp

Filesize
408KB

Download
memory/624-13-0x0000000005B00000-0x0000000005B22000-memory.dmp

Filesize
136KB

Download
memory/624-12-0x0000000073C00000-0x00000000743B0000-memory.dmp

Filesize
7.7MB

Download
memory/624-11-0x0000000073C00000-0x00000000743B0000-memory.dmp

Filesize
7.7MB

Download
memory/624-10-0x00000000054A0000-0x0000000005AC8000-memory.dmp

Filesize
6.2MB

Download
memory/724-1131-0x0000000070490000-0x00000000704DC000-memory.dmp

Filesize
304KB

Download
memory/772-624-0x0000000070490000-0x00000000704DC000-memory.dmp

Filesize
304KB

Download
memory/780-1252-0x0000000070490000-0x00000000704DC000-memory.dmp

Filesize
304KB

Download
memory/888-495-0x0000000070490000-0x00000000704DC000-memory.dmp

Filesize
304KB

Download
memory/1004-860-0x0000000070490000-0x00000000704DC000-memory.dmp

Filesize
304KB

Download
memory/1004-858-0x00000000059E0000-0x0000000005D34000-memory.dmp

Filesize
3.3MB

Download
memory/1104-409-0x0000000070490000-0x00000000704DC000-memory.dmp

Filesize
304KB

Download
memory/1212-1171-0x0000000070490000-0x00000000704DC000-memory.dmp

Filesize
304KB

Download
memory/1240-581-0x0000000070490000-0x00000000704DC000-memory.dmp

Filesize
304KB

Download
memory/1272-238-0x0000000070490000-0x00000000704DC000-memory.dmp

Filesize
304KB

Download
memory/1308-946-0x0000000070490000-0x00000000704DC000-memory.dmp

Filesize
304KB

Download
memory/1328-1293-0x0000000070490000-0x00000000704DC000-memory.dmp

Filesize
304KB

Download
memory/1328-1285-0x0000000005E60000-0x00000000061B4000-memory.dmp

Filesize
3.3MB

Download
memory/1376-64-0x0000000070490000-0x00000000704DC000-memory.dmp

Filesize
304KB

Download
memory/1460-838-0x0000000070490000-0x00000000704DC000-memory.dmp

Filesize
304KB

Download
memory/1544-774-0x0000000070490000-0x00000000704DC000-memory.dmp

Filesize
304KB

Download
memory/1712-388-0x0000000070490000-0x00000000704DC000-memory.dmp

Filesize
304KB

Download
memory/1776-516-0x0000000070490000-0x00000000704DC000-memory.dmp

Filesize
304KB

Download
memory/1812-688-0x0000000070490000-0x00000000704DC000-memory.dmp

Filesize
304KB

Download
memory/1876-560-0x0000000070490000-0x00000000704DC000-memory.dmp

Filesize
304KB

Download
memory/1912-452-0x0000000070490000-0x00000000704DC000-memory.dmp

Filesize
304KB

Download
memory/1952-323-0x0000000070490000-0x00000000704DC000-memory.dmp

Filesize
304KB

Download
memory/2016-602-0x0000000070490000-0x00000000704DC000-memory.dmp

Filesize
304KB

Download
memory/2108-817-0x0000000070490000-0x00000000704DC000-memory.dmp

Filesize
304KB

Download
memory/2220-903-0x0000000070490000-0x00000000704DC000-memory.dmp

Filesize
304KB

Download
memory/2224-473-0x0000000070490000-0x00000000704DC000-memory.dmp

Filesize
304KB

Download
memory/2332-1211-0x0000000070490000-0x00000000704DC000-memory.dmp

Filesize
304KB

Download
memory/2332-1333-0x0000000070490000-0x00000000704DC000-memory.dmp

Filesize
304KB

Download
memory/2444-259-0x0000000070490000-0x00000000704DC000-memory.dmp

Filesize
304KB

Download
memory/2836-302-0x0000000070490000-0x00000000704DC000-memory.dmp

Filesize
304KB

Download
memory/2860-367-0x0000000070490000-0x00000000704DC000-memory.dmp

Filesize
304KB

Download
memory/2868-1051-0x0000000070490000-0x00000000704DC000-memory.dmp

Filesize
304KB

Download
memory/2880-753-0x0000000070490000-0x00000000704DC000-memory.dmp

Filesize
304KB

Download
memory/2880-748-0x0000000006100000-0x0000000006454000-memory.dmp

Filesize
3.3MB

Download
memory/3060-882-0x0000000070490000-0x00000000704DC000-memory.dmp

Filesize
304KB

Download
memory/3208-431-0x0000000070490000-0x00000000704DC000-memory.dmp

Filesize
304KB

Download
memory/3216-1071-0x0000000070490000-0x00000000704DC000-memory.dmp

Filesize
304KB

Download
memory/3284-730-0x0000000070490000-0x00000000704DC000-memory.dmp

Filesize
304KB

Download
memory/3464-1151-0x0000000070490000-0x00000000704DC000-memory.dmp

Filesize
304KB

Download
memory/3484-1191-0x0000000070490000-0x00000000704DC000-memory.dmp

Filesize
304KB

Download
memory/3484-1313-0x0000000070490000-0x00000000704DC000-memory.dmp

Filesize
304KB

Download
memory/3492-108-0x0000000070490000-0x00000000704DC000-memory.dmp

Filesize
304KB

Download
memory/3492-97-0x0000000005DD0000-0x0000000006124000-memory.dmp

Filesize
3.3MB

Download
memory/3500-1091-0x0000000070490000-0x00000000704DC000-memory.dmp

Filesize
304KB

Download
memory/3696-645-0x0000000070490000-0x00000000704DC000-memory.dmp

Filesize
304KB

Download
memory/3868-988-0x0000000070490000-0x00000000704DC000-memory.dmp

Filesize
304KB

Download
memory/4224-129-0x0000000070490000-0x00000000704DC000-memory.dmp

Filesize
304KB

Download
memory/4348-795-0x0000000070490000-0x00000000704DC000-memory.dmp

Filesize
304KB

Download
memory/4352-666-0x0000000070490000-0x00000000704DC000-memory.dmp

Filesize
304KB

Download
memory/4444-1272-0x0000000070490000-0x00000000704DC000-memory.dmp

Filesize
304KB

Download
memory/4448-1031-0x0000000070490000-0x00000000704DC000-memory.dmp

Filesize
304KB

Download
memory/4584-1010-0x0000000070490000-0x00000000704DC000-memory.dmp

Filesize
304KB

Download
memory/4584-1353-0x0000000070490000-0x00000000704DC000-memory.dmp

Filesize
304KB

Download
memory/4604-343-0x00000000061D0000-0x0000000006524000-memory.dmp

Filesize
3.3MB

Download
memory/4604-345-0x0000000070490000-0x00000000704DC000-memory.dmp

Filesize
304KB

Download
memory/4720-924-0x0000000070490000-0x00000000704DC000-memory.dmp

Filesize
304KB

Download
memory/4740-280-0x0000000070490000-0x00000000704DC000-memory.dmp

Filesize
304KB

Download
memory/4772-172-0x0000000070490000-0x00000000704DC000-memory.dmp

Filesize
304KB

Download
memory/4772-709-0x0000000070490000-0x00000000704DC000-memory.dmp

Filesize
304KB

Download
memory/4788-538-0x0000000070490000-0x00000000704DC000-memory.dmp

Filesize
304KB

Download
memory/4788-536-0x0000000005A00000-0x0000000005D54000-memory.dmp

Filesize
3.3MB

Download
memory/4820-967-0x0000000070490000-0x00000000704DC000-memory.dmp

Filesize
304KB

Download
memory/4872-192-0x0000000005C90000-0x0000000005FE4000-memory.dmp

Filesize
3.3MB

Download
memory/4872-194-0x0000000070490000-0x00000000704DC000-memory.dmp

Filesize
304KB

Download
memory/5020-1232-0x0000000070490000-0x00000000704DC000-memory.dmp

Filesize
304KB

Download
memory/5020-1231-0x00000000058B0000-0x0000000005C04000-memory.dmp

Filesize
3.3MB

Download
memory/5020-1111-0x0000000070490000-0x00000000704DC000-memory.dmp

Filesize
304KB

Download
memory/5032-150-0x0000000070490000-0x00000000704DC000-memory.dmp

Filesize
304KB

Download
memory/5112-216-0x0000000070490000-0x00000000704DC000-memory.dmp

Filesize
304KB

Download
memory/5112-214-0x00000000059F0000-0x0000000005D44000-memory.dmp

Filesize
3.3MB

Download