quasar | cae8174d33366208ec89a8a16b349f7a78409b7f6421b24c25a1711f222f180b

Analysis

max time kernel
20s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20241023-en
resource tags

arch:x64arch:x86image:win11-20241023-enlocale:en-usos:windows11-21h2-x64system
submitted
09-11-2024 20:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VEGAS_Pro_20.0.0.exe
Size

677.8MB
MD5

3548345d694b258ecdacfb30bf01ef32
SHA1

cf958f11cd7b52f0395d9cbfc0c7c43b01d55ba8
SHA256

cae8174d33366208ec89a8a16b349f7a78409b7f6421b24c25a1711f222f180b
SHA512

bb2b5c4ef4cdc76a182506dcd44fe1f0d8b5ef81261a1463e1c835a37f6c10e2d9d6daf3381df53649fe0a66aed80aeeebb242a244a094603f168a946272f597
SSDEEP

12582912:VpwoWBS+gchR75aVsLbNWMXOpWe2ejvclvdm7Btj9En2nfwgCnXT:/c4+gGLaVKV5eVvclInfw7

Score

10^/10

quasar vegas discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

Vegas

stopman.ooguy.com:1980

craftIP.gize.com:1980

Mutex

hbDAGXDpWKGDNPO4ZT

Attributes

encryption_key
oWXRR9aQDa0d3E44x2b3
install_name
Client.exe
log_directory
mincraft
reconnect_delay
5000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/9136-778-0x0000000000400000-0x000000000045E000-memory.dmp	family_quasar

Executes dropped EXE 8 IoCs

Processes:

Zfafq nnrcw.exeZfafq nnrcw.exeZfafq nnrcw.exeZfafq nnrcw.exeZfafq nnrcw.exeZfafq nnrcw.exeZfafq nnrcw.exeZfafq nnrcw.exe

pid	Process
3900	Zfafq nnrcw.exe
112	Zfafq nnrcw.exe
344	Zfafq nnrcw.exe
3408	Zfafq nnrcw.exe
4056	Zfafq nnrcw.exe
2280	Zfafq nnrcw.exe
4348	Zfafq nnrcw.exe
3960	Zfafq nnrcw.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
1	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	Process	procid_target
6284	6828	WerFault.exe	166
868	7144	WerFault.exe	170
5700	6764	WerFault.exe	174
6472	7896	WerFault.exe	198

System Location Discovery: System Language Discovery 1 TTPs 22 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

powershell.exeZfafq nnrcw.exepowershell.exeVEGAS_Pro_20.0.0.exeZfafq nnrcw.exeVEGAS_Pro_20.0.0.exeVEGAS_Pro_20.0.0.exeZfafq nnrcw.exeZfafq nnrcw.exeVEGAS_Pro_20.0.0.exeVEGAS_Pro_20.0.0.exepowershell.exepowershell.exeZfafq nnrcw.exeVEGAS_Pro_20.0.0.exeVEGAS_Pro_20.0.0.exepowershell.exepowershell.exeZfafq nnrcw.exeVEGAS_Pro_20.0.0.exeZfafq nnrcw.exeZfafq nnrcw.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Zfafq nnrcw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VEGAS_Pro_20.0.0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Zfafq nnrcw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VEGAS_Pro_20.0.0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VEGAS_Pro_20.0.0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Zfafq nnrcw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Zfafq nnrcw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VEGAS_Pro_20.0.0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VEGAS_Pro_20.0.0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Zfafq nnrcw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VEGAS_Pro_20.0.0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VEGAS_Pro_20.0.0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Zfafq nnrcw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VEGAS_Pro_20.0.0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Zfafq nnrcw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Zfafq nnrcw.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
5108	powershell.exe
5108	powershell.exe
2580	powershell.exe
1676	powershell.exe
2580	powershell.exe
1676	powershell.exe
1912	powershell.exe
3388	powershell.exe
3388	powershell.exe
1912	powershell.exe
1912	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	Process
Token: SeDebugPrivilege	5108	powershell.exe
Token: SeDebugPrivilege	2580	powershell.exe
Token: SeDebugPrivilege	1676	powershell.exe
Token: SeDebugPrivilege	1912	powershell.exe
Token: SeDebugPrivilege	3388	powershell.exe

Suspicious use of FindShellTrayWindow 27 IoCs

Processes:

VEGAS_Pro_20.0.0.exeVEGAS_Pro_20.0.0.exeVEGAS_Pro_20.0.0.exeVEGAS_Pro_20.0.0.exeVEGAS_Pro_20.0.0.exeVEGAS_Pro_20.0.0.exeVEGAS_Pro_20.0.0.exeVEGAS_Pro_20.0.0.exe

pid	Process
4268	VEGAS_Pro_20.0.0.exe
4268	VEGAS_Pro_20.0.0.exe
4268	VEGAS_Pro_20.0.0.exe
4268	VEGAS_Pro_20.0.0.exe
4268	VEGAS_Pro_20.0.0.exe
1652	VEGAS_Pro_20.0.0.exe
1652	VEGAS_Pro_20.0.0.exe
1652	VEGAS_Pro_20.0.0.exe
1652	VEGAS_Pro_20.0.0.exe
2416	VEGAS_Pro_20.0.0.exe
2416	VEGAS_Pro_20.0.0.exe
2416	VEGAS_Pro_20.0.0.exe
4088	VEGAS_Pro_20.0.0.exe
4088	VEGAS_Pro_20.0.0.exe
4088	VEGAS_Pro_20.0.0.exe
3036	VEGAS_Pro_20.0.0.exe
3036	VEGAS_Pro_20.0.0.exe
3036	VEGAS_Pro_20.0.0.exe
400	VEGAS_Pro_20.0.0.exe
400	VEGAS_Pro_20.0.0.exe
400	VEGAS_Pro_20.0.0.exe
2964	VEGAS_Pro_20.0.0.exe
2964	VEGAS_Pro_20.0.0.exe
2964	VEGAS_Pro_20.0.0.exe
4476	VEGAS_Pro_20.0.0.exe
4476	VEGAS_Pro_20.0.0.exe
4476	VEGAS_Pro_20.0.0.exe

Suspicious use of SendNotifyMessage 27 IoCs

Processes:

VEGAS_Pro_20.0.0.exeVEGAS_Pro_20.0.0.exeVEGAS_Pro_20.0.0.exeVEGAS_Pro_20.0.0.exeVEGAS_Pro_20.0.0.exeVEGAS_Pro_20.0.0.exeVEGAS_Pro_20.0.0.exeVEGAS_Pro_20.0.0.exe

pid	Process
4268	VEGAS_Pro_20.0.0.exe
4268	VEGAS_Pro_20.0.0.exe
4268	VEGAS_Pro_20.0.0.exe
4268	VEGAS_Pro_20.0.0.exe
4268	VEGAS_Pro_20.0.0.exe
1652	VEGAS_Pro_20.0.0.exe
1652	VEGAS_Pro_20.0.0.exe
1652	VEGAS_Pro_20.0.0.exe
1652	VEGAS_Pro_20.0.0.exe
2416	VEGAS_Pro_20.0.0.exe
2416	VEGAS_Pro_20.0.0.exe
2416	VEGAS_Pro_20.0.0.exe
4088	VEGAS_Pro_20.0.0.exe
4088	VEGAS_Pro_20.0.0.exe
4088	VEGAS_Pro_20.0.0.exe
3036	VEGAS_Pro_20.0.0.exe
3036	VEGAS_Pro_20.0.0.exe
3036	VEGAS_Pro_20.0.0.exe
400	VEGAS_Pro_20.0.0.exe
400	VEGAS_Pro_20.0.0.exe
400	VEGAS_Pro_20.0.0.exe
2964	VEGAS_Pro_20.0.0.exe
2964	VEGAS_Pro_20.0.0.exe
2964	VEGAS_Pro_20.0.0.exe
4476	VEGAS_Pro_20.0.0.exe
4476	VEGAS_Pro_20.0.0.exe
4476	VEGAS_Pro_20.0.0.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

VEGAS_Pro_20.0.0.exeVEGAS_Pro_20.0.0.exeZfafq nnrcw.exeVEGAS_Pro_20.0.0.exeZfafq nnrcw.exeZfafq nnrcw.exeVEGAS_Pro_20.0.0.exeVEGAS_Pro_20.0.0.exeZfafq nnrcw.exeVEGAS_Pro_20.0.0.exeZfafq nnrcw.exeVEGAS_Pro_20.0.0.exeZfafq nnrcw.exeVEGAS_Pro_20.0.0.exe

description	pid	Process	procid_target
PID 4268 wrote to memory of 3900	4268	VEGAS_Pro_20.0.0.exe	80
PID 4268 wrote to memory of 3900	4268	VEGAS_Pro_20.0.0.exe	80
PID 4268 wrote to memory of 3900	4268	VEGAS_Pro_20.0.0.exe	80
PID 4268 wrote to memory of 1652	4268	VEGAS_Pro_20.0.0.exe	81
PID 4268 wrote to memory of 1652	4268	VEGAS_Pro_20.0.0.exe	81
PID 4268 wrote to memory of 1652	4268	VEGAS_Pro_20.0.0.exe	81
PID 1652 wrote to memory of 112	1652	VEGAS_Pro_20.0.0.exe	82
PID 1652 wrote to memory of 112	1652	VEGAS_Pro_20.0.0.exe	82
PID 1652 wrote to memory of 112	1652	VEGAS_Pro_20.0.0.exe	82
PID 1652 wrote to memory of 2416	1652	VEGAS_Pro_20.0.0.exe	83
PID 1652 wrote to memory of 2416	1652	VEGAS_Pro_20.0.0.exe	83
PID 1652 wrote to memory of 2416	1652	VEGAS_Pro_20.0.0.exe	83
PID 3900 wrote to memory of 5108	3900	Zfafq nnrcw.exe	84
PID 3900 wrote to memory of 5108	3900	Zfafq nnrcw.exe	84
PID 3900 wrote to memory of 5108	3900	Zfafq nnrcw.exe	84
PID 2416 wrote to memory of 344	2416	VEGAS_Pro_20.0.0.exe	86
PID 2416 wrote to memory of 344	2416	VEGAS_Pro_20.0.0.exe	86
PID 2416 wrote to memory of 344	2416	VEGAS_Pro_20.0.0.exe	86
PID 2416 wrote to memory of 4088	2416	VEGAS_Pro_20.0.0.exe	87
PID 2416 wrote to memory of 4088	2416	VEGAS_Pro_20.0.0.exe	87
PID 2416 wrote to memory of 4088	2416	VEGAS_Pro_20.0.0.exe	87
PID 112 wrote to memory of 2580	112	Zfafq nnrcw.exe	88
PID 112 wrote to memory of 2580	112	Zfafq nnrcw.exe	88
PID 112 wrote to memory of 2580	112	Zfafq nnrcw.exe	88
PID 344 wrote to memory of 1676	344	Zfafq nnrcw.exe	90
PID 344 wrote to memory of 1676	344	Zfafq nnrcw.exe	90
PID 344 wrote to memory of 1676	344	Zfafq nnrcw.exe	90
PID 4088 wrote to memory of 3408	4088	VEGAS_Pro_20.0.0.exe	91
PID 4088 wrote to memory of 3408	4088	VEGAS_Pro_20.0.0.exe	91
PID 4088 wrote to memory of 3408	4088	VEGAS_Pro_20.0.0.exe	91
PID 4088 wrote to memory of 3036	4088	VEGAS_Pro_20.0.0.exe	93
PID 4088 wrote to memory of 3036	4088	VEGAS_Pro_20.0.0.exe	93
PID 4088 wrote to memory of 3036	4088	VEGAS_Pro_20.0.0.exe	93
PID 3036 wrote to memory of 4056	3036	VEGAS_Pro_20.0.0.exe	94
PID 3036 wrote to memory of 4056	3036	VEGAS_Pro_20.0.0.exe	94
PID 3036 wrote to memory of 4056	3036	VEGAS_Pro_20.0.0.exe	94
PID 3036 wrote to memory of 400	3036	VEGAS_Pro_20.0.0.exe	126
PID 3036 wrote to memory of 400	3036	VEGAS_Pro_20.0.0.exe	126
PID 3036 wrote to memory of 400	3036	VEGAS_Pro_20.0.0.exe	126
PID 3408 wrote to memory of 1912	3408	Zfafq nnrcw.exe	96
PID 3408 wrote to memory of 1912	3408	Zfafq nnrcw.exe	96
PID 3408 wrote to memory of 1912	3408	Zfafq nnrcw.exe	96
PID 400 wrote to memory of 2280	400	VEGAS_Pro_20.0.0.exe	98
PID 400 wrote to memory of 2280	400	VEGAS_Pro_20.0.0.exe	98
PID 400 wrote to memory of 2280	400	VEGAS_Pro_20.0.0.exe	98
PID 400 wrote to memory of 2964	400	VEGAS_Pro_20.0.0.exe	99
PID 400 wrote to memory of 2964	400	VEGAS_Pro_20.0.0.exe	99
PID 400 wrote to memory of 2964	400	VEGAS_Pro_20.0.0.exe	99
PID 4056 wrote to memory of 3388	4056	Zfafq nnrcw.exe	100
PID 4056 wrote to memory of 3388	4056	Zfafq nnrcw.exe	100
PID 4056 wrote to memory of 3388	4056	Zfafq nnrcw.exe	100
PID 2964 wrote to memory of 4348	2964	VEGAS_Pro_20.0.0.exe	102
PID 2964 wrote to memory of 4348	2964	VEGAS_Pro_20.0.0.exe	102
PID 2964 wrote to memory of 4348	2964	VEGAS_Pro_20.0.0.exe	102
PID 2964 wrote to memory of 4476	2964	VEGAS_Pro_20.0.0.exe	103
PID 2964 wrote to memory of 4476	2964	VEGAS_Pro_20.0.0.exe	103
PID 2964 wrote to memory of 4476	2964	VEGAS_Pro_20.0.0.exe	103
PID 2280 wrote to memory of 128	2280	Zfafq nnrcw.exe	104
PID 2280 wrote to memory of 128	2280	Zfafq nnrcw.exe	104
PID 2280 wrote to memory of 128	2280	Zfafq nnrcw.exe	104
PID 4476 wrote to memory of 3960	4476	VEGAS_Pro_20.0.0.exe	106
PID 4476 wrote to memory of 3960	4476	VEGAS_Pro_20.0.0.exe	106
PID 4476 wrote to memory of 3960	4476	VEGAS_Pro_20.0.0.exe	106
PID 4476 wrote to memory of 3156	4476	VEGAS_Pro_20.0.0.exe	107

C:\Users\Admin\AppData\Local\Temp\VEGAS_Pro_20.0.0.exe
"C:\Users\Admin\AppData\Local\Temp\VEGAS_Pro_20.0.0.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4268
- C:\Users\Admin\AppData\Local\Temp\Zfafq nnrcw.exe
  "C:\Users\Admin\AppData\Local\Temp/Zfafq nnrcw.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3900
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5108
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwADsAIABTAGUAdAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAJwBDADoAXAAnAA==
    3⤵
    PID:9044
- - C:\Users\Admin\AppData\Local\Temp\Zfafq nnrcw.exe
    "C:\Users\Admin\AppData\Local\Temp\Zfafq nnrcw.exe"
    3⤵
    PID:6040
- C:\Users\Admin\AppData\Local\Temp\VEGAS_Pro_20.0.0.exe
  C:\Users\Admin\AppData\Local\Temp/VEGAS_Pro_20.0.0.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1652
- - C:\Users\Admin\AppData\Local\Temp\Zfafq nnrcw.exe
    "C:\Users\Admin\AppData\Local\Temp/Zfafq nnrcw.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:112
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2580
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwADsAIABTAGUAdAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAJwBDADoAXAAnAA==
      4⤵
      PID:8440
  - - C:\Users\Admin\AppData\Local\Temp\Zfafq nnrcw.exe
      "C:\Users\Admin\AppData\Local\Temp\Zfafq nnrcw.exe"
      4⤵
      PID:9136
- - C:\Users\Admin\AppData\Local\Temp\VEGAS_Pro_20.0.0.exe
    C:\Users\Admin\AppData\Local\Temp/VEGAS_Pro_20.0.0.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2416
  - - C:\Users\Admin\AppData\Local\Temp\Zfafq nnrcw.exe
      "C:\Users\Admin\AppData\Local\Temp/Zfafq nnrcw.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:344
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1676
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwADsAIABTAGUAdAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAJwBDADoAXAAnAA==
        5⤵
        
        PID:8772
    - - C:\Users\Admin\AppData\Local\Temp\Zfafq nnrcw.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Zfafq nnrcw.exe"
        5⤵
        
        PID:1448
  - - C:\Users\Admin\AppData\Local\Temp\VEGAS_Pro_20.0.0.exe
      C:\Users\Admin\AppData\Local\Temp/VEGAS_Pro_20.0.0.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:4088
    - - C:\Users\Admin\AppData\Local\Temp\Zfafq nnrcw.exe
        
        "C:\Users\Admin\AppData\Local\Temp/Zfafq nnrcw.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3408
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1912
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwADsAIABTAGUAdAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAJwBDADoAXAAnAA==
        6⤵
        
        PID:3704
      - C:\Users\Admin\AppData\Local\Temp\Zfafq nnrcw.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Zfafq nnrcw.exe"
        6⤵
        
        PID:6956
    - - C:\Users\Admin\AppData\Local\Temp\VEGAS_Pro_20.0.0.exe
        
        C:\Users\Admin\AppData\Local\Temp/VEGAS_Pro_20.0.0.exe
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:3036
      - C:\Users\Admin\AppData\Local\Temp\Zfafq nnrcw.exe
        
        "C:\Users\Admin\AppData\Local\Temp/Zfafq nnrcw.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4056
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3388
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwADsAIABTAGUAdAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAJwBDADoAXAAnAA==
        7⤵
        
        PID:4968
        
        C:\Users\Admin\AppData\Local\Temp\Zfafq nnrcw.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Zfafq nnrcw.exe"
        7⤵
        
        PID:2660
      - C:\Users\Admin\AppData\Local\Temp\VEGAS_Pro_20.0.0.exe
        
        C:\Users\Admin\AppData\Local\Temp/VEGAS_Pro_20.0.0.exe
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:400
        
        C:\Users\Admin\AppData\Local\Temp\Zfafq nnrcw.exe
        
        "C:\Users\Admin\AppData\Local\Temp/Zfafq nnrcw.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2280
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:128
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwADsAIABTAGUAdAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAJwBDADoAXAAnAA==
        8⤵
        
        PID:8580
        
        C:\Users\Admin\AppData\Local\Temp\Zfafq nnrcw.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Zfafq nnrcw.exe"
        8⤵
        
        PID:9188
        
        C:\Users\Admin\AppData\Local\Temp\VEGAS_Pro_20.0.0.exe
        
        C:\Users\Admin\AppData\Local\Temp/VEGAS_Pro_20.0.0.exe
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2964
        
        C:\Users\Admin\AppData\Local\Temp\Zfafq nnrcw.exe
        
        "C:\Users\Admin\AppData\Local\Temp/Zfafq nnrcw.exe"
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4348
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==
        9⤵
        
        PID:4112
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwADsAIABTAGUAdAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAJwBDADoAXAAnAA==
        9⤵
        
        PID:9324
        
        C:\Users\Admin\AppData\Local\Temp\Zfafq nnrcw.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Zfafq nnrcw.exe"
        9⤵
        
        PID:5680
        
        C:\Users\Admin\AppData\Local\Temp\Zfafq nnrcw.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Zfafq nnrcw.exe"
        9⤵
        
        PID:9572
        
        C:\Users\Admin\AppData\Local\Temp\Zfafq nnrcw.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Zfafq nnrcw.exe"
        9⤵
        
        PID:10024
        
        C:\Users\Admin\AppData\Local\Temp\Zfafq nnrcw.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Zfafq nnrcw.exe"
        9⤵
        
        PID:1196
        
        C:\Users\Admin\AppData\Local\Temp\VEGAS_Pro_20.0.0.exe
        
        C:\Users\Admin\AppData\Local\Temp/VEGAS_Pro_20.0.0.exe
        8⤵
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:4476
        
        C:\Users\Admin\AppData\Local\Temp\Zfafq nnrcw.exe
        
        "C:\Users\Admin\AppData\Local\Temp/Zfafq nnrcw.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3960
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==
        10⤵
        
        PID:4492
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwADsAIABTAGUAdAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAJwBDADoAXAAnAA==
        10⤵
        
        PID:9544
        
        C:\Users\Admin\AppData\Local\Temp\Zfafq nnrcw.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Zfafq nnrcw.exe"
        10⤵
        
        PID:8160
        
        C:\Users\Admin\AppData\Local\Temp\VEGAS_Pro_20.0.0.exe
        
        C:\Users\Admin\AppData\Local\Temp/VEGAS_Pro_20.0.0.exe
        9⤵
        
        PID:3156
        
        C:\Users\Admin\AppData\Local\Temp\Zfafq nnrcw.exe
        
        "C:\Users\Admin\AppData\Local\Temp/Zfafq nnrcw.exe"
        10⤵
        
        PID:3532
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==
        11⤵
        
        PID:3852
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwADsAIABTAGUAdAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAJwBDADoAXAAnAA==
        11⤵
        
        PID:9884
        
        C:\Users\Admin\AppData\Local\Temp\Zfafq nnrcw.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Zfafq nnrcw.exe"
        11⤵
        
        PID:7956
        
        C:\Users\Admin\AppData\Local\Temp\VEGAS_Pro_20.0.0.exe
        
        C:\Users\Admin\AppData\Local\Temp/VEGAS_Pro_20.0.0.exe
        10⤵
        
        PID:1672
        
        C:\Users\Admin\AppData\Local\Temp\Zfafq nnrcw.exe
        
        "C:\Users\Admin\AppData\Local\Temp/Zfafq nnrcw.exe"
        11⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==
        12⤵
        
        PID:1384
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwADsAIABTAGUAdAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAJwBDADoAXAAnAA==
        12⤵
        
        PID:10128
        
        C:\Users\Admin\AppData\Local\Temp\VEGAS_Pro_20.0.0.exe
        
        C:\Users\Admin\AppData\Local\Temp/VEGAS_Pro_20.0.0.exe
        11⤵
        
        PID:1192
        
        C:\Users\Admin\AppData\Local\Temp\Zfafq nnrcw.exe
        
        "C:\Users\Admin\AppData\Local\Temp/Zfafq nnrcw.exe"
        12⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==
        13⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwADsAIABTAGUAdAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAJwBDADoAXAAnAA==
        13⤵
        
        PID:9260
        
        C:\Users\Admin\AppData\Local\Temp\VEGAS_Pro_20.0.0.exe
        
        C:\Users\Admin\AppData\Local\Temp/VEGAS_Pro_20.0.0.exe
        12⤵
        
        PID:4592
        
        C:\Users\Admin\AppData\Local\Temp\Zfafq nnrcw.exe
        
        "C:\Users\Admin\AppData\Local\Temp/Zfafq nnrcw.exe"
        13⤵
        
        PID:1260
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==
        14⤵
        
        PID:988
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwADsAIABTAGUAdAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAJwBDADoAXAAnAA==
        14⤵
        
        PID:1316
        
        C:\Users\Admin\AppData\Local\Temp\VEGAS_Pro_20.0.0.exe
        
        C:\Users\Admin\AppData\Local\Temp/VEGAS_Pro_20.0.0.exe
        13⤵
        
        PID:4276
        
        C:\Users\Admin\AppData\Local\Temp\Zfafq nnrcw.exe
        
        "C:\Users\Admin\AppData\Local\Temp/Zfafq nnrcw.exe"
        14⤵
        
        PID:400
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==
        15⤵
        
        PID:5388
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwADsAIABTAGUAdAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAJwBDADoAXAAnAA==
        15⤵
        
        PID:232
        
        C:\Users\Admin\AppData\Local\Temp\VEGAS_Pro_20.0.0.exe
        
        C:\Users\Admin\AppData\Local\Temp/VEGAS_Pro_20.0.0.exe
        14⤵
        
        PID:4592
        
        C:\Users\Admin\AppData\Local\Temp\Zfafq nnrcw.exe
        
        "C:\Users\Admin\AppData\Local\Temp/Zfafq nnrcw.exe"
        15⤵
        
        PID:5248
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==
        16⤵
        
        PID:5596
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwADsAIABTAGUAdAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAJwBDADoAXAAnAA==
        16⤵
        
        PID:2416
        
        C:\Users\Admin\AppData\Local\Temp\VEGAS_Pro_20.0.0.exe
        
        C:\Users\Admin\AppData\Local\Temp/VEGAS_Pro_20.0.0.exe
        15⤵
        
        PID:5260
        
        C:\Users\Admin\AppData\Local\Temp\Zfafq nnrcw.exe
        
        "C:\Users\Admin\AppData\Local\Temp/Zfafq nnrcw.exe"
        16⤵
        
        PID:5456
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==
        17⤵
        
        PID:5808
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwADsAIABTAGUAdAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAJwBDADoAXAAnAA==
        17⤵
        
        PID:9336
        
        C:\Users\Admin\AppData\Local\Temp\VEGAS_Pro_20.0.0.exe
        
        C:\Users\Admin\AppData\Local\Temp/VEGAS_Pro_20.0.0.exe
        16⤵
        
        PID:5464
        
        C:\Users\Admin\AppData\Local\Temp\Zfafq nnrcw.exe
        
        "C:\Users\Admin\AppData\Local\Temp/Zfafq nnrcw.exe"
        17⤵
        
        PID:5688
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==
        18⤵
        
        PID:6088
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwADsAIABTAGUAdAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAJwBDADoAXAAnAA==
        18⤵
        
        PID:3132
        
        C:\Users\Admin\AppData\Local\Temp\VEGAS_Pro_20.0.0.exe
        
        C:\Users\Admin\AppData\Local\Temp/VEGAS_Pro_20.0.0.exe
        17⤵
        
        PID:5696
        
        C:\Users\Admin\AppData\Local\Temp\Zfafq nnrcw.exe
        
        "C:\Users\Admin\AppData\Local\Temp/Zfafq nnrcw.exe"
        18⤵
        
        PID:5920
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==
        19⤵
        
        PID:5528
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwADsAIABTAGUAdAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAJwBDADoAXAAnAA==
        19⤵
        
        PID:7236
        
        C:\Users\Admin\AppData\Local\Temp\VEGAS_Pro_20.0.0.exe
        
        C:\Users\Admin\AppData\Local\Temp/VEGAS_Pro_20.0.0.exe
        18⤵
        
        PID:5928
        
        C:\Users\Admin\AppData\Local\Temp\Zfafq nnrcw.exe
        
        "C:\Users\Admin\AppData\Local\Temp/Zfafq nnrcw.exe"
        19⤵
        
        PID:4020
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==
        20⤵
        
        PID:6100
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwADsAIABTAGUAdAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAJwBDADoAXAAnAA==
        20⤵
        
        PID:9976
        
        C:\Users\Admin\AppData\Local\Temp\VEGAS_Pro_20.0.0.exe
        
        C:\Users\Admin\AppData\Local\Temp/VEGAS_Pro_20.0.0.exe
        19⤵
        
        PID:4500
        
        C:\Users\Admin\AppData\Local\Temp\Zfafq nnrcw.exe
        
        "C:\Users\Admin\AppData\Local\Temp/Zfafq nnrcw.exe"
        20⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==
        21⤵
        
        PID:6188
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwADsAIABTAGUAdAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAJwBDADoAXAAnAA==
        21⤵
        
        PID:704
        
        C:\Users\Admin\AppData\Local\Temp\VEGAS_Pro_20.0.0.exe
        
        C:\Users\Admin\AppData\Local\Temp/VEGAS_Pro_20.0.0.exe
        20⤵
        
        PID:5700
        
        C:\Users\Admin\AppData\Local\Temp\Zfafq nnrcw.exe
        
        "C:\Users\Admin\AppData\Local\Temp/Zfafq nnrcw.exe"
        21⤵
        
        PID:5468
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==
        22⤵
        
        PID:6424
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwADsAIABTAGUAdAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAJwBDADoAXAAnAA==
        22⤵
        
        PID:6192
        
        C:\Users\Admin\AppData\Local\Temp\VEGAS_Pro_20.0.0.exe
        
        C:\Users\Admin\AppData\Local\Temp/VEGAS_Pro_20.0.0.exe
        21⤵
        
        PID:5616
        
        C:\Users\Admin\AppData\Local\Temp\Zfafq nnrcw.exe
        
        "C:\Users\Admin\AppData\Local\Temp/Zfafq nnrcw.exe"
        22⤵
        
        PID:6332
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==
        23⤵
        
        PID:6748
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwADsAIABTAGUAdAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAJwBDADoAXAAnAA==
        23⤵
        
        PID:6500
        
        C:\Users\Admin\AppData\Local\Temp\VEGAS_Pro_20.0.0.exe
        
        C:\Users\Admin\AppData\Local\Temp/VEGAS_Pro_20.0.0.exe
        22⤵
        
        PID:6340
        
        C:\Users\Admin\AppData\Local\Temp\Zfafq nnrcw.exe
        
        "C:\Users\Admin\AppData\Local\Temp/Zfafq nnrcw.exe"
        23⤵
        
        PID:6564
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==
        24⤵
        
        PID:6916
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwADsAIABTAGUAdAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAJwBDADoAXAAnAA==
        24⤵
        
        PID:10088
        
        C:\Users\Admin\AppData\Local\Temp\VEGAS_Pro_20.0.0.exe
        
        C:\Users\Admin\AppData\Local\Temp/VEGAS_Pro_20.0.0.exe
        23⤵
        
        PID:6572
        
        C:\Users\Admin\AppData\Local\Temp\Zfafq nnrcw.exe
        
        "C:\Users\Admin\AppData\Local\Temp/Zfafq nnrcw.exe"
        24⤵
        
        PID:6828
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==
        25⤵
        
        PID:5940
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6828 -s 1452
        25⤵
        Program crash
        
        PID:6284
        
        C:\Users\Admin\AppData\Local\Temp\VEGAS_Pro_20.0.0.exe
        
        C:\Users\Admin\AppData\Local\Temp/VEGAS_Pro_20.0.0.exe
        24⤵
        
        PID:6836
        
        C:\Users\Admin\AppData\Local\Temp\Zfafq nnrcw.exe
        
        "C:\Users\Admin\AppData\Local\Temp/Zfafq nnrcw.exe"
        25⤵
        
        PID:7144
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==
        26⤵
        
        PID:6644
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7144 -s 912
        26⤵
        Program crash
        
        PID:868
        
        C:\Users\Admin\AppData\Local\Temp\VEGAS_Pro_20.0.0.exe
        
        C:\Users\Admin\AppData\Local\Temp/VEGAS_Pro_20.0.0.exe
        25⤵
        
        PID:7152
        
        C:\Users\Admin\AppData\Local\Temp\Zfafq nnrcw.exe
        
        "C:\Users\Admin\AppData\Local\Temp/Zfafq nnrcw.exe"
        26⤵
        
        PID:6764
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==
        27⤵
        
        PID:7124
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6764 -s 904
        27⤵
        Program crash
        
        PID:5700
        
        C:\Users\Admin\AppData\Local\Temp\VEGAS_Pro_20.0.0.exe
        
        C:\Users\Admin\AppData\Local\Temp/VEGAS_Pro_20.0.0.exe
        26⤵
        
        PID:6776
        
        C:\Users\Admin\AppData\Local\Temp\Zfafq nnrcw.exe
        
        "C:\Users\Admin\AppData\Local\Temp/Zfafq nnrcw.exe"
        27⤵
        
        PID:5892
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==
        28⤵
        
        PID:3684
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwADsAIABTAGUAdAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAJwBDADoAXAAnAA==
        28⤵
        
        PID:7084
        
        C:\Users\Admin\AppData\Local\Temp\VEGAS_Pro_20.0.0.exe
        
        C:\Users\Admin\AppData\Local\Temp/VEGAS_Pro_20.0.0.exe
        27⤵
        
        PID:6168
        
        C:\Users\Admin\AppData\Local\Temp\Zfafq nnrcw.exe
        
        "C:\Users\Admin\AppData\Local\Temp/Zfafq nnrcw.exe"
        28⤵
        
        PID:7048
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==
        29⤵
        
        PID:7264
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwADsAIABTAGUAdAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAJwBDADoAXAAnAA==
        29⤵
        
        PID:10136
        
        C:\Users\Admin\AppData\Local\Temp\VEGAS_Pro_20.0.0.exe
        
        C:\Users\Admin\AppData\Local\Temp/VEGAS_Pro_20.0.0.exe
        28⤵
        
        PID:2732
        
        C:\Users\Admin\AppData\Local\Temp\Zfafq nnrcw.exe
        
        "C:\Users\Admin\AppData\Local\Temp/Zfafq nnrcw.exe"
        29⤵
        
        PID:7188
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==
        30⤵
        
        PID:7512
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwADsAIABTAGUAdAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAJwBDADoAXAAnAA==
        30⤵
        
        PID:7176
        
        C:\Users\Admin\AppData\Local\Temp\VEGAS_Pro_20.0.0.exe
        
        C:\Users\Admin\AppData\Local\Temp/VEGAS_Pro_20.0.0.exe
        29⤵
        
        PID:7196
        
        C:\Users\Admin\AppData\Local\Temp\Zfafq nnrcw.exe
        
        "C:\Users\Admin\AppData\Local\Temp/Zfafq nnrcw.exe"
        30⤵
        
        PID:7392
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==
        31⤵
        
        PID:7760
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwADsAIABTAGUAdAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAJwBDADoAXAAnAA==
        31⤵
        
        PID:7592
        
        C:\Users\Admin\AppData\Local\Temp\VEGAS_Pro_20.0.0.exe
        
        C:\Users\Admin\AppData\Local\Temp/VEGAS_Pro_20.0.0.exe
        30⤵
        
        PID:7400
        
        C:\Users\Admin\AppData\Local\Temp\Zfafq nnrcw.exe
        
        "C:\Users\Admin\AppData\Local\Temp/Zfafq nnrcw.exe"
        31⤵
        
        PID:7716
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==
        32⤵
        
        PID:8020
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwADsAIABTAGUAdAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAJwBDADoAXAAnAA==
        32⤵
        
        PID:916
        
        C:\Users\Admin\AppData\Local\Temp\VEGAS_Pro_20.0.0.exe
        
        C:\Users\Admin\AppData\Local\Temp/VEGAS_Pro_20.0.0.exe
        31⤵
        
        PID:7724
        
        C:\Users\Admin\AppData\Local\Temp\Zfafq nnrcw.exe
        
        "C:\Users\Admin\AppData\Local\Temp/Zfafq nnrcw.exe"
        32⤵
        
        PID:7896
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==
        33⤵
        
        PID:8156
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7896 -s 1128
        33⤵
        Program crash
        
        PID:6472
        
        C:\Users\Admin\AppData\Local\Temp\VEGAS_Pro_20.0.0.exe
        
        C:\Users\Admin\AppData\Local\Temp/VEGAS_Pro_20.0.0.exe
        32⤵
        
        PID:7904
        
        C:\Users\Admin\AppData\Local\Temp\Zfafq nnrcw.exe
        
        "C:\Users\Admin\AppData\Local\Temp/Zfafq nnrcw.exe"
        33⤵
        
        PID:8148
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==
        34⤵
        
        PID:7704
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwADsAIABTAGUAdAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAJwBDADoAXAAnAA==
        34⤵
        
        PID:7272
        
        C:\Users\Admin\AppData\Local\Temp\VEGAS_Pro_20.0.0.exe
        
        C:\Users\Admin\AppData\Local\Temp/VEGAS_Pro_20.0.0.exe
        33⤵
        
        PID:8168
        
        C:\Users\Admin\AppData\Local\Temp\Zfafq nnrcw.exe
        
        "C:\Users\Admin\AppData\Local\Temp/Zfafq nnrcw.exe"
        34⤵
        
        PID:7528
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==
        35⤵
        
        PID:8164
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwADsAIABTAGUAdAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAJwBDADoAXAAnAA==
        35⤵
        
        PID:9408
        
        C:\Users\Admin\AppData\Local\Temp\VEGAS_Pro_20.0.0.exe
        
        C:\Users\Admin\AppData\Local\Temp/VEGAS_Pro_20.0.0.exe
        34⤵
        
        PID:7536
        
        C:\Users\Admin\AppData\Local\Temp\Zfafq nnrcw.exe
        
        "C:\Users\Admin\AppData\Local\Temp/Zfafq nnrcw.exe"
        35⤵
        
        PID:1368
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==
        36⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwADsAIABTAGUAdAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAJwBDADoAXAAnAA==
        36⤵
        
        PID:9440
        
        C:\Users\Admin\AppData\Local\Temp\VEGAS_Pro_20.0.0.exe
        
        C:\Users\Admin\AppData\Local\Temp/VEGAS_Pro_20.0.0.exe
        35⤵
        
        PID:8004
        
        C:\Users\Admin\AppData\Local\Temp\Zfafq nnrcw.exe
        
        "C:\Users\Admin\AppData\Local\Temp/Zfafq nnrcw.exe"
        36⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==
        37⤵
        
        PID:1264
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwADsAIABTAGUAdAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAJwBDADoAXAAnAA==
        37⤵
        
        PID:10076
        
        C:\Users\Admin\AppData\Local\Temp\VEGAS_Pro_20.0.0.exe
        
        C:\Users\Admin\AppData\Local\Temp/VEGAS_Pro_20.0.0.exe
        36⤵
        
        PID:4000
        
        C:\Users\Admin\AppData\Local\Temp\Zfafq nnrcw.exe
        
        "C:\Users\Admin\AppData\Local\Temp/Zfafq nnrcw.exe"
        37⤵
        
        PID:7448
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==
        38⤵
        
        PID:8264
        
        C:\Users\Admin\AppData\Local\Temp\VEGAS_Pro_20.0.0.exe
        
        C:\Users\Admin\AppData\Local\Temp/VEGAS_Pro_20.0.0.exe
        37⤵
        
        PID:3676
        
        C:\Users\Admin\AppData\Local\Temp\Zfafq nnrcw.exe
        
        "C:\Users\Admin\AppData\Local\Temp/Zfafq nnrcw.exe"
        38⤵
        
        PID:5656
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==
        39⤵
        
        PID:8376
        
        C:\Users\Admin\AppData\Local\Temp\VEGAS_Pro_20.0.0.exe
        
        C:\Users\Admin\AppData\Local\Temp/VEGAS_Pro_20.0.0.exe
        38⤵
        
        PID:5948
        
        C:\Users\Admin\AppData\Local\Temp\Zfafq nnrcw.exe
        
        "C:\Users\Admin\AppData\Local\Temp/Zfafq nnrcw.exe"
        39⤵
        
        PID:8416
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==
        40⤵
        
        PID:8724
        
        C:\Users\Admin\AppData\Local\Temp\VEGAS_Pro_20.0.0.exe
        
        C:\Users\Admin\AppData\Local\Temp/VEGAS_Pro_20.0.0.exe
        39⤵
        
        PID:8424
        
        C:\Users\Admin\AppData\Local\Temp\Zfafq nnrcw.exe
        
        "C:\Users\Admin\AppData\Local\Temp/Zfafq nnrcw.exe"
        40⤵
        
        PID:8608
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==
        41⤵
        
        PID:8900
        
        C:\Users\Admin\AppData\Local\Temp\VEGAS_Pro_20.0.0.exe
        
        C:\Users\Admin\AppData\Local\Temp/VEGAS_Pro_20.0.0.exe
        40⤵
        
        PID:8616
        
        C:\Users\Admin\AppData\Local\Temp\Zfafq nnrcw.exe
        
        "C:\Users\Admin\AppData\Local\Temp/Zfafq nnrcw.exe"
        41⤵
        
        PID:8852
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==
        42⤵
        
        PID:7028
        
        C:\Users\Admin\AppData\Local\Temp\VEGAS_Pro_20.0.0.exe
        
        C:\Users\Admin\AppData\Local\Temp/VEGAS_Pro_20.0.0.exe
        41⤵
        
        PID:8860
        
        C:\Users\Admin\AppData\Local\Temp\Zfafq nnrcw.exe
        
        "C:\Users\Admin\AppData\Local\Temp/Zfafq nnrcw.exe"
        42⤵
        
        PID:9140
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==
        43⤵
        
        PID:664
        
        C:\Users\Admin\AppData\Local\Temp\VEGAS_Pro_20.0.0.exe
        
        C:\Users\Admin\AppData\Local\Temp/VEGAS_Pro_20.0.0.exe
        42⤵
        
        PID:9156
        
        C:\Users\Admin\AppData\Local\Temp\Zfafq nnrcw.exe
        
        "C:\Users\Admin\AppData\Local\Temp/Zfafq nnrcw.exe"
        43⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==
        44⤵
        
        PID:9180
        
        C:\Users\Admin\AppData\Local\Temp\VEGAS_Pro_20.0.0.exe
        
        C:\Users\Admin\AppData\Local\Temp/VEGAS_Pro_20.0.0.exe
        43⤵
        
        PID:4684
        
        C:\Users\Admin\AppData\Local\Temp\Zfafq nnrcw.exe
        
        "C:\Users\Admin\AppData\Local\Temp/Zfafq nnrcw.exe"
        44⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==
        45⤵
        
        PID:2780
        
        C:\Users\Admin\AppData\Local\Temp\VEGAS_Pro_20.0.0.exe
        
        C:\Users\Admin\AppData\Local\Temp/VEGAS_Pro_20.0.0.exe
        44⤵
        
        PID:8580
        
        C:\Users\Admin\AppData\Local\Temp\Zfafq nnrcw.exe
        
        "C:\Users\Admin\AppData\Local\Temp/Zfafq nnrcw.exe"
        45⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==
        46⤵
        
        PID:9308
        
        C:\Users\Admin\AppData\Local\Temp\VEGAS_Pro_20.0.0.exe
        
        C:\Users\Admin\AppData\Local\Temp/VEGAS_Pro_20.0.0.exe
        45⤵
        
        PID:2224
        
        C:\Users\Admin\AppData\Local\Temp\Zfafq nnrcw.exe
        
        "C:\Users\Admin\AppData\Local\Temp/Zfafq nnrcw.exe"
        46⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==
        47⤵
        
        PID:9616
        
        C:\Users\Admin\AppData\Local\Temp\VEGAS_Pro_20.0.0.exe
        
        C:\Users\Admin\AppData\Local\Temp/VEGAS_Pro_20.0.0.exe
        46⤵
        
        PID:3428
        
        C:\Users\Admin\AppData\Local\Temp\Zfafq nnrcw.exe
        
        "C:\Users\Admin\AppData\Local\Temp/Zfafq nnrcw.exe"
        47⤵
        
        PID:9688
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==
        48⤵
        
        PID:3500
        
        C:\Users\Admin\AppData\Local\Temp\VEGAS_Pro_20.0.0.exe
        
        C:\Users\Admin\AppData\Local\Temp/VEGAS_Pro_20.0.0.exe
        47⤵
        
        PID:9700
        
        C:\Users\Admin\AppData\Local\Temp\Zfafq nnrcw.exe
        
        "C:\Users\Admin\AppData\Local\Temp/Zfafq nnrcw.exe"
        48⤵
        
        PID:10208
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==
        49⤵
        
        PID:3828
        
        C:\Users\Admin\AppData\Local\Temp\VEGAS_Pro_20.0.0.exe
        
        C:\Users\Admin\AppData\Local\Temp/VEGAS_Pro_20.0.0.exe
        48⤵
        
        PID:10216
        
        C:\Users\Admin\AppData\Local\Temp\Zfafq nnrcw.exe
        
        "C:\Users\Admin\AppData\Local\Temp/Zfafq nnrcw.exe"
        49⤵
        
        PID:9280
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==
        50⤵
        
        PID:10216
        
        C:\Users\Admin\AppData\Local\Temp\VEGAS_Pro_20.0.0.exe
        
        C:\Users\Admin\AppData\Local\Temp/VEGAS_Pro_20.0.0.exe
        49⤵
        
        PID:9832
        
        C:\Users\Admin\AppData\Local\Temp\Zfafq nnrcw.exe
        
        "C:\Users\Admin\AppData\Local\Temp/Zfafq nnrcw.exe"
        50⤵
        
        PID:9608
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==
        51⤵
        
        PID:5960
        
        C:\Users\Admin\AppData\Local\Temp\VEGAS_Pro_20.0.0.exe
        
        C:\Users\Admin\AppData\Local\Temp/VEGAS_Pro_20.0.0.exe
        50⤵
        
        PID:8116
        
        C:\Users\Admin\AppData\Local\Temp\Zfafq nnrcw.exe
        
        "C:\Users\Admin\AppData\Local\Temp/Zfafq nnrcw.exe"
        51⤵
        
        PID:5660
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==
        52⤵
        
        PID:6480
        
        C:\Users\Admin\AppData\Local\Temp\VEGAS_Pro_20.0.0.exe
        
        C:\Users\Admin\AppData\Local\Temp/VEGAS_Pro_20.0.0.exe
        51⤵
        
        PID:6304
        
        C:\Users\Admin\AppData\Local\Temp\Zfafq nnrcw.exe
        
        "C:\Users\Admin\AppData\Local\Temp/Zfafq nnrcw.exe"
        52⤵
        
        PID:7484
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==
        53⤵
        
        PID:6816
        
        C:\Users\Admin\AppData\Local\Temp\VEGAS_Pro_20.0.0.exe
        
        C:\Users\Admin\AppData\Local\Temp/VEGAS_Pro_20.0.0.exe
        52⤵
        
        PID:5364
        
        C:\Users\Admin\AppData\Local\Temp\Zfafq nnrcw.exe
        
        "C:\Users\Admin\AppData\Local\Temp/Zfafq nnrcw.exe"
        53⤵
        
        PID:8288
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==
        54⤵
        
        PID:6272
        
        C:\Users\Admin\AppData\Local\Temp\VEGAS_Pro_20.0.0.exe
        
        C:\Users\Admin\AppData\Local\Temp/VEGAS_Pro_20.0.0.exe
        53⤵
        
        PID:912
        
        C:\Users\Admin\AppData\Local\Temp\Zfafq nnrcw.exe
        
        "C:\Users\Admin\AppData\Local\Temp/Zfafq nnrcw.exe"
        54⤵
        
        PID:5444
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==
        55⤵
        
        PID:4756
        
        C:\Users\Admin\AppData\Local\Temp\VEGAS_Pro_20.0.0.exe
        
        C:\Users\Admin\AppData\Local\Temp/VEGAS_Pro_20.0.0.exe
        54⤵
        
        PID:6992
        
        C:\Users\Admin\AppData\Local\Temp\Zfafq nnrcw.exe
        
        "C:\Users\Admin\AppData\Local\Temp/Zfafq nnrcw.exe"
        55⤵
        
        PID:7052
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==
        56⤵
        
        PID:4052
        
        C:\Users\Admin\AppData\Local\Temp\VEGAS_Pro_20.0.0.exe
        
        C:\Users\Admin\AppData\Local\Temp/VEGAS_Pro_20.0.0.exe
        55⤵
        
        PID:2340
        
        C:\Users\Admin\AppData\Local\Temp\Zfafq nnrcw.exe
        
        "C:\Users\Admin\AppData\Local\Temp/Zfafq nnrcw.exe"
        56⤵
        
        PID:6852
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==
        57⤵
        
        PID:6200
        
        C:\Users\Admin\AppData\Local\Temp\VEGAS_Pro_20.0.0.exe
        
        C:\Users\Admin\AppData\Local\Temp/VEGAS_Pro_20.0.0.exe
        56⤵
        
        PID:6644
        
        C:\Users\Admin\AppData\Local\Temp\Zfafq nnrcw.exe
        
        "C:\Users\Admin\AppData\Local\Temp/Zfafq nnrcw.exe"
        57⤵
        
        PID:6848
        
        C:\Users\Admin\AppData\Local\Temp\VEGAS_Pro_20.0.0.exe
        
        C:\Users\Admin\AppData\Local\Temp/VEGAS_Pro_20.0.0.exe
        57⤵
        
        PID:6756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6828 -ip 6828
1⤵
PID:7040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 7144 -ip 7144
1⤵
PID:6880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 6764 -ip 6764
1⤵
PID:3596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 7896 -ip 7896
1⤵
PID:6376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
c0636f2d138baca01dbb2eedb99bf3d5

SHA1
3b927899db0f3e2cb510782592887dc02fc3e400

SHA256
10973e727e5b0eb3f12aba60a682d66e79dfd86e4b6cfc454fd8df70c6e1fa8a

SHA512
0187a6ccb6428fb24ad4bc4ca14e7ce6f40ae6ca4f352f8e86a15288deb05cb4dd317ef8e9d04dc9ffb24407ecf0924af2c7910830c79366f7e4e48cb4b82b1d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
60KB

MD5
0a9da256ffcfe42119c7a351e5eaaa9c

SHA1
c992b8e18cfc24faee739511beb5094189806177

SHA256
f4750e5af8c84626318382887c9c17e6555eff006af7d7e88cadd562ab2ee8ed

SHA512
451f4d470fe938a7c71d340f0711a9d1cb98f542138bd95584244471fa5f31beba8274699be1e497742ce91182dc9e308ca2d9ce3d004174a8228cca4c118672

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
13388f066f8e622ff51d60bf5e8008a4

SHA1
ff687bcf5064af0bf47d257bff112521c7061aba

SHA256
604d3ade6b5240b8d000d55e1ee64ab2758cd918c6f911bdd346e8b4200d443d

SHA512
9961032ed399b5ea561bd9c2431b1ad9584019dad339f5d9311f3583f194784c85ee4471508aee2efdfa0c8e0c67eae997cbfa8985f235bcce8c3cf6c1f70332

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
f1bc18b226bfec6fb5c0717ebd4e5139

SHA1
98bc3d8aa71263d3cca5106812566cd45dcf852c

SHA256
88486d1f3d9de339979b098a1098a7a5e00671ced6fa1fdb0a8ec0d3fc508a88

SHA512
87e6626f3e3e8557fd27c8d9695c362977900badae8c8beb04dc2dbf6019770a089ae99e059bfbdfa9fda0a2a33d88bc33310665fe8ea1f45af883218d90b979

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
3209821614bda72cdca7d71092f9c748

SHA1
d259f75638d6b50b156c833f8a62f4b70faecb8c

SHA256
21f3e9941ed3397ddf5adba1fc34ef340d78a073172ef5fa006744f93285e921

SHA512
d7299adc0822496f58ecadaf8b00cf37af80d83ccf45001dc3ce2796a4dd45f5d5d91e80e4be89d44815d8db43aed7d975b8476c204f6bb44de49c28943fe7ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
26d53b573c905d2ec5878331fabed9c3

SHA1
0929289d5da2c1b09a876376651333528b03831d

SHA256
cb2cc9196413e3523aac9792ae7974555b705275e88048166089d16f11d9c989

SHA512
f2c09a98237fb924aa485567e9e36ce03b3b6fc2cf65e77c0f7dd24845749d5897c54e86304056140d2b3806417827cb5b1531ffc4f2f02748cb5fc33ea13789

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
d6d2e6943d1347c30e946a9c5977a135

SHA1
2c91306e40bdc76a1ba7fc280d7ddee4b927d244

SHA256
f67b7b120a7254504740a6fba38857330b781a4e55016c1c10cb8f1c109ced67

SHA512
5f744299201cc5d880ce576fd93eb02217a3a977bcfddca66b313b333f34c0325a91f1e5ebd74e48ddc0c1af1f8a81955170d5f6b02e94329ce71c01e0d226e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
9edb40ea8f186fbf1ded9ed77c90cdc6

SHA1
51c701938d526b4c6a9aaa78e44d8705ab53ed4b

SHA256
6c6c73f77c34fd64c3737d8a3d6a0b30ca87143e2fced69a10f74df92baf4c27

SHA512
0f21cfa54959b5f5379bd816a8c5050c9662d0ed75350cf63677d170d811dc5ee9879711eab2718b1c629d593464475b0f2e9c22fa7acfd4a63bfe91ecef83af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
97261b5f2ee0908d8b363dd63ad77936

SHA1
25aab1d4f1f42dffcf91378c9c737b66cf6b51a9

SHA256
ccf8b4ed096c3a166f42762fe7ac2d21ac71465a737782e2dd8019e3704bb347

SHA512
c9cc73249b11df61df5e503f44dd3c20090092a54a00c4df9f3c237cfc993e07a019fc4ce48cccaa13cbfb8a4b1a6718a9d6a21590641d17d0751e625eea0d42

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rc3l4o5r.w0o.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/112-758-0x000000000D040000-0x000000000D5E6000-memory.dmp

Filesize
5.6MB

Download
memory/112-757-0x000000000BF60000-0x000000000BFF2000-memory.dmp

Filesize
584KB

Download
memory/232-844-0x000000006FE00000-0x000000006FE4C000-memory.dmp

Filesize
304KB

Download
memory/1316-866-0x000000006FE00000-0x000000006FE4C000-memory.dmp

Filesize
304KB

Download
memory/2416-820-0x000000006FE00000-0x000000006FE4C000-memory.dmp

Filesize
304KB

Download
memory/3132-857-0x000000006FE00000-0x000000006FE4C000-memory.dmp

Filesize
304KB

Download
memory/3704-661-0x000000006FE00000-0x000000006FE4C000-memory.dmp

Filesize
304KB

Download
memory/3900-11-0x000000000C7E0000-0x000000000C898000-memory.dmp

Filesize
736KB

Download
memory/3900-14-0x000000000B910000-0x000000000BC67000-memory.dmp

Filesize
3.3MB

Download
memory/3900-13-0x000000000B8E0000-0x000000000B902000-memory.dmp

Filesize
136KB

Download
memory/3900-12-0x000000000B850000-0x000000000B8E2000-memory.dmp

Filesize
584KB

Download
memory/3900-10-0x0000000000840000-0x0000000001840000-memory.dmp

Filesize
16.0MB

Download
memory/4968-635-0x000000006FE00000-0x000000006FE4C000-memory.dmp

Filesize
304KB

Download
memory/5108-38-0x0000000006700000-0x000000000671E000-memory.dmp

Filesize
120KB

Download
memory/5108-19-0x0000000005A70000-0x0000000005AD6000-memory.dmp

Filesize
408KB

Download
memory/5108-17-0x0000000005B60000-0x000000000618A000-memory.dmp

Filesize
6.2MB

Download
memory/5108-16-0x0000000003230000-0x0000000003266000-memory.dmp

Filesize
216KB

Download
memory/5108-20-0x0000000006200000-0x0000000006266000-memory.dmp

Filesize
408KB

Download
memory/5108-50-0x0000000006C20000-0x0000000006C3A000-memory.dmp

Filesize
104KB

Download
memory/5108-49-0x0000000007D10000-0x000000000838A000-memory.dmp

Filesize
6.5MB

Download
memory/5108-39-0x0000000006730000-0x000000000677C000-memory.dmp

Filesize
304KB

Download
memory/8440-561-0x000000006FE00000-0x000000006FE4C000-memory.dmp

Filesize
304KB

Download
memory/8580-671-0x000000006FE00000-0x000000006FE4C000-memory.dmp

Filesize
304KB

Download
memory/8772-598-0x000000006FE00000-0x000000006FE4C000-memory.dmp

Filesize
304KB

Download
memory/9044-558-0x0000000006B60000-0x0000000006B6A000-memory.dmp

Filesize
40KB

Download
memory/9044-549-0x0000000006DE0000-0x0000000006E84000-memory.dmp

Filesize
656KB

Download
memory/9044-652-0x00000000070F0000-0x00000000070F8000-memory.dmp

Filesize
32KB

Download
memory/9044-607-0x00000000070B0000-0x00000000070C5000-memory.dmp

Filesize
84KB

Download
memory/9044-597-0x00000000070A0000-0x00000000070AE000-memory.dmp

Filesize
56KB

Download
memory/9044-538-0x0000000006B80000-0x0000000006BB4000-memory.dmp

Filesize
208KB

Download
memory/9044-539-0x000000006FE00000-0x000000006FE4C000-memory.dmp

Filesize
304KB

Download
memory/9044-548-0x0000000006B40000-0x0000000006B5E000-memory.dmp

Filesize
120KB

Download
memory/9044-583-0x0000000007060000-0x0000000007071000-memory.dmp

Filesize
68KB

Download
memory/9044-560-0x0000000007100000-0x0000000007196000-memory.dmp

Filesize
600KB

Download
memory/9044-624-0x00000000071A0000-0x00000000071BA000-memory.dmp

Filesize
104KB

Download
memory/9136-778-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/9136-876-0x000000000C2A0000-0x000000000C2B2000-memory.dmp

Filesize
72KB

Download
memory/9136-906-0x000000000CA50000-0x000000000CA8C000-memory.dmp

Filesize
240KB

Download
memory/9136-917-0x000000000CDD0000-0x000000000CDDA000-memory.dmp

Filesize
40KB

Download
memory/9260-829-0x000000006FE00000-0x000000006FE4C000-memory.dmp

Filesize
304KB

Download
memory/9324-728-0x000000006FE00000-0x000000006FE4C000-memory.dmp

Filesize
304KB

Download
memory/9544-700-0x000000006FE00000-0x000000006FE4C000-memory.dmp

Filesize
304KB

Download
memory/9884-737-0x000000006FE00000-0x000000006FE4C000-memory.dmp

Filesize
304KB

Download
memory/10128-800-0x000000006FE00000-0x000000006FE4C000-memory.dmp

Filesize
304KB

Download