nymaim | 84c4fe56c2361a095ea3a1cb743b434b4ea995429ddc3171af6501c92b478828

Analysis

max time kernel
8s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
19-06-2022 11:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a939f94e21313abc147331a7aeea1c53.exe
Size

11.2MB
MD5

a939f94e21313abc147331a7aeea1c53
SHA1

d0b849ee969baf2ffce1f5066e34ff7bc96a307b
SHA256

84c4fe56c2361a095ea3a1cb743b434b4ea995429ddc3171af6501c92b478828
SHA512

f8f9f544ea6a64ceace1c199145cf1d2e009c5768628d3dd50950a584deaf9ddf7a9e4c591998efa3062d7d4580b74f7a50ea53e528655ac16dd2f6e314e1b7f

Score

10^/10

nymaim recordbreaker socelars agilenet stealer suricata themida trojan vmprotect

Malware Config

Extracted

Family

socelars

https://sa-us-bucket.s3.us-east-2.amazonaws.com/eurfrsa613/

Extracted

Family

nymaim

37.0.8.39

31.210.20.149

212.192.241.16

Extracted

Family

recordbreaker

http://5.42.199.87/

Signatures

NyMaim
NyMaim is a malware with various capabilities written in C++ and first seen in 2013.
trojan nymaim

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exerundll32.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3448	2788	rundll32.exe	124
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3996	2788	rundll32.exe	124

RecordBreaker
RecordBreaker is an information stealer capable of downloading and executing secondary payloads written in C++.
stealer recordbreaker
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/files/0x0008000000022edd-177.dat	family_socelars
behavioral2/files/0x0008000000022edd-209.dat	family_socelars

suricata: ET MALWARE Generic Stealer Config Download Request
suricata: ET MALWARE Generic Stealer Config Download Request
suricata
suricata: ET MALWARE Recordbreaker Stealer CnC Checkin
suricata: ET MALWARE Recordbreaker Stealer CnC Checkin
suricata
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata
suricata: ET MALWARE Win32/RecordBreaker CnC Checkin
suricata: ET MALWARE Win32/RecordBreaker CnC Checkin
suricata
Downloads MZ/PE file

Executes dropped EXE 11 IoCs

Processes:

setup_install.exe62a80ecbc246c_9763cc7.exe62a80ecb0ed83_595061af6.exe62a80ecc8120e_91be93d60.exe62a80ecd5e9a9_e144f2.exe62a80ed360d17_a9a15e2.exe62a80ed1cbd2e_5edde3.exe62a80ed92b6cc_f58bd64337.exe62a80ed4eaa31_cf44d5e0f6.exe62a80ed66841d_f5a640c73e.exe62a80ed7c3158_e3388f.exe

pid	Process
3028	setup_install.exe
4304	62a80ecbc246c_9763cc7.exe
4308	62a80ecb0ed83_595061af6.exe
4416	62a80ecc8120e_91be93d60.exe
4196	62a80ecd5e9a9_e144f2.exe
1096	62a80ed360d17_a9a15e2.exe
1332	62a80ed1cbd2e_5edde3.exe
4044	62a80ed92b6cc_f58bd64337.exe
1776	62a80ed4eaa31_cf44d5e0f6.exe
1388	62a80ed66841d_f5a640c73e.exe
1244	62a80ed7c3158_e3388f.exe

VMProtect packed file 12 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral2/files/0x0007000000022ed8-159.dat	vmprotect
behavioral2/files/0x0007000000022edb-169.dat	vmprotect
behavioral2/files/0x0007000000022ed8-185.dat	vmprotect
behavioral2/memory/4044-191-0x0000000000D30000-0x0000000001755000-memory.dmp	vmprotect
behavioral2/files/0x0007000000022edb-180.dat	vmprotect
behavioral2/memory/4044-203-0x0000000000D30000-0x0000000001755000-memory.dmp	vmprotect
behavioral2/memory/1776-200-0x0000000140000000-0x000000014067E000-memory.dmp	vmprotect
behavioral2/memory/4044-256-0x0000000000D30000-0x0000000001755000-memory.dmp	vmprotect
behavioral2/memory/4044-324-0x0000000000D30000-0x0000000001755000-memory.dmp	vmprotect
behavioral2/memory/4044-326-0x0000000000D30000-0x0000000001755000-memory.dmp	vmprotect
behavioral2/memory/4044-327-0x0000000000D30000-0x0000000001755000-memory.dmp	vmprotect
behavioral2/memory/3916-390-0x0000000140000000-0x0000000140679000-memory.dmp	vmprotect

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

a939f94e21313abc147331a7aeea1c53.exe62a80ecc8120e_91be93d60.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	a939f94e21313abc147331a7aeea1c53.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	62a80ecc8120e_91be93d60.exe

Loads dropped DLL 1 IoCs

Processes:

setup_install.exe

pid	Process
3028	setup_install.exe

Obfuscated with Agile.Net obfuscator 3 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral2/files/0x0007000000022ed3-153.dat	agile_net
behavioral2/memory/4304-171-0x0000000000CF0000-0x0000000000D32000-memory.dmp	agile_net
behavioral2/files/0x0007000000022ed3-139.dat	agile_net

Themida packer 8 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral2/files/0x0007000000022edb-169.dat	themida
behavioral2/memory/4044-191-0x0000000000D30000-0x0000000001755000-memory.dmp	themida
behavioral2/files/0x0007000000022edb-180.dat	themida
behavioral2/memory/4044-203-0x0000000000D30000-0x0000000001755000-memory.dmp	themida
behavioral2/memory/4044-256-0x0000000000D30000-0x0000000001755000-memory.dmp	themida
behavioral2/memory/4044-324-0x0000000000D30000-0x0000000001755000-memory.dmp	themida
behavioral2/memory/4044-326-0x0000000000D30000-0x0000000001755000-memory.dmp	themida
behavioral2/memory/4044-327-0x0000000000D30000-0x0000000001755000-memory.dmp	themida

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
18	ip-api.com
161	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 18 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	Process	procid_target
1336	1096	WerFault.exe	91
4744	1776	WerFault.exe	95
1864	1096	WerFault.exe	91
1524	1616	WerFault.exe
1544	1096	WerFault.exe	91
4652	1096	WerFault.exe	91
1280	1096	WerFault.exe	91
876	1096	WerFault.exe	91
1988	1096	WerFault.exe	91
4448	1096	WerFault.exe	91
3512	1096	WerFault.exe	91
5592	3044	WerFault.exe	187
6068	3044	WerFault.exe	187
5464	3044	WerFault.exe	187
5260	4956	WerFault.exe	216
5332	3044	WerFault.exe	187
6092	3916	WerFault.exe	214
692	3044	WerFault.exe	187

Kills process with taskkill 3 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exe

pid	Process
5372	taskkill.exe
4076	taskkill.exe
4312	taskkill.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

Processes:

PING.EXE

pid	Process
4272	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid	Process
4300	powershell.exe
4300	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

WerFault.exepowershell.exe

description	pid	Process
Token: SeDebugPrivilege	4308	WerFault.exe
Token: SeDebugPrivilege	4300	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

62a80ecc8120e_91be93d60.exe

pid	Process
4416	62a80ecc8120e_91be93d60.exe
4416	62a80ecc8120e_91be93d60.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

a939f94e21313abc147331a7aeea1c53.exesetup_install.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	Process	procid_target
PID 3272 wrote to memory of 3028	3272	a939f94e21313abc147331a7aeea1c53.exe	79
PID 3272 wrote to memory of 3028	3272	a939f94e21313abc147331a7aeea1c53.exe	79
PID 3272 wrote to memory of 3028	3272	a939f94e21313abc147331a7aeea1c53.exe	79
PID 3028 wrote to memory of 2444	3028	setup_install.exe	82
PID 3028 wrote to memory of 2444	3028	setup_install.exe	82
PID 3028 wrote to memory of 2444	3028	setup_install.exe	82
PID 3028 wrote to memory of 4732	3028	setup_install.exe	83
PID 3028 wrote to memory of 4732	3028	setup_install.exe	83
PID 3028 wrote to memory of 4732	3028	setup_install.exe	83
PID 3028 wrote to memory of 1540	3028	setup_install.exe	84
PID 3028 wrote to memory of 1540	3028	setup_install.exe	84
PID 3028 wrote to memory of 1540	3028	setup_install.exe	84
PID 3028 wrote to memory of 4560	3028	setup_install.exe	85
PID 3028 wrote to memory of 4560	3028	setup_install.exe	85
PID 3028 wrote to memory of 4560	3028	setup_install.exe	85
PID 3028 wrote to memory of 3508	3028	setup_install.exe	86
PID 3028 wrote to memory of 3508	3028	setup_install.exe	86
PID 3028 wrote to memory of 3508	3028	setup_install.exe	86
PID 3028 wrote to memory of 4336	3028	setup_install.exe	87
PID 3028 wrote to memory of 4336	3028	setup_install.exe	87
PID 3028 wrote to memory of 4336	3028	setup_install.exe	87
PID 3028 wrote to memory of 4220	3028	setup_install.exe	107
PID 3028 wrote to memory of 4220	3028	setup_install.exe	107
PID 3028 wrote to memory of 4220	3028	setup_install.exe	107
PID 4732 wrote to memory of 4308	4732	cmd.exe	103
PID 4732 wrote to memory of 4308	4732	cmd.exe	103
PID 1540 wrote to memory of 4304	1540	cmd.exe	104
PID 1540 wrote to memory of 4304	1540	cmd.exe	104
PID 1540 wrote to memory of 4304	1540	cmd.exe	104
PID 2444 wrote to memory of 4300	2444	cmd.exe	106
PID 2444 wrote to memory of 4300	2444	cmd.exe	106
PID 2444 wrote to memory of 4300	2444	cmd.exe	106
PID 4560 wrote to memory of 4416	4560	cmd.exe	105
PID 4560 wrote to memory of 4416	4560	cmd.exe	105
PID 4560 wrote to memory of 4416	4560	cmd.exe	105
PID 3508 wrote to memory of 4196	3508	cmd.exe	88
PID 3508 wrote to memory of 4196	3508	cmd.exe	88
PID 3508 wrote to memory of 4196	3508	cmd.exe	88
PID 3028 wrote to memory of 1532	3028	setup_install.exe	102
PID 3028 wrote to memory of 1532	3028	setup_install.exe	102
PID 3028 wrote to memory of 1532	3028	setup_install.exe	102
PID 4220 wrote to memory of 1096	4220	cmd.exe	91
PID 4220 wrote to memory of 1096	4220	cmd.exe	91
PID 4220 wrote to memory of 1096	4220	cmd.exe	91
PID 3028 wrote to memory of 3580	3028	setup_install.exe	90
PID 3028 wrote to memory of 3580	3028	setup_install.exe	90
PID 3028 wrote to memory of 3580	3028	setup_install.exe	90
PID 3028 wrote to memory of 1764	3028	setup_install.exe	89
PID 3028 wrote to memory of 1764	3028	setup_install.exe	89
PID 3028 wrote to memory of 1764	3028	setup_install.exe	89
PID 3028 wrote to memory of 2976	3028	setup_install.exe	92
PID 3028 wrote to memory of 2976	3028	setup_install.exe	92
PID 3028 wrote to memory of 2976	3028	setup_install.exe	92
PID 4336 wrote to memory of 1332	4336	cmd.exe	101
PID 4336 wrote to memory of 1332	4336	cmd.exe	101
PID 4336 wrote to memory of 1332	4336	cmd.exe	101
PID 3028 wrote to memory of 3732	3028	setup_install.exe	100
PID 3028 wrote to memory of 3732	3028	setup_install.exe	100
PID 3028 wrote to memory of 3732	3028	setup_install.exe	100
PID 3028 wrote to memory of 208	3028	setup_install.exe	93
PID 3028 wrote to memory of 208	3028	setup_install.exe	93
PID 3028 wrote to memory of 208	3028	setup_install.exe	93
PID 2976 wrote to memory of 4044	2976	cmd.exe	99
PID 2976 wrote to memory of 4044	2976	cmd.exe	99

C:\Users\Admin\AppData\Local\Temp\a939f94e21313abc147331a7aeea1c53.exe
"C:\Users\Admin\AppData\Local\Temp\a939f94e21313abc147331a7aeea1c53.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3272
- C:\Users\Admin\AppData\Local\Temp\7zS8CC5E7F6\setup_install.exe
  "C:\Users\Admin\AppData\Local\Temp\7zS8CC5E7F6\setup_install.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3028
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2444
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4300
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 62a80ecb0ed83_595061af6.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4732
  - - C:\Users\Admin\AppData\Local\Temp\7zS8CC5E7F6\62a80ecb0ed83_595061af6.exe
      62a80ecb0ed83_595061af6.exe
      4⤵
      Executes dropped EXE
      PID:4308
    - - C:\Users\Admin\AppData\Roaming\172322.exe
        
        "C:\Users\Admin\AppData\Roaming\172322.exe"
        5⤵
        
        PID:1656
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 62a80ecbc246c_9763cc7.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1540
  - - C:\Users\Admin\AppData\Local\Temp\7zS8CC5E7F6\62a80ecbc246c_9763cc7.exe
      62a80ecbc246c_9763cc7.exe
      4⤵
      Executes dropped EXE
      PID:4304
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 62a80ecc8120e_91be93d60.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4560
  - - C:\Users\Admin\AppData\Local\Temp\7zS8CC5E7F6\62a80ecc8120e_91be93d60.exe
      62a80ecc8120e_91be93d60.exe
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Suspicious use of SetWindowsHookEx
      PID:4416
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 62a80ecd5e9a9_e144f2.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3508
  - - C:\Users\Admin\AppData\Local\Temp\7zS8CC5E7F6\62a80ecd5e9a9_e144f2.exe
      62a80ecd5e9a9_e144f2.exe
      4⤵
      Executes dropped EXE
      PID:4196
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 62a80ed1cbd2e_5edde3.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4336
  - - C:\Users\Admin\AppData\Local\Temp\7zS8CC5E7F6\62a80ed1cbd2e_5edde3.exe
      62a80ed1cbd2e_5edde3.exe
      4⤵
      Executes dropped EXE
      PID:1332
    - - C:\Windows\SysWOW64\control.exe
        
        "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\PL9KAATD.cpL",
        5⤵
        
        PID:2376
      - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\PL9KAATD.cpL",
        6⤵
        
        PID:4736
        
        C:\Windows\system32\RunDll32.exe
        
        C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\PL9KAATD.cpL",
        7⤵
        
        PID:2100
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 62a80ed7c3158_e3388f.exe
    3⤵
    PID:1764
  - - C:\Users\Admin\AppData\Local\Temp\7zS8CC5E7F6\62a80ed7c3158_e3388f.exe
      62a80ed7c3158_e3388f.exe
      4⤵
      Executes dropped EXE
      PID:1244
    - - C:\Users\Admin\AppData\Local\Temp\is-JA11E.tmp\62a80ed7c3158_e3388f.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-JA11E.tmp\62a80ed7c3158_e3388f.tmp" /SL5="$101E6,506127,422400,C:\Users\Admin\AppData\Local\Temp\7zS8CC5E7F6\62a80ed7c3158_e3388f.exe"
        5⤵
        
        PID:2920
      - C:\Users\Admin\AppData\Local\Temp\is-9SCNF.tmp\ikos.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-9SCNF.tmp\ikos.exe" /S /UID=1405
        6⤵
        
        PID:2200
        
        C:\Users\Admin\AppData\Local\Temp\e0-913a1-b37-a28bb-adab113e571fe\Vozhokylesae.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e0-913a1-b37-a28bb-adab113e571fe\Vozhokylesae.exe"
        7⤵
        
        PID:2464
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6
        8⤵
        
        PID:2500
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffe0f5246f8,0x7ffe0f524708,0x7ffe0f524718
        9⤵
        
        PID:2496
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2180,8717468871266206519,4567943200838234270,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2192 /prefetch:2
        9⤵
        
        PID:1844
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2180,8717468871266206519,4567943200838234270,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 /prefetch:3
        9⤵
        
        PID:808
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2180,8717468871266206519,4567943200838234270,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3260 /prefetch:8
        9⤵
        
        PID:2548
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,8717468871266206519,4567943200838234270,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3832 /prefetch:1
        9⤵
        
        PID:2408
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,8717468871266206519,4567943200838234270,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3844 /prefetch:1
        9⤵
        
        PID:1304
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2180,8717468871266206519,4567943200838234270,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5020 /prefetch:8
        9⤵
        
        PID:2376
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,8717468871266206519,4567943200838234270,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5540 /prefetch:1
        9⤵
        
        PID:4572
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,8717468871266206519,4567943200838234270,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5740 /prefetch:1
        9⤵
        
        PID:5204
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,8717468871266206519,4567943200838234270,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5544 /prefetch:1
        9⤵
        
        PID:5456
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,8717468871266206519,4567943200838234270,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5872 /prefetch:1
        9⤵
        
        PID:5708
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,8717468871266206519,4567943200838234270,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5876 /prefetch:1
        9⤵
        
        PID:5768
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2180,8717468871266206519,4567943200838234270,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5548 /prefetch:8
        9⤵
        
        PID:5788
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,8717468871266206519,4567943200838234270,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5624 /prefetch:1
        9⤵
        
        PID:1236
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,8717468871266206519,4567943200838234270,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6444 /prefetch:1
        9⤵
        
        PID:6140
        
        C:\Users\Admin\AppData\Local\Temp\ba-8b3b1-aac-935b0-a321259a16e6a\Kasumilaebo.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ba-8b3b1-aac-935b0-a321259a16e6a\Kasumilaebo.exe"
        7⤵
        
        PID:4020
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\0jify5ef.lsj\installer.exe /qn CAMPAIGN= & exit
        8⤵
        
        PID:4668
        
        C:\Users\Admin\AppData\Local\Temp\0jify5ef.lsj\installer.exe
        
        C:\Users\Admin\AppData\Local\Temp\0jify5ef.lsj\installer.exe /qn CAMPAIGN=
        9⤵
        
        PID:3312
        
        C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Yonatan.msi" /qn CAMPAIGN="" AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\0jify5ef.lsj\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\0jify5ef.lsj\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1655398721 /qn CAMPAIGN= " CAMPAIGN=""
        10⤵
        
        PID:5720
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\54j4skb4.4ja\161.exe /silent /subid=798 & exit
        8⤵
        
        PID:3768
        
        C:\Users\Admin\AppData\Local\Temp\54j4skb4.4ja\161.exe
        
        C:\Users\Admin\AppData\Local\Temp\54j4skb4.4ja\161.exe /silent /subid=798
        9⤵
        
        PID:2728
        
        C:\Users\Admin\AppData\Local\Temp\is-S1DNL.tmp\161.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-S1DNL.tmp\161.tmp" /SL5="$801CC,15170975,270336,C:\Users\Admin\AppData\Local\Temp\54j4skb4.4ja\161.exe" /silent /subid=798
        10⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\uninstall.bat" "
        11⤵
        
        PID:5592
        
        C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
        
        tapinstall.exe remove tap0901
        12⤵
        
        PID:5608
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\z3px4deh.pex\gcleaner.exe /mixfive & exit
        8⤵
        
        PID:1404
        
        C:\Users\Admin\AppData\Local\Temp\z3px4deh.pex\gcleaner.exe
        
        C:\Users\Admin\AppData\Local\Temp\z3px4deh.pex\gcleaner.exe /mixfive
        9⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3044 -s 456
        10⤵
        Program crash
        
        PID:5592
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3044 -s 768
        10⤵
        Program crash
        
        PID:6068
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3044 -s 808
        10⤵
        Program crash
        
        PID:5464
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3044 -s 800
        10⤵
        Program crash
        
        PID:5332
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3044 -s 828
        10⤵
        Program crash
        
        PID:692
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\owkjzh5s.ivo\random.exe & exit
        8⤵
        
        PID:2816
        
        C:\Users\Admin\AppData\Local\Temp\owkjzh5s.ivo\random.exe
        
        C:\Users\Admin\AppData\Local\Temp\owkjzh5s.ivo\random.exe
        9⤵
        
        PID:5256
        
        C:\Users\Admin\AppData\Local\Temp\owkjzh5s.ivo\random.exe
        
        "C:\Users\Admin\AppData\Local\Temp\owkjzh5s.ivo\random.exe" help
        10⤵
        
        PID:5608
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\xcxp0nl4.53d\handselfdiy_0.exe & exit
        8⤵
        
        PID:4896
        
        C:\Users\Admin\AppData\Local\Temp\xcxp0nl4.53d\handselfdiy_0.exe
        
        C:\Users\Admin\AppData\Local\Temp\xcxp0nl4.53d\handselfdiy_0.exe
        9⤵
        
        PID:5916
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        10⤵
        
        PID:5560
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        11⤵
        Kills process with taskkill
        
        PID:5372
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe"
        10⤵
        
        PID:5376
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffe0c2e4f50,0x7ffe0c2e4f60,0x7ffe0c2e4f70
        11⤵
        
        PID:3668
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\vbiobl3q.anb\wDzAUYj.exe & exit
        8⤵
        
        PID:5188
        
        C:\Users\Admin\AppData\Local\Temp\vbiobl3q.anb\wDzAUYj.exe
        
        C:\Users\Admin\AppData\Local\Temp\vbiobl3q.anb\wDzAUYj.exe
        9⤵
        
        PID:5856
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\vswuidhi.rcb\rmaa1045.exe & exit
        8⤵
        
        PID:5640
        
        C:\Users\Admin\AppData\Local\Temp\vswuidhi.rcb\rmaa1045.exe
        
        C:\Users\Admin\AppData\Local\Temp\vswuidhi.rcb\rmaa1045.exe
        9⤵
        
        PID:3916
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 3916 -s 348
        10⤵
        Program crash
        
        PID:6092
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\lmxfim0i.wpv\installer.exe /qn CAMPAIGN=654 & exit
        8⤵
        
        PID:5928
        
        C:\Users\Admin\AppData\Local\Temp\lmxfim0i.wpv\installer.exe
        
        C:\Users\Admin\AppData\Local\Temp\lmxfim0i.wpv\installer.exe /qn CAMPAIGN=654
        9⤵
        
        PID:6116
        
        C:\Program Files\Microsoft Office 15\JRPDEUPLRU\poweroff.exe
        
        "C:\Program Files\Microsoft Office 15\JRPDEUPLRU\poweroff.exe" /VERYSILENT
        7⤵
        
        PID:2364
        
        C:\Users\Admin\AppData\Local\Temp\is-32UQL.tmp\poweroff.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-32UQL.tmp\poweroff.tmp" /SL5="$20206,490199,350720,C:\Program Files\Microsoft Office 15\JRPDEUPLRU\poweroff.exe" /VERYSILENT
        8⤵
        
        PID:4144
        
        C:\Program Files (x86)\powerOff\Power Off.exe
        
        "C:\Program Files (x86)\powerOff\Power Off.exe" -silent -desktopShortcut -programMenu
        9⤵
        
        PID:3176
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 62a80ed66841d_f5a640c73e.exe
    3⤵
    PID:3580
  - - C:\Users\Admin\AppData\Local\Temp\7zS8CC5E7F6\62a80ed66841d_f5a640c73e.exe
      62a80ed66841d_f5a640c73e.exe
      4⤵
      Executes dropped EXE
      PID:1388
    - - C:\Users\Admin\AppData\Local\Temp\7zS8CC5E7F6\62a80ed66841d_f5a640c73e.exe
        
        62a80ed66841d_f5a640c73e.exe
        5⤵
        
        PID:736
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 62a80ed92b6cc_f58bd64337.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2976
  - - C:\Users\Admin\AppData\Local\Temp\7zS8CC5E7F6\62a80ed92b6cc_f58bd64337.exe
      62a80ed92b6cc_f58bd64337.exe
      4⤵
      Executes dropped EXE
      PID:4044
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 62a80edbdf738_95ab138.exe
    3⤵
    PID:208
  - - C:\Users\Admin\AppData\Local\Temp\7zS8CC5E7F6\62a80edbdf738_95ab138.exe
      62a80edbdf738_95ab138.exe
      4⤵
      PID:2292
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        5⤵
        
        PID:548
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        6⤵
        Kills process with taskkill
        
        PID:4076
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe"
        5⤵
        
        PID:3868
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe0c184f50,0x7ffe0c184f60,0x7ffe0c184f70
        6⤵
        
        PID:2124
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 62a80edccff90_9800c62d9.exe
    3⤵
    PID:1568
  - - C:\Users\Admin\AppData\Local\Temp\7zS8CC5E7F6\62a80edccff90_9800c62d9.exe
      62a80edccff90_9800c62d9.exe
      4⤵
      PID:4724
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\7zS8CC5E7F6\62a80edccff90_9800c62d9.exe" >> NUL
        5⤵
        
        PID:460
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:4272
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 62a80ed9cb66c_6d6b769.exe
    3⤵
    PID:3732
  - - C:\Users\Admin\AppData\Local\Temp\7zS8CC5E7F6\62a80ed9cb66c_6d6b769.exe
      62a80ed9cb66c_6d6b769.exe
      4⤵
      PID:2216
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 62a80ed4eaa31_cf44d5e0f6.exe
    3⤵
    PID:1532
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 62a80ed360d17_a9a15e2.exe /mixtwo
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4220

C:\Users\Admin\AppData\Local\Temp\7zS8CC5E7F6\62a80ed360d17_a9a15e2.exe
62a80ed360d17_a9a15e2.exe /mixtwo
1⤵
- Executes dropped EXE
PID:1096
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1096 -s 464
  2⤵
  - Program crash
  PID:1336
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1096 -s 772
  2⤵
  - Program crash
  PID:1864
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1096 -s 780
  2⤵
  - Program crash
  PID:1544
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1096 -s 824
  2⤵
  - Program crash
  PID:4652
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1096 -s 832
  2⤵
  - Program crash
  PID:1280
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1096 -s 1016
  2⤵
  - Program crash
  PID:876
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1096 -s 1028
  2⤵
  - Program crash
  PID:1988
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1096 -s 1392
  2⤵
  - Program crash
  PID:4448
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /im "62a80ed360d17_a9a15e2.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zS8CC5E7F6\62a80ed360d17_a9a15e2.exe" & exit
  2⤵
  PID:3420
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im "62a80ed360d17_a9a15e2.exe" /f
    3⤵
    - Kills process with taskkill
    PID:4312
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1096 -s 1328
  2⤵
  - Program crash
  PID:3512

C:\Users\Admin\AppData\Local\Temp\7zS8CC5E7F6\62a80ed4eaa31_cf44d5e0f6.exe
62a80ed4eaa31_cf44d5e0f6.exe
1⤵
- Executes dropped EXE
PID:1776
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1776 -s 704
  2⤵
  - Program crash
  PID:4744

C:\Users\Admin\AppData\Local\Temp\7zS8CC5E7F6\62a80ecc8120e_91be93d60.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8CC5E7F6\62a80ecc8120e_91be93d60.exe" help
1⤵
PID:4980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1096 -ip 1096
1⤵
PID:2956

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 464 -p 1776 -ip 1776
1⤵
PID:2400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1096 -ip 1096
1⤵
PID:1484

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",global
1⤵
- Process spawned unexpected child process
PID:3448
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",global
  2⤵
  PID:1616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1616 -ip 1616
1⤵
PID:204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1616 -s 600
1⤵
- Program crash
PID:1524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1096 -ip 1096
1⤵
PID:2684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1096 -ip 1096
1⤵
PID:3628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 1096 -ip 1096
1⤵
PID:3116

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\PL9KAATD.cpL",
1⤵
PID:4236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1096 -ip 1096
1⤵
PID:560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1096 -ip 1096
1⤵
PID:3232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1096 -ip 1096
1⤵
PID:1860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1096 -ip 1096
1⤵
PID:372

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4108

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:5144
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 462D7D32F6560B1E8C435D2C62E797FE C
  2⤵
  PID:5580
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding A1A180E0DC005B8A5BEFD56F64C165AA
  2⤵
  PID:6136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3044 -ip 3044
1⤵
PID:5476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3044 -ip 3044
1⤵
PID:6012

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",global
1⤵
- Process spawned unexpected child process
PID:3996
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",global
  2⤵
  PID:4956
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4956 -s 608
    3⤵
    - Program crash
    PID:5260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3044 -ip 3044
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 4956 -ip 4956
1⤵
PID:4080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3044 -ip 3044
1⤵
PID:4272

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 544 -p 3916 -ip 3916
1⤵
PID:5340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3044 -ip 3044
1⤵
PID:5764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 3044 -ip 3044
1⤵
PID:1268

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\powerOff\Power Off.exe

Filesize
621KB

MD5
8d0b18eb87590fa654da3704092b122b

SHA1
aaf4417695904bd718def564b2c1dae40623cc1d

SHA256
f9d12723a5ac3ade8212b4ec2f2b8452b7deb10e071bcb4e50a9cb6cb85b1457

SHA512
fa54fad936e96ecabfab70f29fe5095b60ce5bfa7f31f6c405c42ad4f4f153ec7406d03d0451e11e886722abf28f09b219d3e8d9a703f20cb67b0950d8b70828

Download Submit
C:\Program Files (x86)\powerOff\Power Off.exe

Filesize
621KB

MD5
8d0b18eb87590fa654da3704092b122b

SHA1
aaf4417695904bd718def564b2c1dae40623cc1d

SHA256
f9d12723a5ac3ade8212b4ec2f2b8452b7deb10e071bcb4e50a9cb6cb85b1457

SHA512
fa54fad936e96ecabfab70f29fe5095b60ce5bfa7f31f6c405c42ad4f4f153ec7406d03d0451e11e886722abf28f09b219d3e8d9a703f20cb67b0950d8b70828

Download Submit
C:\Program Files\Microsoft Office 15\JRPDEUPLRU\poweroff.exe

Filesize
838KB

MD5
c0538198613d60407c75c54c55e69d91

SHA1
a2d713a098bc7b6d245c428dcdeb5614af3b8edd

SHA256
c23f223e4d981eb0e24cadae9dc0c60e40e12ff220d95c9dd2a5b6220fa6d6ed

SHA512
121f882471cd14752a1f806472c89028cc56c90fbfb0b645c26937c417f107d5324250f783310032d4526018c8918cdd06c52325949f78220a9d3bab167e3529

Download Submit
C:\Program Files\Microsoft Office 15\JRPDEUPLRU\poweroff.exe

Filesize
838KB

MD5
c0538198613d60407c75c54c55e69d91

SHA1
a2d713a098bc7b6d245c428dcdeb5614af3b8edd

SHA256
c23f223e4d981eb0e24cadae9dc0c60e40e12ff220d95c9dd2a5b6220fa6d6ed

SHA512
121f882471cd14752a1f806472c89028cc56c90fbfb0b645c26937c417f107d5324250f783310032d4526018c8918cdd06c52325949f78220a9d3bab167e3529

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\powerOff.lnk

Filesize
1KB

MD5
5ee42434d42e192ee499368a68b94a2e

SHA1
cfa5bb1bd3cfe30f8eb6250c53cad2d87cc1bacb

SHA256
6c1ead7a31b16392016c5ed3979c2c5f9376ca2fa974475f9966b0135cd45f7d

SHA512
c1ca7b8d68c2c5362832f4a5c3a61a532729f4e7a9fa84a2bc410576ab6b525bed1ae957600cc663005f97283ef858a17e9fffd052cc32a009fc8cb07a52d90f

Download Submit
C:\Users\Admin\AppData\Local\Temp\0jify5ef.lsj\installer.exe

Filesize
4.5MB

MD5
4113cbe4628131ffe796cda8314b9d0c

SHA1
cf7be74c1ebb054ec30ee39bd4de66aad8e06bd7

SHA256
4fd44841e621e1e59bea1e6cd326555bca489440646f6e3e0a6f94ade6b28ade

SHA512
870f51a8fbbce701c2f52cb7faaf3633ddbdebca233c57b8330e54f1ce772ad4c0d2df819bf58b96fc57e0faf16253ffcee787c93a5e04b414fde957705a3c42

Download Submit
C:\Users\Admin\AppData\Local\Temp\0jify5ef.lsj\installer.exe

Filesize
4.5MB

MD5
4113cbe4628131ffe796cda8314b9d0c

SHA1
cf7be74c1ebb054ec30ee39bd4de66aad8e06bd7

SHA256
4fd44841e621e1e59bea1e6cd326555bca489440646f6e3e0a6f94ade6b28ade

SHA512
870f51a8fbbce701c2f52cb7faaf3633ddbdebca233c57b8330e54f1ce772ad4c0d2df819bf58b96fc57e0faf16253ffcee787c93a5e04b414fde957705a3c42

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8CC5E7F6\62a80ecb0ed83_595061af6.exe

Filesize
157KB

MD5
bde63fbba07c724aee393ea1b290e632

SHA1
e5b26db4b84292d5afc542035dfa425bcfa763e5

SHA256
b787ca01602942f97870727418a7c48cacbc834c6cc3d87f93e5b234286ab73c

SHA512
c188e1ef4f7bff83c917966354dd4468af2d11c5cccf173d620711f107a992903f13e23944e6efb3689487fbdca152a4fc52a9be92b88f46714832556a28210d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8CC5E7F6\62a80ecb0ed83_595061af6.exe

Filesize
157KB

MD5
bde63fbba07c724aee393ea1b290e632

SHA1
e5b26db4b84292d5afc542035dfa425bcfa763e5

SHA256
b787ca01602942f97870727418a7c48cacbc834c6cc3d87f93e5b234286ab73c

SHA512
c188e1ef4f7bff83c917966354dd4468af2d11c5cccf173d620711f107a992903f13e23944e6efb3689487fbdca152a4fc52a9be92b88f46714832556a28210d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8CC5E7F6\62a80ecbc246c_9763cc7.exe

Filesize
242KB

MD5
2db62b3e5088b61ead161e0482b2f6f2

SHA1
a13b707e24ae6269631ce1099263cbc793f4b2a1

SHA256
c277eac5a2f147b839219c2327a2d7e6c85be9dabe91c8a92b553e2cadc9e3c3

SHA512
9c287e38c61c28ee0fce45b8734a979d6c74dbdd8648327ac7f7d24e9a2c07736eff70f2f8ca33ddd6196d4b629865ae35abd0de8e784e989179618aa1d72774

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8CC5E7F6\62a80ecbc246c_9763cc7.exe

Filesize
242KB

MD5
2db62b3e5088b61ead161e0482b2f6f2

SHA1
a13b707e24ae6269631ce1099263cbc793f4b2a1

SHA256
c277eac5a2f147b839219c2327a2d7e6c85be9dabe91c8a92b553e2cadc9e3c3

SHA512
9c287e38c61c28ee0fce45b8734a979d6c74dbdd8648327ac7f7d24e9a2c07736eff70f2f8ca33ddd6196d4b629865ae35abd0de8e784e989179618aa1d72774

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8CC5E7F6\62a80ecc8120e_91be93d60.exe

Filesize
312KB

MD5
0cad21764fe956f3028096ff3ff37549

SHA1
09ceb67ca8d995e8811e6f0d13f7b01377f7f8c5

SHA256
f65a68dcc63bd141e3a6619ed81b9c0ff3a5492ebd73034f8c794681f1875e3e

SHA512
4733ea55c8aa918cd7dc35bfb97f5b9f59653244bae98caa3b9d4c7c60f8d7d249e8c20b191345923aa0db60137a0a04b8b20f589bef164076e2f8ec89529542

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8CC5E7F6\62a80ecc8120e_91be93d60.exe

Filesize
312KB

MD5
0cad21764fe956f3028096ff3ff37549

SHA1
09ceb67ca8d995e8811e6f0d13f7b01377f7f8c5

SHA256
f65a68dcc63bd141e3a6619ed81b9c0ff3a5492ebd73034f8c794681f1875e3e

SHA512
4733ea55c8aa918cd7dc35bfb97f5b9f59653244bae98caa3b9d4c7c60f8d7d249e8c20b191345923aa0db60137a0a04b8b20f589bef164076e2f8ec89529542

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8CC5E7F6\62a80ecc8120e_91be93d60.exe

Filesize
312KB

MD5
0cad21764fe956f3028096ff3ff37549

SHA1
09ceb67ca8d995e8811e6f0d13f7b01377f7f8c5

SHA256
f65a68dcc63bd141e3a6619ed81b9c0ff3a5492ebd73034f8c794681f1875e3e

SHA512
4733ea55c8aa918cd7dc35bfb97f5b9f59653244bae98caa3b9d4c7c60f8d7d249e8c20b191345923aa0db60137a0a04b8b20f589bef164076e2f8ec89529542

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8CC5E7F6\62a80ecd5e9a9_e144f2.exe

Filesize
258KB

MD5
d465aa90da9ea6f24bea6d528c30a287

SHA1
6067d313eb051aa57be8013ba97baec1645e9ac2

SHA256
2867982057974e857dfcbf0b947af885b9f5446c7bfe64cee68eea3ca0580b87

SHA512
103ca4db25392ecb2cab9a5c887286a6f35bee4a57b9d75f5f31a8cea273278f032a57af2d244e31d1452688b428d5b3d12749a91906e7baf69c561e1d931079

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8CC5E7F6\62a80ecd5e9a9_e144f2.exe

Filesize
258KB

MD5
d465aa90da9ea6f24bea6d528c30a287

SHA1
6067d313eb051aa57be8013ba97baec1645e9ac2

SHA256
2867982057974e857dfcbf0b947af885b9f5446c7bfe64cee68eea3ca0580b87

SHA512
103ca4db25392ecb2cab9a5c887286a6f35bee4a57b9d75f5f31a8cea273278f032a57af2d244e31d1452688b428d5b3d12749a91906e7baf69c561e1d931079

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8CC5E7F6\62a80ed1cbd2e_5edde3.exe

Filesize
2.2MB

MD5
19edbc55555194e7f34d04f4d7679bae

SHA1
bf88d6491d5aa2cd3d84e1fa90869f8e24181f2a

SHA256
f66b6010d742b18d2da0373416424314d3008657583f641cf54f40015a38d1fa

SHA512
370f77e94f48b058d1244c993a49de0c82ff681033075099d454b441bb2d25b50e2c8bbe2868b2a82f0b343889f8fbceff4cdf1f2283e8969ecd8ea72e8c31a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8CC5E7F6\62a80ed1cbd2e_5edde3.exe

Filesize
2.2MB

MD5
19edbc55555194e7f34d04f4d7679bae

SHA1
bf88d6491d5aa2cd3d84e1fa90869f8e24181f2a

SHA256
f66b6010d742b18d2da0373416424314d3008657583f641cf54f40015a38d1fa

SHA512
370f77e94f48b058d1244c993a49de0c82ff681033075099d454b441bb2d25b50e2c8bbe2868b2a82f0b343889f8fbceff4cdf1f2283e8969ecd8ea72e8c31a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8CC5E7F6\62a80ed360d17_a9a15e2.exe

Filesize
344KB

MD5
b2ce5ea1ef062585207c42f726fd1a6b

SHA1
ec85253c2b912b972789da7d3af03b03a7a01c09

SHA256
e974a3167e00f148cf45ba80245aa5c24606f0b3d014923c8816ad526b131f75

SHA512
6f9e7f9a705d6d08147921cabe79c7621d279812be4b2862aedd41db21ef8081d569c3c00ac53f1b799ecd11b03242a56eee65034bca6e9aa2a00d6e3c109b4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8CC5E7F6\62a80ed360d17_a9a15e2.exe

Filesize
344KB

MD5
b2ce5ea1ef062585207c42f726fd1a6b

SHA1
ec85253c2b912b972789da7d3af03b03a7a01c09

SHA256
e974a3167e00f148cf45ba80245aa5c24606f0b3d014923c8816ad526b131f75

SHA512
6f9e7f9a705d6d08147921cabe79c7621d279812be4b2862aedd41db21ef8081d569c3c00ac53f1b799ecd11b03242a56eee65034bca6e9aa2a00d6e3c109b4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8CC5E7F6\62a80ed4eaa31_cf44d5e0f6.exe

Filesize
3.7MB

MD5
9aad8db023b0e3bc160945271eafbc61

SHA1
73d292f822e700242b86f9c9ddf86908e06e9595

SHA256
a8367a7431645f8cc097560525774ab83696918ebf3ea97e80f1d15ae893f65f

SHA512
eacd66f7270040dd0f3040749ebe648c88b3a88224ca3797caf86590652a38425331781aad2c866738c91fc967974d091c416eb30652155eadd2a693cc9ce294

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8CC5E7F6\62a80ed4eaa31_cf44d5e0f6.exe

Filesize
3.7MB

MD5
9aad8db023b0e3bc160945271eafbc61

SHA1
73d292f822e700242b86f9c9ddf86908e06e9595

SHA256
a8367a7431645f8cc097560525774ab83696918ebf3ea97e80f1d15ae893f65f

SHA512
eacd66f7270040dd0f3040749ebe648c88b3a88224ca3797caf86590652a38425331781aad2c866738c91fc967974d091c416eb30652155eadd2a693cc9ce294

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8CC5E7F6\62a80ed66841d_f5a640c73e.exe

Filesize
258KB

MD5
366be44d4c3ad98abab2bcb8ced5d4b8

SHA1
c0379348f68335940aea60deb1342302f4474ac9

SHA256
b4c6b6753791ea98b043a67e0b03412b3d37cf92a7df4535c6bdb274d0e2246a

SHA512
3469505814df97d438ebd67eed1efa7e73826f0326fe072658c3e048bb86bf540acf3517b09aded43659415a2183fc9073c4bb790029d6169f5e90c5080165ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8CC5E7F6\62a80ed66841d_f5a640c73e.exe

Filesize
258KB

MD5
366be44d4c3ad98abab2bcb8ced5d4b8

SHA1
c0379348f68335940aea60deb1342302f4474ac9

SHA256
b4c6b6753791ea98b043a67e0b03412b3d37cf92a7df4535c6bdb274d0e2246a

SHA512
3469505814df97d438ebd67eed1efa7e73826f0326fe072658c3e048bb86bf540acf3517b09aded43659415a2183fc9073c4bb790029d6169f5e90c5080165ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8CC5E7F6\62a80ed66841d_f5a640c73e.exe

Filesize
258KB

MD5
366be44d4c3ad98abab2bcb8ced5d4b8

SHA1
c0379348f68335940aea60deb1342302f4474ac9

SHA256
b4c6b6753791ea98b043a67e0b03412b3d37cf92a7df4535c6bdb274d0e2246a

SHA512
3469505814df97d438ebd67eed1efa7e73826f0326fe072658c3e048bb86bf540acf3517b09aded43659415a2183fc9073c4bb790029d6169f5e90c5080165ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8CC5E7F6\62a80ed7c3158_e3388f.exe

Filesize
752KB

MD5
e57b3f11829f7f85d0e482043f8a6bd4

SHA1
5a7e389a273d75c845f754039d3faa15e0aac501

SHA256
7195edba387ee58556e027f17bc09f4b43db205ab89485e90863af84f2252517

SHA512
b9f977908b23559d57076a019117324c684d9f47542532fdcd0bb49b17e7079a117faa800c1cd2a019becc980f4553f4c8ae83a36658a96d0cbe8f2241f68de5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8CC5E7F6\62a80ed7c3158_e3388f.exe

Filesize
752KB

MD5
e57b3f11829f7f85d0e482043f8a6bd4

SHA1
5a7e389a273d75c845f754039d3faa15e0aac501

SHA256
7195edba387ee58556e027f17bc09f4b43db205ab89485e90863af84f2252517

SHA512
b9f977908b23559d57076a019117324c684d9f47542532fdcd0bb49b17e7079a117faa800c1cd2a019becc980f4553f4c8ae83a36658a96d0cbe8f2241f68de5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8CC5E7F6\62a80ed92b6cc_f58bd64337.exe

Filesize
4.5MB

MD5
96eaf962907d9de03a086ef2dcba05a6

SHA1
b14b5bc9c72138c17e15962557c2762236f3889e

SHA256
8f490fef13cc3c9f984aa8289b5e49929c042702a9a5a281b0686ef94ee6f3b0

SHA512
9a2896c43e5acbd86e8dc7ca1b72f0493c533536eb3eb0a4b554b57e65050278c0e570ea82ba31bd19948846c09c692426921161656a23f4580a518c04b63ec9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8CC5E7F6\62a80ed92b6cc_f58bd64337.exe

Filesize
4.5MB

MD5
96eaf962907d9de03a086ef2dcba05a6

SHA1
b14b5bc9c72138c17e15962557c2762236f3889e

SHA256
8f490fef13cc3c9f984aa8289b5e49929c042702a9a5a281b0686ef94ee6f3b0

SHA512
9a2896c43e5acbd86e8dc7ca1b72f0493c533536eb3eb0a4b554b57e65050278c0e570ea82ba31bd19948846c09c692426921161656a23f4580a518c04b63ec9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8CC5E7F6\62a80ed9cb66c_6d6b769.exe

Filesize
212KB

MD5
8595eb1a87c49b9b940b46524e1fdf87

SHA1
59622f56b46c724876fce597df797512b6b3d12d

SHA256
77596040b690af4836406a17c20a69cd5093fd0c470b89df209a26694141bd4c

SHA512
cd6a7e25982bdf24ebc34c15b1465dfd8ed7be51f6a8d529309f5aabc811e6a6dd7914c4d6353add01daef8c1f4aaee1002c3f39937998df21d3abadb50535d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8CC5E7F6\62a80ed9cb66c_6d6b769.exe

Filesize
212KB

MD5
8595eb1a87c49b9b940b46524e1fdf87

SHA1
59622f56b46c724876fce597df797512b6b3d12d

SHA256
77596040b690af4836406a17c20a69cd5093fd0c470b89df209a26694141bd4c

SHA512
cd6a7e25982bdf24ebc34c15b1465dfd8ed7be51f6a8d529309f5aabc811e6a6dd7914c4d6353add01daef8c1f4aaee1002c3f39937998df21d3abadb50535d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8CC5E7F6\62a80edbdf738_95ab138.exe

Filesize
1.4MB

MD5
16047899f018bb9d127c4ee52dc3cb21

SHA1
91372e6e79cf305f9b4b1def9a60ca284c553bf6

SHA256
1c8ee98f8f3dbf9261a5a0ff2ffcd8efc006b181d629edc1edc3d21b351afb8c

SHA512
34a09d10cb56004e8a7192a2292e76a789f3710183bb011061f40642d1819fcd15c7b4d9d7a9642404122eba81335ae853c59db75e79f35c6c3a764a76a81a33

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8CC5E7F6\62a80edbdf738_95ab138.exe

Filesize
1.4MB

MD5
16047899f018bb9d127c4ee52dc3cb21

SHA1
91372e6e79cf305f9b4b1def9a60ca284c553bf6

SHA256
1c8ee98f8f3dbf9261a5a0ff2ffcd8efc006b181d629edc1edc3d21b351afb8c

SHA512
34a09d10cb56004e8a7192a2292e76a789f3710183bb011061f40642d1819fcd15c7b4d9d7a9642404122eba81335ae853c59db75e79f35c6c3a764a76a81a33

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8CC5E7F6\62a80edccff90_9800c62d9.exe

Filesize
78KB

MD5
1168874d80610147a7ed9130fe3eede2

SHA1
ef0e0c3482542ada798ca060ce2b20351de3e6fc

SHA256
7f89c4ff29879e906b8b290ecb6aeef2358a216d2ad104e590b23fac88614ccb

SHA512
b8f94bcfb5d0b58113d8d2aea4fb2f0dce0146db10db66e1701bcf1d568ad7031850d33c61c21521b606e8d7ee8c4ab780079dc6064a599bf303090d2886dc18

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8CC5E7F6\62a80edccff90_9800c62d9.exe

Filesize
78KB

MD5
1168874d80610147a7ed9130fe3eede2

SHA1
ef0e0c3482542ada798ca060ce2b20351de3e6fc

SHA256
7f89c4ff29879e906b8b290ecb6aeef2358a216d2ad104e590b23fac88614ccb

SHA512
b8f94bcfb5d0b58113d8d2aea4fb2f0dce0146db10db66e1701bcf1d568ad7031850d33c61c21521b606e8d7ee8c4ab780079dc6064a599bf303090d2886dc18

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8CC5E7F6\libwinpthread-1.dll

Filesize
69KB

MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8CC5E7F6\libwinpthread-1.dll

Filesize
69KB

MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8CC5E7F6\setup_install.exe

Filesize
2.1MB

MD5
c385238e0ca77a87c7a5182157b8ccf8

SHA1
89d027538ee7220610d591a2da801519f6f4723e

SHA256
a287369ba7a9b3fd1d74058b0362c83cba29e42cb3318f5c30991f06ff69d601

SHA512
3e4176d3dca4f76061fe434469aa194bb588738cc8bc0bde4841a6ed83e967f2eb95e6257559d4c0d53523d20d8f4a827f864fc328893e5cb67925efae9e0177

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8CC5E7F6\setup_install.exe

Filesize
2.1MB

MD5
c385238e0ca77a87c7a5182157b8ccf8

SHA1
89d027538ee7220610d591a2da801519f6f4723e

SHA256
a287369ba7a9b3fd1d74058b0362c83cba29e42cb3318f5c30991f06ff69d601

SHA512
3e4176d3dca4f76061fe434469aa194bb588738cc8bc0bde4841a6ed83e967f2eb95e6257559d4c0d53523d20d8f4a827f864fc328893e5cb67925efae9e0177

Download Submit
C:\Users\Admin\AppData\Local\Temp\PL9KAATD.cpL

Filesize
221.7MB

MD5
448307d3495516982799f07d4556b477

SHA1
8dfc3a6cbdde7a40e411b843c6e8260cb134d6f9

SHA256
0777d421d976fa296fca06300ab3f8aa3537d38b1883b77a226329101c006714

SHA512
fad3e02bd3dc74ef8273b95fa080ea84a8d8c2cfd32c7a3dcdd48d80085e61b0fc96005253796ca929577f1cc74bfdaf906aa577c52a20bdb79b7b78cb8a8343

Download Submit
C:\Users\Admin\AppData\Local\Temp\PL9kAATD.cpl

Filesize
220.9MB

MD5
e0c9080e7c36c56fda53f80be874c266

SHA1
c8f926490b33f0bb9d8c99fe83cdd0897c688398

SHA256
e896d0185b69ade1130f94dd905ee9eb47893982652f37ec5b80628875c031d4

SHA512
7a82efbd0721e338c6a3ad3104ef08e46bdb3584da60b80906b80b067aa193617e5e9d6b3e0a0fc89d8faa3effbf741f6d8e376e50887e9656563582c568e48c

Download Submit
C:\Users\Admin\AppData\Local\Temp\PL9kAATD.cpl

Filesize
219.2MB

MD5
2d3fa9afb1904bbdb75090495d667cbf

SHA1
d0077d825a0dae0d74a9d5cd9e056b933fe43317

SHA256
dac861ec0c7ac0fa1ce1b81035b0b25aa39bc30976f6f09202b4ed4cefb1a683

SHA512
7fd0a902e4a05121bec562f4675218f491d79cbd21dd5b6245b78ad663b0021ed71f82b3920dab1c21da819780b1744cffd4e330e0b425bc03070b647c945916

Download Submit
C:\Users\Admin\AppData\Local\Temp\PL9kAATD.cpl

Filesize
204.9MB

MD5
e2d560d0c0c1175969fbc9b33d95619b

SHA1
9c728d4d05046145d7e7cc423ca255fcb3a1e0c6

SHA256
d46ac2c52d03ee5a9f36da890e5e3ad5386ef7529fc3860e3af789fb3c9c85d4

SHA512
0fe36c1395c06e867fad53f2c6d1a62e4b704ef54f481c2f3d90cf7dbcfe147338c47e4882a2507c3510cf6997bb4bc233431f3550e3441918fb5f86d819033c

Download Submit
C:\Users\Admin\AppData\Local\Temp\PL9kAATD.cpl

Filesize
205.5MB

MD5
53b705ca98f72fbcf864f26010f5c496

SHA1
e00a6617d186aa6300456df95188d4873ca708cd

SHA256
9ef104013071a96a06d19f236ea7bf2ea28446717f216ada16f79a2547d9fa99

SHA512
f9436fd3a84b07f7724247e5a0dffd172a9f6200fe3333ee616c56a15e23b67e12ff56b0a573afde4e255801ade9e8642fe9744b0c44d6c79e7f4b2c001fee19

Download Submit
C:\Users\Admin\AppData\Local\Temp\ba-8b3b1-aac-935b0-a321259a16e6a\Kasumilaebo.exe

Filesize
763KB

MD5
d7bf25d301f074b4b654bdd4a9a40fdf

SHA1
7e52b609b3a96b36cd6a064a3ba54b6733745a7d

SHA256
16312779077ce3e48eb29d11226d87d705aa176aab68adc2cb232ebe495fd956

SHA512
e05b20be918d81a2dd600d955a20fb59820613073a3655c5d4a66936679bb0109740c0b5a4e25316c2066949a6ddc34fe5dd1aca76e628ed62788b58c4e64bb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ba-8b3b1-aac-935b0-a321259a16e6a\Kasumilaebo.exe

Filesize
763KB

MD5
d7bf25d301f074b4b654bdd4a9a40fdf

SHA1
7e52b609b3a96b36cd6a064a3ba54b6733745a7d

SHA256
16312779077ce3e48eb29d11226d87d705aa176aab68adc2cb232ebe495fd956

SHA512
e05b20be918d81a2dd600d955a20fb59820613073a3655c5d4a66936679bb0109740c0b5a4e25316c2066949a6ddc34fe5dd1aca76e628ed62788b58c4e64bb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ba-8b3b1-aac-935b0-a321259a16e6a\Kasumilaebo.exe.config

Filesize
1KB

MD5
98d2687aec923f98c37f7cda8de0eb19

SHA1
f6dcfcdcfe570340ecdbbd9e2a61f3cb4f281ba7

SHA256
8a94163256a722ef8cc140bcd115a5b8f8725c04fe158b129d47be81cb693465

SHA512
95c7290d59749df8df495e04789c1793265e0f34e0d091df5c0d4aefe1af4c8ac1f5460f1f198fc28c4c8c900827b8f22e2851957bbaea5914ea962b3a1d0590

Download Submit
C:\Users\Admin\AppData\Local\Temp\ba-8b3b1-aac-935b0-a321259a16e6a\Kenessey.txt

Filesize
9B

MD5
97384261b8bbf966df16e5ad509922db

SHA1
2fc42d37fee2c81d767e09fb298b70c748940f86

SHA256
9c0d294c05fc1d88d698034609bb81c0c69196327594e4c69d2915c80fd9850c

SHA512
b77fe2d86fbc5bd116d6a073eb447e76a74add3fa0d0b801f97535963241be3cdce1dbcaed603b78f020d0845b2d4bfc892ceb2a7d1c8f1d98abc4812ef5af21

Download Submit
C:\Users\Admin\AppData\Local\Temp\db.dat

Filesize
557KB

MD5
215e381e9a16deb017b550e8a2480760

SHA1
56f4a18a314b001d2d1408e5825ed6bdf89b9f45

SHA256
6131812d6cdf3460443e46b4b348cb57e14c295c14fd78d7b994f9b790bfc491

SHA512
d1e7299b26928e8ebb08cc9d050bde2577c3f3170cfacf842e9fdabbe23c941e20445451860dbdbdc468a348b068a08447f193f7b2865140bf48920ae461197b

Download Submit
C:\Users\Admin\AppData\Local\Temp\db.dll

Filesize
52KB

MD5
7ffef7319bb7963fa71d05c0b3026f02

SHA1
e1f2ef0b151923e4312d5e958ff438beb6ba1d5b

SHA256
4f17ad05d7ed000195571c44a080d188f2309b92773fab60ca4e569864fa6fa4

SHA512
dea9e5627032ed95d34baa6677e64b3b8ffd12e512aee7b2db9ee6509357ec74366eb005379a327cb600a6c597479d7e48102b4c60bc57ba54b612ece30d3ed2

Download Submit
C:\Users\Admin\AppData\Local\Temp\db.dll

Filesize
52KB

MD5
7ffef7319bb7963fa71d05c0b3026f02

SHA1
e1f2ef0b151923e4312d5e958ff438beb6ba1d5b

SHA256
4f17ad05d7ed000195571c44a080d188f2309b92773fab60ca4e569864fa6fa4

SHA512
dea9e5627032ed95d34baa6677e64b3b8ffd12e512aee7b2db9ee6509357ec74366eb005379a327cb600a6c597479d7e48102b4c60bc57ba54b612ece30d3ed2

Download Submit
C:\Users\Admin\AppData\Local\Temp\e0-913a1-b37-a28bb-adab113e571fe\Vozhokylesae.exe

Filesize
575KB

MD5
b78cd54e9952b21140da7471ad414416

SHA1
6d017b99742c9af216189bc38f06661bfc9d37f3

SHA256
3168662154acbaad4d0d633d3c64756422447251ca2040bdce74487a7500a067

SHA512
51b12a58894a9e45b8f8e19667c207f06ea8f5ce1978e1564606a1558ad0fb0a4ed69b1504a42f423e811316f7b1d95d5f64d4a38f76c81f45696712db9bd374

Download Submit
C:\Users\Admin\AppData\Local\Temp\e0-913a1-b37-a28bb-adab113e571fe\Vozhokylesae.exe

Filesize
575KB

MD5
b78cd54e9952b21140da7471ad414416

SHA1
6d017b99742c9af216189bc38f06661bfc9d37f3

SHA256
3168662154acbaad4d0d633d3c64756422447251ca2040bdce74487a7500a067

SHA512
51b12a58894a9e45b8f8e19667c207f06ea8f5ce1978e1564606a1558ad0fb0a4ed69b1504a42f423e811316f7b1d95d5f64d4a38f76c81f45696712db9bd374

Download Submit
C:\Users\Admin\AppData\Local\Temp\e0-913a1-b37-a28bb-adab113e571fe\Vozhokylesae.exe.config

Filesize
1KB

MD5
98d2687aec923f98c37f7cda8de0eb19

SHA1
f6dcfcdcfe570340ecdbbd9e2a61f3cb4f281ba7

SHA256
8a94163256a722ef8cc140bcd115a5b8f8725c04fe158b129d47be81cb693465

SHA512
95c7290d59749df8df495e04789c1793265e0f34e0d091df5c0d4aefe1af4c8ac1f5460f1f198fc28c4c8c900827b8f22e2851957bbaea5914ea962b3a1d0590

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-32UQL.tmp\poweroff.tmp

Filesize
981KB

MD5
01515376348a54ecef04f45b436cb104

SHA1
111e709b21bf56181c83057dafba7b71ed41f1b2

SHA256
8c1a062cf83fba41daa86670e9ccdb7b7ae3c913fe6d0343284336d40c394ba0

SHA512
8d0a31e3694cec61fb99573e58c3696224a6198060d8bfca020805541789516315867b6b83a5e105703660e03fac4906f95f617dc8a3947d6b7982dfd3baea28

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-32UQL.tmp\poweroff.tmp

Filesize
981KB

MD5
01515376348a54ecef04f45b436cb104

SHA1
111e709b21bf56181c83057dafba7b71ed41f1b2

SHA256
8c1a062cf83fba41daa86670e9ccdb7b7ae3c913fe6d0343284336d40c394ba0

SHA512
8d0a31e3694cec61fb99573e58c3696224a6198060d8bfca020805541789516315867b6b83a5e105703660e03fac4906f95f617dc8a3947d6b7982dfd3baea28

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-9SCNF.tmp\idp.dll

Filesize
216KB

MD5
8f995688085bced38ba7795f60a5e1d3

SHA1
5b1ad67a149c05c50d6e388527af5c8a0af4343a

SHA256
203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006

SHA512
043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-9SCNF.tmp\ikos.exe

Filesize
351KB

MD5
1d1da7be5bc9dd771553277d35c003b5

SHA1
d17b7875445a31d16368a8869d8f964368855f50

SHA256
360ddd9a47cb06667cc853a63f36a77f642a50fc6d43a0a7163eae88b7336b95

SHA512
1b9b3aade403a1a87ee40bd11b3557d44d2c7a2795a7d948582494bd9c1eb52c07331964726442bbd357ddfb59415acc2b8fce56739b4dbaee8bcb3d4ddb57ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-9SCNF.tmp\ikos.exe

Filesize
351KB

MD5
1d1da7be5bc9dd771553277d35c003b5

SHA1
d17b7875445a31d16368a8869d8f964368855f50

SHA256
360ddd9a47cb06667cc853a63f36a77f642a50fc6d43a0a7163eae88b7336b95

SHA512
1b9b3aade403a1a87ee40bd11b3557d44d2c7a2795a7d948582494bd9c1eb52c07331964726442bbd357ddfb59415acc2b8fce56739b4dbaee8bcb3d4ddb57ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-JA11E.tmp\62a80ed7c3158_e3388f.tmp

Filesize
1.0MB

MD5
a5ea5f8ae934ab6efe216fc1e4d1b6dc

SHA1
cb52a9e2aa2aa0e6e82fa44879055003a91207d7

SHA256
be998499deb4ad2cbb87ff38e372f387baf4da3a15faf6d0a43c5cc137650d9e

SHA512
f13280508fb43734809321f65741351aedd1613c3c989e978147dbb5a59efb02494349fbf6ee96b85de5ad049493d8382372993f3d54b80e84e36edf986e915c

Download Submit
C:\Users\Admin\AppData\Roaming\172322.exe

Filesize
260KB

MD5
b06e4ac033140040ef6af107604b9d29

SHA1
99ccd25e6f46dce24681056a4df7e724bfe5ea21

SHA256
78bb97a75191e48a8ecfdd4f7c36c71bdf1779242fe5bee69d9eb364d368397f

SHA512
02809c7145ec3078392766b30356ae81303bc2a8e0ecbec7cd43ef575f9917cd0f59eed3356b8289aa1390592304e9710e7277c035f33900ba75e4b6813d00f4

Download Submit
C:\Users\Admin\AppData\Roaming\172322.exe

Filesize
260KB

MD5
b06e4ac033140040ef6af107604b9d29

SHA1
99ccd25e6f46dce24681056a4df7e724bfe5ea21

SHA256
78bb97a75191e48a8ecfdd4f7c36c71bdf1779242fe5bee69d9eb364d368397f

SHA512
02809c7145ec3078392766b30356ae81303bc2a8e0ecbec7cd43ef575f9917cd0f59eed3356b8289aa1390592304e9710e7277c035f33900ba75e4b6813d00f4

Download Submit
C:\Users\Public\Desktop\powerOff.lnk

Filesize
1KB

MD5
f908b173ca3488e95ac5b086d0268ca9

SHA1
e9aa7b36f8bdc9d65b7285eaa4259b180ed9d4e6

SHA256
11a88a841c3c641edcda747834ede400518604cccfa3f2a6dca2954f20db3713

SHA512
72f1f094d3ce0678e807d533c2d7b54e03f89690bfcb420bf21dcf9d973dc2070d2e9a0c7e1fdde285ff85d45103e1f847562616083478352e1548f6fd88dd68

Download Submit
\??\c:\users\admin\appdata\local\temp\is-ja11e.tmp\62a80ed7c3158_e3388f.tmp

Filesize
1.0MB

MD5
a5ea5f8ae934ab6efe216fc1e4d1b6dc

SHA1
cb52a9e2aa2aa0e6e82fa44879055003a91207d7

SHA256
be998499deb4ad2cbb87ff38e372f387baf4da3a15faf6d0a43c5cc137650d9e

SHA512
f13280508fb43734809321f65741351aedd1613c3c989e978147dbb5a59efb02494349fbf6ee96b85de5ad049493d8382372993f3d54b80e84e36edf986e915c

Download Submit
memory/208-174-0x0000000000000000-mapping.dmp

Download
memory/460-254-0x0000000000000000-mapping.dmp

Download
memory/548-270-0x0000000000000000-mapping.dmp

Download
memory/736-245-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/736-228-0x0000000000000000-mapping.dmp

Download
memory/736-230-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/808-349-0x0000000000000000-mapping.dmp

Download
memory/1096-279-0x0000000000400000-0x0000000000B4A000-memory.dmp

Filesize
7.3MB

Download
memory/1096-237-0x0000000000400000-0x0000000000B4A000-memory.dmp

Filesize
7.3MB

Download
memory/1096-273-0x0000000000D13000-0x0000000000D39000-memory.dmp

Filesize
152KB

Download
memory/1096-157-0x0000000000000000-mapping.dmp

Download
memory/1096-227-0x00000000026A0000-0x00000000026DF000-memory.dmp

Filesize
252KB

Download
memory/1096-224-0x0000000000D13000-0x0000000000D39000-memory.dmp

Filesize
152KB

Download
memory/1244-188-0x0000000000000000-mapping.dmp

Download
memory/1244-264-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1244-194-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1244-307-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1244-198-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1304-358-0x0000000000000000-mapping.dmp

Download
memory/1332-168-0x0000000000000000-mapping.dmp

Download
memory/1388-234-0x00000000001F0000-0x00000000001F9000-memory.dmp

Filesize
36KB

Download
memory/1388-238-0x0000000000F02000-0x0000000000F12000-memory.dmp

Filesize
64KB

Download
memory/1388-226-0x0000000000F02000-0x0000000000F12000-memory.dmp

Filesize
64KB

Download
memory/1388-187-0x0000000000000000-mapping.dmp

Download
memory/1404-353-0x0000000000000000-mapping.dmp

Download
memory/1532-155-0x0000000000000000-mapping.dmp

Download
memory/1540-138-0x0000000000000000-mapping.dmp

Download
memory/1568-178-0x0000000000000000-mapping.dmp

Download
memory/1616-262-0x0000000000000000-mapping.dmp

Download
memory/1656-286-0x00007FFE0F0B0000-0x00007FFE0FB71000-memory.dmp

Filesize
10.8MB

Download
memory/1656-250-0x000002B16C350000-0x000002B16C3A0000-memory.dmp

Filesize
320KB

Download
memory/1656-253-0x00007FFE0F0B0000-0x00007FFE0FB71000-memory.dmp

Filesize
10.8MB

Download
memory/1656-244-0x0000000000000000-mapping.dmp

Download
memory/1656-316-0x00007FFE0F0B0000-0x00007FFE0FB71000-memory.dmp

Filesize
10.8MB

Download
memory/1656-248-0x000002B16A630000-0x000002B16A67A000-memory.dmp

Filesize
296KB

Download
memory/1764-164-0x0000000000000000-mapping.dmp

Download
memory/1776-184-0x0000000000000000-mapping.dmp

Download
memory/1776-200-0x0000000140000000-0x000000014067E000-memory.dmp

Filesize
6.5MB

Download
memory/1844-348-0x0000000000000000-mapping.dmp

Download
memory/2100-314-0x0000000000000000-mapping.dmp

Download
memory/2200-231-0x0000000000000000-mapping.dmp

Download
memory/2200-249-0x00007FFE059E0000-0x00007FFE06416000-memory.dmp

Filesize
10.2MB

Download
memory/2216-211-0x0000000000C00000-0x0000000000C09000-memory.dmp

Filesize
36KB

Download
memory/2216-201-0x0000000000000000-mapping.dmp

Download
memory/2216-212-0x0000000000C20000-0x0000000000C2E000-memory.dmp

Filesize
56KB

Download
memory/2292-204-0x0000000000000000-mapping.dmp

Download
memory/2364-293-0x0000000000000000-mapping.dmp

Download
memory/2364-302-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2364-296-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2376-361-0x0000000000000000-mapping.dmp

Download
memory/2376-221-0x0000000000000000-mapping.dmp

Download
memory/2408-356-0x0000000000000000-mapping.dmp

Download
memory/2444-135-0x0000000000000000-mapping.dmp

Download
memory/2464-281-0x0000000000000000-mapping.dmp

Download
memory/2464-287-0x00007FFE059E0000-0x00007FFE06416000-memory.dmp

Filesize
10.2MB

Download
memory/2496-335-0x0000000000000000-mapping.dmp

Download
memory/2500-334-0x0000000000000000-mapping.dmp

Download
memory/2548-354-0x0000000000000000-mapping.dmp

Download
memory/2728-367-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2816-359-0x0000000000000000-mapping.dmp

Download
memory/2920-205-0x0000000000000000-mapping.dmp

Download
memory/2976-167-0x0000000000000000-mapping.dmp

Download
memory/3028-130-0x0000000000000000-mapping.dmp

Download
memory/3028-165-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/3028-183-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/3176-311-0x0000000000000000-mapping.dmp

Download
memory/3176-315-0x00007FFE059E0000-0x00007FFE06416000-memory.dmp

Filesize
10.2MB

Download
memory/3312-341-0x0000000000000000-mapping.dmp

Download
memory/3420-350-0x0000000000000000-mapping.dmp

Download
memory/3508-142-0x0000000000000000-mapping.dmp

Download
memory/3580-161-0x0000000000000000-mapping.dmp

Download
memory/3732-170-0x0000000000000000-mapping.dmp

Download
memory/3768-344-0x0000000000000000-mapping.dmp

Download
memory/3916-390-0x0000000140000000-0x0000000140679000-memory.dmp

Filesize
6.5MB

Download
memory/4020-288-0x0000000000000000-mapping.dmp

Download
memory/4020-301-0x00007FFE059E0000-0x00007FFE06416000-memory.dmp

Filesize
10.2MB

Download
memory/4044-203-0x0000000000D30000-0x0000000001755000-memory.dmp

Filesize
10.1MB

Download
memory/4044-325-0x0000000076F10000-0x00000000770B3000-memory.dmp

Filesize
1.6MB

Download
memory/4044-256-0x0000000000D30000-0x0000000001755000-memory.dmp

Filesize
10.1MB

Download
memory/4044-326-0x0000000000D30000-0x0000000001755000-memory.dmp

Filesize
10.1MB

Download
memory/4044-191-0x0000000000D30000-0x0000000001755000-memory.dmp

Filesize
10.1MB

Download
memory/4044-324-0x0000000000D30000-0x0000000001755000-memory.dmp

Filesize
10.1MB

Download
memory/4044-175-0x0000000000000000-mapping.dmp

Download
memory/4044-327-0x0000000000D30000-0x0000000001755000-memory.dmp

Filesize
10.1MB

Download
memory/4076-280-0x0000000000000000-mapping.dmp

Download
memory/4144-303-0x0000000000000000-mapping.dmp

Download
memory/4196-225-0x0000000000DA2000-0x0000000000DB2000-memory.dmp

Filesize
64KB

Download
memory/4196-229-0x00000000001F0000-0x00000000001F9000-memory.dmp

Filesize
36KB

Download
memory/4196-152-0x0000000000000000-mapping.dmp

Download
memory/4196-257-0x0000000000DA2000-0x0000000000DB2000-memory.dmp

Filesize
64KB

Download
memory/4196-255-0x0000000000400000-0x0000000000B34000-memory.dmp

Filesize
7.2MB

Download
memory/4196-252-0x0000000000400000-0x0000000000B34000-memory.dmp

Filesize
7.2MB

Download
memory/4220-146-0x0000000000000000-mapping.dmp

Download
memory/4236-317-0x0000000000000000-mapping.dmp

Download
memory/4236-338-0x000000002D540000-0x000000002D5E7000-memory.dmp

Filesize
668KB

Download
memory/4236-337-0x000000002D470000-0x000000002D52D000-memory.dmp

Filesize
756KB

Download
memory/4236-322-0x0000000002590000-0x0000000003590000-memory.dmp

Filesize
16.0MB

Download
memory/4272-269-0x0000000000000000-mapping.dmp

Download
memory/4300-182-0x0000000005A30000-0x0000000006058000-memory.dmp

Filesize
6.2MB

Download
memory/4300-150-0x0000000000000000-mapping.dmp

Download
memory/4300-223-0x0000000006450000-0x00000000064B6000-memory.dmp

Filesize
408KB

Download
memory/4300-222-0x00000000063E0000-0x0000000006446000-memory.dmp

Filesize
408KB

Download
memory/4300-220-0x00000000063B0000-0x00000000063D2000-memory.dmp

Filesize
136KB

Download
memory/4300-251-0x00000000068E0000-0x00000000068FE000-memory.dmp

Filesize
120KB

Download
memory/4300-272-0x0000000006EB0000-0x0000000006EE2000-memory.dmp

Filesize
200KB

Download
memory/4300-329-0x0000000007E80000-0x0000000007E88000-memory.dmp

Filesize
32KB

Download
memory/4300-328-0x0000000007E90000-0x0000000007EAA000-memory.dmp

Filesize
104KB

Download
memory/4300-292-0x0000000007EB0000-0x0000000007F46000-memory.dmp

Filesize
600KB

Download
memory/4300-172-0x0000000003320000-0x0000000003356000-memory.dmp

Filesize
216KB

Download
memory/4300-274-0x000000006C7E0000-0x000000006C82C000-memory.dmp

Filesize
304KB

Download
memory/4300-282-0x0000000006F10000-0x0000000006F1A000-memory.dmp

Filesize
40KB

Download
memory/4300-275-0x0000000006E70000-0x0000000006E8E000-memory.dmp

Filesize
120KB

Download
memory/4300-323-0x0000000007E30000-0x0000000007E3E000-memory.dmp

Filesize
56KB

Download
memory/4300-278-0x0000000007A10000-0x0000000007A2A000-memory.dmp

Filesize
104KB

Download
memory/4300-277-0x0000000008350000-0x00000000089CA000-memory.dmp

Filesize
6.5MB

Download
memory/4304-171-0x0000000000CF0000-0x0000000000D32000-memory.dmp

Filesize
264KB

Download
memory/4304-266-0x0000000006500000-0x0000000006592000-memory.dmp

Filesize
584KB

Download
memory/4304-189-0x0000000005560000-0x0000000005572000-memory.dmp

Filesize
72KB

Download
memory/4304-186-0x0000000005B40000-0x0000000006158000-memory.dmp

Filesize
6.1MB

Download
memory/4304-261-0x00000000063E0000-0x0000000006456000-memory.dmp

Filesize
472KB

Download
memory/4304-190-0x0000000005690000-0x000000000579A000-memory.dmp

Filesize
1.0MB

Download
memory/4304-197-0x00000000055C0000-0x00000000055FC000-memory.dmp

Filesize
240KB

Download
memory/4304-148-0x0000000000000000-mapping.dmp

Download
memory/4304-294-0x0000000007E80000-0x0000000008042000-memory.dmp

Filesize
1.8MB

Download
memory/4304-297-0x0000000008580000-0x0000000008AAC000-memory.dmp

Filesize
5.2MB

Download
memory/4304-267-0x0000000006B50000-0x00000000070F4000-memory.dmp

Filesize
5.6MB

Download
memory/4304-271-0x00000000069A0000-0x00000000069F0000-memory.dmp

Filesize
320KB

Download
memory/4304-268-0x00000000064C0000-0x00000000064DE000-memory.dmp

Filesize
120KB

Download
memory/4308-243-0x00007FFE0F0B0000-0x00007FFE0FB71000-memory.dmp

Filesize
10.8MB

Download
memory/4308-162-0x0000000000BA0000-0x0000000000BD0000-memory.dmp

Filesize
192KB

Download
memory/4308-179-0x00007FFE0F0B0000-0x00007FFE0FB71000-memory.dmp

Filesize
10.8MB

Download
memory/4308-147-0x0000000000000000-mapping.dmp

Download
memory/4308-276-0x00007FFE0F0B0000-0x00007FFE0FB71000-memory.dmp

Filesize
10.8MB

Download
memory/4312-365-0x0000000000000000-mapping.dmp

Download
memory/4336-144-0x0000000000000000-mapping.dmp

Download
memory/4416-151-0x0000000000000000-mapping.dmp

Download
memory/4544-374-0x0000000003900000-0x000000000390F000-memory.dmp

Filesize
60KB

Download
memory/4544-371-0x0000000003290000-0x0000000003570000-memory.dmp

Filesize
2.9MB

Download
memory/4544-375-0x0000000003AA0000-0x0000000003AB5000-memory.dmp

Filesize
84KB

Download
memory/4560-140-0x0000000000000000-mapping.dmp

Download
memory/4572-366-0x0000000000000000-mapping.dmp

Download
memory/4668-336-0x0000000000000000-mapping.dmp

Download
memory/4724-216-0x0000000000000000-mapping.dmp

Download
memory/4732-136-0x0000000000000000-mapping.dmp

Download
memory/4736-233-0x0000000000000000-mapping.dmp

Download
memory/4736-300-0x000000002DD30000-0x000000002DDED000-memory.dmp

Filesize
756KB

Download
memory/4736-308-0x000000002DDF0000-0x000000002DE97000-memory.dmp

Filesize
668KB

Download
memory/4736-258-0x000000002DAC0000-0x000000002DB83000-memory.dmp

Filesize
780KB

Download
memory/4736-259-0x000000002DC60000-0x000000002DD23000-memory.dmp

Filesize
780KB

Download
memory/4736-242-0x0000000002EB0000-0x0000000003EB0000-memory.dmp

Filesize
16.0MB

Download
memory/4980-196-0x0000000000000000-mapping.dmp

Download