njrat | b757bd1c8c93b75204ca653d5b602e98f1b3a174a1657f185dd4794fda4a2866

Analysis

max time kernel
4265100s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-en-20220112
submitted
14-01-2022 16:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b757bd1c8c93b75204ca653d5b602e98f1b3a174a1657f185dd4794fda4a2866.exe
Size

8KB
MD5

7f806c97ab68106ea238c1e5bc906388
SHA1

571e34bda90b0194f6c7bc353e5c0c56a7143d38
SHA256

b757bd1c8c93b75204ca653d5b602e98f1b3a174a1657f185dd4794fda4a2866
SHA512

e1b998d4b1f3786d711bf647615787082fd907ca1c50c9731cb2eea843da85b33cc04ec1bf60b22693ced7acc392dd5c09f496b1cfcab3e2ed50c85a290d13c9

Score

10^/10

njrat furios persistence suricata trojan

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

Furios

gghosting221.ddns.net:6202

Mutex

5f458dd5f03f50e31781ca69de125d55

Attributes

reg_key
5f458dd5f03f50e31781ca69de125d55
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata
Downloads MZ/PE file

Executes dropped EXE 64 IoCs

Processes:

WindowsUser.exeWindowsUser.exeWindowsUser.exeWindowsUser.exeWindowsUser.exeWindowsUser.exeWindowsUser.exeWindowsUser.exeWindowsUser.exeWindowsUser.exeWindowsUser.exeWindowsUser.exeWindowsUser.exeWindowsUser.exeWindowsUser.exeWindowsUser.exeWindowsUser.exeWindowsUser.exeWindowsUser.exeWindowsUser.exeWindowsUser.exeWindowsUser.exeWindowsUser.exeWindowsUser.exeWindowsUser.exeWindowsUser.exeWindowsUser.exeWindowsUser.exeWindowsUser.exeWindowsUser.exeWindowsUser.exeWindowsUser.exeWindowsUser.exeWindowsUser.exeWindowsUser.exeWindowsUser.exeWindowsUser.exeWindowsUser.exeWindowsUser.exeWindowsUser.exeWindowsUser.exeWindowsUser.exeWindowsUser.exeWindowsUser.exeWindowsUser.exeWindowsUser.exeWindowsUser.exeWindowsUser.exeWindowsUser.exeWindowsUser.exeWindowsUser.exeWindowsUser.exeWindowsUser.exeWindowsUser.exeWindowsUser.exeWindowsUser.exeWindowsUser.exeWindowsUser.exeWindowsUser.exeWindowsUser.exeWindowsUser.exeWindowsUser.exeWindowsUser.exeWindowsUser.exe

pid	process
3928	WindowsUser.exe
2032	WindowsUser.exe
2180	WindowsUser.exe
2540	WindowsUser.exe
1676	WindowsUser.exe
3600	WindowsUser.exe
4040	WindowsUser.exe
3704	WindowsUser.exe
1908	WindowsUser.exe
1524	WindowsUser.exe
916	WindowsUser.exe
1212	WindowsUser.exe
1356	WindowsUser.exe
3848	WindowsUser.exe
1184	WindowsUser.exe
4104	WindowsUser.exe
4204	WindowsUser.exe
4308	WindowsUser.exe
4412	WindowsUser.exe
4516	WindowsUser.exe
4624	WindowsUser.exe
4728	WindowsUser.exe
4816	WindowsUser.exe
4988	WindowsUser.exe
5116	WindowsUser.exe
4424	WindowsUser.exe
4696	WindowsUser.exe
4964	WindowsUser.exe
4736	WindowsUser.exe
5180	WindowsUser.exe
5272	WindowsUser.exe
5364	WindowsUser.exe
5456	WindowsUser.exe
5552	WindowsUser.exe
5660	WindowsUser.exe
5748	WindowsUser.exe
5860	WindowsUser.exe
5952	WindowsUser.exe
6056	WindowsUser.exe
4696	WindowsUser.exe
1184	WindowsUser.exe
5468	WindowsUser.exe
5828	WindowsUser.exe
1524	WindowsUser.exe
6152	WindowsUser.exe
6240	WindowsUser.exe
6332	WindowsUser.exe
6424	WindowsUser.exe
6544	WindowsUser.exe
6652	WindowsUser.exe
6744	WindowsUser.exe
6832	WindowsUser.exe
6924	WindowsUser.exe
7016	WindowsUser.exe
7108	WindowsUser.exe
1880	WindowsUser.exe
1436	WindowsUser.exe
6476	WindowsUser.exe
5180	WindowsUser.exe
6840	WindowsUser.exe
4548	WindowsUser.exe
1840	WindowsUser.exe
6848	WindowsUser.exe
6552	WindowsUser.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

b757bd1c8c93b75204ca653d5b602e98f1b3a174a1657f185dd4794fda4a2866.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	b757bd1c8c93b75204ca653d5b602e98f1b3a174a1657f185dd4794fda4a2866.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

b757bd1c8c93b75204ca653d5b602e98f1b3a174a1657f185dd4794fda4a2866.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MyTestApplication = "C:\\Users\\Admin\\AppData\\Local\\Temp\\b757bd1c8c93b75204ca653d5b602e98f1b3a174a1657f185dd4794fda4a2866.exe"	b757bd1c8c93b75204ca653d5b602e98f1b3a174a1657f185dd4794fda4a2866.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

MusNotification.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MusNotification.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	MusNotification.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

b757bd1c8c93b75204ca653d5b602e98f1b3a174a1657f185dd4794fda4a2866.exe

pid	process
2320	b757bd1c8c93b75204ca653d5b602e98f1b3a174a1657f185dd4794fda4a2866.exe
2320	b757bd1c8c93b75204ca653d5b602e98f1b3a174a1657f185dd4794fda4a2866.exe
2320	b757bd1c8c93b75204ca653d5b602e98f1b3a174a1657f185dd4794fda4a2866.exe
2320	b757bd1c8c93b75204ca653d5b602e98f1b3a174a1657f185dd4794fda4a2866.exe
2320	b757bd1c8c93b75204ca653d5b602e98f1b3a174a1657f185dd4794fda4a2866.exe
2320	b757bd1c8c93b75204ca653d5b602e98f1b3a174a1657f185dd4794fda4a2866.exe
2320	b757bd1c8c93b75204ca653d5b602e98f1b3a174a1657f185dd4794fda4a2866.exe
2320	b757bd1c8c93b75204ca653d5b602e98f1b3a174a1657f185dd4794fda4a2866.exe
2320	b757bd1c8c93b75204ca653d5b602e98f1b3a174a1657f185dd4794fda4a2866.exe
2320	b757bd1c8c93b75204ca653d5b602e98f1b3a174a1657f185dd4794fda4a2866.exe
2320	b757bd1c8c93b75204ca653d5b602e98f1b3a174a1657f185dd4794fda4a2866.exe
2320	b757bd1c8c93b75204ca653d5b602e98f1b3a174a1657f185dd4794fda4a2866.exe
2320	b757bd1c8c93b75204ca653d5b602e98f1b3a174a1657f185dd4794fda4a2866.exe
2320	b757bd1c8c93b75204ca653d5b602e98f1b3a174a1657f185dd4794fda4a2866.exe
2320	b757bd1c8c93b75204ca653d5b602e98f1b3a174a1657f185dd4794fda4a2866.exe
2320	b757bd1c8c93b75204ca653d5b602e98f1b3a174a1657f185dd4794fda4a2866.exe
2320	b757bd1c8c93b75204ca653d5b602e98f1b3a174a1657f185dd4794fda4a2866.exe
2320	b757bd1c8c93b75204ca653d5b602e98f1b3a174a1657f185dd4794fda4a2866.exe
2320	b757bd1c8c93b75204ca653d5b602e98f1b3a174a1657f185dd4794fda4a2866.exe
2320	b757bd1c8c93b75204ca653d5b602e98f1b3a174a1657f185dd4794fda4a2866.exe
2320	b757bd1c8c93b75204ca653d5b602e98f1b3a174a1657f185dd4794fda4a2866.exe
2320	b757bd1c8c93b75204ca653d5b602e98f1b3a174a1657f185dd4794fda4a2866.exe
2320	b757bd1c8c93b75204ca653d5b602e98f1b3a174a1657f185dd4794fda4a2866.exe
2320	b757bd1c8c93b75204ca653d5b602e98f1b3a174a1657f185dd4794fda4a2866.exe
2320	b757bd1c8c93b75204ca653d5b602e98f1b3a174a1657f185dd4794fda4a2866.exe
2320	b757bd1c8c93b75204ca653d5b602e98f1b3a174a1657f185dd4794fda4a2866.exe
2320	b757bd1c8c93b75204ca653d5b602e98f1b3a174a1657f185dd4794fda4a2866.exe
2320	b757bd1c8c93b75204ca653d5b602e98f1b3a174a1657f185dd4794fda4a2866.exe
2320	b757bd1c8c93b75204ca653d5b602e98f1b3a174a1657f185dd4794fda4a2866.exe
2320	b757bd1c8c93b75204ca653d5b602e98f1b3a174a1657f185dd4794fda4a2866.exe
2320	b757bd1c8c93b75204ca653d5b602e98f1b3a174a1657f185dd4794fda4a2866.exe
2320	b757bd1c8c93b75204ca653d5b602e98f1b3a174a1657f185dd4794fda4a2866.exe
2320	b757bd1c8c93b75204ca653d5b602e98f1b3a174a1657f185dd4794fda4a2866.exe
2320	b757bd1c8c93b75204ca653d5b602e98f1b3a174a1657f185dd4794fda4a2866.exe
2320	b757bd1c8c93b75204ca653d5b602e98f1b3a174a1657f185dd4794fda4a2866.exe
2320	b757bd1c8c93b75204ca653d5b602e98f1b3a174a1657f185dd4794fda4a2866.exe
2320	b757bd1c8c93b75204ca653d5b602e98f1b3a174a1657f185dd4794fda4a2866.exe
2320	b757bd1c8c93b75204ca653d5b602e98f1b3a174a1657f185dd4794fda4a2866.exe
2320	b757bd1c8c93b75204ca653d5b602e98f1b3a174a1657f185dd4794fda4a2866.exe
2320	b757bd1c8c93b75204ca653d5b602e98f1b3a174a1657f185dd4794fda4a2866.exe
2320	b757bd1c8c93b75204ca653d5b602e98f1b3a174a1657f185dd4794fda4a2866.exe
2320	b757bd1c8c93b75204ca653d5b602e98f1b3a174a1657f185dd4794fda4a2866.exe
2320	b757bd1c8c93b75204ca653d5b602e98f1b3a174a1657f185dd4794fda4a2866.exe
2320	b757bd1c8c93b75204ca653d5b602e98f1b3a174a1657f185dd4794fda4a2866.exe
2320	b757bd1c8c93b75204ca653d5b602e98f1b3a174a1657f185dd4794fda4a2866.exe
2320	b757bd1c8c93b75204ca653d5b602e98f1b3a174a1657f185dd4794fda4a2866.exe
2320	b757bd1c8c93b75204ca653d5b602e98f1b3a174a1657f185dd4794fda4a2866.exe
2320	b757bd1c8c93b75204ca653d5b602e98f1b3a174a1657f185dd4794fda4a2866.exe
2320	b757bd1c8c93b75204ca653d5b602e98f1b3a174a1657f185dd4794fda4a2866.exe
2320	b757bd1c8c93b75204ca653d5b602e98f1b3a174a1657f185dd4794fda4a2866.exe
2320	b757bd1c8c93b75204ca653d5b602e98f1b3a174a1657f185dd4794fda4a2866.exe
2320	b757bd1c8c93b75204ca653d5b602e98f1b3a174a1657f185dd4794fda4a2866.exe
2320	b757bd1c8c93b75204ca653d5b602e98f1b3a174a1657f185dd4794fda4a2866.exe
2320	b757bd1c8c93b75204ca653d5b602e98f1b3a174a1657f185dd4794fda4a2866.exe
2320	b757bd1c8c93b75204ca653d5b602e98f1b3a174a1657f185dd4794fda4a2866.exe
2320	b757bd1c8c93b75204ca653d5b602e98f1b3a174a1657f185dd4794fda4a2866.exe
2320	b757bd1c8c93b75204ca653d5b602e98f1b3a174a1657f185dd4794fda4a2866.exe
2320	b757bd1c8c93b75204ca653d5b602e98f1b3a174a1657f185dd4794fda4a2866.exe
2320	b757bd1c8c93b75204ca653d5b602e98f1b3a174a1657f185dd4794fda4a2866.exe
2320	b757bd1c8c93b75204ca653d5b602e98f1b3a174a1657f185dd4794fda4a2866.exe
2320	b757bd1c8c93b75204ca653d5b602e98f1b3a174a1657f185dd4794fda4a2866.exe
2320	b757bd1c8c93b75204ca653d5b602e98f1b3a174a1657f185dd4794fda4a2866.exe
2320	b757bd1c8c93b75204ca653d5b602e98f1b3a174a1657f185dd4794fda4a2866.exe
2320	b757bd1c8c93b75204ca653d5b602e98f1b3a174a1657f185dd4794fda4a2866.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

b757bd1c8c93b75204ca653d5b602e98f1b3a174a1657f185dd4794fda4a2866.exe

pid process

2320 b757bd1c8c93b75204ca653d5b602e98f1b3a174a1657f185dd4794fda4a2866.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

b757bd1c8c93b75204ca653d5b602e98f1b3a174a1657f185dd4794fda4a2866.exeMusNotification.exe

description	pid	process
Token: SeDebugPrivilege	2320	b757bd1c8c93b75204ca653d5b602e98f1b3a174a1657f185dd4794fda4a2866.exe
Token: SeShutdownPrivilege	2920	MusNotification.exe
Token: SeCreatePagefilePrivilege	2920	MusNotification.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

b757bd1c8c93b75204ca653d5b602e98f1b3a174a1657f185dd4794fda4a2866.exeWindowsUser.exefondue.exeWindowsUser.exefondue.exeWindowsUser.exefondue.exeWindowsUser.exefondue.exeWindowsUser.exefondue.exeWindowsUser.exefondue.exeWindowsUser.exefondue.exeWindowsUser.exefondue.exe

description	pid	process	target process
PID 2320 wrote to memory of 3928	2320	b757bd1c8c93b75204ca653d5b602e98f1b3a174a1657f185dd4794fda4a2866.exe	WindowsUser.exe
PID 2320 wrote to memory of 3928	2320	b757bd1c8c93b75204ca653d5b602e98f1b3a174a1657f185dd4794fda4a2866.exe	WindowsUser.exe
PID 2320 wrote to memory of 3928	2320	b757bd1c8c93b75204ca653d5b602e98f1b3a174a1657f185dd4794fda4a2866.exe	WindowsUser.exe
PID 3928 wrote to memory of 3924	3928	WindowsUser.exe	fondue.exe
PID 3928 wrote to memory of 3924	3928	WindowsUser.exe	fondue.exe
PID 3928 wrote to memory of 3924	3928	WindowsUser.exe	fondue.exe
PID 3924 wrote to memory of 1876	3924	fondue.exe	FonDUE.EXE
PID 3924 wrote to memory of 1876	3924	fondue.exe	FonDUE.EXE
PID 2320 wrote to memory of 2032	2320	b757bd1c8c93b75204ca653d5b602e98f1b3a174a1657f185dd4794fda4a2866.exe	WindowsUser.exe
PID 2320 wrote to memory of 2032	2320	b757bd1c8c93b75204ca653d5b602e98f1b3a174a1657f185dd4794fda4a2866.exe	WindowsUser.exe
PID 2320 wrote to memory of 2032	2320	b757bd1c8c93b75204ca653d5b602e98f1b3a174a1657f185dd4794fda4a2866.exe	WindowsUser.exe
PID 2032 wrote to memory of 2168	2032	WindowsUser.exe	fondue.exe
PID 2032 wrote to memory of 2168	2032	WindowsUser.exe	fondue.exe
PID 2032 wrote to memory of 2168	2032	WindowsUser.exe	fondue.exe
PID 2168 wrote to memory of 2504	2168	fondue.exe	FonDUE.EXE
PID 2168 wrote to memory of 2504	2168	fondue.exe	FonDUE.EXE
PID 2320 wrote to memory of 2180	2320	b757bd1c8c93b75204ca653d5b602e98f1b3a174a1657f185dd4794fda4a2866.exe	WindowsUser.exe
PID 2320 wrote to memory of 2180	2320	b757bd1c8c93b75204ca653d5b602e98f1b3a174a1657f185dd4794fda4a2866.exe	WindowsUser.exe
PID 2320 wrote to memory of 2180	2320	b757bd1c8c93b75204ca653d5b602e98f1b3a174a1657f185dd4794fda4a2866.exe	WindowsUser.exe
PID 2180 wrote to memory of 1852	2180	WindowsUser.exe	fondue.exe
PID 2180 wrote to memory of 1852	2180	WindowsUser.exe	fondue.exe
PID 2180 wrote to memory of 1852	2180	WindowsUser.exe	fondue.exe
PID 1852 wrote to memory of 2584	1852	fondue.exe	FonDUE.EXE
PID 1852 wrote to memory of 2584	1852	fondue.exe	FonDUE.EXE
PID 2320 wrote to memory of 2540	2320	b757bd1c8c93b75204ca653d5b602e98f1b3a174a1657f185dd4794fda4a2866.exe	WindowsUser.exe
PID 2320 wrote to memory of 2540	2320	b757bd1c8c93b75204ca653d5b602e98f1b3a174a1657f185dd4794fda4a2866.exe	WindowsUser.exe
PID 2320 wrote to memory of 2540	2320	b757bd1c8c93b75204ca653d5b602e98f1b3a174a1657f185dd4794fda4a2866.exe	WindowsUser.exe
PID 2540 wrote to memory of 3120	2540	WindowsUser.exe	fondue.exe
PID 2540 wrote to memory of 3120	2540	WindowsUser.exe	fondue.exe
PID 2540 wrote to memory of 3120	2540	WindowsUser.exe	fondue.exe
PID 3120 wrote to memory of 2252	3120	fondue.exe	FonDUE.EXE
PID 3120 wrote to memory of 2252	3120	fondue.exe	FonDUE.EXE
PID 2320 wrote to memory of 1676	2320	b757bd1c8c93b75204ca653d5b602e98f1b3a174a1657f185dd4794fda4a2866.exe	WindowsUser.exe
PID 2320 wrote to memory of 1676	2320	b757bd1c8c93b75204ca653d5b602e98f1b3a174a1657f185dd4794fda4a2866.exe	WindowsUser.exe
PID 2320 wrote to memory of 1676	2320	b757bd1c8c93b75204ca653d5b602e98f1b3a174a1657f185dd4794fda4a2866.exe	WindowsUser.exe
PID 1676 wrote to memory of 832	1676	WindowsUser.exe	fondue.exe
PID 1676 wrote to memory of 832	1676	WindowsUser.exe	fondue.exe
PID 1676 wrote to memory of 832	1676	WindowsUser.exe	fondue.exe
PID 832 wrote to memory of 3640	832	fondue.exe	FonDUE.EXE
PID 832 wrote to memory of 3640	832	fondue.exe	FonDUE.EXE
PID 2320 wrote to memory of 3600	2320	b757bd1c8c93b75204ca653d5b602e98f1b3a174a1657f185dd4794fda4a2866.exe	WindowsUser.exe
PID 2320 wrote to memory of 3600	2320	b757bd1c8c93b75204ca653d5b602e98f1b3a174a1657f185dd4794fda4a2866.exe	WindowsUser.exe
PID 2320 wrote to memory of 3600	2320	b757bd1c8c93b75204ca653d5b602e98f1b3a174a1657f185dd4794fda4a2866.exe	WindowsUser.exe
PID 3600 wrote to memory of 1096	3600	WindowsUser.exe	fondue.exe
PID 3600 wrote to memory of 1096	3600	WindowsUser.exe	fondue.exe
PID 3600 wrote to memory of 1096	3600	WindowsUser.exe	fondue.exe
PID 1096 wrote to memory of 3676	1096	fondue.exe	FonDUE.EXE
PID 1096 wrote to memory of 3676	1096	fondue.exe	FonDUE.EXE
PID 2320 wrote to memory of 4040	2320	b757bd1c8c93b75204ca653d5b602e98f1b3a174a1657f185dd4794fda4a2866.exe	WindowsUser.exe
PID 2320 wrote to memory of 4040	2320	b757bd1c8c93b75204ca653d5b602e98f1b3a174a1657f185dd4794fda4a2866.exe	WindowsUser.exe
PID 2320 wrote to memory of 4040	2320	b757bd1c8c93b75204ca653d5b602e98f1b3a174a1657f185dd4794fda4a2866.exe	WindowsUser.exe
PID 4040 wrote to memory of 3124	4040	WindowsUser.exe	fondue.exe
PID 4040 wrote to memory of 3124	4040	WindowsUser.exe	fondue.exe
PID 4040 wrote to memory of 3124	4040	WindowsUser.exe	fondue.exe
PID 3124 wrote to memory of 64	3124	fondue.exe	FonDUE.EXE
PID 3124 wrote to memory of 64	3124	fondue.exe	FonDUE.EXE
PID 2320 wrote to memory of 3704	2320	b757bd1c8c93b75204ca653d5b602e98f1b3a174a1657f185dd4794fda4a2866.exe	WindowsUser.exe
PID 2320 wrote to memory of 3704	2320	b757bd1c8c93b75204ca653d5b602e98f1b3a174a1657f185dd4794fda4a2866.exe	WindowsUser.exe
PID 2320 wrote to memory of 3704	2320	b757bd1c8c93b75204ca653d5b602e98f1b3a174a1657f185dd4794fda4a2866.exe	WindowsUser.exe
PID 3704 wrote to memory of 1920	3704	WindowsUser.exe	fondue.exe
PID 3704 wrote to memory of 1920	3704	WindowsUser.exe	fondue.exe
PID 3704 wrote to memory of 1920	3704	WindowsUser.exe	fondue.exe
PID 1920 wrote to memory of 1996	1920	fondue.exe	FonDUE.EXE
PID 1920 wrote to memory of 1996	1920	fondue.exe	FonDUE.EXE

C:\Users\Admin\AppData\Local\Temp\b757bd1c8c93b75204ca653d5b602e98f1b3a174a1657f185dd4794fda4a2866.exe
"C:\Users\Admin\AppData\Local\Temp\b757bd1c8c93b75204ca653d5b602e98f1b3a174a1657f185dd4794fda4a2866.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2320
- C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3928
- - C:\Windows\SysWOW64\fondue.exe
    "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3924
  - - C:\Windows\system32\FonDUE.EXE
      "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
      4⤵
      PID:1876
- C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2032
- - C:\Windows\SysWOW64\fondue.exe
    "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2168
  - - C:\Windows\system32\FonDUE.EXE
      "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
      4⤵
      PID:2504
- C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2180
- - C:\Windows\SysWOW64\fondue.exe
    "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1852
  - - C:\Windows\system32\FonDUE.EXE
      "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
      4⤵
      PID:2584
- C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2540
- - C:\Windows\SysWOW64\fondue.exe
    "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3120
  - - C:\Windows\system32\FonDUE.EXE
      "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
      4⤵
      PID:2252
- C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1676
- - C:\Windows\SysWOW64\fondue.exe
    "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:832
  - - C:\Windows\system32\FonDUE.EXE
      "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
      4⤵
      PID:3640
- C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3600
- - C:\Windows\SysWOW64\fondue.exe
    "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1096
  - - C:\Windows\system32\FonDUE.EXE
      "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
      4⤵
      PID:3676
- C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4040
- - C:\Windows\SysWOW64\fondue.exe
    "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3124
  - - C:\Windows\system32\FonDUE.EXE
      "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
      4⤵
      PID:64
- C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3704
- - C:\Windows\SysWOW64\fondue.exe
    "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1920
  - - C:\Windows\system32\FonDUE.EXE
      "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
      4⤵
      PID:1996
- C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe"
  2⤵
  - Executes dropped EXE
  PID:1908
- - C:\Windows\SysWOW64\fondue.exe
    "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
    3⤵
    PID:2788
  - - C:\Windows\system32\FonDUE.EXE
      "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
      4⤵
      PID:2364
- C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe"
  2⤵
  - Executes dropped EXE
  PID:1524
- - C:\Windows\SysWOW64\fondue.exe
    "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
    3⤵
    PID:3856
  - - C:\Windows\system32\FonDUE.EXE
      "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
      4⤵
      PID:3476
- C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe"
  2⤵
  - Executes dropped EXE
  PID:916
- - C:\Windows\SysWOW64\fondue.exe
    "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
    3⤵
    PID:3408
  - - C:\Windows\system32\FonDUE.EXE
      "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
      4⤵
      PID:3288
- C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe"
  2⤵
  - Executes dropped EXE
  PID:1212
- - C:\Windows\SysWOW64\fondue.exe
    "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
    3⤵
    PID:2932
  - - C:\Windows\system32\FonDUE.EXE
      "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
      4⤵
      PID:3592
- C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe"
  2⤵
  - Executes dropped EXE
  PID:1356
- - C:\Windows\SysWOW64\fondue.exe
    "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
    3⤵
    PID:2900
  - - C:\Windows\system32\FonDUE.EXE
      "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
      4⤵
      PID:544
- C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe"
  2⤵
  - Executes dropped EXE
  PID:3848
- - C:\Windows\SysWOW64\fondue.exe
    "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
    3⤵
    PID:2780
  - - C:\Windows\system32\FonDUE.EXE
      "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
      4⤵
      PID:2356
- C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe"
  2⤵
  - Executes dropped EXE
  PID:1184
- - C:\Windows\SysWOW64\fondue.exe
    "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
    3⤵
    PID:2624
  - - C:\Windows\system32\FonDUE.EXE
      "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
      4⤵
      PID:3472
- C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe"
  2⤵
  - Executes dropped EXE
  PID:4104
- - C:\Windows\SysWOW64\fondue.exe
    "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
    3⤵
    PID:4128
  - - C:\Windows\system32\FonDUE.EXE
      "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
      4⤵
      PID:4164
- C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe"
  2⤵
  - Executes dropped EXE
  PID:4204
- - C:\Windows\SysWOW64\fondue.exe
    "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
    3⤵
    PID:4228
  - - C:\Windows\system32\FonDUE.EXE
      "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
      4⤵
      PID:4268
- C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe"
  2⤵
  - Executes dropped EXE
  PID:4308
- - C:\Windows\SysWOW64\fondue.exe
    "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
    3⤵
    PID:4332
  - - C:\Windows\system32\FonDUE.EXE
      "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
      4⤵
      PID:4368
- C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe"
  2⤵
  - Executes dropped EXE
  PID:4412
- - C:\Windows\SysWOW64\fondue.exe
    "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
    3⤵
    PID:4436
  - - C:\Windows\system32\FonDUE.EXE
      "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
      4⤵
      PID:4472
- C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe"
  2⤵
  - Executes dropped EXE
  PID:4516
- - C:\Windows\SysWOW64\fondue.exe
    "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
    3⤵
    PID:4540
  - - C:\Windows\system32\FonDUE.EXE
      "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
      4⤵
      PID:4584
- C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe"
  2⤵
  - Executes dropped EXE
  PID:4624
- - C:\Windows\SysWOW64\fondue.exe
    "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
    3⤵
    PID:4644
  - - C:\Windows\system32\FonDUE.EXE
      "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
      4⤵
      PID:4688
- C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe"
  2⤵
  - Executes dropped EXE
  PID:4728
- - C:\Windows\SysWOW64\fondue.exe
    "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
    3⤵
    PID:4748
  - - C:\Windows\system32\FonDUE.EXE
      "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
      4⤵
      PID:4780
- C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe"
  2⤵
  - Executes dropped EXE
  PID:4816
- - C:\Windows\SysWOW64\fondue.exe
    "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
    3⤵
    PID:4836
  - - C:\Windows\system32\FonDUE.EXE
      "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
      4⤵
      PID:4872
- C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe"
  2⤵
  - Executes dropped EXE
  PID:4988
- - C:\Windows\SysWOW64\fondue.exe
    "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
    3⤵
    PID:5008
  - - C:\Windows\system32\FonDUE.EXE
      "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
      4⤵
      PID:5044
- C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe"
  2⤵
  - Executes dropped EXE
  PID:5116
- - C:\Windows\SysWOW64\fondue.exe
    "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
    3⤵
    PID:4120
  - - C:\Windows\system32\FonDUE.EXE
      "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
      4⤵
      PID:4316
- C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe"
  2⤵
  - Executes dropped EXE
  PID:4424
- - C:\Windows\SysWOW64\fondue.exe
    "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
    3⤵
    PID:4428
  - - C:\Windows\system32\FonDUE.EXE
      "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
      4⤵
      PID:4536
- C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe"
  2⤵
  - Executes dropped EXE
  PID:4696
- - C:\Windows\SysWOW64\fondue.exe
    "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
    3⤵
    PID:4824
  - - C:\Windows\system32\FonDUE.EXE
      "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
      4⤵
      PID:5084
- C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe"
  2⤵
  - Executes dropped EXE
  PID:4964
- - C:\Windows\SysWOW64\fondue.exe
    "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
    3⤵
    PID:4900
  - - C:\Windows\system32\FonDUE.EXE
      "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
      4⤵
      PID:4444
- C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe"
  2⤵
  - Executes dropped EXE
  PID:4736
- - C:\Windows\SysWOW64\fondue.exe
    "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
    3⤵
    PID:4976
  - - C:\Windows\system32\FonDUE.EXE
      "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
      4⤵
      PID:5140
- C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe"
  2⤵
  - Executes dropped EXE
  PID:5180
- - C:\Windows\SysWOW64\fondue.exe
    "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
    3⤵
    PID:5200
  - - C:\Windows\system32\FonDUE.EXE
      "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
      4⤵
      PID:5236
- C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe"
  2⤵
  - Executes dropped EXE
  PID:5272
- - C:\Windows\SysWOW64\fondue.exe
    "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
    3⤵
    PID:5292
  - - C:\Windows\system32\FonDUE.EXE
      "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
      4⤵
      PID:5328
- C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe"
  2⤵
  - Executes dropped EXE
  PID:5364
- - C:\Windows\SysWOW64\fondue.exe
    "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
    3⤵
    PID:5380
  - - C:\Windows\system32\FonDUE.EXE
      "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
      4⤵
      PID:5416
- C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe"
  2⤵
  - Executes dropped EXE
  PID:5456
- - C:\Windows\SysWOW64\fondue.exe
    "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
    3⤵
    PID:5476
  - - C:\Windows\system32\FonDUE.EXE
      "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
      4⤵
      PID:5508
- C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe"
  2⤵
  - Executes dropped EXE
  PID:5552
- - C:\Windows\SysWOW64\fondue.exe
    "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
    3⤵
    PID:5572
  - - C:\Windows\system32\FonDUE.EXE
      "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
      4⤵
      PID:5608
- C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe"
  2⤵
  - Executes dropped EXE
  PID:5660
- - C:\Windows\SysWOW64\fondue.exe
    "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
    3⤵
    PID:5680
  - - C:\Windows\system32\FonDUE.EXE
      "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
      4⤵
      PID:5712
- C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe"
  2⤵
  - Executes dropped EXE
  PID:5748
- - C:\Windows\SysWOW64\fondue.exe
    "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
    3⤵
    PID:5768
  - - C:\Windows\system32\FonDUE.EXE
      "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
      4⤵
      PID:5808
- C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe"
  2⤵
  - Executes dropped EXE
  PID:5860
- - C:\Windows\SysWOW64\fondue.exe
    "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
    3⤵
    PID:5880
  - - C:\Windows\system32\FonDUE.EXE
      "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
      4⤵
      PID:5916
- C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe"
  2⤵
  - Executes dropped EXE
  PID:5952
- - C:\Windows\SysWOW64\fondue.exe
    "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
    3⤵
    PID:5972
  - - C:\Windows\system32\FonDUE.EXE
      "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
      4⤵
      PID:6008
- C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe"
  2⤵
  - Executes dropped EXE
  PID:6056
- - C:\Windows\SysWOW64\fondue.exe
    "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
    3⤵
    PID:6076
  - - C:\Windows\system32\FonDUE.EXE
      "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
      4⤵
      PID:6112
- C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe"
  2⤵
  - Executes dropped EXE
  PID:4696
- - C:\Windows\SysWOW64\fondue.exe
    "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
    3⤵
    PID:4964
  - - C:\Windows\system32\FonDUE.EXE
      "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
      4⤵
      PID:4816
- C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe"
  2⤵
  - Executes dropped EXE
  PID:1184
- - C:\Windows\SysWOW64\fondue.exe
    "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
    3⤵
    PID:5196
  - - C:\Windows\system32\FonDUE.EXE
      "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
      4⤵
      PID:3664
- C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe"
  2⤵
  - Executes dropped EXE
  PID:5468
- - C:\Windows\SysWOW64\fondue.exe
    "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
    3⤵
    PID:5568
  - - C:\Windows\system32\FonDUE.EXE
      "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
      4⤵
      PID:5664
- C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe"
  2⤵
  - Executes dropped EXE
  PID:5828
- - C:\Windows\SysWOW64\fondue.exe
    "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
    3⤵
    PID:5876
  - - C:\Windows\system32\FonDUE.EXE
      "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
      4⤵
      PID:6064
- C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe"
  2⤵
  - Executes dropped EXE
  PID:1524
- - C:\Windows\SysWOW64\fondue.exe
    "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
    3⤵
    PID:5544
  - - C:\Windows\system32\FonDUE.EXE
      "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
      4⤵
      PID:5868
- C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe"
  2⤵
  - Executes dropped EXE
  PID:6152
- - C:\Windows\SysWOW64\fondue.exe
    "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
    3⤵
    PID:6172
  - - C:\Windows\system32\FonDUE.EXE
      "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
      4⤵
      PID:6204
- C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe"
  2⤵
  - Executes dropped EXE
  PID:6240
- - C:\Windows\SysWOW64\fondue.exe
    "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
    3⤵
    PID:6260
  - - C:\Windows\system32\FonDUE.EXE
      "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
      4⤵
      PID:6292
- C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe"
  2⤵
  - Executes dropped EXE
  PID:6332
- - C:\Windows\SysWOW64\fondue.exe
    "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
    3⤵
    PID:6352
  - - C:\Windows\system32\FonDUE.EXE
      "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
      4⤵
      PID:6388
- C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe"
  2⤵
  - Executes dropped EXE
  PID:6424
- - C:\Windows\SysWOW64\fondue.exe
    "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
    3⤵
    PID:6444
  - - C:\Windows\system32\FonDUE.EXE
      "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
      4⤵
      PID:6496
- C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe"
  2⤵
  - Executes dropped EXE
  PID:6544
- - C:\Windows\SysWOW64\fondue.exe
    "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
    3⤵
    PID:6564
  - - C:\Windows\system32\FonDUE.EXE
      "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
      4⤵
      PID:6600
- C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe"
  2⤵
  - Executes dropped EXE
  PID:6652
- - C:\Windows\SysWOW64\fondue.exe
    "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
    3⤵
    PID:6672
  - - C:\Windows\system32\FonDUE.EXE
      "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
      4⤵
      PID:6708
- C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe"
  2⤵
  - Executes dropped EXE
  PID:6744
- - C:\Windows\SysWOW64\fondue.exe
    "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
    3⤵
    PID:6764
  - - C:\Windows\system32\FonDUE.EXE
      "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
      4⤵
      PID:6796
- C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe"
  2⤵
  - Executes dropped EXE
  PID:6832
- - C:\Windows\SysWOW64\fondue.exe
    "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
    3⤵
    PID:6852
  - - C:\Windows\system32\FonDUE.EXE
      "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
      4⤵
      PID:6888
- C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe"
  2⤵
  - Executes dropped EXE
  PID:6924
- - C:\Windows\SysWOW64\fondue.exe
    "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
    3⤵
    PID:6944
  - - C:\Windows\system32\FonDUE.EXE
      "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
      4⤵
      PID:6980
- C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe"
  2⤵
  - Executes dropped EXE
  PID:7016
- - C:\Windows\SysWOW64\fondue.exe
    "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
    3⤵
    PID:7036
  - - C:\Windows\system32\FonDUE.EXE
      "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
      4⤵
      PID:7068
- C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe"
  2⤵
  - Executes dropped EXE
  PID:7108
- - C:\Windows\SysWOW64\fondue.exe
    "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
    3⤵
    PID:7128
  - - C:\Windows\system32\FonDUE.EXE
      "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
      4⤵
      PID:7164
- C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe"
  2⤵
  - Executes dropped EXE
  PID:1880
- - C:\Windows\SysWOW64\fondue.exe
    "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
    3⤵
    PID:1288
  - - C:\Windows\system32\FonDUE.EXE
      "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
      4⤵
      PID:6328
- C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe"
  2⤵
  - Executes dropped EXE
  PID:1436
- - C:\Windows\SysWOW64\fondue.exe
    "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
    3⤵
    PID:1336
  - - C:\Windows\system32\FonDUE.EXE
      "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
      4⤵
      PID:3252
- C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe"
  2⤵
  - Executes dropped EXE
  PID:6476
- - C:\Windows\SysWOW64\fondue.exe
    "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
    3⤵
    PID:6556
  - - C:\Windows\system32\FonDUE.EXE
      "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
      4⤵
      PID:6668
- C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe"
  2⤵
  - Executes dropped EXE
  PID:5180
- - C:\Windows\SysWOW64\fondue.exe
    "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
    3⤵
    PID:5860
  - - C:\Windows\system32\FonDUE.EXE
      "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
      4⤵
      PID:6424
- C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe"
  2⤵
  - Executes dropped EXE
  PID:6840
- - C:\Windows\SysWOW64\fondue.exe
    "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
    3⤵
    PID:4980
  - - C:\Windows\system32\FonDUE.EXE
      "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
      4⤵
      PID:5104
- C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe"
  2⤵
  - Executes dropped EXE
  PID:4548
- - C:\Windows\SysWOW64\fondue.exe
    "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
    3⤵
    PID:3136
  - - C:\Windows\system32\FonDUE.EXE
      "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
      4⤵
      PID:3048
- C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe"
  2⤵
  - Executes dropped EXE
  PID:1840
- - C:\Windows\SysWOW64\fondue.exe
    "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
    3⤵
    PID:6560
  - - C:\Windows\system32\FonDUE.EXE
      "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
      4⤵
      PID:6744
- C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe"
  2⤵
  - Executes dropped EXE
  PID:6848
- - C:\Windows\SysWOW64\fondue.exe
    "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
    3⤵
    PID:1856
  - - C:\Windows\system32\FonDUE.EXE
      "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
      4⤵
      PID:676
- C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe"
  2⤵
  - Executes dropped EXE
  PID:6552
- - C:\Windows\SysWOW64\fondue.exe
    "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
    3⤵
    PID:3636
  - - C:\Windows\system32\FonDUE.EXE
      "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
      4⤵
      PID:3132
- C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe"
  2⤵
  PID:7180
- - C:\Windows\SysWOW64\fondue.exe
    "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
    3⤵
    PID:7196
  - - C:\Windows\system32\FonDUE.EXE
      "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
      4⤵
      PID:7232
- C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe"
  2⤵
  PID:7268
- - C:\Windows\SysWOW64\fondue.exe
    "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
    3⤵
    PID:7284
  - - C:\Windows\system32\FonDUE.EXE
      "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
      4⤵
      PID:7316
- C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe"
  2⤵
  PID:7352
- - C:\Windows\SysWOW64\fondue.exe
    "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
    3⤵
    PID:7368
  - - C:\Windows\system32\FonDUE.EXE
      "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
      4⤵
      PID:7404
- C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe"
  2⤵
  PID:7440
- - C:\Windows\SysWOW64\fondue.exe
    "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
    3⤵
    PID:7456
  - - C:\Windows\system32\FonDUE.EXE
      "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
      4⤵
      PID:7488
- C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe"
  2⤵
  PID:7524
- - C:\Windows\SysWOW64\fondue.exe
    "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
    3⤵
    PID:7540
  - - C:\Windows\system32\FonDUE.EXE
      "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
      4⤵
      PID:7572
- C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe"
  2⤵
  PID:7612
- - C:\Windows\SysWOW64\fondue.exe
    "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
    3⤵
    PID:7628
  - - C:\Windows\system32\FonDUE.EXE
      "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
      4⤵
      PID:7660
- C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe"
  2⤵
  PID:7704
- - C:\Windows\SysWOW64\fondue.exe
    "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
    3⤵
    PID:7720
  - - C:\Windows\system32\FonDUE.EXE
      "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
      4⤵
      PID:7756
- C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe"
  2⤵
  PID:7792
- - C:\Windows\SysWOW64\fondue.exe
    "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
    3⤵
    PID:7808
  - - C:\Windows\system32\FonDUE.EXE
      "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
      4⤵
      PID:7844
- C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe"
  2⤵
  PID:7880
- - C:\Windows\SysWOW64\fondue.exe
    "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
    3⤵
    PID:7896
  - - C:\Windows\system32\FonDUE.EXE
      "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
      4⤵
      PID:7932
- C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe"
  2⤵
  PID:7968
- - C:\Windows\SysWOW64\fondue.exe
    "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
    3⤵
    PID:7984
  - - C:\Windows\system32\FonDUE.EXE
      "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
      4⤵
      PID:8016
- C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe"
  2⤵
  PID:8052
- - C:\Windows\SysWOW64\fondue.exe
    "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
    3⤵
    PID:8068
  - - C:\Windows\system32\FonDUE.EXE
      "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
      4⤵
      PID:8104
- C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe"
  2⤵
  PID:8140
- - C:\Windows\SysWOW64\fondue.exe
    "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
    3⤵
    PID:8156
  - - C:\Windows\system32\FonDUE.EXE
      "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
      4⤵
      PID:8188
- C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe"
  2⤵
  PID:7188
- - C:\Windows\SysWOW64\fondue.exe
    "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
    3⤵
    PID:1512
  - - C:\Windows\system32\FonDUE.EXE
      "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
      4⤵
      PID:3980
- C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe"
  2⤵
  PID:536
- - C:\Windows\SysWOW64\fondue.exe
    "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
    3⤵
    PID:7444
  - - C:\Windows\system32\FonDUE.EXE
      "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
      4⤵
      PID:7532
- C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe"
  2⤵
  PID:7620
- - C:\Windows\SysWOW64\fondue.exe
    "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
    3⤵
    PID:3660
  - - C:\Windows\system32\FonDUE.EXE
      "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
      4⤵
      PID:5180
- C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe"
  2⤵
  PID:1436
- - C:\Windows\SysWOW64\fondue.exe
    "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
    3⤵
    PID:7716
  - - C:\Windows\system32\FonDUE.EXE
      "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
      4⤵
      PID:3844
- C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe"
  2⤵
  PID:7892
- - C:\Windows\SysWOW64\fondue.exe
    "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
    3⤵
    PID:4180
  - - C:\Windows\system32\FonDUE.EXE
      "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
      4⤵
      PID:5096
- C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe"
  2⤵
  PID:4344
- - C:\Windows\SysWOW64\fondue.exe
    "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
    3⤵
    PID:4380
  - - C:\Windows\system32\FonDUE.EXE
      "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
      4⤵
      PID:4484
- C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe"
  2⤵
  PID:4600
- - C:\Windows\SysWOW64\fondue.exe
    "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
    3⤵
    PID:6108
  - - C:\Windows\system32\FonDUE.EXE
      "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
      4⤵
      PID:2792
- C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe"
  2⤵
  PID:4852
- - C:\Windows\SysWOW64\fondue.exe
    "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
    3⤵
    PID:6884
  - - C:\Windows\system32\FonDUE.EXE
      "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
      4⤵
      PID:5052
- C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe"
  2⤵
  PID:4320
- - C:\Windows\SysWOW64\fondue.exe
    "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
    3⤵
    PID:3200
  - - C:\Windows\system32\FonDUE.EXE
      "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
      4⤵
      PID:4000
- C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe"
  2⤵
  PID:4884
- - C:\Windows\SysWOW64\fondue.exe
    "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
    3⤵
    PID:4908
  - - C:\Windows\system32\FonDUE.EXE
      "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
      4⤵
      PID:3568
- C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe"
  2⤵
  PID:8208
- - C:\Windows\SysWOW64\fondue.exe
    "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
    3⤵
    PID:8224
  - - C:\Windows\system32\FonDUE.EXE
      "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
      4⤵
      PID:8260
- C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe"
  2⤵
  PID:8296
- - C:\Windows\SysWOW64\fondue.exe
    "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
    3⤵
    PID:8312
  - - C:\Windows\system32\FonDUE.EXE
      "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
      4⤵
      PID:8348
- C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe"
  2⤵
  PID:8388
- - C:\Windows\SysWOW64\fondue.exe
    "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
    3⤵
    PID:8404
  - - C:\Windows\system32\FonDUE.EXE
      "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
      4⤵
      PID:8440
- C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe"
  2⤵
  PID:8476
- - C:\Windows\SysWOW64\fondue.exe
    "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
    3⤵
    PID:8492
  - - C:\Windows\system32\FonDUE.EXE
      "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
      4⤵
      PID:8528
- C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe"
  2⤵
  PID:8564
- - C:\Windows\SysWOW64\fondue.exe
    "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
    3⤵
    PID:8580
  - - C:\Windows\system32\FonDUE.EXE
      "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
      4⤵
      PID:8612
- C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe"
  2⤵
  PID:8648
- - C:\Windows\SysWOW64\fondue.exe
    "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
    3⤵
    PID:8664
  - - C:\Windows\system32\FonDUE.EXE
      "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
      4⤵
      PID:8696
- C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe"
  2⤵
  PID:8732
- - C:\Windows\SysWOW64\fondue.exe
    "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
    3⤵
    PID:8748
  - - C:\Windows\system32\FonDUE.EXE
      "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
      4⤵
      PID:8784
- C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe"
  2⤵
  PID:8820
- - C:\Windows\SysWOW64\fondue.exe
    "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
    3⤵
    PID:8836
  - - C:\Windows\system32\FonDUE.EXE
      "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
      4⤵
      PID:8868
- C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe"
  2⤵
  PID:8904
- - C:\Windows\SysWOW64\fondue.exe
    "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
    3⤵
    PID:8920
  - - C:\Windows\system32\FonDUE.EXE
      "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
      4⤵
      PID:8956
- C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe"
  2⤵
  PID:8992
- - C:\Windows\SysWOW64\fondue.exe
    "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
    3⤵
    PID:9008
  - - C:\Windows\system32\FonDUE.EXE
      "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
      4⤵
      PID:9044
- C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe"
  2⤵
  PID:9080
- - C:\Windows\SysWOW64\fondue.exe
    "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
    3⤵
    PID:9096
  - - C:\Windows\system32\FonDUE.EXE
      "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
      4⤵
      PID:9128
- C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe"
  2⤵
  PID:9164
- - C:\Windows\SysWOW64\fondue.exe
    "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
    3⤵
    PID:9176
  - - C:\Windows\system32\FonDUE.EXE
      "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
      4⤵
      PID:9208
- C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe"
  2⤵
  PID:7880
- - C:\Windows\SysWOW64\fondue.exe
    "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
    3⤵
    PID:536
  - - C:\Windows\system32\FonDUE.EXE
      "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
      4⤵
      PID:7188
- C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe"
  2⤵
  PID:5244
- - C:\Windows\SysWOW64\fondue.exe
    "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
    3⤵
    PID:8304
  - - C:\Windows\system32\FonDUE.EXE
      "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
      4⤵
      PID:5388
- C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe"
  2⤵
  PID:5484
- - C:\Windows\SysWOW64\fondue.exe
    "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
    3⤵
    PID:8568
  - - C:\Windows\system32\FonDUE.EXE
      "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
      4⤵
      PID:8660
- C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe"
  2⤵
  PID:5776
- - C:\Windows\SysWOW64\fondue.exe
    "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
    3⤵
    PID:5820
  - - C:\Windows\system32\FonDUE.EXE
      "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
      4⤵
      PID:5892
- C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe"
  2⤵
  PID:5980
- - C:\Windows\SysWOW64\fondue.exe
    "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
    3⤵
    PID:8996
  - - C:\Windows\system32\FonDUE.EXE
      "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
      4⤵
      PID:7484
- C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe"
  2⤵
  PID:9168
- - C:\Windows\SysWOW64\fondue.exe
    "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
    3⤵
    PID:5376
  - - C:\Windows\system32\FonDUE.EXE
      "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
      4⤵
      PID:5656
- C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe"
  2⤵
  PID:7840
- - C:\Windows\SysWOW64\fondue.exe
    "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
    3⤵
    PID:3828
  - - C:\Windows\system32\FonDUE.EXE
      "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
      4⤵
      PID:8904
- C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe"
  2⤵
  PID:9164
- - C:\Windows\SysWOW64\fondue.exe
    "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
    3⤵
    PID:5852
  - - C:\Windows\system32\FonDUE.EXE
      "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
      4⤵
      PID:7400
- C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe"
  2⤵
  PID:6360
- - C:\Windows\SysWOW64\fondue.exe
    "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
    3⤵
    PID:6396
  - - C:\Windows\system32\FonDUE.EXE
      "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
      4⤵
      PID:3584
- C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe"
  2⤵
  PID:6572
- - C:\Windows\SysWOW64\fondue.exe
    "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
    3⤵
    PID:6612
  - - C:\Windows\system32\FonDUE.EXE
      "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
      4⤵
      PID:6716
- C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe"
  2⤵
  PID:9232
- - C:\Windows\SysWOW64\fondue.exe
    "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
    3⤵
    PID:9248
  - - C:\Windows\system32\FonDUE.EXE
      "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
      4⤵
      PID:9284
- C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe"
  2⤵
  PID:9320
- - C:\Windows\SysWOW64\fondue.exe
    "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
    3⤵
    PID:9336
  - - C:\Windows\system32\FonDUE.EXE
      "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
      4⤵
      PID:9368
- C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe"
  2⤵
  PID:9404
- - C:\Windows\SysWOW64\fondue.exe
    "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
    3⤵
    PID:9420
  - - C:\Windows\system32\FonDUE.EXE
      "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
      4⤵
      PID:9452
- C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe"
  2⤵
  PID:9488
- - C:\Windows\SysWOW64\fondue.exe
    "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
    3⤵
    PID:9504
  - - C:\Windows\system32\FonDUE.EXE
      "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
      4⤵
      PID:9540
- C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe"
  2⤵
  PID:9576
- - C:\Windows\SysWOW64\fondue.exe
    "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
    3⤵
    PID:9592
  - - C:\Windows\system32\FonDUE.EXE
      "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
      4⤵
      PID:9628
- C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe"
  2⤵
  PID:9664
- - C:\Windows\SysWOW64\fondue.exe
    "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
    3⤵
    PID:9680
  - - C:\Windows\system32\FonDUE.EXE
      "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
      4⤵
      PID:9716
- C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe"
  2⤵
  PID:9752
- - C:\Windows\SysWOW64\fondue.exe
    "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
    3⤵
    PID:9768
  - - C:\Windows\system32\FonDUE.EXE
      "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
      4⤵
      PID:9808
- C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe"
  2⤵
  PID:9844
- - C:\Windows\SysWOW64\fondue.exe
    "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
    3⤵
    PID:9860
  - - C:\Windows\system32\FonDUE.EXE
      "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
      4⤵
      PID:9896
- C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe"
  2⤵
  PID:9936
- - C:\Windows\SysWOW64\fondue.exe
    "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
    3⤵
    PID:9952
  - - C:\Windows\system32\FonDUE.EXE
      "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
      4⤵
      PID:9988
- C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe"
  2⤵
  PID:10028
- - C:\Windows\SysWOW64\fondue.exe
    "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
    3⤵
    PID:10044
  - - C:\Windows\system32\FonDUE.EXE
      "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
      4⤵
      PID:10076
- C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe"
  2⤵
  PID:10112
- - C:\Windows\SysWOW64\fondue.exe
    "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
    3⤵
    PID:10128
  - - C:\Windows\system32\FonDUE.EXE
      "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
      4⤵
      PID:10160
- C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe"
  2⤵
  PID:10196
- - C:\Windows\SysWOW64\fondue.exe
    "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
    3⤵
    PID:10212
  - - C:\Windows\system32\FonDUE.EXE
      "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
      4⤵
      PID:6776
- C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe"
  2⤵
  PID:6896
- - C:\Windows\SysWOW64\fondue.exe
    "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
    3⤵
    PID:9332
  - - C:\Windows\system32\FonDUE.EXE
      "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
      4⤵
      PID:4488
- C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe"
  2⤵
  PID:3576
- - C:\Windows\SysWOW64\fondue.exe
    "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
    3⤵
    PID:9496
  - - C:\Windows\system32\FonDUE.EXE
      "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
      4⤵
      PID:9584
- C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe"
  2⤵
  PID:6340
- - C:\Windows\SysWOW64\fondue.exe
    "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
    3⤵
    PID:4116
  - - C:\Windows\system32\FonDUE.EXE
      "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
      4⤵
      PID:9488
- C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe"
  2⤵
  PID:6624
- - C:\Windows\SysWOW64\fondue.exe
    "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
    3⤵
    PID:8256
  - - C:\Windows\system32\FonDUE.EXE
      "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
      4⤵
      PID:4020
- C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe"
  2⤵
  PID:552
- - C:\Windows\SysWOW64\fondue.exe
    "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
    3⤵
    PID:896
  - - C:\Windows\system32\FonDUE.EXE
      "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
      4⤵
      PID:4960
- C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe"
  2⤵
  PID:1304
- - C:\Windows\SysWOW64\fondue.exe
    "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
    3⤵
    PID:6052
  - - C:\Windows\system32\FonDUE.EXE
      "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
      4⤵
      PID:3832
- C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe"
  2⤵
  PID:1904
- - C:\Windows\SysWOW64\fondue.exe
    "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
    3⤵
    PID:1812
  - - C:\Windows\system32\FonDUE.EXE
      "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
      4⤵
      PID:6928
- C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe"
  2⤵
  PID:10036
- - C:\Windows\SysWOW64\fondue.exe
    "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
    3⤵
    PID:3084
  - - C:\Windows\system32\FonDUE.EXE
      "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
      4⤵
      PID:1152
- C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe"
  2⤵
  PID:2468
- - C:\Windows\SysWOW64\fondue.exe
    "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
    3⤵
    PID:8692
  - - C:\Windows\system32\FonDUE.EXE
      "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
      4⤵
      PID:9492
- C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe"
  2⤵
  PID:7292
- - C:\Windows\SysWOW64\fondue.exe
    "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
    3⤵
    PID:8952
  - - C:\Windows\system32\FonDUE.EXE
      "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
      4⤵
      PID:7412
- C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe"
  2⤵
  PID:1036
- - C:\Windows\SysWOW64\fondue.exe
    "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
    3⤵
    PID:7552
  - - C:\Windows\system32\FonDUE.EXE
      "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
      4⤵
      PID:7640
- C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe"
  2⤵
  PID:6896
- - C:\Windows\SysWOW64\fondue.exe
    "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
    3⤵
    PID:1304
  - - C:\Windows\system32\FonDUE.EXE
      "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
      4⤵
      PID:776
- C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe"
  2⤵
  PID:4580
- - C:\Windows\SysWOW64\fondue.exe
    "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
    3⤵
    PID:1956

C:\Windows\system32\MusNotification.exe
C:\Windows\system32\MusNotification.exe
1⤵
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2920

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe

MD5
e56578ff67914010aa9f663876b66c4a

SHA1
802b5d9f5be9fb8213b97567ebc1910e85ddd20f

SHA256
fc89c98b5be515bcbd365c74a9f4026d2d8dce04f9bc6255cc327b971c0bd407

SHA512
756b0fdfca550346207ddd292f6fa57d4db2e0207850dd9651edc341e716f80102ff6e8bdcf8fc000ce8535a1439c529b57d26313b58ad8613d99a978c17caf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe

MD5
e56578ff67914010aa9f663876b66c4a

SHA1
802b5d9f5be9fb8213b97567ebc1910e85ddd20f

SHA256
fc89c98b5be515bcbd365c74a9f4026d2d8dce04f9bc6255cc327b971c0bd407

SHA512
756b0fdfca550346207ddd292f6fa57d4db2e0207850dd9651edc341e716f80102ff6e8bdcf8fc000ce8535a1439c529b57d26313b58ad8613d99a978c17caf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe

MD5
e56578ff67914010aa9f663876b66c4a

SHA1
802b5d9f5be9fb8213b97567ebc1910e85ddd20f

SHA256
fc89c98b5be515bcbd365c74a9f4026d2d8dce04f9bc6255cc327b971c0bd407

SHA512
756b0fdfca550346207ddd292f6fa57d4db2e0207850dd9651edc341e716f80102ff6e8bdcf8fc000ce8535a1439c529b57d26313b58ad8613d99a978c17caf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe

MD5
e56578ff67914010aa9f663876b66c4a

SHA1
802b5d9f5be9fb8213b97567ebc1910e85ddd20f

SHA256
fc89c98b5be515bcbd365c74a9f4026d2d8dce04f9bc6255cc327b971c0bd407

SHA512
756b0fdfca550346207ddd292f6fa57d4db2e0207850dd9651edc341e716f80102ff6e8bdcf8fc000ce8535a1439c529b57d26313b58ad8613d99a978c17caf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe

MD5
e56578ff67914010aa9f663876b66c4a

SHA1
802b5d9f5be9fb8213b97567ebc1910e85ddd20f

SHA256
fc89c98b5be515bcbd365c74a9f4026d2d8dce04f9bc6255cc327b971c0bd407

SHA512
756b0fdfca550346207ddd292f6fa57d4db2e0207850dd9651edc341e716f80102ff6e8bdcf8fc000ce8535a1439c529b57d26313b58ad8613d99a978c17caf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe

MD5
e56578ff67914010aa9f663876b66c4a

SHA1
802b5d9f5be9fb8213b97567ebc1910e85ddd20f

SHA256
fc89c98b5be515bcbd365c74a9f4026d2d8dce04f9bc6255cc327b971c0bd407

SHA512
756b0fdfca550346207ddd292f6fa57d4db2e0207850dd9651edc341e716f80102ff6e8bdcf8fc000ce8535a1439c529b57d26313b58ad8613d99a978c17caf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe

MD5
e56578ff67914010aa9f663876b66c4a

SHA1
802b5d9f5be9fb8213b97567ebc1910e85ddd20f

SHA256
fc89c98b5be515bcbd365c74a9f4026d2d8dce04f9bc6255cc327b971c0bd407

SHA512
756b0fdfca550346207ddd292f6fa57d4db2e0207850dd9651edc341e716f80102ff6e8bdcf8fc000ce8535a1439c529b57d26313b58ad8613d99a978c17caf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe

MD5
e56578ff67914010aa9f663876b66c4a

SHA1
802b5d9f5be9fb8213b97567ebc1910e85ddd20f

SHA256
fc89c98b5be515bcbd365c74a9f4026d2d8dce04f9bc6255cc327b971c0bd407

SHA512
756b0fdfca550346207ddd292f6fa57d4db2e0207850dd9651edc341e716f80102ff6e8bdcf8fc000ce8535a1439c529b57d26313b58ad8613d99a978c17caf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe

MD5
e56578ff67914010aa9f663876b66c4a

SHA1
802b5d9f5be9fb8213b97567ebc1910e85ddd20f

SHA256
fc89c98b5be515bcbd365c74a9f4026d2d8dce04f9bc6255cc327b971c0bd407

SHA512
756b0fdfca550346207ddd292f6fa57d4db2e0207850dd9651edc341e716f80102ff6e8bdcf8fc000ce8535a1439c529b57d26313b58ad8613d99a978c17caf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe

MD5
e56578ff67914010aa9f663876b66c4a

SHA1
802b5d9f5be9fb8213b97567ebc1910e85ddd20f

SHA256
fc89c98b5be515bcbd365c74a9f4026d2d8dce04f9bc6255cc327b971c0bd407

SHA512
756b0fdfca550346207ddd292f6fa57d4db2e0207850dd9651edc341e716f80102ff6e8bdcf8fc000ce8535a1439c529b57d26313b58ad8613d99a978c17caf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe

MD5
e56578ff67914010aa9f663876b66c4a

SHA1
802b5d9f5be9fb8213b97567ebc1910e85ddd20f

SHA256
fc89c98b5be515bcbd365c74a9f4026d2d8dce04f9bc6255cc327b971c0bd407

SHA512
756b0fdfca550346207ddd292f6fa57d4db2e0207850dd9651edc341e716f80102ff6e8bdcf8fc000ce8535a1439c529b57d26313b58ad8613d99a978c17caf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe

MD5
e56578ff67914010aa9f663876b66c4a

SHA1
802b5d9f5be9fb8213b97567ebc1910e85ddd20f

SHA256
fc89c98b5be515bcbd365c74a9f4026d2d8dce04f9bc6255cc327b971c0bd407

SHA512
756b0fdfca550346207ddd292f6fa57d4db2e0207850dd9651edc341e716f80102ff6e8bdcf8fc000ce8535a1439c529b57d26313b58ad8613d99a978c17caf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe

MD5
e56578ff67914010aa9f663876b66c4a

SHA1
802b5d9f5be9fb8213b97567ebc1910e85ddd20f

SHA256
fc89c98b5be515bcbd365c74a9f4026d2d8dce04f9bc6255cc327b971c0bd407

SHA512
756b0fdfca550346207ddd292f6fa57d4db2e0207850dd9651edc341e716f80102ff6e8bdcf8fc000ce8535a1439c529b57d26313b58ad8613d99a978c17caf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe

MD5
e56578ff67914010aa9f663876b66c4a

SHA1
802b5d9f5be9fb8213b97567ebc1910e85ddd20f

SHA256
fc89c98b5be515bcbd365c74a9f4026d2d8dce04f9bc6255cc327b971c0bd407

SHA512
756b0fdfca550346207ddd292f6fa57d4db2e0207850dd9651edc341e716f80102ff6e8bdcf8fc000ce8535a1439c529b57d26313b58ad8613d99a978c17caf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe

MD5
e56578ff67914010aa9f663876b66c4a

SHA1
802b5d9f5be9fb8213b97567ebc1910e85ddd20f

SHA256
fc89c98b5be515bcbd365c74a9f4026d2d8dce04f9bc6255cc327b971c0bd407

SHA512
756b0fdfca550346207ddd292f6fa57d4db2e0207850dd9651edc341e716f80102ff6e8bdcf8fc000ce8535a1439c529b57d26313b58ad8613d99a978c17caf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe

MD5
e56578ff67914010aa9f663876b66c4a

SHA1
802b5d9f5be9fb8213b97567ebc1910e85ddd20f

SHA256
fc89c98b5be515bcbd365c74a9f4026d2d8dce04f9bc6255cc327b971c0bd407

SHA512
756b0fdfca550346207ddd292f6fa57d4db2e0207850dd9651edc341e716f80102ff6e8bdcf8fc000ce8535a1439c529b57d26313b58ad8613d99a978c17caf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe

MD5
e56578ff67914010aa9f663876b66c4a

SHA1
802b5d9f5be9fb8213b97567ebc1910e85ddd20f

SHA256
fc89c98b5be515bcbd365c74a9f4026d2d8dce04f9bc6255cc327b971c0bd407

SHA512
756b0fdfca550346207ddd292f6fa57d4db2e0207850dd9651edc341e716f80102ff6e8bdcf8fc000ce8535a1439c529b57d26313b58ad8613d99a978c17caf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe

MD5
e56578ff67914010aa9f663876b66c4a

SHA1
802b5d9f5be9fb8213b97567ebc1910e85ddd20f

SHA256
fc89c98b5be515bcbd365c74a9f4026d2d8dce04f9bc6255cc327b971c0bd407

SHA512
756b0fdfca550346207ddd292f6fa57d4db2e0207850dd9651edc341e716f80102ff6e8bdcf8fc000ce8535a1439c529b57d26313b58ad8613d99a978c17caf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe

MD5
e56578ff67914010aa9f663876b66c4a

SHA1
802b5d9f5be9fb8213b97567ebc1910e85ddd20f

SHA256
fc89c98b5be515bcbd365c74a9f4026d2d8dce04f9bc6255cc327b971c0bd407

SHA512
756b0fdfca550346207ddd292f6fa57d4db2e0207850dd9651edc341e716f80102ff6e8bdcf8fc000ce8535a1439c529b57d26313b58ad8613d99a978c17caf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe

MD5
e56578ff67914010aa9f663876b66c4a

SHA1
802b5d9f5be9fb8213b97567ebc1910e85ddd20f

SHA256
fc89c98b5be515bcbd365c74a9f4026d2d8dce04f9bc6255cc327b971c0bd407

SHA512
756b0fdfca550346207ddd292f6fa57d4db2e0207850dd9651edc341e716f80102ff6e8bdcf8fc000ce8535a1439c529b57d26313b58ad8613d99a978c17caf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe

MD5
e56578ff67914010aa9f663876b66c4a

SHA1
802b5d9f5be9fb8213b97567ebc1910e85ddd20f

SHA256
fc89c98b5be515bcbd365c74a9f4026d2d8dce04f9bc6255cc327b971c0bd407

SHA512
756b0fdfca550346207ddd292f6fa57d4db2e0207850dd9651edc341e716f80102ff6e8bdcf8fc000ce8535a1439c529b57d26313b58ad8613d99a978c17caf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe

MD5
e56578ff67914010aa9f663876b66c4a

SHA1
802b5d9f5be9fb8213b97567ebc1910e85ddd20f

SHA256
fc89c98b5be515bcbd365c74a9f4026d2d8dce04f9bc6255cc327b971c0bd407

SHA512
756b0fdfca550346207ddd292f6fa57d4db2e0207850dd9651edc341e716f80102ff6e8bdcf8fc000ce8535a1439c529b57d26313b58ad8613d99a978c17caf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe

MD5
e56578ff67914010aa9f663876b66c4a

SHA1
802b5d9f5be9fb8213b97567ebc1910e85ddd20f

SHA256
fc89c98b5be515bcbd365c74a9f4026d2d8dce04f9bc6255cc327b971c0bd407

SHA512
756b0fdfca550346207ddd292f6fa57d4db2e0207850dd9651edc341e716f80102ff6e8bdcf8fc000ce8535a1439c529b57d26313b58ad8613d99a978c17caf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe

MD5
e56578ff67914010aa9f663876b66c4a

SHA1
802b5d9f5be9fb8213b97567ebc1910e85ddd20f

SHA256
fc89c98b5be515bcbd365c74a9f4026d2d8dce04f9bc6255cc327b971c0bd407

SHA512
756b0fdfca550346207ddd292f6fa57d4db2e0207850dd9651edc341e716f80102ff6e8bdcf8fc000ce8535a1439c529b57d26313b58ad8613d99a978c17caf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe

MD5
e56578ff67914010aa9f663876b66c4a

SHA1
802b5d9f5be9fb8213b97567ebc1910e85ddd20f

SHA256
fc89c98b5be515bcbd365c74a9f4026d2d8dce04f9bc6255cc327b971c0bd407

SHA512
756b0fdfca550346207ddd292f6fa57d4db2e0207850dd9651edc341e716f80102ff6e8bdcf8fc000ce8535a1439c529b57d26313b58ad8613d99a978c17caf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe

MD5
e56578ff67914010aa9f663876b66c4a

SHA1
802b5d9f5be9fb8213b97567ebc1910e85ddd20f

SHA256
fc89c98b5be515bcbd365c74a9f4026d2d8dce04f9bc6255cc327b971c0bd407

SHA512
756b0fdfca550346207ddd292f6fa57d4db2e0207850dd9651edc341e716f80102ff6e8bdcf8fc000ce8535a1439c529b57d26313b58ad8613d99a978c17caf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe

MD5
e56578ff67914010aa9f663876b66c4a

SHA1
802b5d9f5be9fb8213b97567ebc1910e85ddd20f

SHA256
fc89c98b5be515bcbd365c74a9f4026d2d8dce04f9bc6255cc327b971c0bd407

SHA512
756b0fdfca550346207ddd292f6fa57d4db2e0207850dd9651edc341e716f80102ff6e8bdcf8fc000ce8535a1439c529b57d26313b58ad8613d99a978c17caf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe

MD5
e56578ff67914010aa9f663876b66c4a

SHA1
802b5d9f5be9fb8213b97567ebc1910e85ddd20f

SHA256
fc89c98b5be515bcbd365c74a9f4026d2d8dce04f9bc6255cc327b971c0bd407

SHA512
756b0fdfca550346207ddd292f6fa57d4db2e0207850dd9651edc341e716f80102ff6e8bdcf8fc000ce8535a1439c529b57d26313b58ad8613d99a978c17caf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe

MD5
e56578ff67914010aa9f663876b66c4a

SHA1
802b5d9f5be9fb8213b97567ebc1910e85ddd20f

SHA256
fc89c98b5be515bcbd365c74a9f4026d2d8dce04f9bc6255cc327b971c0bd407

SHA512
756b0fdfca550346207ddd292f6fa57d4db2e0207850dd9651edc341e716f80102ff6e8bdcf8fc000ce8535a1439c529b57d26313b58ad8613d99a978c17caf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe

MD5
e56578ff67914010aa9f663876b66c4a

SHA1
802b5d9f5be9fb8213b97567ebc1910e85ddd20f

SHA256
fc89c98b5be515bcbd365c74a9f4026d2d8dce04f9bc6255cc327b971c0bd407

SHA512
756b0fdfca550346207ddd292f6fa57d4db2e0207850dd9651edc341e716f80102ff6e8bdcf8fc000ce8535a1439c529b57d26313b58ad8613d99a978c17caf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe

MD5
e56578ff67914010aa9f663876b66c4a

SHA1
802b5d9f5be9fb8213b97567ebc1910e85ddd20f

SHA256
fc89c98b5be515bcbd365c74a9f4026d2d8dce04f9bc6255cc327b971c0bd407

SHA512
756b0fdfca550346207ddd292f6fa57d4db2e0207850dd9651edc341e716f80102ff6e8bdcf8fc000ce8535a1439c529b57d26313b58ad8613d99a978c17caf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe

MD5
e56578ff67914010aa9f663876b66c4a

SHA1
802b5d9f5be9fb8213b97567ebc1910e85ddd20f

SHA256
fc89c98b5be515bcbd365c74a9f4026d2d8dce04f9bc6255cc327b971c0bd407

SHA512
756b0fdfca550346207ddd292f6fa57d4db2e0207850dd9651edc341e716f80102ff6e8bdcf8fc000ce8535a1439c529b57d26313b58ad8613d99a978c17caf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe

MD5
e56578ff67914010aa9f663876b66c4a

SHA1
802b5d9f5be9fb8213b97567ebc1910e85ddd20f

SHA256
fc89c98b5be515bcbd365c74a9f4026d2d8dce04f9bc6255cc327b971c0bd407

SHA512
756b0fdfca550346207ddd292f6fa57d4db2e0207850dd9651edc341e716f80102ff6e8bdcf8fc000ce8535a1439c529b57d26313b58ad8613d99a978c17caf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe

MD5
e56578ff67914010aa9f663876b66c4a

SHA1
802b5d9f5be9fb8213b97567ebc1910e85ddd20f

SHA256
fc89c98b5be515bcbd365c74a9f4026d2d8dce04f9bc6255cc327b971c0bd407

SHA512
756b0fdfca550346207ddd292f6fa57d4db2e0207850dd9651edc341e716f80102ff6e8bdcf8fc000ce8535a1439c529b57d26313b58ad8613d99a978c17caf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe

MD5
e56578ff67914010aa9f663876b66c4a

SHA1
802b5d9f5be9fb8213b97567ebc1910e85ddd20f

SHA256
fc89c98b5be515bcbd365c74a9f4026d2d8dce04f9bc6255cc327b971c0bd407

SHA512
756b0fdfca550346207ddd292f6fa57d4db2e0207850dd9651edc341e716f80102ff6e8bdcf8fc000ce8535a1439c529b57d26313b58ad8613d99a978c17caf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe

MD5
e56578ff67914010aa9f663876b66c4a

SHA1
802b5d9f5be9fb8213b97567ebc1910e85ddd20f

SHA256
fc89c98b5be515bcbd365c74a9f4026d2d8dce04f9bc6255cc327b971c0bd407

SHA512
756b0fdfca550346207ddd292f6fa57d4db2e0207850dd9651edc341e716f80102ff6e8bdcf8fc000ce8535a1439c529b57d26313b58ad8613d99a978c17caf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe

MD5
e56578ff67914010aa9f663876b66c4a

SHA1
802b5d9f5be9fb8213b97567ebc1910e85ddd20f

SHA256
fc89c98b5be515bcbd365c74a9f4026d2d8dce04f9bc6255cc327b971c0bd407

SHA512
756b0fdfca550346207ddd292f6fa57d4db2e0207850dd9651edc341e716f80102ff6e8bdcf8fc000ce8535a1439c529b57d26313b58ad8613d99a978c17caf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe

MD5
e56578ff67914010aa9f663876b66c4a

SHA1
802b5d9f5be9fb8213b97567ebc1910e85ddd20f

SHA256
fc89c98b5be515bcbd365c74a9f4026d2d8dce04f9bc6255cc327b971c0bd407

SHA512
756b0fdfca550346207ddd292f6fa57d4db2e0207850dd9651edc341e716f80102ff6e8bdcf8fc000ce8535a1439c529b57d26313b58ad8613d99a978c17caf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe

MD5
e56578ff67914010aa9f663876b66c4a

SHA1
802b5d9f5be9fb8213b97567ebc1910e85ddd20f

SHA256
fc89c98b5be515bcbd365c74a9f4026d2d8dce04f9bc6255cc327b971c0bd407

SHA512
756b0fdfca550346207ddd292f6fa57d4db2e0207850dd9651edc341e716f80102ff6e8bdcf8fc000ce8535a1439c529b57d26313b58ad8613d99a978c17caf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe

MD5
e56578ff67914010aa9f663876b66c4a

SHA1
802b5d9f5be9fb8213b97567ebc1910e85ddd20f

SHA256
fc89c98b5be515bcbd365c74a9f4026d2d8dce04f9bc6255cc327b971c0bd407

SHA512
756b0fdfca550346207ddd292f6fa57d4db2e0207850dd9651edc341e716f80102ff6e8bdcf8fc000ce8535a1439c529b57d26313b58ad8613d99a978c17caf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe

MD5
e56578ff67914010aa9f663876b66c4a

SHA1
802b5d9f5be9fb8213b97567ebc1910e85ddd20f

SHA256
fc89c98b5be515bcbd365c74a9f4026d2d8dce04f9bc6255cc327b971c0bd407

SHA512
756b0fdfca550346207ddd292f6fa57d4db2e0207850dd9651edc341e716f80102ff6e8bdcf8fc000ce8535a1439c529b57d26313b58ad8613d99a978c17caf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe

MD5
e56578ff67914010aa9f663876b66c4a

SHA1
802b5d9f5be9fb8213b97567ebc1910e85ddd20f

SHA256
fc89c98b5be515bcbd365c74a9f4026d2d8dce04f9bc6255cc327b971c0bd407

SHA512
756b0fdfca550346207ddd292f6fa57d4db2e0207850dd9651edc341e716f80102ff6e8bdcf8fc000ce8535a1439c529b57d26313b58ad8613d99a978c17caf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe

MD5
e56578ff67914010aa9f663876b66c4a

SHA1
802b5d9f5be9fb8213b97567ebc1910e85ddd20f

SHA256
fc89c98b5be515bcbd365c74a9f4026d2d8dce04f9bc6255cc327b971c0bd407

SHA512
756b0fdfca550346207ddd292f6fa57d4db2e0207850dd9651edc341e716f80102ff6e8bdcf8fc000ce8535a1439c529b57d26313b58ad8613d99a978c17caf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe

MD5
e56578ff67914010aa9f663876b66c4a

SHA1
802b5d9f5be9fb8213b97567ebc1910e85ddd20f

SHA256
fc89c98b5be515bcbd365c74a9f4026d2d8dce04f9bc6255cc327b971c0bd407

SHA512
756b0fdfca550346207ddd292f6fa57d4db2e0207850dd9651edc341e716f80102ff6e8bdcf8fc000ce8535a1439c529b57d26313b58ad8613d99a978c17caf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe

MD5
e56578ff67914010aa9f663876b66c4a

SHA1
802b5d9f5be9fb8213b97567ebc1910e85ddd20f

SHA256
fc89c98b5be515bcbd365c74a9f4026d2d8dce04f9bc6255cc327b971c0bd407

SHA512
756b0fdfca550346207ddd292f6fa57d4db2e0207850dd9651edc341e716f80102ff6e8bdcf8fc000ce8535a1439c529b57d26313b58ad8613d99a978c17caf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe

MD5
e56578ff67914010aa9f663876b66c4a

SHA1
802b5d9f5be9fb8213b97567ebc1910e85ddd20f

SHA256
fc89c98b5be515bcbd365c74a9f4026d2d8dce04f9bc6255cc327b971c0bd407

SHA512
756b0fdfca550346207ddd292f6fa57d4db2e0207850dd9651edc341e716f80102ff6e8bdcf8fc000ce8535a1439c529b57d26313b58ad8613d99a978c17caf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe

MD5
e56578ff67914010aa9f663876b66c4a

SHA1
802b5d9f5be9fb8213b97567ebc1910e85ddd20f

SHA256
fc89c98b5be515bcbd365c74a9f4026d2d8dce04f9bc6255cc327b971c0bd407

SHA512
756b0fdfca550346207ddd292f6fa57d4db2e0207850dd9651edc341e716f80102ff6e8bdcf8fc000ce8535a1439c529b57d26313b58ad8613d99a978c17caf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe

MD5
e56578ff67914010aa9f663876b66c4a

SHA1
802b5d9f5be9fb8213b97567ebc1910e85ddd20f

SHA256
fc89c98b5be515bcbd365c74a9f4026d2d8dce04f9bc6255cc327b971c0bd407

SHA512
756b0fdfca550346207ddd292f6fa57d4db2e0207850dd9651edc341e716f80102ff6e8bdcf8fc000ce8535a1439c529b57d26313b58ad8613d99a978c17caf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe

MD5
e56578ff67914010aa9f663876b66c4a

SHA1
802b5d9f5be9fb8213b97567ebc1910e85ddd20f

SHA256
fc89c98b5be515bcbd365c74a9f4026d2d8dce04f9bc6255cc327b971c0bd407

SHA512
756b0fdfca550346207ddd292f6fa57d4db2e0207850dd9651edc341e716f80102ff6e8bdcf8fc000ce8535a1439c529b57d26313b58ad8613d99a978c17caf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe

MD5
e56578ff67914010aa9f663876b66c4a

SHA1
802b5d9f5be9fb8213b97567ebc1910e85ddd20f

SHA256
fc89c98b5be515bcbd365c74a9f4026d2d8dce04f9bc6255cc327b971c0bd407

SHA512
756b0fdfca550346207ddd292f6fa57d4db2e0207850dd9651edc341e716f80102ff6e8bdcf8fc000ce8535a1439c529b57d26313b58ad8613d99a978c17caf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe

MD5
e56578ff67914010aa9f663876b66c4a

SHA1
802b5d9f5be9fb8213b97567ebc1910e85ddd20f

SHA256
fc89c98b5be515bcbd365c74a9f4026d2d8dce04f9bc6255cc327b971c0bd407

SHA512
756b0fdfca550346207ddd292f6fa57d4db2e0207850dd9651edc341e716f80102ff6e8bdcf8fc000ce8535a1439c529b57d26313b58ad8613d99a978c17caf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe

MD5
e56578ff67914010aa9f663876b66c4a

SHA1
802b5d9f5be9fb8213b97567ebc1910e85ddd20f

SHA256
fc89c98b5be515bcbd365c74a9f4026d2d8dce04f9bc6255cc327b971c0bd407

SHA512
756b0fdfca550346207ddd292f6fa57d4db2e0207850dd9651edc341e716f80102ff6e8bdcf8fc000ce8535a1439c529b57d26313b58ad8613d99a978c17caf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe

MD5
e56578ff67914010aa9f663876b66c4a

SHA1
802b5d9f5be9fb8213b97567ebc1910e85ddd20f

SHA256
fc89c98b5be515bcbd365c74a9f4026d2d8dce04f9bc6255cc327b971c0bd407

SHA512
756b0fdfca550346207ddd292f6fa57d4db2e0207850dd9651edc341e716f80102ff6e8bdcf8fc000ce8535a1439c529b57d26313b58ad8613d99a978c17caf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe

MD5
e56578ff67914010aa9f663876b66c4a

SHA1
802b5d9f5be9fb8213b97567ebc1910e85ddd20f

SHA256
fc89c98b5be515bcbd365c74a9f4026d2d8dce04f9bc6255cc327b971c0bd407

SHA512
756b0fdfca550346207ddd292f6fa57d4db2e0207850dd9651edc341e716f80102ff6e8bdcf8fc000ce8535a1439c529b57d26313b58ad8613d99a978c17caf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe

MD5
e56578ff67914010aa9f663876b66c4a

SHA1
802b5d9f5be9fb8213b97567ebc1910e85ddd20f

SHA256
fc89c98b5be515bcbd365c74a9f4026d2d8dce04f9bc6255cc327b971c0bd407

SHA512
756b0fdfca550346207ddd292f6fa57d4db2e0207850dd9651edc341e716f80102ff6e8bdcf8fc000ce8535a1439c529b57d26313b58ad8613d99a978c17caf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe

MD5
e56578ff67914010aa9f663876b66c4a

SHA1
802b5d9f5be9fb8213b97567ebc1910e85ddd20f

SHA256
fc89c98b5be515bcbd365c74a9f4026d2d8dce04f9bc6255cc327b971c0bd407

SHA512
756b0fdfca550346207ddd292f6fa57d4db2e0207850dd9651edc341e716f80102ff6e8bdcf8fc000ce8535a1439c529b57d26313b58ad8613d99a978c17caf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe

MD5
e56578ff67914010aa9f663876b66c4a

SHA1
802b5d9f5be9fb8213b97567ebc1910e85ddd20f

SHA256
fc89c98b5be515bcbd365c74a9f4026d2d8dce04f9bc6255cc327b971c0bd407

SHA512
756b0fdfca550346207ddd292f6fa57d4db2e0207850dd9651edc341e716f80102ff6e8bdcf8fc000ce8535a1439c529b57d26313b58ad8613d99a978c17caf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe

MD5
e56578ff67914010aa9f663876b66c4a

SHA1
802b5d9f5be9fb8213b97567ebc1910e85ddd20f

SHA256
fc89c98b5be515bcbd365c74a9f4026d2d8dce04f9bc6255cc327b971c0bd407

SHA512
756b0fdfca550346207ddd292f6fa57d4db2e0207850dd9651edc341e716f80102ff6e8bdcf8fc000ce8535a1439c529b57d26313b58ad8613d99a978c17caf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe

MD5
e56578ff67914010aa9f663876b66c4a

SHA1
802b5d9f5be9fb8213b97567ebc1910e85ddd20f

SHA256
fc89c98b5be515bcbd365c74a9f4026d2d8dce04f9bc6255cc327b971c0bd407

SHA512
756b0fdfca550346207ddd292f6fa57d4db2e0207850dd9651edc341e716f80102ff6e8bdcf8fc000ce8535a1439c529b57d26313b58ad8613d99a978c17caf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe

MD5
e56578ff67914010aa9f663876b66c4a

SHA1
802b5d9f5be9fb8213b97567ebc1910e85ddd20f

SHA256
fc89c98b5be515bcbd365c74a9f4026d2d8dce04f9bc6255cc327b971c0bd407

SHA512
756b0fdfca550346207ddd292f6fa57d4db2e0207850dd9651edc341e716f80102ff6e8bdcf8fc000ce8535a1439c529b57d26313b58ad8613d99a978c17caf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe

MD5
e56578ff67914010aa9f663876b66c4a

SHA1
802b5d9f5be9fb8213b97567ebc1910e85ddd20f

SHA256
fc89c98b5be515bcbd365c74a9f4026d2d8dce04f9bc6255cc327b971c0bd407

SHA512
756b0fdfca550346207ddd292f6fa57d4db2e0207850dd9651edc341e716f80102ff6e8bdcf8fc000ce8535a1439c529b57d26313b58ad8613d99a978c17caf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe

MD5
e56578ff67914010aa9f663876b66c4a

SHA1
802b5d9f5be9fb8213b97567ebc1910e85ddd20f

SHA256
fc89c98b5be515bcbd365c74a9f4026d2d8dce04f9bc6255cc327b971c0bd407

SHA512
756b0fdfca550346207ddd292f6fa57d4db2e0207850dd9651edc341e716f80102ff6e8bdcf8fc000ce8535a1439c529b57d26313b58ad8613d99a978c17caf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe

MD5
e56578ff67914010aa9f663876b66c4a

SHA1
802b5d9f5be9fb8213b97567ebc1910e85ddd20f

SHA256
fc89c98b5be515bcbd365c74a9f4026d2d8dce04f9bc6255cc327b971c0bd407

SHA512
756b0fdfca550346207ddd292f6fa57d4db2e0207850dd9651edc341e716f80102ff6e8bdcf8fc000ce8535a1439c529b57d26313b58ad8613d99a978c17caf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe

MD5
e56578ff67914010aa9f663876b66c4a

SHA1
802b5d9f5be9fb8213b97567ebc1910e85ddd20f

SHA256
fc89c98b5be515bcbd365c74a9f4026d2d8dce04f9bc6255cc327b971c0bd407

SHA512
756b0fdfca550346207ddd292f6fa57d4db2e0207850dd9651edc341e716f80102ff6e8bdcf8fc000ce8535a1439c529b57d26313b58ad8613d99a978c17caf3

Download Submit
memory/64-165-0x0000000000000000-mapping.dmp

Download
memory/544-189-0x0000000000000000-mapping.dmp

Download
memory/832-156-0x0000000000000000-mapping.dmp

Download
memory/916-178-0x0000000000000000-mapping.dmp

Download
memory/1096-160-0x0000000000000000-mapping.dmp

Download
memory/1184-194-0x0000000000000000-mapping.dmp

Download
memory/1212-182-0x0000000000000000-mapping.dmp

Download
memory/1356-186-0x0000000000000000-mapping.dmp

Download
memory/1524-174-0x0000000000000000-mapping.dmp

Download
memory/1676-154-0x0000000000000000-mapping.dmp

Download
memory/1852-148-0x0000000000000000-mapping.dmp

Download
memory/1876-141-0x0000000000000000-mapping.dmp

Download
memory/1908-170-0x0000000000000000-mapping.dmp

Download
memory/1920-168-0x0000000000000000-mapping.dmp

Download
memory/1996-169-0x0000000000000000-mapping.dmp

Download
memory/2032-142-0x0000000000000000-mapping.dmp

Download
memory/2168-144-0x0000000000000000-mapping.dmp

Download
memory/2180-146-0x0000000000000000-mapping.dmp

Download
memory/2252-153-0x0000000000000000-mapping.dmp

Download
memory/2320-135-0x00000000057A0000-0x0000000005D44000-memory.dmp

Filesize
5.6MB

Download
memory/2320-136-0x00000000051F0000-0x0000000005794000-memory.dmp

Filesize
5.6MB

Download
memory/2320-134-0x00000000008E0000-0x00000000008E8000-memory.dmp

Filesize
32KB

Download
memory/2320-133-0x00000000008E0000-0x00000000008E8000-memory.dmp

Filesize
32KB

Download
memory/2356-193-0x0000000000000000-mapping.dmp

Download
memory/2364-173-0x0000000000000000-mapping.dmp

Download
memory/2504-145-0x0000000000000000-mapping.dmp

Download
memory/2540-150-0x0000000000000000-mapping.dmp

Download
memory/2584-149-0x0000000000000000-mapping.dmp

Download
memory/2624-196-0x0000000000000000-mapping.dmp

Download
memory/2780-192-0x0000000000000000-mapping.dmp

Download
memory/2788-172-0x0000000000000000-mapping.dmp

Download
memory/2900-188-0x0000000000000000-mapping.dmp

Download
memory/2932-184-0x0000000000000000-mapping.dmp

Download
memory/3120-152-0x0000000000000000-mapping.dmp

Download
memory/3124-164-0x0000000000000000-mapping.dmp

Download
memory/3288-181-0x0000000000000000-mapping.dmp

Download
memory/3408-180-0x0000000000000000-mapping.dmp

Download
memory/3472-197-0x0000000000000000-mapping.dmp

Download
memory/3476-177-0x0000000000000000-mapping.dmp

Download
memory/3592-185-0x0000000000000000-mapping.dmp

Download
memory/3600-158-0x0000000000000000-mapping.dmp

Download
memory/3640-157-0x0000000000000000-mapping.dmp

Download
memory/3676-161-0x0000000000000000-mapping.dmp

Download
memory/3704-166-0x0000000000000000-mapping.dmp

Download
memory/3848-190-0x0000000000000000-mapping.dmp

Download
memory/3856-176-0x0000000000000000-mapping.dmp

Download
memory/3924-140-0x0000000000000000-mapping.dmp

Download
memory/3928-137-0x0000000000000000-mapping.dmp

Download
memory/4040-162-0x0000000000000000-mapping.dmp

Download
memory/4104-198-0x0000000000000000-mapping.dmp

Download
memory/4128-200-0x0000000000000000-mapping.dmp

Download
memory/4164-201-0x0000000000000000-mapping.dmp

Download
memory/4204-202-0x0000000000000000-mapping.dmp

Download
memory/4228-204-0x0000000000000000-mapping.dmp

Download
memory/4268-205-0x0000000000000000-mapping.dmp

Download
memory/4308-206-0x0000000000000000-mapping.dmp

Download
memory/4332-208-0x0000000000000000-mapping.dmp

Download
memory/4368-209-0x0000000000000000-mapping.dmp

Download
memory/4412-210-0x0000000000000000-mapping.dmp

Download
memory/4436-212-0x0000000000000000-mapping.dmp

Download
memory/4472-213-0x0000000000000000-mapping.dmp

Download
memory/4516-214-0x0000000000000000-mapping.dmp

Download
memory/4540-216-0x0000000000000000-mapping.dmp

Download
memory/4584-217-0x0000000000000000-mapping.dmp

Download
memory/4624-218-0x0000000000000000-mapping.dmp

Download
memory/4644-220-0x0000000000000000-mapping.dmp

Download
memory/4688-221-0x0000000000000000-mapping.dmp

Download
memory/4728-222-0x0000000000000000-mapping.dmp

Download