Malware Analysis Report

2025-01-02 06:52

Sample ID 220504-1pvsmshdgr
Target 7418326158.zip
SHA256 469b2a19deab693e53b7ea3d2c26833067fe6be1b9493505091fd9f586c54fb0
Tags
onlylogger redline smokeloader socelars vidar 706 jamesbig aspackv2 backdoor evasion infostealer loader spyware stealer suricata trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

469b2a19deab693e53b7ea3d2c26833067fe6be1b9493505091fd9f586c54fb0

Threat Level: Known bad

The file 7418326158.zip was found to be: Known bad.

Malicious Activity Summary

onlylogger redline smokeloader socelars vidar 706 jamesbig aspackv2 backdoor evasion infostealer loader spyware stealer suricata trojan

RedLine

Socelars

OnlyLogger

SmokeLoader

Vidar

Socelars Payload

Modifies Windows Defender Real-time Protection settings

RedLine Payload

suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3

OnlyLogger Payload

Vidar Stealer

ASPack v2.12-2.42

Downloads MZ/PE file

Executes dropped EXE

Checks computer location settings

Reads user/profile data of web browsers

Loads dropped DLL

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Looks up geolocation information via web service

Drops file in Windows directory

Program crash

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious behavior: MapViewOfSection

Checks processor information in registry

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

Modifies system certificate store

Checks SCSI registry key(s)

Kills process with taskkill

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-05-04 21:50

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-05-04 21:49

Reported

2022-05-04 21:54

Platform

win10-20220414-en

Max time kernel

270s

Max time network

270s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1bcd1d1521d0879173fb5adfd51fad8b9100524dd6f46f79af757d8b4dc00c15.exe"

Signatures

Modifies Windows Defender Real-time Protection settings

evasion trojan

OnlyLogger

loader onlylogger

RedLine

infostealer redline

RedLine Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Socelars

stealer socelars

Socelars Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Vidar

stealer vidar

suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3

suricata

OnlyLogger Payload

Description Indicator Process Target
N/A N/A N/A N/A

Vidar Stealer

stealer

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

ASPack v2.12-2.42

aspackv2

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7zS81CE7276\Sat096d657bea7.exe N/A

Reads user/profile data of web browsers

spyware stealer

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Looks up geolocation information via web service

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rescache\_merged\4183903823\810424605.pri C:\Windows\system32\taskmgr.exe N/A
File created C:\Windows\rescache\_merged\1601268389\3877292338.pri C:\Windows\system32\taskmgr.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS81CE7276\Sat09fad3e269114b07.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS81CE7276\Sat09fad3e269114b07.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS81CE7276\Sat09fad3e269114b07.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\system32\taskmgr.exe N/A

Kills process with taskkill

evasion

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies system certificate store

evasion spyware trojan

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\7zS81CE7276\Sat09b5258b63.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = [binary blob value omitted] C:\Users\Admin\AppData\Local\Temp\7zS81CE7276\Sat09b5258b63.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = [binary blob value omitted] C:\Users\Admin\AppData\Local\Temp\7zS81CE7276\Sat09b5258b63.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000\Software\Microsoft\SystemCertificates\CA\Certificates\151682F5218C0A511C28F4060A73B9CA78CE9A53 C:\Users\Admin\AppData\Local\Temp\7zS81CE7276\Sat09b5258b63.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000\Software\Microsoft\SystemCertificates\CA\Certificates\151682F5218C0A511C28F4060A73B9CA78CE9A53\Blob = [binary blob value omitted] C:\Users\Admin\AppData\Local\Temp\7zS81CE7276\Sat09b5258b63.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS81CE7276\Sat09fad3e269114b07.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS81CE7276\Sat09fad3e269114b07.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS81CE7276\Sat09fad3e269114b07.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS81CE7276\Sat09b5258b63.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS81CE7276\Sat09b5258b63.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS81CE7276\Sat09b5258b63.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS81CE7276\Sat09b5258b63.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS81CE7276\Sat09c148600d822e438.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS81CE7276\Sat09b5258b63.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS81CE7276\Sat09b5258b63.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS81CE7276\Sat09b5258b63.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS81CE7276\Sat09b5258b63.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS81CE7276\Sat09b5258b63.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS81CE7276\Sat09b5258b63.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS81CE7276\Sat09b5258b63.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS81CE7276\Sat09b5258b63.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS81CE7276\Sat09b5258b63.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS81CE7276\Sat09b5258b63.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS81CE7276\Sat09b5258b63.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS81CE7276\Sat09b5258b63.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS81CE7276\Sat09b5258b63.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS81CE7276\Sat09b5258b63.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS81CE7276\Sat09b5258b63.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS81CE7276\Sat09b5258b63.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS81CE7276\Sat09b5258b63.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS81CE7276\Sat09b5258b63.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS81CE7276\Sat09b5258b63.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS81CE7276\Sat09b5258b63.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS81CE7276\Sat09b5258b63.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS81CE7276\Sat09b5258b63.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS81CE7276\Sat09b5258b63.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS81CE7276\Sat09b5258b63.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS81CE7276\Sat09b5258b63.exe N/A
Token: 31 N/A C:\Users\Admin\AppData\Local\Temp\7zS81CE7276\Sat09b5258b63.exe N/A
Token: 32 N/A C:\Users\Admin\AppData\Local\Temp\7zS81CE7276\Sat09b5258b63.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\7zS81CE7276\Sat09b5258b63.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\7zS81CE7276\Sat09b5258b63.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\7zS81CE7276\Sat09b5258b63.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS81CE7276\Sat09f1ff9181e817b86.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3096 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\1bcd1d1521d0879173fb5adfd51fad8b9100524dd6f46f79af757d8b4dc00c15.exe C:\Users\Admin\AppData\Local\Temp\7zS81CE7276\setup_install.exe
PID 3096 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\1bcd1d1521d0879173fb5adfd51fad8b9100524dd6f46f79af757d8b4dc00c15.exe C:\Users\Admin\AppData\Local\Temp\7zS81CE7276\setup_install.exe
PID 3096 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\1bcd1d1521d0879173fb5adfd51fad8b9100524dd6f46f79af757d8b4dc00c15.exe C:\Users\Admin\AppData\Local\Temp\7zS81CE7276\setup_install.exe
PID 2972 wrote to memory of 4792 N/A C:\Users\Admin\AppData\Local\Temp\7zS81CE7276\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2972 wrote to memory of 4792 N/A C:\Users\Admin\AppData\Local\Temp\7zS81CE7276\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2972 wrote to memory of 4792 N/A C:\Users\Admin\AppData\Local\Temp\7zS81CE7276\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2972 wrote to memory of 4768 N/A C:\Users\Admin\AppData\Local\Temp\7zS81CE7276\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2972 wrote to memory of 4768 N/A C:\Users\Admin\AppData\Local\Temp\7zS81CE7276\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2972 wrote to memory of 4768 N/A C:\Users\Admin\AppData\Local\Temp\7zS81CE7276\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2972 wrote to memory of 4816 N/A C:\Users\Admin\AppData\Local\Temp\7zS81CE7276\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2972 wrote to memory of 4816 N/A C:\Users\Admin\AppData\Local\Temp\7zS81CE7276\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2972 wrote to memory of 4816 N/A C:\Users\Admin\AppData\Local\Temp\7zS81CE7276\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2972 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\7zS81CE7276\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2972 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\7zS81CE7276\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2972 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\7zS81CE7276\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2972 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Local\Temp\7zS81CE7276\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2972 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Local\Temp\7zS81CE7276\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2972 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Local\Temp\7zS81CE7276\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2972 wrote to memory of 4268 N/A C:\Users\Admin\AppData\Local\Temp\7zS81CE7276\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2972 wrote to memory of 4268 N/A C:\Users\Admin\AppData\Local\Temp\7zS81CE7276\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2972 wrote to memory of 4268 N/A C:\Users\Admin\AppData\Local\Temp\7zS81CE7276\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2972 wrote to memory of 1472 N/A C:\Users\Admin\AppData\Local\Temp\7zS81CE7276\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2972 wrote to memory of 1472 N/A C:\Users\Admin\AppData\Local\Temp\7zS81CE7276\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2972 wrote to memory of 1472 N/A C:\Users\Admin\AppData\Local\Temp\7zS81CE7276\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 5116 wrote to memory of 1612 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS81CE7276\Sat09ac626c3b.exe
PID 5116 wrote to memory of 1612 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS81CE7276\Sat09ac626c3b.exe
PID 5116 wrote to memory of 1612 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS81CE7276\Sat09ac626c3b.exe
PID 2972 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\7zS81CE7276\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2972 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\7zS81CE7276\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2972 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\7zS81CE7276\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4268 wrote to memory of 428 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS81CE7276\Sat0902ab982e32902.exe
PID 4268 wrote to memory of 428 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS81CE7276\Sat0902ab982e32902.exe
PID 4268 wrote to memory of 428 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS81CE7276\Sat0902ab982e32902.exe
PID 2972 wrote to memory of 1296 N/A C:\Users\Admin\AppData\Local\Temp\7zS81CE7276\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2972 wrote to memory of 1296 N/A C:\Users\Admin\AppData\Local\Temp\7zS81CE7276\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2972 wrote to memory of 1296 N/A C:\Users\Admin\AppData\Local\Temp\7zS81CE7276\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2972 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\7zS81CE7276\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2972 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\7zS81CE7276\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2972 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\7zS81CE7276\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2972 wrote to memory of 3764 N/A C:\Users\Admin\AppData\Local\Temp\7zS81CE7276\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2972 wrote to memory of 3764 N/A C:\Users\Admin\AppData\Local\Temp\7zS81CE7276\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2972 wrote to memory of 3764 N/A C:\Users\Admin\AppData\Local\Temp\7zS81CE7276\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4792 wrote to memory of 4284 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4792 wrote to memory of 4284 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4792 wrote to memory of 4284 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4768 wrote to memory of 2840 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS81CE7276\Sat09f1ff9181e817b86.exe
PID 4768 wrote to memory of 2840 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS81CE7276\Sat09f1ff9181e817b86.exe
PID 2772 wrote to memory of 3280 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS81CE7276\Sat09519161cb25021.exe
PID 2772 wrote to memory of 3280 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS81CE7276\Sat09519161cb25021.exe
PID 2772 wrote to memory of 3280 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS81CE7276\Sat09519161cb25021.exe
PID 4816 wrote to memory of 4416 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS81CE7276\Sat096d657bea7.exe
PID 4816 wrote to memory of 4416 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS81CE7276\Sat096d657bea7.exe
PID 4816 wrote to memory of 4416 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS81CE7276\Sat096d657bea7.exe
PID 1472 wrote to memory of 4392 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS81CE7276\Sat09f2a9604ddb0ce.exe
PID 1472 wrote to memory of 4392 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS81CE7276\Sat09f2a9604ddb0ce.exe
PID 1472 wrote to memory of 4392 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS81CE7276\Sat09f2a9604ddb0ce.exe
PID 3024 wrote to memory of 4748 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS81CE7276\Sat091ac9063af7.exe
PID 3024 wrote to memory of 4748 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS81CE7276\Sat091ac9063af7.exe
PID 428 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\7zS81CE7276\Sat0902ab982e32902.exe C:\Users\Admin\AppData\Local\Temp\is-EJ1OG.tmp\Sat0902ab982e32902.tmp
PID 428 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\7zS81CE7276\Sat0902ab982e32902.exe C:\Users\Admin\AppData\Local\Temp\is-EJ1OG.tmp\Sat0902ab982e32902.tmp
PID 428 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\7zS81CE7276\Sat0902ab982e32902.exe C:\Users\Admin\AppData\Local\Temp\is-EJ1OG.tmp\Sat0902ab982e32902.tmp
PID 1296 wrote to memory of 4400 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS81CE7276\Sat09c148600d822e438.exe
PID 1296 wrote to memory of 4400 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS81CE7276\Sat09c148600d822e438.exe
PID 2080 wrote to memory of 3320 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS81CE7276\Sat09b5258b63.exe

Processes

C:\Users\Admin\AppData\Local\Temp\1bcd1d1521d0879173fb5adfd51fad8b9100524dd6f46f79af757d8b4dc00c15.exe

"C:\Users\Admin\AppData\Local\Temp\1bcd1d1521d0879173fb5adfd51fad8b9100524dd6f46f79af757d8b4dc00c15.exe"

C:\Users\Admin\AppData\Local\Temp\7zS81CE7276\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zS81CE7276\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat09f1ff9181e817b86.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat096d657bea7.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat091ac9063af7.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat09ac626c3b.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat0902ab982e32902.exe

C:\Users\Admin\AppData\Local\Temp\7zS81CE7276\Sat09ac626c3b.exe

Sat09ac626c3b.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat09fad3e269114b07.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat09519161cb25021.exe /mixone

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat09c148600d822e438.exe

C:\Users\Admin\AppData\Local\Temp\7zS81CE7276\Sat0902ab982e32902.exe

Sat0902ab982e32902.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat09b5258b63.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat09f2a9604ddb0ce.exe

C:\Users\Admin\AppData\Local\Temp\7zS81CE7276\Sat09f1ff9181e817b86.exe

Sat09f1ff9181e817b86.exe

C:\Users\Admin\AppData\Local\Temp\7zS81CE7276\Sat09519161cb25021.exe

Sat09519161cb25021.exe /mixone

C:\Users\Admin\AppData\Local\Temp\7zS81CE7276\Sat096d657bea7.exe

Sat096d657bea7.exe

C:\Users\Admin\AppData\Local\Temp\7zS81CE7276\Sat09f2a9604ddb0ce.exe

Sat09f2a9604ddb0ce.exe

C:\Users\Admin\AppData\Local\Temp\7zS81CE7276\Sat091ac9063af7.exe

Sat091ac9063af7.exe

C:\Users\Admin\AppData\Local\Temp\7zS81CE7276\Sat09c148600d822e438.exe

Sat09c148600d822e438.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2972 -s 472

C:\Users\Admin\AppData\Local\Temp\7zS81CE7276\Sat09b5258b63.exe

Sat09b5258b63.exe

C:\Users\Admin\AppData\Local\Temp\is-EJ1OG.tmp\Sat0902ab982e32902.tmp

"C:\Users\Admin\AppData\Local\Temp\is-EJ1OG.tmp\Sat0902ab982e32902.tmp" /SL5="$6004E,506086,422400,C:\Users\Admin\AppData\Local\Temp\7zS81CE7276\Sat0902ab982e32902.exe"

C:\Users\Admin\AppData\Local\Temp\7zS81CE7276\Sat09fad3e269114b07.exe

Sat09fad3e269114b07.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4392 -s 928

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im chrome.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im chrome.exe

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /7

C:\Users\Admin\Pictures\Adobe Films\tLx8LPKsVcx6ROGQHOAthLrV.exe

"C:\Users\Admin\Pictures\Adobe Films\tLx8LPKsVcx6ROGQHOAthLrV.exe"

Network


Files
