a0e938be88679df44d7b0802d05393b4d0d59605a7ef4d31031110bd2d827bd4

Analysis

max time kernel
151s
max time network
47s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
01/12/2022, 20:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a0e938be88679df44d7b0802d05393b4d0d59605a7ef4d31031110bd2d827bd4.exe
Size

287KB
MD5

fd1494f5e8ef0f8e62f3102edce4a4ce
SHA1

e30f399c9ab7ff896060b2dcbfe7ef429c0af840
SHA256

a0e938be88679df44d7b0802d05393b4d0d59605a7ef4d31031110bd2d827bd4
SHA512

afc5f1970e7eb05e74da24d93e342417eb719ebf91f0eaf946d0b6c33ae47c17f96e682a27e88b9753265c22dca1d41308640e02e878c804e6edbcd584f3fbaa
SSDEEP

6144:FvUGjA60ZiUr+Nh6EZzjKrog64nS4jVafZTbQyhQ:FvUI0USjjvWTbQuQ

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
1492	api-ms-win-core-processenvironment-l1-1-0.exe
1200	adsmsext.exe
1516	api-ms-win-core-delayload-l1-1-0.exe
1932	advapi32.exe
1352	api-ms-win-service-winsvc-l1-1-0.exe
1676	api-ms-win-core-processthreads-l1-1-0.exe
2012	api-ms-win-core-interlocked-l1-1-0.exe
2008	adprovider.exe
1116	amxread.exe
1756	api-ms-win-crt-conio-l1-1-0.exe
1896	api-ms-win-core-console-l1-1-0.exe
1708	api-ms-win-core-processthreads-l1-1-1.exe
1616	adtschema.exe
1728	adsnt.exe
428	ActionCenterCPL.exe
2020	ACCTRES.exe
1704	api-ms-win-eventing-provider-l1-1-0.exe
1648	api-ms-win-core-memory-l1-1-0.exe
1820	ActionCenterCPL.exe
1940	acledit.exe
1932	api-ms-win-crt-math-l1-1-0.exe
1396	acppage.exe
948	ActionCenter.exe
888	api-ms-win-core-synch-l1-2-0.exe
1952	aclui.exe
1776	accessibilitycpl.exe
1376	aeevts.exe
1648	api-ms-win-core-misc-l1-1-0.exe
432	aaclient.exe
1820	advpack.exe
1044	adsldpc.exe
1320	aecache.exe
1140	adsmsext.exe
1196	api-ms-win-core-synch-l1-2-0.exe
556	adsmsext.exe
1844	api-ms-win-crt-convert-l1-1-0.exe
1344	api-ms-win-core-rtlsupport-l1-1-0.exe
1608	aaclient.exe
1032	aclui.exe
1180	adsmsext.exe
608	api-ms-win-core-io-l1-1-0.exe
1200	api-ms-win-core-synch-l1-1-0.exe
2008	api-ms-win-downlevel-shlwapi-l1-1-0.exe
1544	aclui.exe
1732	api-ms-win-core-localregistry-l1-1-0.exe
1356	api-ms-win-core-xstate-l1-1-0.exe
540	api-ms-win-core-datetime-l1-1-0.exe
1220	ACCTRES.exe
1788	api-ms-win-core-localization-l1-2-0.exe
1488	aclui.exe
1296	api-ms-win-core-heap-l1-1-0.exe
756	aaclient.exe
1704	activeds.exe
1008	aaclient.exe
1928	AltTab.exe
1832	adprovider.exe
1660	adsldp.exe
1608	AdmTmpl.exe
2040	accessibilitycpl.exe
1760	capisp.exe
1820	AdmTmpl.exe
2020	ACCTRES.exe
1196	aclui.exe
556	api-ms-win-crt-process-l1-1-0.exe

Deletes itself 1 IoCs

pid	Process
1492	api-ms-win-core-processenvironment-l1-1-0.exe

Loads dropped DLL 64 IoCs

pid	Process
1504	a0e938be88679df44d7b0802d05393b4d0d59605a7ef4d31031110bd2d827bd4.exe
1504	a0e938be88679df44d7b0802d05393b4d0d59605a7ef4d31031110bd2d827bd4.exe
1492	api-ms-win-core-processenvironment-l1-1-0.exe
1492	api-ms-win-core-processenvironment-l1-1-0.exe
1200	adsmsext.exe
1200	adsmsext.exe
1516	api-ms-win-core-delayload-l1-1-0.exe
1516	api-ms-win-core-delayload-l1-1-0.exe
1932	advapi32.exe
1932	advapi32.exe
1352	api-ms-win-service-winsvc-l1-1-0.exe
1352	api-ms-win-service-winsvc-l1-1-0.exe
1676	api-ms-win-core-processthreads-l1-1-0.exe
1676	api-ms-win-core-processthreads-l1-1-0.exe
2012	api-ms-win-core-interlocked-l1-1-0.exe
2012	api-ms-win-core-interlocked-l1-1-0.exe
2008	adprovider.exe
2008	adprovider.exe
1116	amxread.exe
1116	amxread.exe
1756	api-ms-win-crt-conio-l1-1-0.exe
1756	api-ms-win-crt-conio-l1-1-0.exe
1896	api-ms-win-core-console-l1-1-0.exe
1896	api-ms-win-core-console-l1-1-0.exe
1708	api-ms-win-core-processthreads-l1-1-1.exe
1708	api-ms-win-core-processthreads-l1-1-1.exe
1616	adtschema.exe
1616	adtschema.exe
1728	adsnt.exe
1728	adsnt.exe
428	ActionCenterCPL.exe
428	ActionCenterCPL.exe
2020	ACCTRES.exe
2020	ACCTRES.exe
1704	api-ms-win-eventing-provider-l1-1-0.exe
1704	api-ms-win-eventing-provider-l1-1-0.exe
1648	api-ms-win-core-memory-l1-1-0.exe
1648	api-ms-win-core-memory-l1-1-0.exe
1820	ActionCenterCPL.exe
1820	ActionCenterCPL.exe
1940	acledit.exe
1940	acledit.exe
1932	api-ms-win-crt-math-l1-1-0.exe
1932	api-ms-win-crt-math-l1-1-0.exe
1396	acppage.exe
1396	acppage.exe
948	ActionCenter.exe
948	ActionCenter.exe
888	api-ms-win-core-synch-l1-2-0.exe
888	api-ms-win-core-synch-l1-2-0.exe
1952	aclui.exe
1952	aclui.exe
1776	accessibilitycpl.exe
1776	accessibilitycpl.exe
1376	aeevts.exe
1376	aeevts.exe
1648	api-ms-win-core-misc-l1-1-0.exe
1648	api-ms-win-core-misc-l1-1-0.exe
432	aaclient.exe
432	aaclient.exe
1820	advpack.exe
1820	advpack.exe
1044	adsldpc.exe
1044	adsldpc.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\ACCTRES.nls	ACCTRES.exe
File created	C:\Windows\SysWOW64\api-ms-win-core-xstate-l2-1-0.exe	AuthFWGP.exe
File created	C:\Windows\SysWOW64\api-ms-win-crt-runtime-l1-1-0.nls	api-ms-win-crt-runtime-l1-1-0.exe
File created	C:\Windows\SysWOW64\api-ms-win-core-file-l1-2-0.nls	api-ms-win-core-file-l1-2-0.exe
File created	C:\Windows\SysWOW64\api-ms-win-service-core-l1-1-0.exe	api-ms-win-crt-utility-l1-1-0.exe
File opened for modification	C:\Windows\SysWOW64\api-ms-win-service-management-l2-1-0.nls	api-ms-win-service-management-l2-1-0.exe
File opened for modification	C:\Windows\SysWOW64\api-ms-win-core-rtlsupport-l1-1-0.nls	api-ms-win-core-rtlsupport-l1-1-0.exe
File created	C:\Windows\SysWOW64\api-ms-win-crt-heap-l1-1-0.nls	api-ms-win-crt-heap-l1-1-0.exe
File created	C:\Windows\SysWOW64\api-ms-win-core-handle-l1-1-0.exe	aecache.exe
File created	C:\Windows\SysWOW64\amstream.exe	appmgmts.exe
File created	C:\Windows\SysWOW64\api-ms-win-crt-locale-l1-1-0.nls	api-ms-win-crt-locale-l1-1-0.exe
File created	C:\Windows\SysWOW64\api-ms-win-security-lsalookup-l1-1-0.nls	api-ms-win-security-lsalookup-l1-1-0.exe
File created	C:\Windows\SysWOW64\aecache.exe	adsldpc.exe
File created	C:\Windows\SysWOW64\ACCTRES.nls	ACCTRES.exe
File created	C:\Windows\SysWOW64\api-ms-win-core-xstate-l2-1-0.exe	api-ms-win-core-file-l1-1-0.exe
File opened for modification	C:\Windows\SysWOW64\api-ms-win-crt-locale-l1-1-0.nls	api-ms-win-crt-locale-l1-1-0.exe
File created	C:\Windows\SysWOW64\api-ms-win-security-lsalookup-l1-1-0.nls	api-ms-win-security-lsalookup-l1-1-0.exe
File created	C:\Windows\SysWOW64\api-ms-win-crt-locale-l1-1-0.exe	api-ms-win-crt-environment-l1-1-0.exe
File created	C:\Windows\SysWOW64\adsldp.nls	adsldp.exe
File opened for modification	C:\Windows\SysWOW64\ACCTRES.nls	ACCTRES.exe
File created	C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.nls	api-ms-win-core-datetime-l1-1-0.exe
File created	C:\Windows\SysWOW64\api-ms-win-security-lsalookup-l1-1-0.exe	apds.exe
File created	C:\Windows\SysWOW64\aaclient.exe	api-ms-win-core-rtlsupport-l1-1-0.exe
File created	C:\Windows\SysWOW64\activeds.exe	ACCTRES.exe
File created	C:\Windows\SysWOW64\api-ms-win-core-debug-l1-1-0.exe	api-ms-win-core-rtlsupport-l1-1-0.exe
File created	C:\Windows\SysWOW64\autoplay.nls	autoplay.exe
File created	C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.nls	api-ms-win-core-string-l1-1-0.exe
File created	C:\Windows\SysWOW64\api-ms-win-core-processthreads-l1-1-1.exe	api-ms-win-core-console-l1-1-0.exe
File opened for modification	C:\Windows\SysWOW64\aclui.nls	aclui.exe
File opened for modification	C:\Windows\SysWOW64\api-ms-win-core-threadpool-l1-1-0.nls	api-ms-win-core-threadpool-l1-1-0.exe
File created	C:\Windows\SysWOW64\api-ms-win-crt-process-l1-1-0.nls	api-ms-win-crt-process-l1-1-0.exe
File created	C:\Windows\SysWOW64\api-ms-win-crt-filesystem-l1-1-0.exe	apds.exe
File created	C:\Windows\SysWOW64\api-ms-win-crt-utility-l1-1-0.nls	api-ms-win-crt-utility-l1-1-0.exe
File created	C:\Windows\SysWOW64\ActionCenter.nls	ActionCenter.exe
File created	C:\Windows\SysWOW64\AltTab.exe	api-ms-win-core-heap-l1-1-0.exe
File created	C:\Windows\SysWOW64\amstream.nls	amstream.exe
File created	C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.nls	api-ms-win-core-localization-l1-1-0.exe
File opened for modification	C:\Windows\SysWOW64\acledit.nls	acledit.exe
File created	C:\Windows\SysWOW64\amstream.nls	amstream.exe
File created	C:\Windows\SysWOW64\apilogen.exe	api-ms-win-core-xstate-l2-1-0.exe
File created	C:\Windows\SysWOW64\api-ms-win-crt-time-l1-1-0.exe	api-ms-win-core-file-l1-1-0.exe
File opened for modification	C:\Windows\SysWOW64\AudioEng.nls	AudioEng.exe
File created	C:\Windows\SysWOW64\accessibilitycpl.exe	ACCTRES.exe
File opened for modification	C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.nls	api-ms-win-core-errorhandling-l1-1-0.exe
File opened for modification	C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.nls	api-ms-win-core-localization-l1-1-0.exe
File created	C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.nls	api-ms-win-core-string-l1-1-0.exe
File created	C:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-0.exe	api-ms-win-eventing-provider-l1-1-0.exe
File created	C:\Windows\SysWOW64\acledit.nls	acledit.exe
File opened for modification	C:\Windows\SysWOW64\api-ms-win-core-handle-l1-1-0.nls	api-ms-win-core-handle-l1-1-0.exe
File opened for modification	C:\Windows\SysWOW64\ActionCenter.nls	ActionCenter.exe
File created	C:\Windows\SysWOW64\accessibilitycpl.nls	accessibilitycpl.exe
File created	C:\Windows\SysWOW64\amstream.exe	api-ms-win-core-localization-l1-1-0.exe
File opened for modification	C:\Windows\SysWOW64\api-ms-win-core-timezone-l1-1-0.nls	api-ms-win-core-timezone-l1-1-0.exe
File opened for modification	C:\Windows\SysWOW64\apds.nls	apds.exe
File created	C:\Windows\SysWOW64\api-ms-win-core-file-l1-2-0.exe	amstream.exe
File opened for modification	C:\Windows\SysWOW64\api-ms-win-core-util-l1-1-0.nls	api-ms-win-core-util-l1-1-0.exe
File opened for modification	C:\Windows\SysWOW64\apilogen.nls	apilogen.exe
File opened for modification	C:\Windows\SysWOW64\api-ms-win-crt-convert-l1-1-0.nls	api-ms-win-crt-convert-l1-1-0.exe
File created	C:\Windows\SysWOW64\api-ms-win-crt-string-l1-1-0.exe	AudioEng.exe
File opened for modification	C:\Windows\SysWOW64\api-ms-win-core-xstate-l2-1-0.nls	api-ms-win-core-xstate-l2-1-0.exe
File opened for modification	C:\Windows\SysWOW64\advapi32.nls	advapi32.exe
File opened for modification	C:\Windows\SysWOW64\adprovider.nls	adprovider.exe
File opened for modification	C:\Windows\SysWOW64\aeevts.nls	aeevts.exe
File opened for modification	C:\Windows\SysWOW64\api-ms-win-core-sysinfo-l1-1-0.nls	api-ms-win-core-sysinfo-l1-1-0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1504	a0e938be88679df44d7b0802d05393b4d0d59605a7ef4d31031110bd2d827bd4.exe
Token: SeDebugPrivilege	1492	api-ms-win-core-processenvironment-l1-1-0.exe
Token: SeDebugPrivilege	1200	adsmsext.exe
Token: SeDebugPrivilege	1516	api-ms-win-core-delayload-l1-1-0.exe
Token: SeDebugPrivilege	1932	advapi32.exe
Token: SeDebugPrivilege	1352	api-ms-win-service-winsvc-l1-1-0.exe
Token: SeDebugPrivilege	1676	api-ms-win-core-processthreads-l1-1-0.exe
Token: SeDebugPrivilege	2012	api-ms-win-core-interlocked-l1-1-0.exe
Token: SeDebugPrivilege	2008	adprovider.exe
Token: SeDebugPrivilege	1116	amxread.exe
Token: SeDebugPrivilege	1756	api-ms-win-crt-conio-l1-1-0.exe
Token: SeDebugPrivilege	1896	api-ms-win-core-console-l1-1-0.exe
Token: SeDebugPrivilege	1708	api-ms-win-core-processthreads-l1-1-1.exe
Token: SeDebugPrivilege	1616	adtschema.exe
Token: SeDebugPrivilege	1728	adsnt.exe
Token: SeDebugPrivilege	428	ActionCenterCPL.exe
Token: SeDebugPrivilege	2020	ACCTRES.exe
Token: SeDebugPrivilege	1704	api-ms-win-eventing-provider-l1-1-0.exe
Token: SeDebugPrivilege	1648	api-ms-win-core-memory-l1-1-0.exe
Token: SeDebugPrivilege	1820	ActionCenterCPL.exe
Token: SeDebugPrivilege	1940	acledit.exe
Token: SeDebugPrivilege	1932	api-ms-win-crt-math-l1-1-0.exe
Token: SeDebugPrivilege	1396	acppage.exe
Token: SeDebugPrivilege	948	ActionCenter.exe
Token: SeDebugPrivilege	888	api-ms-win-core-synch-l1-2-0.exe
Token: SeDebugPrivilege	1952	aclui.exe
Token: SeDebugPrivilege	1776	accessibilitycpl.exe
Token: SeDebugPrivilege	1376	aeevts.exe
Token: SeDebugPrivilege	1648	api-ms-win-core-misc-l1-1-0.exe
Token: SeDebugPrivilege	432	aaclient.exe
Token: SeDebugPrivilege	1820	advpack.exe
Token: SeDebugPrivilege	1044	adsldpc.exe
Token: SeDebugPrivilege	1320	aecache.exe
Token: SeDebugPrivilege	1140	adsmsext.exe
Token: SeDebugPrivilege	1196	api-ms-win-core-synch-l1-2-0.exe
Token: SeDebugPrivilege	556	adsmsext.exe
Token: SeDebugPrivilege	1844	api-ms-win-crt-convert-l1-1-0.exe
Token: SeDebugPrivilege	1344	api-ms-win-core-rtlsupport-l1-1-0.exe
Token: SeDebugPrivilege	1608	aaclient.exe
Token: SeDebugPrivilege	1032	aclui.exe
Token: SeDebugPrivilege	1180	adsmsext.exe
Token: SeDebugPrivilege	608	api-ms-win-core-io-l1-1-0.exe
Token: SeDebugPrivilege	1200	api-ms-win-core-synch-l1-1-0.exe
Token: SeDebugPrivilege	2008	api-ms-win-downlevel-shlwapi-l1-1-0.exe
Token: SeDebugPrivilege	1544	aclui.exe
Token: SeDebugPrivilege	1732	api-ms-win-core-localregistry-l1-1-0.exe
Token: SeDebugPrivilege	1356	api-ms-win-core-xstate-l1-1-0.exe
Token: SeDebugPrivilege	540	api-ms-win-core-datetime-l1-1-0.exe
Token: SeDebugPrivilege	1220	ACCTRES.exe
Token: SeDebugPrivilege	1788	api-ms-win-core-localization-l1-2-0.exe
Token: SeDebugPrivilege	1488	aclui.exe
Token: SeDebugPrivilege	1296	api-ms-win-core-heap-l1-1-0.exe
Token: SeDebugPrivilege	756	aaclient.exe
Token: SeDebugPrivilege	1704	activeds.exe
Token: SeDebugPrivilege	1008	aaclient.exe
Token: SeDebugPrivilege	1928	AltTab.exe
Token: SeDebugPrivilege	1832	adprovider.exe
Token: SeDebugPrivilege	1660	adsldp.exe
Token: SeDebugPrivilege	1608	AdmTmpl.exe
Token: SeDebugPrivilege	2040	accessibilitycpl.exe
Token: SeDebugPrivilege	1760	capisp.exe
Token: SeDebugPrivilege	1820	AdmTmpl.exe
Token: SeDebugPrivilege	2020	ACCTRES.exe
Token: SeDebugPrivilege	1196	aclui.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1504 wrote to memory of 1492	1504	a0e938be88679df44d7b0802d05393b4d0d59605a7ef4d31031110bd2d827bd4.exe	27
PID 1504 wrote to memory of 1492	1504	a0e938be88679df44d7b0802d05393b4d0d59605a7ef4d31031110bd2d827bd4.exe	27
PID 1504 wrote to memory of 1492	1504	a0e938be88679df44d7b0802d05393b4d0d59605a7ef4d31031110bd2d827bd4.exe	27
PID 1504 wrote to memory of 1492	1504	a0e938be88679df44d7b0802d05393b4d0d59605a7ef4d31031110bd2d827bd4.exe	27
PID 1492 wrote to memory of 1200	1492	api-ms-win-core-processenvironment-l1-1-0.exe	28
PID 1492 wrote to memory of 1200	1492	api-ms-win-core-processenvironment-l1-1-0.exe	28
PID 1492 wrote to memory of 1200	1492	api-ms-win-core-processenvironment-l1-1-0.exe	28
PID 1492 wrote to memory of 1200	1492	api-ms-win-core-processenvironment-l1-1-0.exe	28
PID 1200 wrote to memory of 1516	1200	adsmsext.exe	29
PID 1200 wrote to memory of 1516	1200	adsmsext.exe	29
PID 1200 wrote to memory of 1516	1200	adsmsext.exe	29
PID 1200 wrote to memory of 1516	1200	adsmsext.exe	29
PID 1516 wrote to memory of 1932	1516	api-ms-win-core-delayload-l1-1-0.exe	30
PID 1516 wrote to memory of 1932	1516	api-ms-win-core-delayload-l1-1-0.exe	30
PID 1516 wrote to memory of 1932	1516	api-ms-win-core-delayload-l1-1-0.exe	30
PID 1516 wrote to memory of 1932	1516	api-ms-win-core-delayload-l1-1-0.exe	30
PID 1932 wrote to memory of 1352	1932	advapi32.exe	31
PID 1932 wrote to memory of 1352	1932	advapi32.exe	31
PID 1932 wrote to memory of 1352	1932	advapi32.exe	31
PID 1932 wrote to memory of 1352	1932	advapi32.exe	31
PID 1352 wrote to memory of 1676	1352	api-ms-win-service-winsvc-l1-1-0.exe	32
PID 1352 wrote to memory of 1676	1352	api-ms-win-service-winsvc-l1-1-0.exe	32
PID 1352 wrote to memory of 1676	1352	api-ms-win-service-winsvc-l1-1-0.exe	32
PID 1352 wrote to memory of 1676	1352	api-ms-win-service-winsvc-l1-1-0.exe	32
PID 1676 wrote to memory of 2012	1676	api-ms-win-core-processthreads-l1-1-0.exe	33
PID 1676 wrote to memory of 2012	1676	api-ms-win-core-processthreads-l1-1-0.exe	33
PID 1676 wrote to memory of 2012	1676	api-ms-win-core-processthreads-l1-1-0.exe	33
PID 1676 wrote to memory of 2012	1676	api-ms-win-core-processthreads-l1-1-0.exe	33
PID 2012 wrote to memory of 2008	2012	api-ms-win-core-interlocked-l1-1-0.exe	34
PID 2012 wrote to memory of 2008	2012	api-ms-win-core-interlocked-l1-1-0.exe	34
PID 2012 wrote to memory of 2008	2012	api-ms-win-core-interlocked-l1-1-0.exe	34
PID 2012 wrote to memory of 2008	2012	api-ms-win-core-interlocked-l1-1-0.exe	34
PID 2008 wrote to memory of 1116	2008	adprovider.exe	35
PID 2008 wrote to memory of 1116	2008	adprovider.exe	35
PID 2008 wrote to memory of 1116	2008	adprovider.exe	35
PID 2008 wrote to memory of 1116	2008	adprovider.exe	35
PID 1116 wrote to memory of 1756	1116	amxread.exe	36
PID 1116 wrote to memory of 1756	1116	amxread.exe	36
PID 1116 wrote to memory of 1756	1116	amxread.exe	36
PID 1116 wrote to memory of 1756	1116	amxread.exe	36
PID 1756 wrote to memory of 1896	1756	api-ms-win-crt-conio-l1-1-0.exe	37
PID 1756 wrote to memory of 1896	1756	api-ms-win-crt-conio-l1-1-0.exe	37
PID 1756 wrote to memory of 1896	1756	api-ms-win-crt-conio-l1-1-0.exe	37
PID 1756 wrote to memory of 1896	1756	api-ms-win-crt-conio-l1-1-0.exe	37
PID 1896 wrote to memory of 1708	1896	api-ms-win-core-console-l1-1-0.exe	38
PID 1896 wrote to memory of 1708	1896	api-ms-win-core-console-l1-1-0.exe	38
PID 1896 wrote to memory of 1708	1896	api-ms-win-core-console-l1-1-0.exe	38
PID 1896 wrote to memory of 1708	1896	api-ms-win-core-console-l1-1-0.exe	38
PID 1708 wrote to memory of 1616	1708	api-ms-win-core-processthreads-l1-1-1.exe	39
PID 1708 wrote to memory of 1616	1708	api-ms-win-core-processthreads-l1-1-1.exe	39
PID 1708 wrote to memory of 1616	1708	api-ms-win-core-processthreads-l1-1-1.exe	39
PID 1708 wrote to memory of 1616	1708	api-ms-win-core-processthreads-l1-1-1.exe	39
PID 1616 wrote to memory of 1728	1616	adtschema.exe	40
PID 1616 wrote to memory of 1728	1616	adtschema.exe	40
PID 1616 wrote to memory of 1728	1616	adtschema.exe	40
PID 1616 wrote to memory of 1728	1616	adtschema.exe	40
PID 1728 wrote to memory of 428	1728	adsnt.exe	41
PID 1728 wrote to memory of 428	1728	adsnt.exe	41
PID 1728 wrote to memory of 428	1728	adsnt.exe	41
PID 1728 wrote to memory of 428	1728	adsnt.exe	41
PID 428 wrote to memory of 2020	428	ActionCenterCPL.exe	42
PID 428 wrote to memory of 2020	428	ActionCenterCPL.exe	42
PID 428 wrote to memory of 2020	428	ActionCenterCPL.exe	42
PID 428 wrote to memory of 2020	428	ActionCenterCPL.exe	42

C:\Users\Admin\AppData\Local\Temp\a0e938be88679df44d7b0802d05393b4d0d59605a7ef4d31031110bd2d827bd4.exe
"C:\Users\Admin\AppData\Local\Temp\a0e938be88679df44d7b0802d05393b4d0d59605a7ef4d31031110bd2d827bd4.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1504
- C:\Windows\SysWOW64\api-ms-win-core-processenvironment-l1-1-0.exe
  C:\Windows\system32\api-ms-win-core-processenvironment-l1-1-0.exe -m1504:C:\Users\Admin\AppData\Local\Temp\a0e938be88679df44d7b0802d05393b4d0d59605a7ef4d31031110bd2d827bd4.exe -sC:\Windows\system32
  2⤵
  - Executes dropped EXE
  - Deletes itself
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1492
- - C:\Windows\SysWOW64\adsmsext.exe
    C:\Windows\system32\adsmsext.exe -m1492:C:\Windows\SysWOW64\api-ms-win-core-processenvironment-l1-1-0.exe -sC:\Windows\system32
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1200
  - - C:\Windows\SysWOW64\api-ms-win-core-delayload-l1-1-0.exe
      C:\Windows\system32\api-ms-win-core-delayload-l1-1-0.exe -m1200:C:\Windows\SysWOW64\adsmsext.exe -sC:\Windows\system32
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1516
    - - C:\Windows\SysWOW64\advapi32.exe
        
        C:\Windows\system32\advapi32.exe -m1516:C:\Windows\SysWOW64\api-ms-win-core-delayload-l1-1-0.exe -sC:\Windows\system32
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1932
      - C:\Windows\SysWOW64\api-ms-win-service-winsvc-l1-1-0.exe
        
        C:\Windows\system32\api-ms-win-service-winsvc-l1-1-0.exe -m1932:C:\Windows\SysWOW64\advapi32.exe -sC:\Windows\system32
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1352
        
        C:\Windows\SysWOW64\api-ms-win-core-processthreads-l1-1-0.exe
        
        C:\Windows\system32\api-ms-win-core-processthreads-l1-1-0.exe -m1352:C:\Windows\SysWOW64\api-ms-win-service-winsvc-l1-1-0.exe -sC:\Windows\system32
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1676
        
        C:\Windows\SysWOW64\api-ms-win-core-interlocked-l1-1-0.exe
        
        C:\Windows\system32\api-ms-win-core-interlocked-l1-1-0.exe -m1676:C:\Windows\SysWOW64\api-ms-win-core-processthreads-l1-1-0.exe -sC:\Windows\system32
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2012
        
        C:\Windows\SysWOW64\adprovider.exe
        
        C:\Windows\system32\adprovider.exe -m2012:C:\Windows\SysWOW64\api-ms-win-core-interlocked-l1-1-0.exe -sC:\Windows\system32
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2008
        
        C:\Windows\SysWOW64\amxread.exe
        
        C:\Windows\system32\amxread.exe -m2008:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1116
        
        C:\Windows\SysWOW64\api-ms-win-crt-conio-l1-1-0.exe
        
        C:\Windows\system32\api-ms-win-crt-conio-l1-1-0.exe -m1116:C:\Windows\SysWOW64\amxread.exe -sC:\Windows\system32
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1756
        
        C:\Windows\SysWOW64\api-ms-win-core-console-l1-1-0.exe
        
        C:\Windows\system32\api-ms-win-core-console-l1-1-0.exe -m1756:C:\Windows\SysWOW64\api-ms-win-crt-conio-l1-1-0.exe -sC:\Windows\system32
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1896
        
        C:\Windows\SysWOW64\api-ms-win-core-processthreads-l1-1-1.exe
        
        C:\Windows\system32\api-ms-win-core-processthreads-l1-1-1.exe -m1896:C:\Windows\SysWOW64\api-ms-win-core-console-l1-1-0.exe -sC:\Windows\system32
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1708
        
        C:\Windows\SysWOW64\adtschema.exe
        
        C:\Windows\system32\adtschema.exe -m1708:C:\Windows\SysWOW64\api-ms-win-core-processthreads-l1-1-1.exe -sC:\Windows\system32
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1616
        
        C:\Windows\SysWOW64\adsnt.exe
        
        C:\Windows\system32\adsnt.exe -m1616:C:\Windows\SysWOW64\adtschema.exe -sC:\Windows\system32
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1728
        
        C:\Windows\SysWOW64\ActionCenterCPL.exe
        
        C:\Windows\system32\ActionCenterCPL.exe -m1728:C:\Windows\SysWOW64\adsnt.exe -sC:\Windows\system32
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:428
        
        C:\Windows\SysWOW64\ACCTRES.exe
        
        C:\Windows\system32\ACCTRES.exe -m428:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2020
        
        C:\Windows\SysWOW64\api-ms-win-eventing-provider-l1-1-0.exe
        
        C:\Windows\system32\api-ms-win-eventing-provider-l1-1-0.exe -m2020:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1704
        
        C:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-0.exe
        
        C:\Windows\system32\api-ms-win-core-memory-l1-1-0.exe -m1704:C:\Windows\SysWOW64\api-ms-win-eventing-provider-l1-1-0.exe -sC:\Windows\system32
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:1648
        
        C:\Windows\SysWOW64\ActionCenterCPL.exe
        
        C:\Windows\system32\ActionCenterCPL.exe -m1648:C:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-0.exe -sC:\Windows\system32
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:1820
        
        C:\Windows\SysWOW64\acledit.exe
        
        C:\Windows\system32\acledit.exe -m1820:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:1940
        
        C:\Windows\SysWOW64\api-ms-win-crt-math-l1-1-0.exe
        
        C:\Windows\system32\api-ms-win-crt-math-l1-1-0.exe -m1940:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:1932
        
        C:\Windows\SysWOW64\acppage.exe
        
        C:\Windows\system32\acppage.exe -m1932:C:\Windows\SysWOW64\api-ms-win-crt-math-l1-1-0.exe -sC:\Windows\system32
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:1396
        
        C:\Windows\SysWOW64\ActionCenter.exe
        
        C:\Windows\system32\ActionCenter.exe -m1396:C:\Windows\SysWOW64\acppage.exe -sC:\Windows\system32
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:948
        
        C:\Windows\SysWOW64\api-ms-win-core-synch-l1-2-0.exe
        
        C:\Windows\system32\api-ms-win-core-synch-l1-2-0.exe -m948:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:888
        
        C:\Windows\SysWOW64\aclui.exe
        
        C:\Windows\system32\aclui.exe -m888:C:\Windows\SysWOW64\api-ms-win-core-synch-l1-2-0.exe -sC:\Windows\system32
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:1952
        
        C:\Windows\SysWOW64\accessibilitycpl.exe
        
        C:\Windows\system32\accessibilitycpl.exe -m1952:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:1776
        
        C:\Windows\SysWOW64\aeevts.exe
        
        C:\Windows\system32\aeevts.exe -m1776:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1376
        
        C:\Windows\SysWOW64\api-ms-win-core-misc-l1-1-0.exe
        
        C:\Windows\system32\api-ms-win-core-misc-l1-1-0.exe -m1376:C:\Windows\SysWOW64\aeevts.exe -sC:\Windows\system32
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:1648
        
        C:\Windows\SysWOW64\aaclient.exe
        
        C:\Windows\system32\aaclient.exe -m1648:C:\Windows\SysWOW64\api-ms-win-core-misc-l1-1-0.exe -sC:\Windows\system32
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:432
        
        C:\Windows\SysWOW64\advpack.exe
        
        C:\Windows\system32\advpack.exe -m432:C:\Windows\SysWOW64\aaclient.exe -sC:\Windows\system32
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:1820
        
        C:\Windows\SysWOW64\adsldpc.exe
        
        C:\Windows\system32\adsldpc.exe -m1820:C:\Windows\SysWOW64\advpack.exe -sC:\Windows\system32
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1044
        
        C:\Windows\SysWOW64\aecache.exe
        
        C:\Windows\system32\aecache.exe -m1044:C:\Windows\SysWOW64\adsldpc.exe -sC:\Windows\system32
        33⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1320
        
        C:\Windows\SysWOW64\adsmsext.exe
        
        C:\Windows\system32\adsmsext.exe -m1320:C:\Windows\SysWOW64\aecache.exe -sC:\Windows\system32
        34⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1140
        
        C:\Windows\SysWOW64\api-ms-win-core-synch-l1-2-0.exe
        
        C:\Windows\system32\api-ms-win-core-synch-l1-2-0.exe -m1140:C:\Windows\SysWOW64\adsmsext.exe -sC:\Windows\system32
        35⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1196
        
        C:\Windows\SysWOW64\adsmsext.exe
        
        C:\Windows\system32\adsmsext.exe -m1196:C:\Windows\SysWOW64\api-ms-win-core-synch-l1-2-0.exe -sC:\Windows\system32
        36⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:556
        
        C:\Windows\SysWOW64\api-ms-win-crt-convert-l1-1-0.exe
        
        C:\Windows\system32\api-ms-win-crt-convert-l1-1-0.exe -m556:C:\Windows\SysWOW64\adsmsext.exe -sC:\Windows\system32
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1844
        
        C:\Windows\SysWOW64\api-ms-win-core-rtlsupport-l1-1-0.exe
        
        C:\Windows\system32\api-ms-win-core-rtlsupport-l1-1-0.exe -m1844:C:\Windows\SysWOW64\api-ms-win-crt-convert-l1-1-0.exe -sC:\Windows\system32
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1344
        
        C:\Windows\SysWOW64\aaclient.exe
        
        C:\Windows\system32\aaclient.exe -m1344:C:\Windows\SysWOW64\api-ms-win-core-rtlsupport-l1-1-0.exe -sC:\Windows\system32
        39⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1608
        
        C:\Windows\SysWOW64\aclui.exe
        
        C:\Windows\system32\aclui.exe -m1608:C:\Windows\SysWOW64\aaclient.exe -sC:\Windows\system32
        40⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1032
        
        C:\Windows\SysWOW64\adsmsext.exe
        
        C:\Windows\system32\adsmsext.exe -m1032:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32
        41⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1180
        
        C:\Windows\SysWOW64\api-ms-win-core-io-l1-1-0.exe
        
        C:\Windows\system32\api-ms-win-core-io-l1-1-0.exe -m1180:C:\Windows\SysWOW64\adsmsext.exe -sC:\Windows\system32
        42⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:608
        
        C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.exe
        
        C:\Windows\system32\api-ms-win-core-synch-l1-1-0.exe -m608:C:\Windows\SysWOW64\api-ms-win-core-io-l1-1-0.exe -sC:\Windows\system32
        43⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1200
        
        C:\Windows\SysWOW64\api-ms-win-downlevel-shlwapi-l1-1-0.exe
        
        C:\Windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.exe -m1200:C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.exe -sC:\Windows\system32
        44⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2008
        
        C:\Windows\SysWOW64\aclui.exe
        
        C:\Windows\system32\aclui.exe -m2008:C:\Windows\SysWOW64\api-ms-win-downlevel-shlwapi-l1-1-0.exe -sC:\Windows\system32
        45⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1544
        
        C:\Windows\SysWOW64\api-ms-win-core-localregistry-l1-1-0.exe
        
        C:\Windows\system32\api-ms-win-core-localregistry-l1-1-0.exe -m1544:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32
        46⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1732
        
        C:\Windows\SysWOW64\api-ms-win-core-xstate-l1-1-0.exe
        
        C:\Windows\system32\api-ms-win-core-xstate-l1-1-0.exe -m1732:C:\Windows\SysWOW64\api-ms-win-core-localregistry-l1-1-0.exe -sC:\Windows\system32
        47⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1356
        
        C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.exe
        
        C:\Windows\system32\api-ms-win-core-datetime-l1-1-0.exe -m1356:C:\Windows\SysWOW64\api-ms-win-core-xstate-l1-1-0.exe -sC:\Windows\system32
        48⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:540
        
        C:\Windows\SysWOW64\ACCTRES.exe
        
        C:\Windows\system32\ACCTRES.exe -m540:C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.exe -sC:\Windows\system32
        49⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1220
        
        C:\Windows\SysWOW64\api-ms-win-core-localization-l1-2-0.exe
        
        C:\Windows\system32\api-ms-win-core-localization-l1-2-0.exe -m1220:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32
        50⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1788
        
        C:\Windows\SysWOW64\aclui.exe
        
        C:\Windows\system32\aclui.exe -m1788:C:\Windows\SysWOW64\api-ms-win-core-localization-l1-2-0.exe -sC:\Windows\system32
        51⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1488
        
        C:\Windows\SysWOW64\api-ms-win-core-heap-l1-1-0.exe
        
        C:\Windows\system32\api-ms-win-core-heap-l1-1-0.exe -m1488:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32
        52⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1296
        
        C:\Windows\SysWOW64\aaclient.exe
        
        C:\Windows\system32\aaclient.exe -m1296:C:\Windows\SysWOW64\api-ms-win-core-heap-l1-1-0.exe -sC:\Windows\system32
        53⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:756
        
        C:\Windows\SysWOW64\activeds.exe
        
        C:\Windows\system32\activeds.exe -m756:C:\Windows\SysWOW64\aaclient.exe -sC:\Windows\system32
        54⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1704
        
        C:\Windows\SysWOW64\aaclient.exe
        
        C:\Windows\system32\aaclient.exe -m1704:C:\Windows\SysWOW64\activeds.exe -sC:\Windows\system32
        55⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1008
        
        C:\Windows\SysWOW64\AltTab.exe
        
        C:\Windows\system32\AltTab.exe -m1008:C:\Windows\SysWOW64\aaclient.exe -sC:\Windows\system32
        56⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1928
        
        C:\Windows\SysWOW64\adprovider.exe
        
        C:\Windows\system32\adprovider.exe -m1928:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32
        57⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1832
        
        C:\Windows\SysWOW64\adsldp.exe
        
        C:\Windows\system32\adsldp.exe -m1832:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1660
        
        C:\Windows\SysWOW64\AdmTmpl.exe
        
        C:\Windows\system32\AdmTmpl.exe -m1660:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32
        59⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1608
        
        C:\Windows\SysWOW64\accessibilitycpl.exe
        
        C:\Windows\system32\accessibilitycpl.exe -m1608:C:\Windows\SysWOW64\AdmTmpl.exe -sC:\Windows\system32
        60⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2040
        
        C:\Windows\SysWOW64\capisp.exe
        
        C:\Windows\system32\capisp.exe -m2040:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32
        61⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1760
        
        C:\Windows\SysWOW64\AdmTmpl.exe
        
        C:\Windows\system32\AdmTmpl.exe -m1760:C:\Windows\SysWOW64\capisp.exe -sC:\Windows\system32
        62⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1820
        
        C:\Windows\SysWOW64\ACCTRES.exe
        
        C:\Windows\system32\ACCTRES.exe -m1820:C:\Windows\SysWOW64\AdmTmpl.exe -sC:\Windows\system32
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2020
        
        C:\Windows\SysWOW64\aclui.exe
        
        C:\Windows\system32\aclui.exe -m2020:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32
        64⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1196
        
        C:\Windows\SysWOW64\api-ms-win-crt-process-l1-1-0.exe
        
        C:\Windows\system32\api-ms-win-crt-process-l1-1-0.exe -m1196:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32
        65⤵
        Executes dropped EXE
        
        PID:556
        
        C:\Windows\SysWOW64\acledit.exe
        
        C:\Windows\system32\acledit.exe -m556:C:\Windows\SysWOW64\api-ms-win-crt-process-l1-1-0.exe -sC:\Windows\system32
        66⤵
        Drops file in System32 directory
        
        PID:1844
        
        C:\Windows\SysWOW64\api-ms-win-core-libraryloader-l1-1-0.exe
        
        C:\Windows\system32\api-ms-win-core-libraryloader-l1-1-0.exe -m1844:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32
        67⤵
        
        PID:1112
        
        C:\Windows\SysWOW64\AltTab.exe
        
        C:\Windows\system32\AltTab.exe -m1112:C:\Windows\SysWOW64\api-ms-win-core-libraryloader-l1-1-0.exe -sC:\Windows\system32
        68⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\aclui.exe
        
        C:\Windows\system32\aclui.exe -m1932:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32
        69⤵
        Drops file in System32 directory
        
        PID:1032
        
        C:\Windows\SysWOW64\actxprxy.exe
        
        C:\Windows\system32\actxprxy.exe -m1032:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32
        70⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\ACCTRES.exe
        
        C:\Windows\system32\ACCTRES.exe -m1728:C:\Windows\SysWOW64\actxprxy.exe -sC:\Windows\system32
        71⤵
        Drops file in System32 directory
        
        PID:880
        
        C:\Windows\SysWOW64\aaclient.exe
        
        C:\Windows\system32\aaclient.exe -m880:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32
        72⤵
        
        PID:620
        
        C:\Windows\SysWOW64\activeds.exe
        
        C:\Windows\system32\activeds.exe -m620:C:\Windows\SysWOW64\aaclient.exe -sC:\Windows\system32
        73⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.exe
        
        C:\Windows\system32\api-ms-win-core-synch-l1-1-0.exe -m1576:C:\Windows\SysWOW64\activeds.exe -sC:\Windows\system32
        74⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\api-ms-win-core-timezone-l1-1-0.exe
        
        C:\Windows\system32\api-ms-win-core-timezone-l1-1-0.exe -m1952:C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.exe -sC:\Windows\system32
        75⤵
        
        PID:768
        
        C:\Windows\SysWOW64\accessibilitycpl.exe
        
        C:\Windows\system32\accessibilitycpl.exe -m768:C:\Windows\SysWOW64\api-ms-win-core-timezone-l1-1-0.exe -sC:\Windows\system32
        76⤵
        Drops file in System32 directory
        
        PID:848
        
        C:\Windows\SysWOW64\api-ms-win-core-fibers-l1-1-0.exe
        
        C:\Windows\system32\api-ms-win-core-fibers-l1-1-0.exe -m848:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32
        77⤵
        
        PID:516
        
        C:\Windows\SysWOW64\api-ms-win-core-rtlsupport-l1-1-0.exe
        
        C:\Windows\system32\api-ms-win-core-rtlsupport-l1-1-0.exe -m516:C:\Windows\SysWOW64\api-ms-win-core-fibers-l1-1-0.exe -sC:\Windows\system32
        78⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\acledit.exe
        
        C:\Windows\system32\acledit.exe -m1924:C:\Windows\SysWOW64\api-ms-win-core-rtlsupport-l1-1-0.exe -sC:\Windows\system32
        79⤵
        Drops file in System32 directory
        
        PID:1896
        
        C:\Windows\SysWOW64\bitsperf.exe
        
        C:\Windows\system32\bitsperf.exe -m1896:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32
        80⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\aclui.exe
        
        C:\Windows\system32\aclui.exe -m1828:C:\Windows\SysWOW64\bitsperf.exe -sC:\Windows\system32
        81⤵
        
        PID:1308
        
        C:\Windows\SysWOW64\api-ms-win-crt-heap-l1-1-0.exe
        
        C:\Windows\system32\api-ms-win-crt-heap-l1-1-0.exe -m1308:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32
        82⤵
        Drops file in System32 directory
        
        PID:2012
        
        C:\Windows\SysWOW64\amstream.exe
        
        C:\Windows\system32\amstream.exe -m2012:C:\Windows\SysWOW64\api-ms-win-crt-heap-l1-1-0.exe -sC:\Windows\system32
        83⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\activeds.exe
        
        C:\Windows\system32\activeds.exe -m1040:C:\Windows\SysWOW64\amstream.exe -sC:\Windows\system32
        84⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\apds.exe
        
        C:\Windows\system32\apds.exe -m1920:C:\Windows\SysWOW64\activeds.exe -sC:\Windows\system32
        85⤵
        
        PID:1888
        
        C:\Windows\SysWOW64\activeds.exe
        
        C:\Windows\system32\activeds.exe -m1888:C:\Windows\SysWOW64\apds.exe -sC:\Windows\system32
        86⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.exe
        
        C:\Windows\system32\api-ms-win-core-namedpipe-l1-1-0.exe -m1668:C:\Windows\SysWOW64\activeds.exe -sC:\Windows\system32
        87⤵
        
        PID:556
        
        C:\Windows\SysWOW64\acledit.exe
        
        C:\Windows\system32\acledit.exe -m556:C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.exe -sC:\Windows\system32
        88⤵
        
        PID:1844
        
        C:\Windows\SysWOW64\activeds.exe
        
        C:\Windows\system32\activeds.exe -m1844:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32
        89⤵
        
        PID:976
        
        C:\Windows\SysWOW64\ACCTRES.exe
        
        C:\Windows\system32\ACCTRES.exe -m976:C:\Windows\SysWOW64\activeds.exe -sC:\Windows\system32
        90⤵
        Drops file in System32 directory
        
        PID:1884
        
        C:\Windows\SysWOW64\activeds.exe
        
        C:\Windows\system32\activeds.exe -m1884:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32
        91⤵
        
        PID:1080
        
        C:\Windows\SysWOW64\ACCTRES.exe
        
        C:\Windows\system32\ACCTRES.exe -m1080:C:\Windows\SysWOW64\activeds.exe -sC:\Windows\system32
        92⤵
        Drops file in System32 directory
        
        PID:676
        
        C:\Windows\SysWOW64\activeds.exe
        
        C:\Windows\system32\activeds.exe -m676:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32
        93⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\api-ms-win-core-misc-l1-1-0.exe
        
        C:\Windows\system32\api-ms-win-core-misc-l1-1-0.exe -m2012:C:\Windows\SysWOW64\activeds.exe -sC:\Windows\system32
        94⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\ACCTRES.exe
        
        C:\Windows\system32\ACCTRES.exe -m2020:C:\Windows\SysWOW64\api-ms-win-core-misc-l1-1-0.exe -sC:\Windows\system32
        95⤵
        Drops file in System32 directory
        
        PID:2036
        
        C:\Windows\SysWOW64\accessibilitycpl.exe
        
        C:\Windows\system32\accessibilitycpl.exe -m2036:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32
        96⤵
        
        PID:1376
        
        C:\Windows\SysWOW64\ACCTRES.exe
        
        C:\Windows\system32\ACCTRES.exe -m1376:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32
        97⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\accessibilitycpl.exe
        
        C:\Windows\system32\accessibilitycpl.exe -m1648:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32
        98⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\api-ms-win-core-heap-l1-1-0.exe
        
        C:\Windows\system32\api-ms-win-core-heap-l1-1-0.exe -m1776:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32
        99⤵
        Drops file in System32 directory
        
        PID:1620
        
        C:\Windows\SysWOW64\AltTab.exe
        
        C:\Windows\system32\AltTab.exe -m1620:C:\Windows\SysWOW64\api-ms-win-core-heap-l1-1-0.exe -sC:\Windows\system32
        100⤵
        
        PID:1344
        
        C:\Windows\SysWOW64\api-ms-win-crt-stdio-l1-1-0.exe
        
        C:\Windows\system32\api-ms-win-crt-stdio-l1-1-0.exe -m1344:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32
        101⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\amstream.exe
        
        C:\Windows\system32\amstream.exe -m1084:C:\Windows\SysWOW64\api-ms-win-crt-stdio-l1-1-0.exe -sC:\Windows\system32
        102⤵
        
        PID:1296
        
        C:\Windows\SysWOW64\aecache.exe
        
        C:\Windows\system32\aecache.exe -m1296:C:\Windows\SysWOW64\amstream.exe -sC:\Windows\system32
        103⤵
        Drops file in System32 directory
        
        PID:1036
        
        C:\Windows\SysWOW64\api-ms-win-core-handle-l1-1-0.exe
        
        C:\Windows\system32\api-ms-win-core-handle-l1-1-0.exe -m1036:C:\Windows\SysWOW64\aecache.exe -sC:\Windows\system32
        104⤵
        Drops file in System32 directory
        
        PID:1456
        
        C:\Windows\SysWOW64\api-ms-win-core-file-l2-1-0.exe
        
        C:\Windows\system32\api-ms-win-core-file-l2-1-0.exe -m1456:C:\Windows\SysWOW64\api-ms-win-core-handle-l1-1-0.exe -sC:\Windows\system32
        105⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\api-ms-win-crt-utility-l1-1-0.exe
        
        C:\Windows\system32\api-ms-win-crt-utility-l1-1-0.exe -m1704:C:\Windows\SysWOW64\api-ms-win-core-file-l2-1-0.exe -sC:\Windows\system32
        106⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\api-ms-win-core-misc-l1-1-0.exe
        
        C:\Windows\system32\api-ms-win-core-misc-l1-1-0.exe -m1944:C:\Windows\SysWOW64\api-ms-win-crt-utility-l1-1-0.exe -sC:\Windows\system32
        107⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\amstream.exe
        
        C:\Windows\system32\amstream.exe -m1720:C:\Windows\SysWOW64\api-ms-win-core-misc-l1-1-0.exe -sC:\Windows\system32
        108⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\api-ms-win-core-localregistry-l1-1-0.exe
        
        C:\Windows\system32\api-ms-win-core-localregistry-l1-1-0.exe -m1624:C:\Windows\SysWOW64\amstream.exe -sC:\Windows\system32
        109⤵
        
        PID:1904
        
        C:\Windows\SysWOW64\amstream.exe
        
        C:\Windows\system32\amstream.exe -m1904:C:\Windows\SysWOW64\api-ms-win-core-localregistry-l1-1-0.exe -sC:\Windows\system32
        110⤵
        Drops file in System32 directory
        
        PID:1604
        
        C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.exe
        
        C:\Windows\system32\api-ms-win-core-string-l1-1-0.exe -m1604:C:\Windows\SysWOW64\amstream.exe -sC:\Windows\system32
        111⤵
        
        PID:1308
        
        C:\Windows\SysWOW64\api-ms-win-crt-filesystem-l1-1-0.exe
        
        C:\Windows\system32\api-ms-win-crt-filesystem-l1-1-0.exe -m1308:C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.exe -sC:\Windows\system32
        112⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.exe
        
        C:\Windows\system32\api-ms-win-core-localization-l1-1-0.exe -m1156:C:\Windows\SysWOW64\api-ms-win-crt-filesystem-l1-1-0.exe -sC:\Windows\system32
        113⤵
        
        PID:960
        
        C:\Windows\SysWOW64\apds.exe
        
        C:\Windows\system32\apds.exe -m960:C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.exe -sC:\Windows\system32
        114⤵
        
        PID:300
        
        C:\Windows\SysWOW64\api-ms-win-core-debug-l1-1-0.exe
        
        C:\Windows\system32\api-ms-win-core-debug-l1-1-0.exe -m300:C:\Windows\SysWOW64\apds.exe -sC:\Windows\system32
        115⤵
        
        PID:628
        
        C:\Windows\SysWOW64\api-ms-win-core-fibers-l1-1-0.exe
        
        C:\Windows\system32\api-ms-win-core-fibers-l1-1-0.exe -m628:C:\Windows\SysWOW64\api-ms-win-core-debug-l1-1-0.exe -sC:\Windows\system32
        116⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\api-ms-win-core-timezone-l1-1-0.exe
        
        C:\Windows\system32\api-ms-win-core-timezone-l1-1-0.exe -m1992:C:\Windows\SysWOW64\api-ms-win-core-fibers-l1-1-0.exe -sC:\Windows\system32
        117⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.exe
        
        C:\Windows\system32\api-ms-win-core-errorhandling-l1-1-0.exe -m2036:C:\Windows\SysWOW64\api-ms-win-core-timezone-l1-1-0.exe -sC:\Windows\system32
        118⤵
        Drops file in System32 directory
        
        PID:1220
        
        C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.exe
        
        C:\Windows\system32\api-ms-win-core-localization-l1-1-0.exe -m1220:C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.exe -sC:\Windows\system32
        119⤵
        Drops file in System32 directory
        
        PID:1720
        
        C:\Windows\SysWOW64\amstream.exe
        
        C:\Windows\system32\amstream.exe -m1720:C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.exe -sC:\Windows\system32
        120⤵
        
        PID:740
        
        C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.exe
        
        C:\Windows\system32\api-ms-win-core-synch-l1-1-0.exe -m740:C:\Windows\SysWOW64\amstream.exe -sC:\Windows\system32
        121⤵
        
        PID:1288
        
        C:\Windows\SysWOW64\atmlib.exe
        
        C:\Windows\system32\atmlib.exe -m1288:C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.exe -sC:\Windows\system32
        122⤵
        
        PID:428
        
        C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.exe
        
        C:\Windows\system32\api-ms-win-core-datetime-l1-1-0.exe -m428:C:\Windows\SysWOW64\atmlib.exe -sC:\Windows\system32
        123⤵
        
        PID:600
        
        C:\Windows\SysWOW64\api-ms-win-core-heap-l1-1-0.exe
        
        C:\Windows\system32\api-ms-win-core-heap-l1-1-0.exe -m600:C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.exe -sC:\Windows\system32
        124⤵
        
        PID:1048
        
        C:\Windows\SysWOW64\api-ms-win-core-file-l1-2-0.exe
        
        C:\Windows\system32\api-ms-win-core-file-l1-2-0.exe -m1048:C:\Windows\SysWOW64\api-ms-win-core-heap-l1-1-0.exe -sC:\Windows\system32
        125⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\api-ms-win-crt-convert-l1-1-0.exe
        
        C:\Windows\system32\api-ms-win-crt-convert-l1-1-0.exe -m1552:C:\Windows\SysWOW64\api-ms-win-core-file-l1-2-0.exe -sC:\Windows\system32
        126⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\api-ms-win-core-rtlsupport-l1-1-0.exe
        
        C:\Windows\system32\api-ms-win-core-rtlsupport-l1-1-0.exe -m2044:C:\Windows\SysWOW64\api-ms-win-crt-convert-l1-1-0.exe -sC:\Windows\system32
        127⤵
        Drops file in System32 directory
        
        PID:1896
        
        C:\Windows\SysWOW64\api-ms-win-core-debug-l1-1-0.exe
        
        C:\Windows\system32\api-ms-win-core-debug-l1-1-0.exe -m1896:C:\Windows\SysWOW64\api-ms-win-core-rtlsupport-l1-1-0.exe -sC:\Windows\system32
        128⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.exe
        
        C:\Windows\system32\api-ms-win-core-datetime-l1-1-0.exe -m1944:C:\Windows\SysWOW64\api-ms-win-core-debug-l1-1-0.exe -sC:\Windows\system32
        129⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\api-ms-win-core-file-l1-1-0.exe
        
        C:\Windows\system32\api-ms-win-core-file-l1-1-0.exe -m1008:C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.exe -sC:\Windows\system32
        130⤵
        
        PID:556
        
        C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.exe
        
        C:\Windows\system32\api-ms-win-core-string-l1-1-0.exe -m556:C:\Windows\SysWOW64\api-ms-win-core-file-l1-1-0.exe -sC:\Windows\system32
        131⤵
        Drops file in System32 directory
        
        PID:2028
        
        C:\Windows\SysWOW64\amstream.exe
        
        C:\Windows\system32\amstream.exe -m2028:C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.exe -sC:\Windows\system32
        132⤵
        Drops file in System32 directory
        
        PID:316
        
        C:\Windows\SysWOW64\api-ms-win-core-rtlsupport-l1-1-0.exe
        
        C:\Windows\system32\api-ms-win-core-rtlsupport-l1-1-0.exe -m316:C:\Windows\SysWOW64\amstream.exe -sC:\Windows\system32
        133⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\api-ms-win-core-handle-l1-1-0.exe
        
        C:\Windows\system32\api-ms-win-core-handle-l1-1-0.exe -m2008:C:\Windows\SysWOW64\api-ms-win-core-rtlsupport-l1-1-0.exe -sC:\Windows\system32
        134⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\appmgmts.exe
        
        C:\Windows\system32\appmgmts.exe -m1716:C:\Windows\SysWOW64\api-ms-win-core-handle-l1-1-0.exe -sC:\Windows\system32
        135⤵
        Drops file in System32 directory
        
        PID:960
        
        C:\Windows\SysWOW64\amstream.exe
        
        C:\Windows\system32\amstream.exe -m960:C:\Windows\SysWOW64\appmgmts.exe -sC:\Windows\system32
        136⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\api-ms-win-core-io-l1-1-0.exe
        
        C:\Windows\system32\api-ms-win-core-io-l1-1-0.exe -m1576:C:\Windows\SysWOW64\amstream.exe -sC:\Windows\system32
        137⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\api-ms-win-core-debug-l1-1-0.exe
        
        C:\Windows\system32\api-ms-win-core-debug-l1-1-0.exe -m1916:C:\Windows\SysWOW64\api-ms-win-core-io-l1-1-0.exe -sC:\Windows\system32
        138⤵
        
        PID:940
        
        C:\Windows\SysWOW64\colbact.exe
        
        C:\Windows\system32\colbact.exe -m940:C:\Windows\SysWOW64\api-ms-win-core-debug-l1-1-0.exe -sC:\Windows\system32
        139⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\api-ms-win-core-handle-l1-1-0.exe
        
        C:\Windows\system32\api-ms-win-core-handle-l1-1-0.exe -m1980:C:\Windows\SysWOW64\colbact.exe -sC:\Windows\system32
        140⤵
        
        PID:1220
        
        C:\Windows\SysWOW64\api-ms-win-core-rtlsupport-l1-1-0.exe
        
        C:\Windows\system32\api-ms-win-core-rtlsupport-l1-1-0.exe -m1220:C:\Windows\SysWOW64\api-ms-win-core-handle-l1-1-0.exe -sC:\Windows\system32
        141⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.exe
        
        C:\Windows\system32\api-ms-win-core-localization-l1-1-0.exe -m1720:C:\Windows\SysWOW64\api-ms-win-core-rtlsupport-l1-1-0.exe -sC:\Windows\system32
        142⤵
        Drops file in System32 directory
        
        PID:1616
        
        C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.exe
        
        C:\Windows\system32\api-ms-win-core-datetime-l1-1-0.exe -m1616:C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.exe -sC:\Windows\system32
        143⤵
        
        PID:1032
        
        C:\Windows\SysWOW64\api-ms-win-core-file-l2-1-0.exe
        
        C:\Windows\system32\api-ms-win-core-file-l2-1-0.exe -m1032:C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.exe -sC:\Windows\system32
        144⤵
        
        PID:1888
        
        C:\Windows\SysWOW64\api-ms-win-service-management-l1-1-0.exe
        
        C:\Windows\system32\api-ms-win-service-management-l1-1-0.exe -m1888:C:\Windows\SysWOW64\api-ms-win-core-file-l2-1-0.exe -sC:\Windows\system32
        145⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\api-ms-win-downlevel-normaliz-l1-1-0.exe
        
        C:\Windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.exe -m1608:C:\Windows\SysWOW64\api-ms-win-service-management-l1-1-0.exe -sC:\Windows\system32
        146⤵
        
        PID:1056
        
        C:\Windows\SysWOW64\api-ms-win-core-file-l2-1-0.exe
        
        C:\Windows\system32\api-ms-win-core-file-l2-1-0.exe -m1056:C:\Windows\SysWOW64\api-ms-win-downlevel-normaliz-l1-1-0.exe -sC:\Windows\system32
        147⤵
        
        PID:768
        
        C:\Windows\SysWOW64\api-ms-win-core-file-l1-2-0.exe
        
        C:\Windows\system32\api-ms-win-core-file-l1-2-0.exe -m768:C:\Windows\SysWOW64\api-ms-win-core-file-l2-1-0.exe -sC:\Windows\system32
        148⤵
        
        PID:916
        
        C:\Windows\SysWOW64\api-ms-win-core-file-l1-1-0.exe
        
        C:\Windows\system32\api-ms-win-core-file-l1-1-0.exe -m916:C:\Windows\SysWOW64\api-ms-win-core-file-l1-2-0.exe -sC:\Windows\system32
        149⤵
        
        PID:696
        
        C:\Windows\SysWOW64\api-ms-win-core-file-l1-2-0.exe
        
        C:\Windows\system32\api-ms-win-core-file-l1-2-0.exe -m696:C:\Windows\SysWOW64\api-ms-win-core-file-l1-1-0.exe -sC:\Windows\system32
        150⤵
        
        PID:940
        
        C:\Windows\SysWOW64\api-ms-win-crt-runtime-l1-1-0.exe
        
        C:\Windows\system32\api-ms-win-crt-runtime-l1-1-0.exe -m940:C:\Windows\SysWOW64\api-ms-win-core-file-l1-2-0.exe -sC:\Windows\system32
        151⤵
        Drops file in System32 directory
        
        PID:1044
        
        C:\Windows\SysWOW64\api-ms-win-core-file-l1-1-0.exe
        
        C:\Windows\system32\api-ms-win-core-file-l1-1-0.exe -m1044:C:\Windows\SysWOW64\api-ms-win-crt-runtime-l1-1-0.exe -sC:\Windows\system32
        152⤵
        Drops file in System32 directory
        
        PID:556
        
        C:\Windows\SysWOW64\api-ms-win-core-xstate-l2-1-0.exe
        
        C:\Windows\system32\api-ms-win-core-xstate-l2-1-0.exe -m556:C:\Windows\SysWOW64\api-ms-win-core-file-l1-1-0.exe -sC:\Windows\system32
        153⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.exe
        
        C:\Windows\system32\api-ms-win-core-datetime-l1-1-0.exe -m1808:C:\Windows\SysWOW64\api-ms-win-core-xstate-l2-1-0.exe -sC:\Windows\system32
        154⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\api-ms-win-core-file-l1-2-0.exe
        
        C:\Windows\system32\api-ms-win-core-file-l1-2-0.exe -m2016:C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.exe -sC:\Windows\system32
        155⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\api-ms-win-core-xstate-l2-1-0.exe
        
        C:\Windows\system32\api-ms-win-core-xstate-l2-1-0.exe -m1788:C:\Windows\SysWOW64\api-ms-win-core-file-l1-2-0.exe -sC:\Windows\system32
        156⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\api-ms-win-core-rtlsupport-l1-1-0.exe
        
        C:\Windows\system32\api-ms-win-core-rtlsupport-l1-1-0.exe -m1716:C:\Windows\SysWOW64\api-ms-win-core-xstate-l2-1-0.exe -sC:\Windows\system32
        157⤵
        
        PID:840
        
        C:\Windows\SysWOW64\api-ms-win-downlevel-ole32-l1-1-0.exe
        
        C:\Windows\system32\api-ms-win-downlevel-ole32-l1-1-0.exe -m840:C:\Windows\SysWOW64\api-ms-win-core-rtlsupport-l1-1-0.exe -sC:\Windows\system32
        158⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\amstream.exe
        
        C:\Windows\system32\amstream.exe -m1648:C:\Windows\SysWOW64\api-ms-win-downlevel-ole32-l1-1-0.exe -sC:\Windows\system32
        159⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\api-ms-win-core-xstate-l2-1-0.exe
        
        C:\Windows\system32\api-ms-win-core-xstate-l2-1-0.exe -m1752:C:\Windows\SysWOW64\amstream.exe -sC:\Windows\system32
        160⤵
        
        PID:1832
        
        C:\Windows\SysWOW64\api-ms-win-core-file-l1-2-0.exe
        
        C:\Windows\system32\api-ms-win-core-file-l1-2-0.exe -m1832:C:\Windows\SysWOW64\api-ms-win-core-xstate-l2-1-0.exe -sC:\Windows\system32
        161⤵
        
        PID:1180
        
        C:\Windows\SysWOW64\api-ms-win-core-file-l1-1-0.exe
        
        C:\Windows\system32\api-ms-win-core-file-l1-1-0.exe -m1180:C:\Windows\SysWOW64\api-ms-win-core-file-l1-2-0.exe -sC:\Windows\system32
        162⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.exe
        
        C:\Windows\system32\api-ms-win-core-datetime-l1-1-0.exe -m1972:C:\Windows\SysWOW64\api-ms-win-core-file-l1-1-0.exe -sC:\Windows\system32
        163⤵
        Drops file in System32 directory
        
        PID:1352
        
        C:\Windows\SysWOW64\amstream.exe
        
        C:\Windows\system32\amstream.exe -m1352:C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.exe -sC:\Windows\system32
        164⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\AppIdPolicyEngineApi.exe
        
        C:\Windows\system32\AppIdPolicyEngineApi.exe -m1736:C:\Windows\SysWOW64\amstream.exe -sC:\Windows\system32
        165⤵
        
        PID:276
        
        C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.exe
        
        C:\Windows\system32\api-ms-win-core-synch-l1-1-0.exe -m276:C:\Windows\SysWOW64\AppIdPolicyEngineApi.exe -sC:\Windows\system32
        166⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.exe
        
        C:\Windows\system32\api-ms-win-core-datetime-l1-1-0.exe -m2008:C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.exe -sC:\Windows\system32
        167⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\apds.exe
        
        C:\Windows\system32\apds.exe -m1624:C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.exe -sC:\Windows\system32
        168⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\autoplay.exe
        
        C:\Windows\system32\autoplay.exe -m1644:C:\Windows\SysWOW64\apds.exe -sC:\Windows\system32
        169⤵
        Drops file in System32 directory
        
        PID:924
        
        C:\Windows\SysWOW64\api-ms-win-core-profile-l1-1-0.exe
        
        C:\Windows\system32\api-ms-win-core-profile-l1-1-0.exe -m924:C:\Windows\SysWOW64\autoplay.exe -sC:\Windows\system32
        170⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.exe
        
        C:\Windows\system32\api-ms-win-core-datetime-l1-1-0.exe -m1948:C:\Windows\SysWOW64\api-ms-win-core-profile-l1-1-0.exe -sC:\Windows\system32
        171⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\apds.exe
        
        C:\Windows\system32\apds.exe -m1924:C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.exe -sC:\Windows\system32
        172⤵
        Drops file in System32 directory
        
        PID:1944
        
        C:\Windows\SysWOW64\api-ms-win-core-file-l1-2-0.exe
        
        C:\Windows\system32\api-ms-win-core-file-l1-2-0.exe -m1944:C:\Windows\SysWOW64\apds.exe -sC:\Windows\system32
        173⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\api-ms-win-core-file-l1-1-0.exe
        
        C:\Windows\system32\api-ms-win-core-file-l1-1-0.exe -m1760:C:\Windows\SysWOW64\api-ms-win-core-file-l1-2-0.exe -sC:\Windows\system32
        174⤵
        Drops file in System32 directory
        
        PID:1068
        
        C:\Windows\SysWOW64\api-ms-win-crt-time-l1-1-0.exe
        
        C:\Windows\system32\api-ms-win-crt-time-l1-1-0.exe -m1068:C:\Windows\SysWOW64\api-ms-win-core-file-l1-1-0.exe -sC:\Windows\system32
        175⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\apds.exe
        
        C:\Windows\system32\apds.exe -m2012:C:\Windows\SysWOW64\api-ms-win-crt-time-l1-1-0.exe -sC:\Windows\system32
        176⤵
        
        PID:1056
        
        C:\Windows\SysWOW64\amstream.exe
        
        C:\Windows\system32\amstream.exe -m1056:C:\Windows\SysWOW64\apds.exe -sC:\Windows\system32
        177⤵
        Drops file in System32 directory
        
        PID:960
        
        C:\Windows\SysWOW64\api-ms-win-core-file-l1-2-0.exe
        
        C:\Windows\system32\api-ms-win-core-file-l1-2-0.exe -m960:C:\Windows\SysWOW64\amstream.exe -sC:\Windows\system32
        178⤵
        Drops file in System32 directory
        
        PID:2008
        
        C:\Windows\SysWOW64\api-ms-win-core-file-l1-1-0.exe
        
        C:\Windows\system32\api-ms-win-core-file-l1-1-0.exe -m2008:C:\Windows\SysWOW64\api-ms-win-core-file-l1-2-0.exe -sC:\Windows\system32
        179⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\apds.exe
        
        C:\Windows\system32\apds.exe -m1624:C:\Windows\SysWOW64\api-ms-win-core-file-l1-1-0.exe -sC:\Windows\system32
        180⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\api-ms-win-crt-locale-l1-1-0.exe
        
        C:\Windows\system32\api-ms-win-crt-locale-l1-1-0.exe -m2032:C:\Windows\SysWOW64\apds.exe -sC:\Windows\system32
        181⤵
        Drops file in System32 directory
        
        PID:1940
        
        C:\Windows\SysWOW64\apds.exe
        
        C:\Windows\system32\apds.exe -m1940:C:\Windows\SysWOW64\api-ms-win-crt-locale-l1-1-0.exe -sC:\Windows\system32
        182⤵
        
        PID:1844
        
        C:\Windows\SysWOW64\api-ms-win-crt-runtime-l1-1-0.exe
        
        C:\Windows\system32\api-ms-win-crt-runtime-l1-1-0.exe -m1844:C:\Windows\SysWOW64\apds.exe -sC:\Windows\system32
        183⤵
        
        PID:760
        
        C:\Windows\SysWOW64\apds.exe
        
        C:\Windows\system32\apds.exe -m760:C:\Windows\SysWOW64\api-ms-win-crt-runtime-l1-1-0.exe -sC:\Windows\system32
        184⤵
        Drops file in System32 directory
        
        PID:1220
        
        C:\Windows\SysWOW64\api-ms-win-security-lsalookup-l1-1-0.exe
        
        C:\Windows\system32\api-ms-win-security-lsalookup-l1-1-0.exe -m1220:C:\Windows\SysWOW64\apds.exe -sC:\Windows\system32
        185⤵
        Drops file in System32 directory
        
        PID:1776
        
        C:\Windows\SysWOW64\api-ms-win-core-file-l1-1-0.exe
        
        C:\Windows\system32\api-ms-win-core-file-l1-1-0.exe -m1776:C:\Windows\SysWOW64\api-ms-win-security-lsalookup-l1-1-0.exe -sC:\Windows\system32
        186⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\apds.exe
        
        C:\Windows\system32\apds.exe -m1828:C:\Windows\SysWOW64\api-ms-win-core-file-l1-1-0.exe -sC:\Windows\system32
        187⤵
        Drops file in System32 directory
        
        PID:524
        
        C:\Windows\SysWOW64\api-ms-win-crt-filesystem-l1-1-0.exe
        
        C:\Windows\system32\api-ms-win-crt-filesystem-l1-1-0.exe -m524:C:\Windows\SysWOW64\apds.exe -sC:\Windows\system32
        188⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\api-ms-win-core-threadpool-l1-1-0.exe
        
        C:\Windows\system32\api-ms-win-core-threadpool-l1-1-0.exe -m1516:C:\Windows\SysWOW64\api-ms-win-crt-filesystem-l1-1-0.exe -sC:\Windows\system32
        189⤵
        Drops file in System32 directory
        
        PID:960
        
        C:\Windows\SysWOW64\btpanui.exe
        
        C:\Windows\system32\btpanui.exe -m960:C:\Windows\SysWOW64\api-ms-win-core-threadpool-l1-1-0.exe -sC:\Windows\system32
        190⤵
        
        PID:292
        
        C:\Windows\SysWOW64\api-ms-win-service-core-l1-1-0.exe
        
        C:\Windows\system32\api-ms-win-service-core-l1-1-0.exe -m292:C:\Windows\SysWOW64\btpanui.exe -sC:\Windows\system32
        191⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\AuxiliaryDisplayCpl.exe
        
        C:\Windows\system32\AuxiliaryDisplayCpl.exe -m1692:C:\Windows\SysWOW64\api-ms-win-service-core-l1-1-0.exe -sC:\Windows\system32
        192⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\api-ms-win-downlevel-user32-l1-1-0.exe
        
        C:\Windows\system32\api-ms-win-downlevel-user32-l1-1-0.exe -m1964:C:\Windows\SysWOW64\AuxiliaryDisplayCpl.exe -sC:\Windows\system32
        193⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\api-ms-win-core-threadpool-l1-1-0.exe
        
        C:\Windows\system32\api-ms-win-core-threadpool-l1-1-0.exe -m2036:C:\Windows\SysWOW64\api-ms-win-downlevel-user32-l1-1-0.exe -sC:\Windows\system32
        194⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\api-ms-win-core-sysinfo-l1-1-0.exe
        
        C:\Windows\system32\api-ms-win-core-sysinfo-l1-1-0.exe -m1040:C:\Windows\SysWOW64\api-ms-win-core-threadpool-l1-1-0.exe -sC:\Windows\system32
        195⤵
        Drops file in System32 directory
        
        PID:888
        
        C:\Windows\SysWOW64\Apphlpdm.exe
        
        C:\Windows\system32\Apphlpdm.exe -m888:C:\Windows\SysWOW64\api-ms-win-core-sysinfo-l1-1-0.exe -sC:\Windows\system32
        196⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\atl.exe
        
        C:\Windows\system32\atl.exe -m1084:C:\Windows\SysWOW64\Apphlpdm.exe -sC:\Windows\system32
        197⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\AudioEng.exe
        
        C:\Windows\system32\AudioEng.exe -m1712:C:\Windows\SysWOW64\atl.exe -sC:\Windows\system32
        198⤵
        Drops file in System32 directory
        
        PID:1736
        
        C:\Windows\SysWOW64\api-ms-win-crt-string-l1-1-0.exe
        
        C:\Windows\system32\api-ms-win-crt-string-l1-1-0.exe -m1736:C:\Windows\SysWOW64\AudioEng.exe -sC:\Windows\system32
        199⤵
        
        PID:1188
        
        C:\Windows\SysWOW64\api-ms-win-service-core-l1-1-0.exe
        
        C:\Windows\system32\api-ms-win-service-core-l1-1-0.exe -m1188:C:\Windows\SysWOW64\api-ms-win-crt-string-l1-1-0.exe -sC:\Windows\system32
        200⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\api-ms-win-core-processthreads-l1-1-1.exe
        
        C:\Windows\system32\api-ms-win-core-processthreads-l1-1-1.exe -m1984:C:\Windows\SysWOW64\api-ms-win-service-core-l1-1-0.exe -sC:\Windows\system32
        201⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\api-ms-win-security-lsalookup-l1-1-0.exe
        
        C:\Windows\system32\api-ms-win-security-lsalookup-l1-1-0.exe -m1920:C:\Windows\SysWOW64\api-ms-win-core-processthreads-l1-1-1.exe -sC:\Windows\system32
        202⤵
        Drops file in System32 directory
        
        PID:516
        
        C:\Windows\SysWOW64\api-ms-win-security-sddl-l1-1-0.exe
        
        C:\Windows\system32\api-ms-win-security-sddl-l1-1-0.exe -m516:C:\Windows\SysWOW64\api-ms-win-security-lsalookup-l1-1-0.exe -sC:\Windows\system32
        203⤵
        
        PID:1352
        
        C:\Windows\SysWOW64\AuditNativeSnapIn.exe
        
        C:\Windows\system32\AuditNativeSnapIn.exe -m1352:C:\Windows\SysWOW64\api-ms-win-security-sddl-l1-1-0.exe -sC:\Windows\system32
        204⤵
        
        PID:1356
        
        C:\Windows\SysWOW64\api-ms-win-core-rtlsupport-l1-1-0.exe
        
        C:\Windows\system32\api-ms-win-core-rtlsupport-l1-1-0.exe -m1356:C:\Windows\SysWOW64\AuditNativeSnapIn.exe -sC:\Windows\system32
        205⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\api-ms-win-crt-utility-l1-1-0.exe
        
        C:\Windows\system32\api-ms-win-crt-utility-l1-1-0.exe -m1520:C:\Windows\SysWOW64\api-ms-win-core-rtlsupport-l1-1-0.exe -sC:\Windows\system32
        206⤵
        Drops file in System32 directory
        
        PID:1912
        
        C:\Windows\SysWOW64\api-ms-win-service-core-l1-1-0.exe
        
        C:\Windows\system32\api-ms-win-service-core-l1-1-0.exe -m1912:C:\Windows\SysWOW64\api-ms-win-crt-utility-l1-1-0.exe -sC:\Windows\system32
        207⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\appmgr.exe
        
        C:\Windows\system32\appmgr.exe -m1720:C:\Windows\SysWOW64\api-ms-win-service-core-l1-1-0.exe -sC:\Windows\system32
        208⤵
        
        PID:1396
        
        C:\Windows\SysWOW64\api-ms-win-service-management-l2-1-0.exe
        
        C:\Windows\system32\api-ms-win-service-management-l2-1-0.exe -m1396:C:\Windows\SysWOW64\appmgr.exe -sC:\Windows\system32
        209⤵
        Drops file in System32 directory
        
        PID:1736
        
        C:\Windows\SysWOW64\api-ms-win-crt-runtime-l1-1-0.exe
        
        C:\Windows\system32\api-ms-win-crt-runtime-l1-1-0.exe -m1736:C:\Windows\SysWOW64\api-ms-win-service-management-l2-1-0.exe -sC:\Windows\system32
        210⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\api-ms-win-crt-utility-l1-1-0.exe
        
        C:\Windows\system32\api-ms-win-crt-utility-l1-1-0.exe -m1992:C:\Windows\SysWOW64\api-ms-win-crt-runtime-l1-1-0.exe -sC:\Windows\system32
        211⤵
        Drops file in System32 directory
        
        PID:2032
        
        C:\Windows\SysWOW64\api-ms-win-crt-environment-l1-1-0.exe
        
        C:\Windows\system32\api-ms-win-crt-environment-l1-1-0.exe -m2032:C:\Windows\SysWOW64\api-ms-win-crt-utility-l1-1-0.exe -sC:\Windows\system32
        212⤵
        Drops file in System32 directory
        
        PID:1148
        
        C:\Windows\SysWOW64\api-ms-win-crt-locale-l1-1-0.exe
        
        C:\Windows\system32\api-ms-win-crt-locale-l1-1-0.exe -m1148:C:\Windows\SysWOW64\api-ms-win-crt-environment-l1-1-0.exe -sC:\Windows\system32
        213⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\api-ms-win-crt-heap-l1-1-0.exe
        
        C:\Windows\system32\api-ms-win-crt-heap-l1-1-0.exe -m1636:C:\Windows\SysWOW64\api-ms-win-crt-locale-l1-1-0.exe -sC:\Windows\system32
        214⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\api-ms-win-crt-private-l1-1-0.exe
        
        C:\Windows\system32\api-ms-win-crt-private-l1-1-0.exe -m1732:C:\Windows\SysWOW64\api-ms-win-crt-heap-l1-1-0.exe -sC:\Windows\system32
        215⤵
        
        PID:664
        
        C:\Windows\SysWOW64\api-ms-win-core-profile-l1-1-0.exe
        
        C:\Windows\system32\api-ms-win-core-profile-l1-1-0.exe -m664:C:\Windows\SysWOW64\api-ms-win-crt-private-l1-1-0.exe -sC:\Windows\system32
        216⤵
        
        PID:852
        
        C:\Windows\SysWOW64\api-ms-win-service-management-l2-1-0.exe
        
        C:\Windows\system32\api-ms-win-service-management-l2-1-0.exe -m852:C:\Windows\SysWOW64\api-ms-win-core-profile-l1-1-0.exe -sC:\Windows\system32
        217⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\api-ms-win-crt-process-l1-1-0.exe
        
        C:\Windows\system32\api-ms-win-crt-process-l1-1-0.exe -m1772:C:\Windows\SysWOW64\api-ms-win-service-management-l2-1-0.exe -sC:\Windows\system32
        218⤵
        Drops file in System32 directory
        
        PID:1308
        
        C:\Windows\SysWOW64\api-ms-win-crt-time-l1-1-0.exe
        
        C:\Windows\system32\api-ms-win-crt-time-l1-1-0.exe -m1308:C:\Windows\SysWOW64\api-ms-win-crt-process-l1-1-0.exe -sC:\Windows\system32
        219⤵
        
        PID:1344
        
        C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.exe
        
        C:\Windows\system32\api-ms-win-core-string-l1-1-0.exe -m1344:C:\Windows\SysWOW64\api-ms-win-crt-time-l1-1-0.exe -sC:\Windows\system32
        220⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\api-ms-win-core-xstate-l2-1-0.exe
        
        C:\Windows\system32\api-ms-win-core-xstate-l2-1-0.exe -m1820:C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.exe -sC:\Windows\system32
        221⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\apircl.exe
        
        C:\Windows\system32\apircl.exe -m1992:C:\Windows\SysWOW64\api-ms-win-core-xstate-l2-1-0.exe -sC:\Windows\system32
        222⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\api-ms-win-core-util-l1-1-0.exe
        
        C:\Windows\system32\api-ms-win-core-util-l1-1-0.exe -m1644:C:\Windows\SysWOW64\apircl.exe -sC:\Windows\system32
        223⤵
        Drops file in System32 directory
        
        PID:1924
        
        C:\Windows\SysWOW64\audiodev.exe
        
        C:\Windows\system32\audiodev.exe -m1924:C:\Windows\SysWOW64\api-ms-win-core-util-l1-1-0.exe -sC:\Windows\system32
        224⤵
        
        PID:316
        
        C:\Windows\SysWOW64\api-ms-win-core-xstate-l2-1-0.exe
        
        C:\Windows\system32\api-ms-win-core-xstate-l2-1-0.exe -m316:C:\Windows\SysWOW64\audiodev.exe -sC:\Windows\system32
        225⤵
        Drops file in System32 directory
        
        PID:1904
        
        C:\Windows\SysWOW64\apilogen.exe
        
        C:\Windows\system32\apilogen.exe -m1904:C:\Windows\SysWOW64\api-ms-win-core-xstate-l2-1-0.exe -sC:\Windows\system32
        226⤵
        Drops file in System32 directory
        
        PID:1980
        
        C:\Windows\SysWOW64\api-ms-win-crt-string-l1-1-0.exe
        
        C:\Windows\system32\api-ms-win-crt-string-l1-1-0.exe -m1980:C:\Windows\SysWOW64\apilogen.exe -sC:\Windows\system32
        227⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\api-ms-win-core-sysinfo-l1-1-0.exe
        
        C:\Windows\system32\api-ms-win-core-sysinfo-l1-1-0.exe -m1008:C:\Windows\SysWOW64\api-ms-win-crt-string-l1-1-0.exe -sC:\Windows\system32
        228⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.exe
        
        C:\Windows\system32\api-ms-win-core-string-l1-1-0.exe -m1772:C:\Windows\SysWOW64\api-ms-win-core-sysinfo-l1-1-0.exe -sC:\Windows\system32
        229⤵
        Drops file in System32 directory
        
        PID:1916
        
        C:\Windows\SysWOW64\api-ms-win-core-profile-l1-1-0.exe
        
        C:\Windows\system32\api-ms-win-core-profile-l1-1-0.exe -m1916:C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.exe -sC:\Windows\system32
        230⤵
        
        PID:1016
        
        C:\Windows\SysWOW64\AuthFWGP.exe
        
        C:\Windows\system32\AuthFWGP.exe -m1016:C:\Windows\SysWOW64\api-ms-win-core-profile-l1-1-0.exe -sC:\Windows\system32
        231⤵
        Drops file in System32 directory
        
        PID:1576
        
        C:\Windows\SysWOW64\api-ms-win-core-xstate-l2-1-0.exe
        
        C:\Windows\system32\api-ms-win-core-xstate-l2-1-0.exe -m1576:C:\Windows\SysWOW64\AuthFWGP.exe -sC:\Windows\system32
        232⤵
        Drops file in System32 directory
        
        PID:300
        
        C:\Windows\SysWOW64\api-ms-win-core-timezone-l1-1-0.exe
        
        C:\Windows\system32\api-ms-win-core-timezone-l1-1-0.exe -m300:C:\Windows\SysWOW64\api-ms-win-core-xstate-l2-1-0.exe -sC:\Windows\system32
        233⤵
        Drops file in System32 directory
        
        PID:924
        
        C:\Windows\SysWOW64\api-ms-win-crt-locale-l1-1-0.exe
        
        C:\Windows\system32\api-ms-win-crt-locale-l1-1-0.exe -m924:C:\Windows\SysWOW64\api-ms-win-core-timezone-l1-1-0.exe -sC:\Windows\system32
        234⤵
        Drops file in System32 directory
        
        PID:1168
        
        C:\Windows\SysWOW64\CertEnroll.exe
        
        C:\Windows\system32\CertEnroll.exe -m1168:C:\Windows\SysWOW64\api-ms-win-crt-locale-l1-1-0.exe -sC:\Windows\system32
        235⤵
        
        PID:1520

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\a0e938be88679df44d7b0802d05393b4d0d59605a7ef4d31031110bd2d827bd4.nls

Filesize
96B

MD5
a44b7d152619694f03f122f4eff7cede

SHA1
1d377a92f879fc054fdaefc2886fc839a70218ad

SHA256
9f8af9e8323d46fa204671970675f7da4ae9050a878665f77dd668060c933dca

SHA512
1fa4a2eb438ff0907a4a146c4ebdaf0f2947d80be58c316119aa66c2d26fdfceb15a922ff0612ec88c2670eb1114952c6471ae3562d611be3caaf70766399321

Download Submit
C:\Windows\SysWOW64\adprovider.exe

Filesize
287KB

MD5
fd1494f5e8ef0f8e62f3102edce4a4ce

SHA1
e30f399c9ab7ff896060b2dcbfe7ef429c0af840

SHA256
a0e938be88679df44d7b0802d05393b4d0d59605a7ef4d31031110bd2d827bd4

SHA512
afc5f1970e7eb05e74da24d93e342417eb719ebf91f0eaf946d0b6c33ae47c17f96e682a27e88b9753265c22dca1d41308640e02e878c804e6edbcd584f3fbaa

Download Submit
C:\Windows\SysWOW64\adprovider.exe

Filesize
287KB

MD5
fd1494f5e8ef0f8e62f3102edce4a4ce

SHA1
e30f399c9ab7ff896060b2dcbfe7ef429c0af840

SHA256
a0e938be88679df44d7b0802d05393b4d0d59605a7ef4d31031110bd2d827bd4

SHA512
afc5f1970e7eb05e74da24d93e342417eb719ebf91f0eaf946d0b6c33ae47c17f96e682a27e88b9753265c22dca1d41308640e02e878c804e6edbcd584f3fbaa

Download Submit
C:\Windows\SysWOW64\adprovider.nls

Filesize
108B

MD5
eac5e3dc0df9803dc9afe55136663a7b

SHA1
79bf29c980e6a14590c15db036d467c6630f10d8

SHA256
25af7d8d09b150569bebe0d85dafc7636cc88c00ec4c4090a3940cf7fb57157f

SHA512
9cf24920afe60c76446446537bbf76d571a121eafb8c05e78403122543b0bb533d8be2a1c3f9c18551e4a6d3cb7eff2d0a7f62199eea07dc1c3d43630f656f04

Download Submit
C:\Windows\SysWOW64\adsmsext.exe

Filesize
287KB

MD5
fd1494f5e8ef0f8e62f3102edce4a4ce

SHA1
e30f399c9ab7ff896060b2dcbfe7ef429c0af840

SHA256
a0e938be88679df44d7b0802d05393b4d0d59605a7ef4d31031110bd2d827bd4

SHA512
afc5f1970e7eb05e74da24d93e342417eb719ebf91f0eaf946d0b6c33ae47c17f96e682a27e88b9753265c22dca1d41308640e02e878c804e6edbcd584f3fbaa

Download Submit
C:\Windows\SysWOW64\adsmsext.exe

Filesize
287KB

MD5
fd1494f5e8ef0f8e62f3102edce4a4ce

SHA1
e30f399c9ab7ff896060b2dcbfe7ef429c0af840

SHA256
a0e938be88679df44d7b0802d05393b4d0d59605a7ef4d31031110bd2d827bd4

SHA512
afc5f1970e7eb05e74da24d93e342417eb719ebf91f0eaf946d0b6c33ae47c17f96e682a27e88b9753265c22dca1d41308640e02e878c804e6edbcd584f3fbaa

Download Submit
C:\Windows\SysWOW64\adsmsext.nls

Filesize
108B

MD5
e113af5db7f31b33d9c1fb2ecb7e3055

SHA1
e74742209893b19ed745f905eeab89b97de0d0b9

SHA256
e081c0bc5abbf160dff5b30a41775779433a56770b88e1fddcf48aebd39f6276

SHA512
7ee89b4d9bd09ef8c692f7291b9165cbf41e39228c696a9748faa399118bfc624cbe35dfea32d28eeb82869ba6e9b4ce0821fe854298c375cc6d2c527b1aa32d

Download Submit
C:\Windows\SysWOW64\adtschema.exe

Filesize
287KB

MD5
fd1494f5e8ef0f8e62f3102edce4a4ce

SHA1
e30f399c9ab7ff896060b2dcbfe7ef429c0af840

SHA256
a0e938be88679df44d7b0802d05393b4d0d59605a7ef4d31031110bd2d827bd4

SHA512
afc5f1970e7eb05e74da24d93e342417eb719ebf91f0eaf946d0b6c33ae47c17f96e682a27e88b9753265c22dca1d41308640e02e878c804e6edbcd584f3fbaa

Download Submit
C:\Windows\SysWOW64\advapi32.exe

Filesize
287KB

MD5
fd1494f5e8ef0f8e62f3102edce4a4ce

SHA1
e30f399c9ab7ff896060b2dcbfe7ef429c0af840

SHA256
a0e938be88679df44d7b0802d05393b4d0d59605a7ef4d31031110bd2d827bd4

SHA512
afc5f1970e7eb05e74da24d93e342417eb719ebf91f0eaf946d0b6c33ae47c17f96e682a27e88b9753265c22dca1d41308640e02e878c804e6edbcd584f3fbaa

Download Submit
C:\Windows\SysWOW64\advapi32.exe

Filesize
287KB

MD5
fd1494f5e8ef0f8e62f3102edce4a4ce

SHA1
e30f399c9ab7ff896060b2dcbfe7ef429c0af840

SHA256
a0e938be88679df44d7b0802d05393b4d0d59605a7ef4d31031110bd2d827bd4

SHA512
afc5f1970e7eb05e74da24d93e342417eb719ebf91f0eaf946d0b6c33ae47c17f96e682a27e88b9753265c22dca1d41308640e02e878c804e6edbcd584f3fbaa

Download Submit
C:\Windows\SysWOW64\advapi32.nls

Filesize
108B

MD5
98efcd0f3bb243f05f6caab2820d2a09

SHA1
5784fdf64daaea718354b2179a208327a4960c79

SHA256
7b14aa576dd4ed19f857599550b177072bde6167452b869c2d1ca262a90078a4

SHA512
33b923e224bf2252b311e22f4dab7c8fc28534b852ce9dc46645f9a554102509db81ba318b15b71248c73df4d87fcf8ea1c9bfd1aae02d51734705532f92c925

Download Submit
C:\Windows\SysWOW64\amxread.exe

Filesize
287KB

MD5
fd1494f5e8ef0f8e62f3102edce4a4ce

SHA1
e30f399c9ab7ff896060b2dcbfe7ef429c0af840

SHA256
a0e938be88679df44d7b0802d05393b4d0d59605a7ef4d31031110bd2d827bd4

SHA512
afc5f1970e7eb05e74da24d93e342417eb719ebf91f0eaf946d0b6c33ae47c17f96e682a27e88b9753265c22dca1d41308640e02e878c804e6edbcd584f3fbaa

Download Submit
C:\Windows\SysWOW64\amxread.exe

Filesize
287KB

MD5
fd1494f5e8ef0f8e62f3102edce4a4ce

SHA1
e30f399c9ab7ff896060b2dcbfe7ef429c0af840

SHA256
a0e938be88679df44d7b0802d05393b4d0d59605a7ef4d31031110bd2d827bd4

SHA512
afc5f1970e7eb05e74da24d93e342417eb719ebf91f0eaf946d0b6c33ae47c17f96e682a27e88b9753265c22dca1d41308640e02e878c804e6edbcd584f3fbaa

Download Submit
C:\Windows\SysWOW64\amxread.nls

Filesize
108B

MD5
18fbc3b2b4e4e924ca93f9c894f4cda2

SHA1
44995a6a59413eae460cfd083d5d50e29bddffa4

SHA256
75adc456b98eda51387065636fc2e945ae63ac0d09abd92ad1e9a88b6eddf470

SHA512
c96d7297413431cf78f49d3b0404d6c7659e65475af6ad09e502074e8d44d26f453b72d679a4a8bfb2128fbfd8ffb6ff3c94da492d3325c3ddef9fc53c6627f1

Download Submit
C:\Windows\SysWOW64\api-ms-win-core-console-l1-1-0.exe

Filesize
287KB

MD5
fd1494f5e8ef0f8e62f3102edce4a4ce

SHA1
e30f399c9ab7ff896060b2dcbfe7ef429c0af840

SHA256
a0e938be88679df44d7b0802d05393b4d0d59605a7ef4d31031110bd2d827bd4

SHA512
afc5f1970e7eb05e74da24d93e342417eb719ebf91f0eaf946d0b6c33ae47c17f96e682a27e88b9753265c22dca1d41308640e02e878c804e6edbcd584f3fbaa

Download Submit
C:\Windows\SysWOW64\api-ms-win-core-console-l1-1-0.exe

Filesize
287KB

MD5
fd1494f5e8ef0f8e62f3102edce4a4ce

SHA1
e30f399c9ab7ff896060b2dcbfe7ef429c0af840

SHA256
a0e938be88679df44d7b0802d05393b4d0d59605a7ef4d31031110bd2d827bd4

SHA512
afc5f1970e7eb05e74da24d93e342417eb719ebf91f0eaf946d0b6c33ae47c17f96e682a27e88b9753265c22dca1d41308640e02e878c804e6edbcd584f3fbaa

Download Submit
C:\Windows\SysWOW64\api-ms-win-core-console-l1-1-0.nls

Filesize
108B

MD5
62b310c12f683c0ca803ba3bde3276dc

SHA1
1f2feadcdf98202ec4562d7dc3d09cd83f275223

SHA256
78af3c1bad525ebbc91dc219025f041d2b9979b4f3f95fe67534198acccb46b1

SHA512
f45dbc79fa29628ac6e746068da1eaca0c27c612db564ad3255b9c45b962b886b84349c6c265266369c92743f500cdefcd36a3d47411bddae9a0129848494fa6

Download Submit
C:\Windows\SysWOW64\api-ms-win-core-delayload-l1-1-0.exe

Filesize
287KB

MD5
fd1494f5e8ef0f8e62f3102edce4a4ce

SHA1
e30f399c9ab7ff896060b2dcbfe7ef429c0af840

SHA256
a0e938be88679df44d7b0802d05393b4d0d59605a7ef4d31031110bd2d827bd4

SHA512
afc5f1970e7eb05e74da24d93e342417eb719ebf91f0eaf946d0b6c33ae47c17f96e682a27e88b9753265c22dca1d41308640e02e878c804e6edbcd584f3fbaa

Download Submit
C:\Windows\SysWOW64\api-ms-win-core-delayload-l1-1-0.exe

Filesize
287KB

MD5
fd1494f5e8ef0f8e62f3102edce4a4ce

SHA1
e30f399c9ab7ff896060b2dcbfe7ef429c0af840

SHA256
a0e938be88679df44d7b0802d05393b4d0d59605a7ef4d31031110bd2d827bd4

SHA512
afc5f1970e7eb05e74da24d93e342417eb719ebf91f0eaf946d0b6c33ae47c17f96e682a27e88b9753265c22dca1d41308640e02e878c804e6edbcd584f3fbaa

Download Submit
C:\Windows\SysWOW64\api-ms-win-core-delayload-l1-1-0.nls

Filesize
108B

MD5
b4faaef472693696a5ab8272b89adc80

SHA1
96540e7dfaeda939f0e79c22fe27a70ac8501ec8

SHA256
76607e0cd480441b60a1011274333e7e1534eea282b9cf29daba864236e118dc

SHA512
1e495e37ed7786dbb53e538e4ed156f7e26c0e1ad1af01472f430faf17df9b9bc8b76b75067b1202999eb0765bfbeaf2e994ee48ab091fbc6b05f9208e1118c8

Download Submit
C:\Windows\SysWOW64\api-ms-win-core-interlocked-l1-1-0.exe

Filesize
287KB

MD5
fd1494f5e8ef0f8e62f3102edce4a4ce

SHA1
e30f399c9ab7ff896060b2dcbfe7ef429c0af840

SHA256
a0e938be88679df44d7b0802d05393b4d0d59605a7ef4d31031110bd2d827bd4

SHA512
afc5f1970e7eb05e74da24d93e342417eb719ebf91f0eaf946d0b6c33ae47c17f96e682a27e88b9753265c22dca1d41308640e02e878c804e6edbcd584f3fbaa

Download Submit
C:\Windows\SysWOW64\api-ms-win-core-interlocked-l1-1-0.exe

Filesize
287KB

MD5
fd1494f5e8ef0f8e62f3102edce4a4ce

SHA1
e30f399c9ab7ff896060b2dcbfe7ef429c0af840

SHA256
a0e938be88679df44d7b0802d05393b4d0d59605a7ef4d31031110bd2d827bd4

SHA512
afc5f1970e7eb05e74da24d93e342417eb719ebf91f0eaf946d0b6c33ae47c17f96e682a27e88b9753265c22dca1d41308640e02e878c804e6edbcd584f3fbaa

Download Submit
C:\Windows\SysWOW64\api-ms-win-core-interlocked-l1-1-0.nls

Filesize
108B

MD5
e22e414601f2b51d53572ea89e7f8ed4

SHA1
b910825310e08b9a76820b6a05bb5a2eae0538a0

SHA256
aabaca1e51df432f282f6a5aec43528d54d5fcdc26844de208f76f58d2c952b1

SHA512
2cdfbbde75151bd39a41aafcd36ef672e20465d7b0e1f611d2271e6bf1c03043e0bafe816751e5158de946546b9501950b9178ee82d030901613c34da0a9fa60

Download Submit
C:\Windows\SysWOW64\api-ms-win-core-processenvironment-l1-1-0.exe

Filesize
287KB

MD5
fd1494f5e8ef0f8e62f3102edce4a4ce

SHA1
e30f399c9ab7ff896060b2dcbfe7ef429c0af840

SHA256
a0e938be88679df44d7b0802d05393b4d0d59605a7ef4d31031110bd2d827bd4

SHA512
afc5f1970e7eb05e74da24d93e342417eb719ebf91f0eaf946d0b6c33ae47c17f96e682a27e88b9753265c22dca1d41308640e02e878c804e6edbcd584f3fbaa

Download Submit
C:\Windows\SysWOW64\api-ms-win-core-processenvironment-l1-1-0.exe

Filesize
287KB

MD5
fd1494f5e8ef0f8e62f3102edce4a4ce

SHA1
e30f399c9ab7ff896060b2dcbfe7ef429c0af840

SHA256
a0e938be88679df44d7b0802d05393b4d0d59605a7ef4d31031110bd2d827bd4

SHA512
afc5f1970e7eb05e74da24d93e342417eb719ebf91f0eaf946d0b6c33ae47c17f96e682a27e88b9753265c22dca1d41308640e02e878c804e6edbcd584f3fbaa

Download Submit
C:\Windows\SysWOW64\api-ms-win-core-processenvironment-l1-1-0.nls

Filesize
96B

MD5
79431c587a636f1cc177a73419bc2083

SHA1
7aa18d4f162c2b1ea36275592b6603c315fd4d5a

SHA256
a5a3960ff87dcb4dc10d964d8342988c45e68ab4b7831c4cbefc23e9774ed9dc

SHA512
68338751c503cd71ab10a732504e176f24a4b31783af872821cf8dd2b02e85ccaf391987588ec63bfb398812bea9ebde093ffc767b6c5d48fb74c839a73a4a14

Download Submit
C:\Windows\SysWOW64\api-ms-win-core-processthreads-l1-1-0.exe

Filesize
287KB

MD5
fd1494f5e8ef0f8e62f3102edce4a4ce

SHA1
e30f399c9ab7ff896060b2dcbfe7ef429c0af840

SHA256
a0e938be88679df44d7b0802d05393b4d0d59605a7ef4d31031110bd2d827bd4

SHA512
afc5f1970e7eb05e74da24d93e342417eb719ebf91f0eaf946d0b6c33ae47c17f96e682a27e88b9753265c22dca1d41308640e02e878c804e6edbcd584f3fbaa

Download Submit
C:\Windows\SysWOW64\api-ms-win-core-processthreads-l1-1-0.exe

Filesize
287KB

MD5
fd1494f5e8ef0f8e62f3102edce4a4ce

SHA1
e30f399c9ab7ff896060b2dcbfe7ef429c0af840

SHA256
a0e938be88679df44d7b0802d05393b4d0d59605a7ef4d31031110bd2d827bd4

SHA512
afc5f1970e7eb05e74da24d93e342417eb719ebf91f0eaf946d0b6c33ae47c17f96e682a27e88b9753265c22dca1d41308640e02e878c804e6edbcd584f3fbaa

Download Submit
C:\Windows\SysWOW64\api-ms-win-core-processthreads-l1-1-0.nls

Filesize
108B

MD5
3a261ba90e655f6c71a041135699d8b8

SHA1
580a3bc9e5883788fceee003ceccb25f6a49633a

SHA256
d096a214f1b32b2db31534bc675c90b67f51956eaf8e2453e7565939e78bc3ea

SHA512
e1dd5f0ca709d4caf5337e644deee86701b3c1c1a62dc71f7d2d582830e02988445f99aa1bb2241dd577656024cdb373c7041273f4accf79126f0f9b839a8b79

Download Submit
C:\Windows\SysWOW64\api-ms-win-core-processthreads-l1-1-1.exe

Filesize
287KB

MD5
fd1494f5e8ef0f8e62f3102edce4a4ce

SHA1
e30f399c9ab7ff896060b2dcbfe7ef429c0af840

SHA256
a0e938be88679df44d7b0802d05393b4d0d59605a7ef4d31031110bd2d827bd4

SHA512
afc5f1970e7eb05e74da24d93e342417eb719ebf91f0eaf946d0b6c33ae47c17f96e682a27e88b9753265c22dca1d41308640e02e878c804e6edbcd584f3fbaa

Download Submit
C:\Windows\SysWOW64\api-ms-win-core-processthreads-l1-1-1.exe

Filesize
287KB

MD5
fd1494f5e8ef0f8e62f3102edce4a4ce

SHA1
e30f399c9ab7ff896060b2dcbfe7ef429c0af840

SHA256
a0e938be88679df44d7b0802d05393b4d0d59605a7ef4d31031110bd2d827bd4

SHA512
afc5f1970e7eb05e74da24d93e342417eb719ebf91f0eaf946d0b6c33ae47c17f96e682a27e88b9753265c22dca1d41308640e02e878c804e6edbcd584f3fbaa

Download Submit
C:\Windows\SysWOW64\api-ms-win-core-processthreads-l1-1-1.nls

Filesize
108B

MD5
40dd37590b432329edcaf83205282f94

SHA1
a43e16dc654688f6093e98bbac3cc1e8c3652004

SHA256
d1b24644d2001d0ea434f4e3796e1eedbf3b78d42fb679a9935ce44f986509c1

SHA512
68ad08af093c94595947da17d6cc33e080aef808dbb4b6aae7618e79054cf29b63291bb80538cad0ab3a47601f02516931670338f61aae7b357f59ace4de771d

Download Submit
C:\Windows\SysWOW64\api-ms-win-crt-conio-l1-1-0.exe

Filesize
287KB

MD5
fd1494f5e8ef0f8e62f3102edce4a4ce

SHA1
e30f399c9ab7ff896060b2dcbfe7ef429c0af840

SHA256
a0e938be88679df44d7b0802d05393b4d0d59605a7ef4d31031110bd2d827bd4

SHA512
afc5f1970e7eb05e74da24d93e342417eb719ebf91f0eaf946d0b6c33ae47c17f96e682a27e88b9753265c22dca1d41308640e02e878c804e6edbcd584f3fbaa

Download Submit
C:\Windows\SysWOW64\api-ms-win-crt-conio-l1-1-0.exe

Filesize
287KB

MD5
fd1494f5e8ef0f8e62f3102edce4a4ce

SHA1
e30f399c9ab7ff896060b2dcbfe7ef429c0af840

SHA256
a0e938be88679df44d7b0802d05393b4d0d59605a7ef4d31031110bd2d827bd4

SHA512
afc5f1970e7eb05e74da24d93e342417eb719ebf91f0eaf946d0b6c33ae47c17f96e682a27e88b9753265c22dca1d41308640e02e878c804e6edbcd584f3fbaa

Download Submit
C:\Windows\SysWOW64\api-ms-win-crt-conio-l1-1-0.nls

Filesize
108B

MD5
1bdccdeb88ea20dc78188d516b98cab1

SHA1
0eefbe7d8ed4c02b3e0e63ccf8d023859071c1f3

SHA256
76c539b29b68e3af7d7d19e5de76e5bd8e302b536a01622455f3d612988e4582

SHA512
d76f5e8ab23adf5ebaed157579a91956e9156ca22e7efae0fcd5ba795e10ba3a235219d3218adb1d978e6f934c76f533cf34440565adf516817aff6b23e931a0

Download Submit
C:\Windows\SysWOW64\api-ms-win-service-winsvc-l1-1-0.exe

Filesize
287KB

MD5
fd1494f5e8ef0f8e62f3102edce4a4ce

SHA1
e30f399c9ab7ff896060b2dcbfe7ef429c0af840

SHA256
a0e938be88679df44d7b0802d05393b4d0d59605a7ef4d31031110bd2d827bd4

SHA512
afc5f1970e7eb05e74da24d93e342417eb719ebf91f0eaf946d0b6c33ae47c17f96e682a27e88b9753265c22dca1d41308640e02e878c804e6edbcd584f3fbaa

Download Submit
C:\Windows\SysWOW64\api-ms-win-service-winsvc-l1-1-0.exe

Filesize
287KB

MD5
fd1494f5e8ef0f8e62f3102edce4a4ce

SHA1
e30f399c9ab7ff896060b2dcbfe7ef429c0af840

SHA256
a0e938be88679df44d7b0802d05393b4d0d59605a7ef4d31031110bd2d827bd4

SHA512
afc5f1970e7eb05e74da24d93e342417eb719ebf91f0eaf946d0b6c33ae47c17f96e682a27e88b9753265c22dca1d41308640e02e878c804e6edbcd584f3fbaa

Download Submit
C:\Windows\SysWOW64\api-ms-win-service-winsvc-l1-1-0.nls

Filesize
108B

MD5
1fec8b609cd6199331891297f9fc3134

SHA1
24b67b757526ce59ed63e110fe0c6514862c17f0

SHA256
4110064b8ebb1390aeb83f5b78f9c1d2fc632e41cfe3d12bb13fa607bb1c2695

SHA512
1021b18000dbaaeb2a614c1f1fa5edbf2f6e25807870c9b12e6790fa93de7675bc67b222bbf43b37d003a9b9152e6af3d947cd6061c363a6b92477887e46ba54

Download Submit
\Windows\SysWOW64\adprovider.exe

Filesize
287KB

MD5
fd1494f5e8ef0f8e62f3102edce4a4ce

SHA1
e30f399c9ab7ff896060b2dcbfe7ef429c0af840

SHA256
a0e938be88679df44d7b0802d05393b4d0d59605a7ef4d31031110bd2d827bd4

SHA512
afc5f1970e7eb05e74da24d93e342417eb719ebf91f0eaf946d0b6c33ae47c17f96e682a27e88b9753265c22dca1d41308640e02e878c804e6edbcd584f3fbaa

Download Submit
\Windows\SysWOW64\adprovider.exe

Filesize
287KB

MD5
fd1494f5e8ef0f8e62f3102edce4a4ce

SHA1
e30f399c9ab7ff896060b2dcbfe7ef429c0af840

SHA256
a0e938be88679df44d7b0802d05393b4d0d59605a7ef4d31031110bd2d827bd4

SHA512
afc5f1970e7eb05e74da24d93e342417eb719ebf91f0eaf946d0b6c33ae47c17f96e682a27e88b9753265c22dca1d41308640e02e878c804e6edbcd584f3fbaa

Download Submit
\Windows\SysWOW64\adsmsext.exe

Filesize
287KB

MD5
fd1494f5e8ef0f8e62f3102edce4a4ce

SHA1
e30f399c9ab7ff896060b2dcbfe7ef429c0af840

SHA256
a0e938be88679df44d7b0802d05393b4d0d59605a7ef4d31031110bd2d827bd4

SHA512
afc5f1970e7eb05e74da24d93e342417eb719ebf91f0eaf946d0b6c33ae47c17f96e682a27e88b9753265c22dca1d41308640e02e878c804e6edbcd584f3fbaa

Download Submit
\Windows\SysWOW64\adsmsext.exe

Filesize
287KB

MD5
fd1494f5e8ef0f8e62f3102edce4a4ce

SHA1
e30f399c9ab7ff896060b2dcbfe7ef429c0af840

SHA256
a0e938be88679df44d7b0802d05393b4d0d59605a7ef4d31031110bd2d827bd4

SHA512
afc5f1970e7eb05e74da24d93e342417eb719ebf91f0eaf946d0b6c33ae47c17f96e682a27e88b9753265c22dca1d41308640e02e878c804e6edbcd584f3fbaa

Download Submit
\Windows\SysWOW64\adtschema.exe

Filesize
287KB

MD5
fd1494f5e8ef0f8e62f3102edce4a4ce

SHA1
e30f399c9ab7ff896060b2dcbfe7ef429c0af840

SHA256
a0e938be88679df44d7b0802d05393b4d0d59605a7ef4d31031110bd2d827bd4

SHA512
afc5f1970e7eb05e74da24d93e342417eb719ebf91f0eaf946d0b6c33ae47c17f96e682a27e88b9753265c22dca1d41308640e02e878c804e6edbcd584f3fbaa

Download Submit
\Windows\SysWOW64\adtschema.exe

Filesize
287KB

MD5
fd1494f5e8ef0f8e62f3102edce4a4ce

SHA1
e30f399c9ab7ff896060b2dcbfe7ef429c0af840

SHA256
a0e938be88679df44d7b0802d05393b4d0d59605a7ef4d31031110bd2d827bd4

SHA512
afc5f1970e7eb05e74da24d93e342417eb719ebf91f0eaf946d0b6c33ae47c17f96e682a27e88b9753265c22dca1d41308640e02e878c804e6edbcd584f3fbaa

Download Submit
\Windows\SysWOW64\advapi32.exe

Filesize
287KB

MD5
fd1494f5e8ef0f8e62f3102edce4a4ce

SHA1
e30f399c9ab7ff896060b2dcbfe7ef429c0af840

SHA256
a0e938be88679df44d7b0802d05393b4d0d59605a7ef4d31031110bd2d827bd4

SHA512
afc5f1970e7eb05e74da24d93e342417eb719ebf91f0eaf946d0b6c33ae47c17f96e682a27e88b9753265c22dca1d41308640e02e878c804e6edbcd584f3fbaa

Download Submit
\Windows\SysWOW64\advapi32.exe

Filesize
287KB

MD5
fd1494f5e8ef0f8e62f3102edce4a4ce

SHA1
e30f399c9ab7ff896060b2dcbfe7ef429c0af840

SHA256
a0e938be88679df44d7b0802d05393b4d0d59605a7ef4d31031110bd2d827bd4

SHA512
afc5f1970e7eb05e74da24d93e342417eb719ebf91f0eaf946d0b6c33ae47c17f96e682a27e88b9753265c22dca1d41308640e02e878c804e6edbcd584f3fbaa

Download Submit
\Windows\SysWOW64\amxread.exe

Filesize
287KB

MD5
fd1494f5e8ef0f8e62f3102edce4a4ce

SHA1
e30f399c9ab7ff896060b2dcbfe7ef429c0af840

SHA256
a0e938be88679df44d7b0802d05393b4d0d59605a7ef4d31031110bd2d827bd4

SHA512
afc5f1970e7eb05e74da24d93e342417eb719ebf91f0eaf946d0b6c33ae47c17f96e682a27e88b9753265c22dca1d41308640e02e878c804e6edbcd584f3fbaa

Download Submit
\Windows\SysWOW64\amxread.exe

Filesize
287KB

MD5
fd1494f5e8ef0f8e62f3102edce4a4ce

SHA1
e30f399c9ab7ff896060b2dcbfe7ef429c0af840

SHA256
a0e938be88679df44d7b0802d05393b4d0d59605a7ef4d31031110bd2d827bd4

SHA512
afc5f1970e7eb05e74da24d93e342417eb719ebf91f0eaf946d0b6c33ae47c17f96e682a27e88b9753265c22dca1d41308640e02e878c804e6edbcd584f3fbaa

Download Submit
\Windows\SysWOW64\api-ms-win-core-console-l1-1-0.exe

Filesize
287KB

MD5
fd1494f5e8ef0f8e62f3102edce4a4ce

SHA1
e30f399c9ab7ff896060b2dcbfe7ef429c0af840

SHA256
a0e938be88679df44d7b0802d05393b4d0d59605a7ef4d31031110bd2d827bd4

SHA512
afc5f1970e7eb05e74da24d93e342417eb719ebf91f0eaf946d0b6c33ae47c17f96e682a27e88b9753265c22dca1d41308640e02e878c804e6edbcd584f3fbaa

Download Submit
\Windows\SysWOW64\api-ms-win-core-console-l1-1-0.exe

Filesize
287KB

MD5
fd1494f5e8ef0f8e62f3102edce4a4ce

SHA1
e30f399c9ab7ff896060b2dcbfe7ef429c0af840

SHA256
a0e938be88679df44d7b0802d05393b4d0d59605a7ef4d31031110bd2d827bd4

SHA512
afc5f1970e7eb05e74da24d93e342417eb719ebf91f0eaf946d0b6c33ae47c17f96e682a27e88b9753265c22dca1d41308640e02e878c804e6edbcd584f3fbaa

Download Submit
\Windows\SysWOW64\api-ms-win-core-delayload-l1-1-0.exe

Filesize
287KB

MD5
fd1494f5e8ef0f8e62f3102edce4a4ce

SHA1
e30f399c9ab7ff896060b2dcbfe7ef429c0af840

SHA256
a0e938be88679df44d7b0802d05393b4d0d59605a7ef4d31031110bd2d827bd4

SHA512
afc5f1970e7eb05e74da24d93e342417eb719ebf91f0eaf946d0b6c33ae47c17f96e682a27e88b9753265c22dca1d41308640e02e878c804e6edbcd584f3fbaa

Download Submit
\Windows\SysWOW64\api-ms-win-core-delayload-l1-1-0.exe

Filesize
287KB

MD5
fd1494f5e8ef0f8e62f3102edce4a4ce

SHA1
e30f399c9ab7ff896060b2dcbfe7ef429c0af840

SHA256
a0e938be88679df44d7b0802d05393b4d0d59605a7ef4d31031110bd2d827bd4

SHA512
afc5f1970e7eb05e74da24d93e342417eb719ebf91f0eaf946d0b6c33ae47c17f96e682a27e88b9753265c22dca1d41308640e02e878c804e6edbcd584f3fbaa

Download Submit
\Windows\SysWOW64\api-ms-win-core-interlocked-l1-1-0.exe

Filesize
287KB

MD5
fd1494f5e8ef0f8e62f3102edce4a4ce

SHA1
e30f399c9ab7ff896060b2dcbfe7ef429c0af840

SHA256
a0e938be88679df44d7b0802d05393b4d0d59605a7ef4d31031110bd2d827bd4

SHA512
afc5f1970e7eb05e74da24d93e342417eb719ebf91f0eaf946d0b6c33ae47c17f96e682a27e88b9753265c22dca1d41308640e02e878c804e6edbcd584f3fbaa

Download Submit
\Windows\SysWOW64\api-ms-win-core-interlocked-l1-1-0.exe

Filesize
287KB

MD5
fd1494f5e8ef0f8e62f3102edce4a4ce

SHA1
e30f399c9ab7ff896060b2dcbfe7ef429c0af840

SHA256
a0e938be88679df44d7b0802d05393b4d0d59605a7ef4d31031110bd2d827bd4

SHA512
afc5f1970e7eb05e74da24d93e342417eb719ebf91f0eaf946d0b6c33ae47c17f96e682a27e88b9753265c22dca1d41308640e02e878c804e6edbcd584f3fbaa

Download Submit
\Windows\SysWOW64\api-ms-win-core-processenvironment-l1-1-0.exe

Filesize
287KB

MD5
fd1494f5e8ef0f8e62f3102edce4a4ce

SHA1
e30f399c9ab7ff896060b2dcbfe7ef429c0af840

SHA256
a0e938be88679df44d7b0802d05393b4d0d59605a7ef4d31031110bd2d827bd4

SHA512
afc5f1970e7eb05e74da24d93e342417eb719ebf91f0eaf946d0b6c33ae47c17f96e682a27e88b9753265c22dca1d41308640e02e878c804e6edbcd584f3fbaa

Download Submit
\Windows\SysWOW64\api-ms-win-core-processenvironment-l1-1-0.exe

Filesize
287KB

MD5
fd1494f5e8ef0f8e62f3102edce4a4ce

SHA1
e30f399c9ab7ff896060b2dcbfe7ef429c0af840

SHA256
a0e938be88679df44d7b0802d05393b4d0d59605a7ef4d31031110bd2d827bd4

SHA512
afc5f1970e7eb05e74da24d93e342417eb719ebf91f0eaf946d0b6c33ae47c17f96e682a27e88b9753265c22dca1d41308640e02e878c804e6edbcd584f3fbaa

Download Submit
\Windows\SysWOW64\api-ms-win-core-processthreads-l1-1-0.exe

Filesize
287KB

MD5
fd1494f5e8ef0f8e62f3102edce4a4ce

SHA1
e30f399c9ab7ff896060b2dcbfe7ef429c0af840

SHA256
a0e938be88679df44d7b0802d05393b4d0d59605a7ef4d31031110bd2d827bd4

SHA512
afc5f1970e7eb05e74da24d93e342417eb719ebf91f0eaf946d0b6c33ae47c17f96e682a27e88b9753265c22dca1d41308640e02e878c804e6edbcd584f3fbaa

Download Submit
\Windows\SysWOW64\api-ms-win-core-processthreads-l1-1-0.exe

Filesize
287KB

MD5
fd1494f5e8ef0f8e62f3102edce4a4ce

SHA1
e30f399c9ab7ff896060b2dcbfe7ef429c0af840

SHA256
a0e938be88679df44d7b0802d05393b4d0d59605a7ef4d31031110bd2d827bd4

SHA512
afc5f1970e7eb05e74da24d93e342417eb719ebf91f0eaf946d0b6c33ae47c17f96e682a27e88b9753265c22dca1d41308640e02e878c804e6edbcd584f3fbaa

Download Submit
\Windows\SysWOW64\api-ms-win-core-processthreads-l1-1-1.exe

Filesize
287KB

MD5
fd1494f5e8ef0f8e62f3102edce4a4ce

SHA1
e30f399c9ab7ff896060b2dcbfe7ef429c0af840

SHA256
a0e938be88679df44d7b0802d05393b4d0d59605a7ef4d31031110bd2d827bd4

SHA512
afc5f1970e7eb05e74da24d93e342417eb719ebf91f0eaf946d0b6c33ae47c17f96e682a27e88b9753265c22dca1d41308640e02e878c804e6edbcd584f3fbaa

Download Submit
\Windows\SysWOW64\api-ms-win-core-processthreads-l1-1-1.exe

Filesize
287KB

MD5
fd1494f5e8ef0f8e62f3102edce4a4ce

SHA1
e30f399c9ab7ff896060b2dcbfe7ef429c0af840

SHA256
a0e938be88679df44d7b0802d05393b4d0d59605a7ef4d31031110bd2d827bd4

SHA512
afc5f1970e7eb05e74da24d93e342417eb719ebf91f0eaf946d0b6c33ae47c17f96e682a27e88b9753265c22dca1d41308640e02e878c804e6edbcd584f3fbaa

Download Submit
\Windows\SysWOW64\api-ms-win-crt-conio-l1-1-0.exe

Filesize
287KB

MD5
fd1494f5e8ef0f8e62f3102edce4a4ce

SHA1
e30f399c9ab7ff896060b2dcbfe7ef429c0af840

SHA256
a0e938be88679df44d7b0802d05393b4d0d59605a7ef4d31031110bd2d827bd4

SHA512
afc5f1970e7eb05e74da24d93e342417eb719ebf91f0eaf946d0b6c33ae47c17f96e682a27e88b9753265c22dca1d41308640e02e878c804e6edbcd584f3fbaa

Download Submit
\Windows\SysWOW64\api-ms-win-crt-conio-l1-1-0.exe

Filesize
287KB

MD5
fd1494f5e8ef0f8e62f3102edce4a4ce

SHA1
e30f399c9ab7ff896060b2dcbfe7ef429c0af840

SHA256
a0e938be88679df44d7b0802d05393b4d0d59605a7ef4d31031110bd2d827bd4

SHA512
afc5f1970e7eb05e74da24d93e342417eb719ebf91f0eaf946d0b6c33ae47c17f96e682a27e88b9753265c22dca1d41308640e02e878c804e6edbcd584f3fbaa

Download Submit
\Windows\SysWOW64\api-ms-win-service-winsvc-l1-1-0.exe

Filesize
287KB

MD5
fd1494f5e8ef0f8e62f3102edce4a4ce

SHA1
e30f399c9ab7ff896060b2dcbfe7ef429c0af840

SHA256
a0e938be88679df44d7b0802d05393b4d0d59605a7ef4d31031110bd2d827bd4

SHA512
afc5f1970e7eb05e74da24d93e342417eb719ebf91f0eaf946d0b6c33ae47c17f96e682a27e88b9753265c22dca1d41308640e02e878c804e6edbcd584f3fbaa

Download Submit
\Windows\SysWOW64\api-ms-win-service-winsvc-l1-1-0.exe

Filesize
287KB

MD5
fd1494f5e8ef0f8e62f3102edce4a4ce

SHA1
e30f399c9ab7ff896060b2dcbfe7ef429c0af840

SHA256
a0e938be88679df44d7b0802d05393b4d0d59605a7ef4d31031110bd2d827bd4

SHA512
afc5f1970e7eb05e74da24d93e342417eb719ebf91f0eaf946d0b6c33ae47c17f96e682a27e88b9753265c22dca1d41308640e02e878c804e6edbcd584f3fbaa

Download Submit
memory/428-197-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/428-200-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/432-268-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/432-262-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/432-263-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/888-241-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/948-231-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/948-237-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/948-230-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/1044-276-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/1044-277-0x0000000003030000-0x0000000003112000-memory.dmp

Filesize
904KB

Download
memory/1116-155-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/1200-80-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/1200-84-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/1320-282-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/1320-278-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/1352-115-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/1352-110-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/1376-256-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/1396-233-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/1396-229-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/1492-74-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/1504-63-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/1504-56-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/1504-55-0x0000000075ED1000-0x0000000075ED3000-memory.dmp

Filesize
8KB

Download
memory/1504-54-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/1516-83-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/1516-96-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/1516-82-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/1616-189-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/1616-183-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/1648-264-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/1648-260-0x0000000003150000-0x0000000003232000-memory.dmp

Filesize
904KB

Download
memory/1648-213-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/1648-261-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/1676-111-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/1676-125-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/1704-208-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/1708-184-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/1728-193-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/1756-173-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/1756-161-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/1776-252-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/1776-244-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/1776-245-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/1820-221-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/1820-275-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/1820-212-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/1820-214-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/1896-163-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/1896-162-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/1896-175-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/1932-112-0x0000000003040000-0x0000000003122000-memory.dmp

Filesize
904KB

Download
memory/1932-226-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/1932-104-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/1940-222-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/1952-247-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/1952-248-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/2008-144-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/2008-137-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/2008-135-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/2012-132-0x0000000003000000-0x00000000030E2000-memory.dmp

Filesize
904KB

Download
memory/2012-134-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/2020-199-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/2020-198-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/2020-204-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download