amadey | 595a5d21b386ba8e30b567cbe575b24ed104ee589037a48aa2d277452ba0b6a6

Analysis

max time kernel
61s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
18-06-2022 19:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

505d564e02b600967f65ce37d79b80e1.exe
Size

208KB
MD5

505d564e02b600967f65ce37d79b80e1
SHA1

6dd0ebfb6692ff48101744cbbcf78183ead269f7
SHA256

595a5d21b386ba8e30b567cbe575b24ed104ee589037a48aa2d277452ba0b6a6
SHA512

52d6cde55ffef2fd6da4780d663eccd047474b93d267c9bd25c5e73168b5047e20a7265496384e6ccc8f67008523b31ca43b96a3d604a21cdcdda2d9b7313ff7

Malware Config

Extracted

Family

djvu

http://abababa.org/test3/get.php

Attributes

extension
.bbii
offline_id
fE1iyGbFRSHwEwVlLZsE3FvHU8UKd1wubsS4CFt1
payload_url
http://rgyui.top/dl/build2.exe
http://abababa.org/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-KXqYlvxcUy Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: support@bestyourmail.ch Reserve e-mail address to contact us: supportsys@airmail.cc Your personal ID: 0498JIjdm

rsa_pubkey.plain

Extracted

Family

amadey

Version

3.08

185.215.113.15/Lkb2dxj3/index.php

Extracted

Family

recordbreaker

http://93.115.28.51/

Extracted

Family

tofsee

svartalfheim.top

jotunheim.name

Extracted

Family

vidar

Version

52.6

Botnet

937

https://t.me/tg_dailylessons

https://busshi.moe/@olegf9844xx

Attributes

profile_id
937

Extracted

Family

redline

Botnet

10k#24343

176.124.201.194:42409

Attributes

auth_value
81618697406811e75c92a8fdca6e7f8c

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detected Djvu ransomware 5 IoCs

Processes:

resource	yara_rule
behavioral2/memory/5700-189-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4432-202-0x0000000002500000-0x000000000261B000-memory.dmp	family_djvu
behavioral2/memory/5700-196-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/5700-193-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/5700-265-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu

Modifies Windows Defender Real-time Protection settings 3 TTPs 7 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

505d564e02b600967f65ce37d79b80e1.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	505d564e02b600967f65ce37d79b80e1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	505d564e02b600967f65ce37d79b80e1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	505d564e02b600967f65ce37d79b80e1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	505d564e02b600967f65ce37d79b80e1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	505d564e02b600967f65ce37d79b80e1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	505d564e02b600967f65ce37d79b80e1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1"	505d564e02b600967f65ce37d79b80e1.exe

Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 10548 4364 rundll32.exe
RecordBreaker
RecordBreaker is an information stealer capable of downloading and executing secondary payloads written in C++.
stealer recordbreaker
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	10548	4364	rundll32.exe

RedLine Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/38132-291-0x0000000000150000-0x0000000000170000-memory.dmp	family_redline

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
suricata: ET MALWARE Amadey CnC Check-In
suricata: ET MALWARE Amadey CnC Check-In
suricata
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
suricata
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata
suricata: ET MALWARE Vidar/Arkei/Megumin Stealer Keywords Retrieved
suricata: ET MALWARE Vidar/Arkei/Megumin Stealer Keywords Retrieved
suricata
suricata: ET MALWARE W32/Agent.OGR!tr.pws Stealer
suricata: ET MALWARE W32/Agent.OGR!tr.pws Stealer
suricata
suricata: ET MALWARE Win32/Filecoder.STOP Variant Public Key Download
suricata: ET MALWARE Win32/Filecoder.STOP Variant Public Key Download
suricata
suricata: ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key
suricata: ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key
suricata
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
suricata
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
suricata
suricata: ET MALWARE Win32/Vodkagats Loader Requesting Payload
suricata: ET MALWARE Win32/Vodkagats Loader Requesting Payload
suricata
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Vidar Stealer 3 IoCs

stealer

Processes:

resource	yara_rule
behavioral2/memory/4984-268-0x00000000008D0000-0x000000000091B000-memory.dmp	family_vidar
behavioral2/memory/4984-270-0x0000000000400000-0x000000000067D000-memory.dmp	family_vidar
behavioral2/memory/4984-368-0x0000000000400000-0x000000000067D000-memory.dmp	family_vidar

XMRig Miner Payload 1 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/8008-370-0x0000000000ED0000-0x0000000000FC1000-memory.dmp	xmrig

Creates new service(s) 1 TTPs
persistence

New Service
T1050
Downloads MZ/PE file

Executes dropped EXE 20 IoCs

Processes:

DpbeYJklfMUIg28UmK6zoQZK.exeGo4CxGCPoSdaYBArUcr9pnvq.exeEET9n0DAxf4ZSlNn5qqntdp_.exeeVp9dkhjfYf18pUipK8h03hw.exegOWzadDxQqKzMmAqlXNsx66j.exeYu4X5FadVK82oJCmkIZYvX0H.exeDtySd5gqVc1rSYqbj9eD3zCY.exe3GtMWETfdWL8wJDSWMqX8xGH.exeEpTNM_CFOQOK6FBpow6yDWQT.exeY38hod3G7JYUd7es9Tzwy54X.exethvMNcCipnKXsVakK8PeJVZW.exel7ToVLKA5YaWrg0STsslbBgQ.exeZIZbn6OWtXxRow9wEdPjfsMo.exelMXM3SX5enuzyiO07oa6_6Yz.exekrNwUXo33yedkTuE0t9Dkkwx.exex7WRabPCfz9ju5ynI2zrfTFB.exegOWzadDxQqKzMmAqlXNsx66j.exePJ1rV4Q8XaGH_iF3FsGFwIqh.exeftewk.exeftewk.exe

pid	process
1512	DpbeYJklfMUIg28UmK6zoQZK.exe
1964	Go4CxGCPoSdaYBArUcr9pnvq.exe
3012	EET9n0DAxf4ZSlNn5qqntdp_.exe
4400	eVp9dkhjfYf18pUipK8h03hw.exe
4432	gOWzadDxQqKzMmAqlXNsx66j.exe
4812	Yu4X5FadVK82oJCmkIZYvX0H.exe
1348	DtySd5gqVc1rSYqbj9eD3zCY.exe
4508	3GtMWETfdWL8wJDSWMqX8xGH.exe
2952	EpTNM_CFOQOK6FBpow6yDWQT.exe
4984	Y38hod3G7JYUd7es9Tzwy54X.exe
3444	thvMNcCipnKXsVakK8PeJVZW.exe
3032	l7ToVLKA5YaWrg0STsslbBgQ.exe
4552	ZIZbn6OWtXxRow9wEdPjfsMo.exe
1116	lMXM3SX5enuzyiO07oa6_6Yz.exe
2656	krNwUXo33yedkTuE0t9Dkkwx.exe
1476	x7WRabPCfz9ju5ynI2zrfTFB.exe
5700	gOWzadDxQqKzMmAqlXNsx66j.exe
6172	PJ1rV4Q8XaGH_iF3FsGFwIqh.exe
9264	ftewk.exe
9948	ftewk.exe

Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

27244 netsh.exe

pid	process
27244	netsh.exe

VMProtect packed file 4 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Users\Admin\Pictures\Adobe Films\DtySd5gqVc1rSYqbj9eD3zCY.exe	vmprotect
C:\Users\Admin\Pictures\Adobe Films\DtySd5gqVc1rSYqbj9eD3zCY.exe	vmprotect
behavioral2/memory/1348-182-0x0000000000400000-0x0000000000BE7000-memory.dmp	vmprotect
behavioral2/memory/1348-229-0x0000000000400000-0x0000000000BE7000-memory.dmp	vmprotect

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

thvMNcCipnKXsVakK8PeJVZW.exeEpTNM_CFOQOK6FBpow6yDWQT.exe505d564e02b600967f65ce37d79b80e1.exe3GtMWETfdWL8wJDSWMqX8xGH.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	thvMNcCipnKXsVakK8PeJVZW.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	EpTNM_CFOQOK6FBpow6yDWQT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	505d564e02b600967f65ce37d79b80e1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	3GtMWETfdWL8wJDSWMqX8xGH.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exe

pid process

23564 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
23564	icacls.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ZIZbn6OWtXxRow9wEdPjfsMo.exePJ1rV4Q8XaGH_iF3FsGFwIqh.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ZIZbn6OWtXxRow9wEdPjfsMo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ZIZbn6OWtXxRow9wEdPjfsMo.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	PJ1rV4Q8XaGH_iF3FsGFwIqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	PJ1rV4Q8XaGH_iF3FsGFwIqh.exe

Looks up external IP address via web service 10 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

109 api.2ip.ua
110 api.2ip.ua
197 api.2ip.ua
192 api.2ip.ua
270 ip-api.com
15 ipinfo.io
16 ipinfo.io
79 ipinfo.io
80 ipinfo.io
86 ipinfo.io
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

l7ToVLKA5YaWrg0STsslbBgQ.exe

pid process

3032 l7ToVLKA5YaWrg0STsslbBgQ.exe
3032 l7ToVLKA5YaWrg0STsslbBgQ.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

gOWzadDxQqKzMmAqlXNsx66j.exe

description pid process target process

PID 4432 set thread context of 5700 4432 gOWzadDxQqKzMmAqlXNsx66j.exe gOWzadDxQqKzMmAqlXNsx66j.exe

flow	ioc
109	api.2ip.ua
110	api.2ip.ua
197	api.2ip.ua
192	api.2ip.ua
270	ip-api.com
15	ipinfo.io
16	ipinfo.io
79	ipinfo.io
80	ipinfo.io
86	ipinfo.io

pid	process
3032	l7ToVLKA5YaWrg0STsslbBgQ.exe
3032	l7ToVLKA5YaWrg0STsslbBgQ.exe

description	pid	process	target process
PID 4432 set thread context of 5700	4432	gOWzadDxQqKzMmAqlXNsx66j.exe	gOWzadDxQqKzMmAqlXNsx66j.exe

Drops file in Program Files directory 2 IoCs

Processes:

Go4CxGCPoSdaYBArUcr9pnvq.exe

description	ioc	process
File created	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	Go4CxGCPoSdaYBArUcr9pnvq.exe
File opened for modification	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	Go4CxGCPoSdaYBArUcr9pnvq.exe

Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exe

pid process

14456 sc.exe
18592 sc.exe
24600 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
14456	sc.exe
18592	sc.exe
24600	sc.exe

Program crash 28 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
11544	4812	WerFault.exe	Yu4X5FadVK82oJCmkIZYvX0H.exe
11560	4508	WerFault.exe	3GtMWETfdWL8wJDSWMqX8xGH.exe
11780	3444	WerFault.exe	thvMNcCipnKXsVakK8PeJVZW.exe
15944	9948	WerFault.exe	ftewk.exe
26160	4812	WerFault.exe	Yu4X5FadVK82oJCmkIZYvX0H.exe
30784	2952	WerFault.exe	EpTNM_CFOQOK6FBpow6yDWQT.exe
35344	4812	WerFault.exe	Yu4X5FadVK82oJCmkIZYvX0H.exe
37576	29072	WerFault.exe	tfhxjapm.exe
38080	4812	WerFault.exe	Yu4X5FadVK82oJCmkIZYvX0H.exe
38216	4812	WerFault.exe	Yu4X5FadVK82oJCmkIZYvX0H.exe
38392	4812	WerFault.exe	Yu4X5FadVK82oJCmkIZYvX0H.exe
38648	4812	WerFault.exe	Yu4X5FadVK82oJCmkIZYvX0H.exe
38908	1116	WerFault.exe	lMXM3SX5enuzyiO07oa6_6Yz.exe
7244	4812	WerFault.exe	Yu4X5FadVK82oJCmkIZYvX0H.exe
7860	3012	WerFault.exe	EET9n0DAxf4ZSlNn5qqntdp_.exe
7996	4812	WerFault.exe	Yu4X5FadVK82oJCmkIZYvX0H.exe
9580	8796	WerFault.exe	gcleaner.exe
9832	4400	WerFault.exe	eVp9dkhjfYf18pUipK8h03hw.exe
10088	8796	WerFault.exe	gcleaner.exe
10244	8796	WerFault.exe	gcleaner.exe
10424	10112	WerFault.exe	rmaa1045.exe
10688	8796	WerFault.exe	gcleaner.exe
10700	10596	WerFault.exe	rundll32.exe
10852	8796	WerFault.exe	gcleaner.exe
10924	8796	WerFault.exe	gcleaner.exe
11016	8796	WerFault.exe	gcleaner.exe
11276	8796	WerFault.exe	gcleaner.exe
11456	8796	WerFault.exe	gcleaner.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

x7WRabPCfz9ju5ynI2zrfTFB.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	x7WRabPCfz9ju5ynI2zrfTFB.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	x7WRabPCfz9ju5ynI2zrfTFB.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	x7WRabPCfz9ju5ynI2zrfTFB.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

7900 schtasks.exe
8960 schtasks.exe
15936 schtasks.exe
Kills process with taskkill 3 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exe

pid process

11504 taskkill.exe
8876 taskkill.exe
11208 taskkill.exe

pid	process
7900	schtasks.exe
8960	schtasks.exe
15936	schtasks.exe

pid	process
11504	taskkill.exe
8876	taskkill.exe
11208	taskkill.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

505d564e02b600967f65ce37d79b80e1.exeDpbeYJklfMUIg28UmK6zoQZK.exe

pid	process
2384	505d564e02b600967f65ce37d79b80e1.exe
2384	505d564e02b600967f65ce37d79b80e1.exe
1512	DpbeYJklfMUIg28UmK6zoQZK.exe
1512	DpbeYJklfMUIg28UmK6zoQZK.exe
1512	DpbeYJklfMUIg28UmK6zoQZK.exe
1512	DpbeYJklfMUIg28UmK6zoQZK.exe
1512	DpbeYJklfMUIg28UmK6zoQZK.exe
1512	DpbeYJklfMUIg28UmK6zoQZK.exe
1512	DpbeYJklfMUIg28UmK6zoQZK.exe
1512	DpbeYJklfMUIg28UmK6zoQZK.exe
1512	DpbeYJklfMUIg28UmK6zoQZK.exe
1512	DpbeYJklfMUIg28UmK6zoQZK.exe
1512	DpbeYJklfMUIg28UmK6zoQZK.exe
1512	DpbeYJklfMUIg28UmK6zoQZK.exe
1512	DpbeYJklfMUIg28UmK6zoQZK.exe
1512	DpbeYJklfMUIg28UmK6zoQZK.exe
1512	DpbeYJklfMUIg28UmK6zoQZK.exe
1512	DpbeYJklfMUIg28UmK6zoQZK.exe
1512	DpbeYJklfMUIg28UmK6zoQZK.exe
1512	DpbeYJklfMUIg28UmK6zoQZK.exe
1512	DpbeYJklfMUIg28UmK6zoQZK.exe
1512	DpbeYJklfMUIg28UmK6zoQZK.exe
1512	DpbeYJklfMUIg28UmK6zoQZK.exe
1512	DpbeYJklfMUIg28UmK6zoQZK.exe
1512	DpbeYJklfMUIg28UmK6zoQZK.exe
1512	DpbeYJklfMUIg28UmK6zoQZK.exe
1512	DpbeYJklfMUIg28UmK6zoQZK.exe
1512	DpbeYJklfMUIg28UmK6zoQZK.exe
1512	DpbeYJklfMUIg28UmK6zoQZK.exe
1512	DpbeYJklfMUIg28UmK6zoQZK.exe
1512	DpbeYJklfMUIg28UmK6zoQZK.exe
1512	DpbeYJklfMUIg28UmK6zoQZK.exe
1512	DpbeYJklfMUIg28UmK6zoQZK.exe
1512	DpbeYJklfMUIg28UmK6zoQZK.exe
1512	DpbeYJklfMUIg28UmK6zoQZK.exe
1512	DpbeYJklfMUIg28UmK6zoQZK.exe
1512	DpbeYJklfMUIg28UmK6zoQZK.exe
1512	DpbeYJklfMUIg28UmK6zoQZK.exe
1512	DpbeYJklfMUIg28UmK6zoQZK.exe
1512	DpbeYJklfMUIg28UmK6zoQZK.exe
1512	DpbeYJklfMUIg28UmK6zoQZK.exe
1512	DpbeYJklfMUIg28UmK6zoQZK.exe
1512	DpbeYJklfMUIg28UmK6zoQZK.exe
1512	DpbeYJklfMUIg28UmK6zoQZK.exe
1512	DpbeYJklfMUIg28UmK6zoQZK.exe
1512	DpbeYJklfMUIg28UmK6zoQZK.exe
1512	DpbeYJklfMUIg28UmK6zoQZK.exe
1512	DpbeYJklfMUIg28UmK6zoQZK.exe
1512	DpbeYJklfMUIg28UmK6zoQZK.exe
1512	DpbeYJklfMUIg28UmK6zoQZK.exe
1512	DpbeYJklfMUIg28UmK6zoQZK.exe
1512	DpbeYJklfMUIg28UmK6zoQZK.exe
1512	DpbeYJklfMUIg28UmK6zoQZK.exe
1512	DpbeYJklfMUIg28UmK6zoQZK.exe
1512	DpbeYJklfMUIg28UmK6zoQZK.exe
1512	DpbeYJklfMUIg28UmK6zoQZK.exe
1512	DpbeYJklfMUIg28UmK6zoQZK.exe
1512	DpbeYJklfMUIg28UmK6zoQZK.exe
1512	DpbeYJklfMUIg28UmK6zoQZK.exe
1512	DpbeYJklfMUIg28UmK6zoQZK.exe
1512	DpbeYJklfMUIg28UmK6zoQZK.exe
1512	DpbeYJklfMUIg28UmK6zoQZK.exe
1512	DpbeYJklfMUIg28UmK6zoQZK.exe
1512	DpbeYJklfMUIg28UmK6zoQZK.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

EET9n0DAxf4ZSlNn5qqntdp_.exeeVp9dkhjfYf18pUipK8h03hw.exe

description pid process

Token: SeDebugPrivilege 3012 EET9n0DAxf4ZSlNn5qqntdp_.exe
Token: SeDebugPrivilege 4400 eVp9dkhjfYf18pUipK8h03hw.exe

description	pid	process
Token: SeDebugPrivilege	3012	EET9n0DAxf4ZSlNn5qqntdp_.exe
Token: SeDebugPrivilege	4400	eVp9dkhjfYf18pUipK8h03hw.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

505d564e02b600967f65ce37d79b80e1.exeZIZbn6OWtXxRow9wEdPjfsMo.exegOWzadDxQqKzMmAqlXNsx66j.exeGo4CxGCPoSdaYBArUcr9pnvq.exe

description	pid	process	target process
PID 2384 wrote to memory of 1512	2384	505d564e02b600967f65ce37d79b80e1.exe	DpbeYJklfMUIg28UmK6zoQZK.exe
PID 2384 wrote to memory of 1512	2384	505d564e02b600967f65ce37d79b80e1.exe	DpbeYJklfMUIg28UmK6zoQZK.exe
PID 2384 wrote to memory of 1964	2384	505d564e02b600967f65ce37d79b80e1.exe	Go4CxGCPoSdaYBArUcr9pnvq.exe
PID 2384 wrote to memory of 1964	2384	505d564e02b600967f65ce37d79b80e1.exe	Go4CxGCPoSdaYBArUcr9pnvq.exe
PID 2384 wrote to memory of 1964	2384	505d564e02b600967f65ce37d79b80e1.exe	Go4CxGCPoSdaYBArUcr9pnvq.exe
PID 2384 wrote to memory of 3012	2384	505d564e02b600967f65ce37d79b80e1.exe	EET9n0DAxf4ZSlNn5qqntdp_.exe
PID 2384 wrote to memory of 3012	2384	505d564e02b600967f65ce37d79b80e1.exe	EET9n0DAxf4ZSlNn5qqntdp_.exe
PID 2384 wrote to memory of 3012	2384	505d564e02b600967f65ce37d79b80e1.exe	EET9n0DAxf4ZSlNn5qqntdp_.exe
PID 2384 wrote to memory of 4400	2384	505d564e02b600967f65ce37d79b80e1.exe	eVp9dkhjfYf18pUipK8h03hw.exe
PID 2384 wrote to memory of 4400	2384	505d564e02b600967f65ce37d79b80e1.exe	eVp9dkhjfYf18pUipK8h03hw.exe
PID 2384 wrote to memory of 4400	2384	505d564e02b600967f65ce37d79b80e1.exe	eVp9dkhjfYf18pUipK8h03hw.exe
PID 2384 wrote to memory of 4432	2384	505d564e02b600967f65ce37d79b80e1.exe	gOWzadDxQqKzMmAqlXNsx66j.exe
PID 2384 wrote to memory of 4432	2384	505d564e02b600967f65ce37d79b80e1.exe	gOWzadDxQqKzMmAqlXNsx66j.exe
PID 2384 wrote to memory of 4432	2384	505d564e02b600967f65ce37d79b80e1.exe	gOWzadDxQqKzMmAqlXNsx66j.exe
PID 2384 wrote to memory of 4812	2384	505d564e02b600967f65ce37d79b80e1.exe	Yu4X5FadVK82oJCmkIZYvX0H.exe
PID 2384 wrote to memory of 4812	2384	505d564e02b600967f65ce37d79b80e1.exe	Yu4X5FadVK82oJCmkIZYvX0H.exe
PID 2384 wrote to memory of 4812	2384	505d564e02b600967f65ce37d79b80e1.exe	Yu4X5FadVK82oJCmkIZYvX0H.exe
PID 2384 wrote to memory of 1348	2384	505d564e02b600967f65ce37d79b80e1.exe	DtySd5gqVc1rSYqbj9eD3zCY.exe
PID 2384 wrote to memory of 1348	2384	505d564e02b600967f65ce37d79b80e1.exe	DtySd5gqVc1rSYqbj9eD3zCY.exe
PID 2384 wrote to memory of 1348	2384	505d564e02b600967f65ce37d79b80e1.exe	DtySd5gqVc1rSYqbj9eD3zCY.exe
PID 2384 wrote to memory of 4508	2384	505d564e02b600967f65ce37d79b80e1.exe	3GtMWETfdWL8wJDSWMqX8xGH.exe
PID 2384 wrote to memory of 4508	2384	505d564e02b600967f65ce37d79b80e1.exe	3GtMWETfdWL8wJDSWMqX8xGH.exe
PID 2384 wrote to memory of 4508	2384	505d564e02b600967f65ce37d79b80e1.exe	3GtMWETfdWL8wJDSWMqX8xGH.exe
PID 2384 wrote to memory of 2952	2384	505d564e02b600967f65ce37d79b80e1.exe	EpTNM_CFOQOK6FBpow6yDWQT.exe
PID 2384 wrote to memory of 2952	2384	505d564e02b600967f65ce37d79b80e1.exe	EpTNM_CFOQOK6FBpow6yDWQT.exe
PID 2384 wrote to memory of 2952	2384	505d564e02b600967f65ce37d79b80e1.exe	EpTNM_CFOQOK6FBpow6yDWQT.exe
PID 2384 wrote to memory of 4984	2384	505d564e02b600967f65ce37d79b80e1.exe	Y38hod3G7JYUd7es9Tzwy54X.exe
PID 2384 wrote to memory of 4984	2384	505d564e02b600967f65ce37d79b80e1.exe	Y38hod3G7JYUd7es9Tzwy54X.exe
PID 2384 wrote to memory of 4984	2384	505d564e02b600967f65ce37d79b80e1.exe	Y38hod3G7JYUd7es9Tzwy54X.exe
PID 2384 wrote to memory of 3444	2384	505d564e02b600967f65ce37d79b80e1.exe	thvMNcCipnKXsVakK8PeJVZW.exe
PID 2384 wrote to memory of 3444	2384	505d564e02b600967f65ce37d79b80e1.exe	thvMNcCipnKXsVakK8PeJVZW.exe
PID 2384 wrote to memory of 3444	2384	505d564e02b600967f65ce37d79b80e1.exe	thvMNcCipnKXsVakK8PeJVZW.exe
PID 2384 wrote to memory of 4552	2384	505d564e02b600967f65ce37d79b80e1.exe	ZIZbn6OWtXxRow9wEdPjfsMo.exe
PID 2384 wrote to memory of 4552	2384	505d564e02b600967f65ce37d79b80e1.exe	ZIZbn6OWtXxRow9wEdPjfsMo.exe
PID 2384 wrote to memory of 4552	2384	505d564e02b600967f65ce37d79b80e1.exe	ZIZbn6OWtXxRow9wEdPjfsMo.exe
PID 2384 wrote to memory of 3032	2384	505d564e02b600967f65ce37d79b80e1.exe	l7ToVLKA5YaWrg0STsslbBgQ.exe
PID 2384 wrote to memory of 3032	2384	505d564e02b600967f65ce37d79b80e1.exe	l7ToVLKA5YaWrg0STsslbBgQ.exe
PID 2384 wrote to memory of 3032	2384	505d564e02b600967f65ce37d79b80e1.exe	l7ToVLKA5YaWrg0STsslbBgQ.exe
PID 2384 wrote to memory of 1116	2384	505d564e02b600967f65ce37d79b80e1.exe	lMXM3SX5enuzyiO07oa6_6Yz.exe
PID 2384 wrote to memory of 1116	2384	505d564e02b600967f65ce37d79b80e1.exe	lMXM3SX5enuzyiO07oa6_6Yz.exe
PID 2384 wrote to memory of 1116	2384	505d564e02b600967f65ce37d79b80e1.exe	lMXM3SX5enuzyiO07oa6_6Yz.exe
PID 2384 wrote to memory of 2656	2384	505d564e02b600967f65ce37d79b80e1.exe	krNwUXo33yedkTuE0t9Dkkwx.exe
PID 2384 wrote to memory of 2656	2384	505d564e02b600967f65ce37d79b80e1.exe	krNwUXo33yedkTuE0t9Dkkwx.exe
PID 2384 wrote to memory of 2656	2384	505d564e02b600967f65ce37d79b80e1.exe	krNwUXo33yedkTuE0t9Dkkwx.exe
PID 2384 wrote to memory of 1476	2384	505d564e02b600967f65ce37d79b80e1.exe	x7WRabPCfz9ju5ynI2zrfTFB.exe
PID 2384 wrote to memory of 1476	2384	505d564e02b600967f65ce37d79b80e1.exe	x7WRabPCfz9ju5ynI2zrfTFB.exe
PID 2384 wrote to memory of 1476	2384	505d564e02b600967f65ce37d79b80e1.exe	x7WRabPCfz9ju5ynI2zrfTFB.exe
PID 4552 wrote to memory of 3684	4552	ZIZbn6OWtXxRow9wEdPjfsMo.exe	dllhost.exe
PID 4552 wrote to memory of 3684	4552	ZIZbn6OWtXxRow9wEdPjfsMo.exe	dllhost.exe
PID 4552 wrote to memory of 3684	4552	ZIZbn6OWtXxRow9wEdPjfsMo.exe	dllhost.exe
PID 4432 wrote to memory of 5700	4432	gOWzadDxQqKzMmAqlXNsx66j.exe	gOWzadDxQqKzMmAqlXNsx66j.exe
PID 4432 wrote to memory of 5700	4432	gOWzadDxQqKzMmAqlXNsx66j.exe	gOWzadDxQqKzMmAqlXNsx66j.exe
PID 4432 wrote to memory of 5700	4432	gOWzadDxQqKzMmAqlXNsx66j.exe	gOWzadDxQqKzMmAqlXNsx66j.exe
PID 4432 wrote to memory of 5700	4432	gOWzadDxQqKzMmAqlXNsx66j.exe	gOWzadDxQqKzMmAqlXNsx66j.exe
PID 4432 wrote to memory of 5700	4432	gOWzadDxQqKzMmAqlXNsx66j.exe	gOWzadDxQqKzMmAqlXNsx66j.exe
PID 4432 wrote to memory of 5700	4432	gOWzadDxQqKzMmAqlXNsx66j.exe	gOWzadDxQqKzMmAqlXNsx66j.exe
PID 4432 wrote to memory of 5700	4432	gOWzadDxQqKzMmAqlXNsx66j.exe	gOWzadDxQqKzMmAqlXNsx66j.exe
PID 4432 wrote to memory of 5700	4432	gOWzadDxQqKzMmAqlXNsx66j.exe	gOWzadDxQqKzMmAqlXNsx66j.exe
PID 4432 wrote to memory of 5700	4432	gOWzadDxQqKzMmAqlXNsx66j.exe	gOWzadDxQqKzMmAqlXNsx66j.exe
PID 4432 wrote to memory of 5700	4432	gOWzadDxQqKzMmAqlXNsx66j.exe	gOWzadDxQqKzMmAqlXNsx66j.exe
PID 2384 wrote to memory of 6172	2384	505d564e02b600967f65ce37d79b80e1.exe	PJ1rV4Q8XaGH_iF3FsGFwIqh.exe
PID 2384 wrote to memory of 6172	2384	505d564e02b600967f65ce37d79b80e1.exe	PJ1rV4Q8XaGH_iF3FsGFwIqh.exe
PID 1964 wrote to memory of 7900	1964	Go4CxGCPoSdaYBArUcr9pnvq.exe	schtasks.exe
PID 1964 wrote to memory of 7900	1964	Go4CxGCPoSdaYBArUcr9pnvq.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\505d564e02b600967f65ce37d79b80e1.exe
"C:\Users\Admin\AppData\Local\Temp\505d564e02b600967f65ce37d79b80e1.exe"
1⤵
- Modifies Windows Defender Real-time Protection settings
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2384

C:\Users\Admin\Pictures\Adobe Films\DpbeYJklfMUIg28UmK6zoQZK.exe
"C:\Users\Admin\Pictures\Adobe Films\DpbeYJklfMUIg28UmK6zoQZK.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1512

C:\Users\Admin\Pictures\Adobe Films\Go4CxGCPoSdaYBArUcr9pnvq.exe
"C:\Users\Admin\Pictures\Adobe Films\Go4CxGCPoSdaYBArUcr9pnvq.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1964

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
3⤵
- Creates scheduled task(s)
PID:7900

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
3⤵
- Creates scheduled task(s)
PID:8960

C:\Users\Admin\Pictures\Adobe Films\EET9n0DAxf4ZSlNn5qqntdp_.exe
"C:\Users\Admin\Pictures\Adobe Films\EET9n0DAxf4ZSlNn5qqntdp_.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3012 -s 1296
3⤵
- Program crash
PID:7860

C:\Users\Admin\Pictures\Adobe Films\gOWzadDxQqKzMmAqlXNsx66j.exe
"C:\Users\Admin\Pictures\Adobe Films\gOWzadDxQqKzMmAqlXNsx66j.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4432

C:\Users\Admin\Pictures\Adobe Films\gOWzadDxQqKzMmAqlXNsx66j.exe
"C:\Users\Admin\Pictures\Adobe Films\gOWzadDxQqKzMmAqlXNsx66j.exe"
3⤵
- Executes dropped EXE
PID:5700

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\4ee0d87c-351d-45a5-9978-33019cd85ae8" /deny *S-1-1-0:(OI)(CI)(DE,DC)
4⤵
- Modifies file permissions
PID:23564

C:\Users\Admin\Pictures\Adobe Films\gOWzadDxQqKzMmAqlXNsx66j.exe
"C:\Users\Admin\Pictures\Adobe Films\gOWzadDxQqKzMmAqlXNsx66j.exe" --Admin IsNotAutoStart IsNotTask
4⤵
PID:8120

C:\Users\Admin\Pictures\Adobe Films\gOWzadDxQqKzMmAqlXNsx66j.exe
"C:\Users\Admin\Pictures\Adobe Films\gOWzadDxQqKzMmAqlXNsx66j.exe" --Admin IsNotAutoStart IsNotTask
5⤵
PID:8628

C:\Users\Admin\AppData\Local\d7db5b93-dc65-4271-9c25-d674022b32e1\build2.exe
"C:\Users\Admin\AppData\Local\d7db5b93-dc65-4271-9c25-d674022b32e1\build2.exe"
6⤵
PID:1860

C:\Users\Admin\AppData\Local\d7db5b93-dc65-4271-9c25-d674022b32e1\build2.exe
"C:\Users\Admin\AppData\Local\d7db5b93-dc65-4271-9c25-d674022b32e1\build2.exe"
7⤵
PID:10532

C:\Users\Admin\Pictures\Adobe Films\eVp9dkhjfYf18pUipK8h03hw.exe
"C:\Users\Admin\Pictures\Adobe Films\eVp9dkhjfYf18pUipK8h03hw.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4400 -s 1816
3⤵
- Program crash
PID:9832

C:\Users\Admin\Pictures\Adobe Films\l7ToVLKA5YaWrg0STsslbBgQ.exe
"C:\Users\Admin\Pictures\Adobe Films\l7ToVLKA5YaWrg0STsslbBgQ.exe"
2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3032

C:\Users\Admin\Pictures\Adobe Films\lMXM3SX5enuzyiO07oa6_6Yz.exe
"C:\Users\Admin\Pictures\Adobe Films\lMXM3SX5enuzyiO07oa6_6Yz.exe"
2⤵
- Executes dropped EXE
PID:1116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1116 -s 764
3⤵
- Program crash
PID:38908

C:\Users\Admin\Pictures\Adobe Films\ZIZbn6OWtXxRow9wEdPjfsMo.exe
"C:\Users\Admin\Pictures\Adobe Films\ZIZbn6OWtXxRow9wEdPjfsMo.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4552

C:\Windows\SysWOW64\dllhost.exe
dllhost kjdlskreshduehfiuwefuihuzhdsfbvnzmnnxcvjkhawiuoyrf8wer847345
3⤵
PID:3684

C:\Windows\SysWOW64\cmd.exe
cmd /c cmd < Questo.ppt & ping -n 5 localhost
3⤵
PID:8984

C:\Windows\SysWOW64\cmd.exe
cmd
4⤵
PID:11780

C:\Users\Admin\Pictures\Adobe Films\thvMNcCipnKXsVakK8PeJVZW.exe
"C:\Users\Admin\Pictures\Adobe Films\thvMNcCipnKXsVakK8PeJVZW.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
PID:3444

C:\Users\Admin\AppData\Local\Temp\bce0e07065\ftewk.exe
"C:\Users\Admin\AppData\Local\Temp\bce0e07065\ftewk.exe"
3⤵
- Executes dropped EXE
PID:9948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 9948 -s 496
4⤵
- Program crash
PID:15944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3444 -s 1116
3⤵
- Program crash
PID:11780

C:\Users\Admin\Pictures\Adobe Films\EpTNM_CFOQOK6FBpow6yDWQT.exe
"C:\Users\Admin\Pictures\Adobe Films\EpTNM_CFOQOK6FBpow6yDWQT.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
PID:2952

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\yzdlsgvx\
3⤵
PID:11064

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\tfhxjapm.exe" C:\Windows\SysWOW64\yzdlsgvx\
3⤵
PID:12136

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create yzdlsgvx binPath= "C:\Windows\SysWOW64\yzdlsgvx\tfhxjapm.exe /d\"C:\Users\Admin\Pictures\Adobe Films\EpTNM_CFOQOK6FBpow6yDWQT.exe\"" type= own start= auto DisplayName= "wifi support"
3⤵
- Launches sc.exe
PID:14456

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description yzdlsgvx "wifi internet conection"
3⤵
- Launches sc.exe
PID:18592

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start yzdlsgvx
3⤵
- Launches sc.exe
PID:24600

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
3⤵
- Modifies Windows Firewall
PID:27244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2952 -s 1040
3⤵
- Program crash
PID:30784

C:\Users\Admin\Pictures\Adobe Films\Y38hod3G7JYUd7es9Tzwy54X.exe
"C:\Users\Admin\Pictures\Adobe Films\Y38hod3G7JYUd7es9Tzwy54X.exe"
2⤵
- Executes dropped EXE
PID:4984

C:\Users\Admin\Pictures\Adobe Films\3GtMWETfdWL8wJDSWMqX8xGH.exe
"C:\Users\Admin\Pictures\Adobe Films\3GtMWETfdWL8wJDSWMqX8xGH.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
PID:4508

C:\Users\Admin\AppData\Local\Temp\bce0e07065\ftewk.exe
"C:\Users\Admin\AppData\Local\Temp\bce0e07065\ftewk.exe"
3⤵
- Executes dropped EXE
PID:9264

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\bce0e07065\
4⤵
PID:15052

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\bce0e07065\
5⤵
PID:33968

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN ftewk.exe /TR "C:\Users\Admin\AppData\Local\Temp\bce0e07065\ftewk.exe" /F
4⤵
- Creates scheduled task(s)
PID:15936

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\110809d565579c\cred.dll, Main
4⤵
PID:11620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4508 -s 1112
3⤵
- Program crash
PID:11560

C:\Users\Admin\Pictures\Adobe Films\DtySd5gqVc1rSYqbj9eD3zCY.exe
"C:\Users\Admin\Pictures\Adobe Films\DtySd5gqVc1rSYqbj9eD3zCY.exe"
2⤵
- Executes dropped EXE
PID:1348

C:\Users\Admin\Pictures\Adobe Films\Yu4X5FadVK82oJCmkIZYvX0H.exe
"C:\Users\Admin\Pictures\Adobe Films\Yu4X5FadVK82oJCmkIZYvX0H.exe"
2⤵
- Executes dropped EXE
PID:4812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4812 -s 460
3⤵
- Program crash
PID:11544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4812 -s 768
3⤵
- Program crash
PID:26160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4812 -s 776
3⤵
- Program crash
PID:35344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4812 -s 820
3⤵
- Program crash
PID:38080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4812 -s 828
3⤵
- Program crash
PID:38216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4812 -s 836
3⤵
- Program crash
PID:38392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4812 -s 1016
3⤵
- Program crash
PID:38648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4812 -s 1372
3⤵
- Program crash
PID:7244

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "Yu4X5FadVK82oJCmkIZYvX0H.exe" /f & erase "C:\Users\Admin\Pictures\Adobe Films\Yu4X5FadVK82oJCmkIZYvX0H.exe" & exit
3⤵
PID:7716

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "Yu4X5FadVK82oJCmkIZYvX0H.exe" /f
4⤵
- Kills process with taskkill
PID:8876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4812 -s 656
3⤵
- Program crash
PID:7996

C:\Users\Admin\Pictures\Adobe Films\x7WRabPCfz9ju5ynI2zrfTFB.exe
"C:\Users\Admin\Pictures\Adobe Films\x7WRabPCfz9ju5ynI2zrfTFB.exe"
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1476

C:\Users\Admin\Pictures\Adobe Films\krNwUXo33yedkTuE0t9Dkkwx.exe
"C:\Users\Admin\Pictures\Adobe Films\krNwUXo33yedkTuE0t9Dkkwx.exe"
2⤵
- Executes dropped EXE
PID:2656

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3⤵
PID:38132

C:\Users\Admin\Pictures\Adobe Films\PJ1rV4Q8XaGH_iF3FsGFwIqh.exe
"C:\Users\Admin\Pictures\Adobe Films\PJ1rV4Q8XaGH_iF3FsGFwIqh.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:6172

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\SETUP_~1.EXE
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\SETUP_~1.EXE
3⤵
PID:10024

C:\Users\Admin\Pictures\Adobe Films\moyktcClU80V5qeBm4bilFwe.exe
"C:\Users\Admin\Pictures\Adobe Films\moyktcClU80V5qeBm4bilFwe.exe"
2⤵
PID:12152

C:\Users\Admin\AppData\Local\Temp\is-JOTPE.tmp\moyktcClU80V5qeBm4bilFwe.tmp
"C:\Users\Admin\AppData\Local\Temp\is-JOTPE.tmp\moyktcClU80V5qeBm4bilFwe.tmp" /SL5="$20182,506127,422400,C:\Users\Admin\Pictures\Adobe Films\moyktcClU80V5qeBm4bilFwe.exe"
3⤵
PID:15044

C:\Users\Admin\AppData\Local\Temp\is-TABK1.tmp\befeduce.exe
"C:\Users\Admin\AppData\Local\Temp\is-TABK1.tmp\befeduce.exe" /S /UID=Irecch4
4⤵
PID:24588

C:\Users\Admin\AppData\Local\Temp\90-f7cfd-4f5-dbc9e-d814542706e81\Vaefuhaelele.exe
"C:\Users\Admin\AppData\Local\Temp\90-f7cfd-4f5-dbc9e-d814542706e81\Vaefuhaelele.exe"
5⤵
PID:38244

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6
6⤵
PID:7440

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xf8,0x108,0x7ff83c3a46f8,0x7ff83c3a4708,0x7ff83c3a4718
7⤵
PID:7504

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,15224482628405761661,11010301526825479324,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2064 /prefetch:2
7⤵
PID:8724

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,15224482628405761661,11010301526825479324,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 /prefetch:3
7⤵
PID:8812

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,15224482628405761661,11010301526825479324,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2824 /prefetch:8
7⤵
PID:8852

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,15224482628405761661,11010301526825479324,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3420 /prefetch:1
7⤵
PID:9184

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,15224482628405761661,11010301526825479324,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1
7⤵
PID:9312

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2116,15224482628405761661,11010301526825479324,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4704 /prefetch:8
7⤵
PID:9632

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,15224482628405761661,11010301526825479324,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5720 /prefetch:1
7⤵
PID:9976

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,15224482628405761661,11010301526825479324,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4736 /prefetch:1
7⤵
PID:10252

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,15224482628405761661,11010301526825479324,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4788 /prefetch:1
7⤵
PID:10280

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2116,15224482628405761661,11010301526825479324,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4760 /prefetch:8
7⤵
PID:10460

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,15224482628405761661,11010301526825479324,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6344 /prefetch:8
7⤵
PID:11672

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
7⤵
PID:11740

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff741605460,0x7ff741605470,0x7ff741605480
8⤵
PID:11760

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,15224482628405761661,11010301526825479324,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6344 /prefetch:8
7⤵
PID:12060

C:\Users\Admin\AppData\Local\Temp\b4-4e18d-558-92f81-d3ba4fec26365\Mixaebikuku.exe
"C:\Users\Admin\AppData\Local\Temp\b4-4e18d-558-92f81-d3ba4fec26365\Mixaebikuku.exe"
5⤵
PID:38320

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\jmyyonue.nqn\installer.exe /qn CAMPAIGN= & exit
6⤵
PID:7320

C:\Users\Admin\AppData\Local\Temp\jmyyonue.nqn\installer.exe
C:\Users\Admin\AppData\Local\Temp\jmyyonue.nqn\installer.exe /qn CAMPAIGN=
7⤵
PID:8616

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Yonatan.msi" /qn CAMPAIGN="" AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\jmyyonue.nqn\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\jmyyonue.nqn\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1655346423 /qn CAMPAIGN= " CAMPAIGN=""
8⤵
PID:10884

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\3rhtkdpb.no4\gcleaner.exe /mixfive & exit
6⤵
PID:7432

C:\Users\Admin\AppData\Local\Temp\3rhtkdpb.no4\gcleaner.exe
C:\Users\Admin\AppData\Local\Temp\3rhtkdpb.no4\gcleaner.exe /mixfive
7⤵
PID:8796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8796 -s 456
8⤵
- Program crash
PID:9580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8796 -s 768
8⤵
- Program crash
PID:10088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8796 -s 808
8⤵
- Program crash
PID:10244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8796 -s 796
8⤵
- Program crash
PID:10688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8796 -s 828
8⤵
- Program crash
PID:10852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8796 -s 984
8⤵
- Program crash
PID:10924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8796 -s 1016
8⤵
- Program crash
PID:11016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8796 -s 1388
8⤵
- Program crash
PID:11276

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "gcleaner.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\3rhtkdpb.no4\gcleaner.exe" & exit
8⤵
PID:11332

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "gcleaner.exe" /f
9⤵
- Kills process with taskkill
PID:11504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8796 -s 704
8⤵
- Program crash
PID:11456

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ggb3nmxg.vqx\random.exe & exit
6⤵
PID:8284

C:\Users\Admin\AppData\Local\Temp\ggb3nmxg.vqx\random.exe
C:\Users\Admin\AppData\Local\Temp\ggb3nmxg.vqx\random.exe
7⤵
PID:9704

C:\Users\Admin\AppData\Local\Temp\ggb3nmxg.vqx\random.exe
"C:\Users\Admin\AppData\Local\Temp\ggb3nmxg.vqx\random.exe" help
8⤵
PID:9916

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\bompxayv.gne\rmaa1045.exe & exit
6⤵
PID:9044

C:\Users\Admin\AppData\Local\Temp\bompxayv.gne\rmaa1045.exe
C:\Users\Admin\AppData\Local\Temp\bompxayv.gne\rmaa1045.exe
7⤵
PID:10112

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 10112 -s 872
8⤵
- Program crash
PID:10424

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\33d454qu.wwe\installer.exe /qn CAMPAIGN=654 & exit
6⤵
PID:9592

C:\Users\Admin\AppData\Local\Temp\33d454qu.wwe\installer.exe
C:\Users\Admin\AppData\Local\Temp\33d454qu.wwe\installer.exe /qn CAMPAIGN=654
7⤵
PID:1536

C:\Program Files\Windows Photo Viewer\CTGWEIQGUF\irecord.exe
"C:\Program Files\Windows Photo Viewer\CTGWEIQGUF\irecord.exe" /VERYSILENT
5⤵
PID:5828

C:\Users\Admin\AppData\Local\Temp\is-VFVG2.tmp\irecord.tmp
"C:\Users\Admin\AppData\Local\Temp\is-VFVG2.tmp\irecord.tmp" /SL5="$D0028,5808768,66560,C:\Program Files\Windows Photo Viewer\CTGWEIQGUF\irecord.exe" /VERYSILENT
6⤵
PID:7060

C:\Program Files (x86)\i-record\I-Record.exe
"C:\Program Files (x86)\i-record\I-Record.exe" -silent -desktopShortcut -programMenu
7⤵
PID:7652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4508 -ip 4508
1⤵
PID:10012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3444 -ip 3444
1⤵
PID:11044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4812 -ip 4812
1⤵
PID:9736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 9948 -ip 9948
1⤵
PID:11072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4812 -ip 4812
1⤵
PID:25216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2952 -ip 2952
1⤵
PID:28168

C:\Windows\SysWOW64\yzdlsgvx\tfhxjapm.exe
C:\Windows\SysWOW64\yzdlsgvx\tfhxjapm.exe /d"C:\Users\Admin\Pictures\Adobe Films\EpTNM_CFOQOK6FBpow6yDWQT.exe"
1⤵
PID:29072

C:\Windows\SysWOW64\svchost.exe
svchost.exe
2⤵
PID:34628

C:\Windows\SysWOW64\svchost.exe
svchost.exe -o fastpool.xyz:10060 -u 9mLwUkiK8Yp89zQQYodWKN29jVVVz1cWDFZctWxge16Zi3TpHnSBnnVcCDhSRXdesnMBdVjtDwh1N71KD9z37EzgKSM1tmS.60000 -p x -k -a cn/half
3⤵
PID:8008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 29072 -s 564
2⤵
- Program crash
PID:37576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 4812 -ip 4812
1⤵
PID:34152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 29072 -ip 29072
1⤵
PID:35760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 4812 -ip 4812
1⤵
PID:38028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 4812 -ip 4812
1⤵
PID:38168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4812 -ip 4812
1⤵
PID:38364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 4812 -ip 4812
1⤵
PID:38564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 1116 -ip 1116
1⤵
PID:38836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 4812 -ip 4812
1⤵
PID:7000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 3012 -ip 3012
1⤵
PID:7680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 4812 -ip 4812
1⤵
PID:7792

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:9220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 8796 -ip 8796
1⤵
PID:9444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 4400 -ip 4400
1⤵
PID:9812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 8796 -ip 8796
1⤵
PID:9892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 8796 -ip 8796
1⤵
PID:2932

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:3588

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 18B5DBCB4EE5F004DBA2DC3A3CC1F769 C
2⤵
PID:10652

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 23B1E1A25279505D06548B80044BE7BC
2⤵
PID:11152

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
3⤵
- Kills process with taskkill
PID:11208

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding A44F51F636B6CC79ED2595588C57765A E Global\MSI0000
2⤵
PID:11772

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 600 -p 10112 -ip 10112
1⤵
PID:10300

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",global
1⤵
- Process spawned unexpected child process
PID:10548

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",global
2⤵
PID:10596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 10596 -s 600
3⤵
- Program crash
PID:10700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 8796 -ip 8796
1⤵
PID:10628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 10596 -ip 10596
1⤵
PID:10668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 8796 -ip 8796
1⤵
PID:10836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 8796 -ip 8796
1⤵
PID:10908

C:\Users\Admin\AppData\Local\Temp\bce0e07065\ftewk.exe
C:\Users\Admin\AppData\Local\Temp\bce0e07065\ftewk.exe
1⤵
PID:10964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 8796 -ip 8796
1⤵
PID:10996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 8796 -ip 8796
1⤵
PID:9928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 8796 -ip 8796
1⤵
PID:11352

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

New Service

T1050

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

New Service

T1050

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

File Permissions Modification

T1222

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows Photo Viewer\CTGWEIQGUF\irecord.exe
Filesize
5.8MB

MD5
f3e69396bfcb70ee59a828705593171a

SHA1
d4df6a67e0f7af5385613256dbf485e1f2886c55

SHA256
c970b8146afbd7347f5488fd821ae6ade4f355dcb29d764b7834ce8a1754105f

SHA512
4743b9bf562c1b8616f794493123160de95ba15451affacf286aff6d2af023a07d7942a8753c3fdccf8d294f99b46adee8ac58f6a29d42dea973a9de6a77d22f

Download Submit
C:\Program Files\Windows Photo Viewer\CTGWEIQGUF\irecord.exe
Filesize
5.8MB

MD5
f3e69396bfcb70ee59a828705593171a

SHA1
d4df6a67e0f7af5385613256dbf485e1f2886c55

SHA256
c970b8146afbd7347f5488fd821ae6ade4f355dcb29d764b7834ce8a1754105f

SHA512
4743b9bf562c1b8616f794493123160de95ba15451affacf286aff6d2af023a07d7942a8753c3fdccf8d294f99b46adee8ac58f6a29d42dea973a9de6a77d22f

Download Submit
C:\ProgramData\mozglue.dll
Filesize
133KB

MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
C:\ProgramData\nss3.dll
Filesize
1.2MB

MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\572BF21E454637C9F000BE1AF9B1E1A9
Filesize
506B

MD5
a856f68d5f890571edc355d38043a8a5

SHA1
1343b0dc58c13de95ec15dd345f04850c3ee3c88

SHA256
21f89f450409d5684558c2daffa635e0dc309b2f1a0110c5799306eabb09412e

SHA512
8ac2553834dd710b6b9258997efdcbe6deb798b1465da8976aed08fe07790daf6ba78c5eb59bb1cc2808ae0ad84b3a4cdd09cc10c3cf80df1290efdd9417b6ae

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\572BF21E454637C9F000BE1AF9B1E1A9
Filesize
248B

MD5
e58b675bec60eab3717463dc998ff8cf

SHA1
fba37ca638d6c7dcbcdfb43477d9ca559455c929

SHA256
9b0c9d698f0e19998a970d9b13ebe1bb6359be8fd435ad1e2e2e3a0db6437378

SHA512
7a1107d15dfadd644183b108b9440845f5cc8a0671385df26b267e6afc75318042f37245003bbecd8aaa21b13801dbca03c7dc05c08106edd89a607eee58869d

Download Submit
C:\Users\Admin\AppData\Local\4ee0d87c-351d-45a5-9978-33019cd85ae8\gOWzadDxQqKzMmAqlXNsx66j.exe
Filesize
733KB

MD5
052e6ee150a4b200ac99ebacdfe570bf

SHA1
e7955a990da9c4a791589af7b7cc4ec39a2ae6fc

SHA256
fbf677a39a0d77816ac70facdf55661838774ef22270f521fb12f17f09822347

SHA512
37a3e6742cd9e93bfb8d1e32dfba439f274681c267581c5a9e9c3721f8f36b8bed59d3bc06a3e41c88d2e1891ce2ba72d5eddd108f4e5bafe28c38e58bf9bd5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\90-f7cfd-4f5-dbc9e-d814542706e81\Vaefuhaelele.exe
Filesize
575KB

MD5
b78cd54e9952b21140da7471ad414416

SHA1
6d017b99742c9af216189bc38f06661bfc9d37f3

SHA256
3168662154acbaad4d0d633d3c64756422447251ca2040bdce74487a7500a067

SHA512
51b12a58894a9e45b8f8e19667c207f06ea8f5ce1978e1564606a1558ad0fb0a4ed69b1504a42f423e811316f7b1d95d5f64d4a38f76c81f45696712db9bd374

Download Submit
C:\Users\Admin\AppData\Local\Temp\90-f7cfd-4f5-dbc9e-d814542706e81\Vaefuhaelele.exe
Filesize
575KB

MD5
b78cd54e9952b21140da7471ad414416

SHA1
6d017b99742c9af216189bc38f06661bfc9d37f3

SHA256
3168662154acbaad4d0d633d3c64756422447251ca2040bdce74487a7500a067

SHA512
51b12a58894a9e45b8f8e19667c207f06ea8f5ce1978e1564606a1558ad0fb0a4ed69b1504a42f423e811316f7b1d95d5f64d4a38f76c81f45696712db9bd374

Download Submit
C:\Users\Admin\AppData\Local\Temp\90-f7cfd-4f5-dbc9e-d814542706e81\Vaefuhaelele.exe.config
Filesize
1KB

MD5
98d2687aec923f98c37f7cda8de0eb19

SHA1
f6dcfcdcfe570340ecdbbd9e2a61f3cb4f281ba7

SHA256
8a94163256a722ef8cc140bcd115a5b8f8725c04fe158b129d47be81cb693465

SHA512
95c7290d59749df8df495e04789c1793265e0f34e0d091df5c0d4aefe1af4c8ac1f5460f1f198fc28c4c8c900827b8f22e2851957bbaea5914ea962b3a1d0590

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Questo.ppt
Filesize
9KB

MD5
60ce39b7dffea125651f2b5a31b986c6

SHA1
8901491faec2b65d27a27debc1645714ab460c31

SHA256
dc57c9cd3ba9df84e38aa404abee1fa2ef12c2885ee57a1e655966a70ce867b8

SHA512
c1372502433e78773eef07e990260336a191a2911a61b58e824ff1a4b2643a7e6447be2acea4a0cb076d2c3bd5d1ea65a37b77ca4122e8156cb1997caa32445f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\SETUP_~1.EXE
Filesize
19.1MB

MD5
83bd2ad9756ff2555d6111cd53f63c03

SHA1
2079e85b1c1c20e1ff4c715fa16fb122893ac401

SHA256
065598433968e012aae718e0eb67f10943a6875044d1a518545ca6dcb2eb137d

SHA512
8051160f0047bde81936e11adef465c2473ca897477569be04af37f2cb5fdfcd84ecbc4f0e2d66232b9bce81eeafc91c0fbb1366dad53b73413b48fa1d80fa89

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\SETUP_~1.EXE
Filesize
19.1MB

MD5
83bd2ad9756ff2555d6111cd53f63c03

SHA1
2079e85b1c1c20e1ff4c715fa16fb122893ac401

SHA256
065598433968e012aae718e0eb67f10943a6875044d1a518545ca6dcb2eb137d

SHA512
8051160f0047bde81936e11adef465c2473ca897477569be04af37f2cb5fdfcd84ecbc4f0e2d66232b9bce81eeafc91c0fbb1366dad53b73413b48fa1d80fa89

Download Submit
C:\Users\Admin\AppData\Local\Temp\b4-4e18d-558-92f81-d3ba4fec26365\Kenessey.txt
Filesize
9B

MD5
97384261b8bbf966df16e5ad509922db

SHA1
2fc42d37fee2c81d767e09fb298b70c748940f86

SHA256
9c0d294c05fc1d88d698034609bb81c0c69196327594e4c69d2915c80fd9850c

SHA512
b77fe2d86fbc5bd116d6a073eb447e76a74add3fa0d0b801f97535963241be3cdce1dbcaed603b78f020d0845b2d4bfc892ceb2a7d1c8f1d98abc4812ef5af21

Download Submit
C:\Users\Admin\AppData\Local\Temp\b4-4e18d-558-92f81-d3ba4fec26365\Mixaebikuku.exe
Filesize
763KB

MD5
d7bf25d301f074b4b654bdd4a9a40fdf

SHA1
7e52b609b3a96b36cd6a064a3ba54b6733745a7d

SHA256
16312779077ce3e48eb29d11226d87d705aa176aab68adc2cb232ebe495fd956

SHA512
e05b20be918d81a2dd600d955a20fb59820613073a3655c5d4a66936679bb0109740c0b5a4e25316c2066949a6ddc34fe5dd1aca76e628ed62788b58c4e64bb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\b4-4e18d-558-92f81-d3ba4fec26365\Mixaebikuku.exe
Filesize
763KB

MD5
d7bf25d301f074b4b654bdd4a9a40fdf

SHA1
7e52b609b3a96b36cd6a064a3ba54b6733745a7d

SHA256
16312779077ce3e48eb29d11226d87d705aa176aab68adc2cb232ebe495fd956

SHA512
e05b20be918d81a2dd600d955a20fb59820613073a3655c5d4a66936679bb0109740c0b5a4e25316c2066949a6ddc34fe5dd1aca76e628ed62788b58c4e64bb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\b4-4e18d-558-92f81-d3ba4fec26365\Mixaebikuku.exe.config
Filesize
1KB

MD5
98d2687aec923f98c37f7cda8de0eb19

SHA1
f6dcfcdcfe570340ecdbbd9e2a61f3cb4f281ba7

SHA256
8a94163256a722ef8cc140bcd115a5b8f8725c04fe158b129d47be81cb693465

SHA512
95c7290d59749df8df495e04789c1793265e0f34e0d091df5c0d4aefe1af4c8ac1f5460f1f198fc28c4c8c900827b8f22e2851957bbaea5914ea962b3a1d0590

Download Submit
C:\Users\Admin\AppData\Local\Temp\bce0e07065\ftewk.exe
Filesize
374KB

MD5
62d9e7a5bef28b6956a663eb64a41d04

SHA1
36c963391da4b6e3bb1f224927e92fe141b34b18

SHA256
c524231c934b85dcc7dce1fbd10e8514f9f10daa78f1ab1a85ef98090307685c

SHA512
714ed6f91d196efdba011c909e163242e49a75b625bcd4297f24a75d593e37d5fd5a58429933706f0cb11933dbc4501a5d54c8404da9ec4273e6d73e737882cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\bce0e07065\ftewk.exe
Filesize
374KB

MD5
62d9e7a5bef28b6956a663eb64a41d04

SHA1
36c963391da4b6e3bb1f224927e92fe141b34b18

SHA256
c524231c934b85dcc7dce1fbd10e8514f9f10daa78f1ab1a85ef98090307685c

SHA512
714ed6f91d196efdba011c909e163242e49a75b625bcd4297f24a75d593e37d5fd5a58429933706f0cb11933dbc4501a5d54c8404da9ec4273e6d73e737882cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\bce0e07065\ftewk.exe
Filesize
374KB

MD5
62d9e7a5bef28b6956a663eb64a41d04

SHA1
36c963391da4b6e3bb1f224927e92fe141b34b18

SHA256
c524231c934b85dcc7dce1fbd10e8514f9f10daa78f1ab1a85ef98090307685c

SHA512
714ed6f91d196efdba011c909e163242e49a75b625bcd4297f24a75d593e37d5fd5a58429933706f0cb11933dbc4501a5d54c8404da9ec4273e6d73e737882cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\bce0e07065\ftewk.exe
Filesize
374KB

MD5
62d9e7a5bef28b6956a663eb64a41d04

SHA1
36c963391da4b6e3bb1f224927e92fe141b34b18

SHA256
c524231c934b85dcc7dce1fbd10e8514f9f10daa78f1ab1a85ef98090307685c

SHA512
714ed6f91d196efdba011c909e163242e49a75b625bcd4297f24a75d593e37d5fd5a58429933706f0cb11933dbc4501a5d54c8404da9ec4273e6d73e737882cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-JOTPE.tmp\moyktcClU80V5qeBm4bilFwe.tmp
Filesize
1.0MB

MD5
1cfdf3c33f022257ec99354fb628f15b

SHA1
6a33446e5c3cd676ab6da31fdf2659d997720052

SHA256
bb698e512539c47b4886c82e39a41fcd1e53eb51f460bfa27c94850dd7cca73c

SHA512
08ea0945d396f61da356eba96c3d8e497c7e38b9b592d771336d2a9823fb0c5bdd960dc3c888dbdbc214869b536f10f5256ebafcfa391e874b6240d1f6e2a49c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-TABK1.tmp\befeduce.exe
Filesize
413KB

MD5
7d38a8db8def31081984d8900625aa84

SHA1
66836a20128acb5f5835450871fc582b25e23848

SHA256
09317e478bd11c9ad852301f489321e3db89a5a7fbc02039218456eb71b291b6

SHA512
86462202ef9138f798428e09c14fc9f8f13264c4b9c3f79597a3424200bf55e8b2da0770e3442e4dc3d75aeb21ad065181e66c52fb32f20690dff80f9fc5ff20

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-TABK1.tmp\befeduce.exe
Filesize
413KB

MD5
7d38a8db8def31081984d8900625aa84

SHA1
66836a20128acb5f5835450871fc582b25e23848

SHA256
09317e478bd11c9ad852301f489321e3db89a5a7fbc02039218456eb71b291b6

SHA512
86462202ef9138f798428e09c14fc9f8f13264c4b9c3f79597a3424200bf55e8b2da0770e3442e4dc3d75aeb21ad065181e66c52fb32f20690dff80f9fc5ff20

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-TABK1.tmp\idp.dll
Filesize
216KB

MD5
8f995688085bced38ba7795f60a5e1d3

SHA1
5b1ad67a149c05c50d6e388527af5c8a0af4343a

SHA256
203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006

SHA512
043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

Download Submit
C:\Users\Admin\AppData\Local\Temp\tfhxjapm.exe
Filesize
13.0MB

MD5
3ad51a2ae60dcc703fdc7b45ca5e8e7a

SHA1
ff6cb9b1a778b8ad8ab00a10ba476f746c6380bd

SHA256
32555816bb7344900b31e4e0f41c92ee2a73c969968e1fb7c848ced9a5b0d9b1

SHA512
ea977613ddc1bc3b5f4df0bf1b0cd8ef9925bf4e6901c58d6f9a250acdf06ccff15465882d664f380f8793d2ad6f903c741b8284b69ed3d2528791330811d972

Download Submit
C:\Users\Admin\Pictures\Adobe Films\3GtMWETfdWL8wJDSWMqX8xGH.exe
Filesize
374KB

MD5
62d9e7a5bef28b6956a663eb64a41d04

SHA1
36c963391da4b6e3bb1f224927e92fe141b34b18

SHA256
c524231c934b85dcc7dce1fbd10e8514f9f10daa78f1ab1a85ef98090307685c

SHA512
714ed6f91d196efdba011c909e163242e49a75b625bcd4297f24a75d593e37d5fd5a58429933706f0cb11933dbc4501a5d54c8404da9ec4273e6d73e737882cf

Download Submit
C:\Users\Admin\Pictures\Adobe Films\3GtMWETfdWL8wJDSWMqX8xGH.exe
Filesize
374KB

MD5
62d9e7a5bef28b6956a663eb64a41d04

SHA1
36c963391da4b6e3bb1f224927e92fe141b34b18

SHA256
c524231c934b85dcc7dce1fbd10e8514f9f10daa78f1ab1a85ef98090307685c

SHA512
714ed6f91d196efdba011c909e163242e49a75b625bcd4297f24a75d593e37d5fd5a58429933706f0cb11933dbc4501a5d54c8404da9ec4273e6d73e737882cf

Download Submit
C:\Users\Admin\Pictures\Adobe Films\DpbeYJklfMUIg28UmK6zoQZK.exe
Filesize
318KB

MD5
3f22bd82ee1b38f439e6354c60126d6d

SHA1
63b57d818f86ea64ebc8566faeb0c977839defde

SHA256
265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a

SHA512
b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\DpbeYJklfMUIg28UmK6zoQZK.exe
Filesize
318KB

MD5
3f22bd82ee1b38f439e6354c60126d6d

SHA1
63b57d818f86ea64ebc8566faeb0c977839defde

SHA256
265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a

SHA512
b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\DtySd5gqVc1rSYqbj9eD3zCY.exe
Filesize
4.9MB

MD5
bef3e48a092902d2f7aed20fd28f3ea3

SHA1
8c4cd8731c3747ba32f084918a355f42086561c2

SHA256
ac619068eaff1e2675f250acc4caa2a81831317ca4eaa3f16d188769269c18fe

SHA512
16609dcfae4725c5dcb24a20d7d323e164bc67d9fd5c9542acc952f66fdd5292c79cbf1d840297afd955fcb4b8cd4cb489a53edf2a869c366997aa337f3a1c9f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\DtySd5gqVc1rSYqbj9eD3zCY.exe
Filesize
4.9MB

MD5
bef3e48a092902d2f7aed20fd28f3ea3

SHA1
8c4cd8731c3747ba32f084918a355f42086561c2

SHA256
ac619068eaff1e2675f250acc4caa2a81831317ca4eaa3f16d188769269c18fe

SHA512
16609dcfae4725c5dcb24a20d7d323e164bc67d9fd5c9542acc952f66fdd5292c79cbf1d840297afd955fcb4b8cd4cb489a53edf2a869c366997aa337f3a1c9f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\EET9n0DAxf4ZSlNn5qqntdp_.exe
Filesize
422KB

MD5
029611472969ed4c36537a02e84b56f7

SHA1
64094114103dcfbe96cc8f153ef53e2af53fc24c

SHA256
ceedb2af8803a96284c2830e73134759a031b53e5635967b12f54d578622be1f

SHA512
bea8169e6375b96c10c2ea98e1451a7c8ba8c82bb98e0a82d98fe79c5aea4d4e699762c321fdd436bc7a7b5f09a72debaadf53d255eb5d880ff2b68ce4dc20f2

Download Submit
C:\Users\Admin\Pictures\Adobe Films\EET9n0DAxf4ZSlNn5qqntdp_.exe
Filesize
422KB

MD5
029611472969ed4c36537a02e84b56f7

SHA1
64094114103dcfbe96cc8f153ef53e2af53fc24c

SHA256
ceedb2af8803a96284c2830e73134759a031b53e5635967b12f54d578622be1f

SHA512
bea8169e6375b96c10c2ea98e1451a7c8ba8c82bb98e0a82d98fe79c5aea4d4e699762c321fdd436bc7a7b5f09a72debaadf53d255eb5d880ff2b68ce4dc20f2

Download Submit
C:\Users\Admin\Pictures\Adobe Films\EpTNM_CFOQOK6FBpow6yDWQT.exe
Filesize
308KB

MD5
72541f5e94fd59687c7a857bb531872a

SHA1
e22abc6f1ee814ba56d09d9a539adbe2a9698b99

SHA256
a3f9e37db86f9f1e0d9c58246cb3b75af495b6681e596d1a2c05920b56c39eb0

SHA512
4aaab79e38d03d28b8bfac3f9e62741b61193940c3537d269de33432acc9136da428d30de089c7e6fbd75af2a1fda53c376f665ed0c1172aee8542c3647ae689

Download Submit
C:\Users\Admin\Pictures\Adobe Films\EpTNM_CFOQOK6FBpow6yDWQT.exe
Filesize
308KB

MD5
72541f5e94fd59687c7a857bb531872a

SHA1
e22abc6f1ee814ba56d09d9a539adbe2a9698b99

SHA256
a3f9e37db86f9f1e0d9c58246cb3b75af495b6681e596d1a2c05920b56c39eb0

SHA512
4aaab79e38d03d28b8bfac3f9e62741b61193940c3537d269de33432acc9136da428d30de089c7e6fbd75af2a1fda53c376f665ed0c1172aee8542c3647ae689

Download Submit
C:\Users\Admin\Pictures\Adobe Films\Go4CxGCPoSdaYBArUcr9pnvq.exe
Filesize
385KB

MD5
45abb1bedf83daf1f2ebbac86e2fa151

SHA1
7d9ccba675478ab65707a28fd277a189450fc477

SHA256
611479c78035c912dd69e3cfdadbf74649bb1fce6241b7573cfb0c7a2fc2fb2f

SHA512
6bf1f7e0800a90666206206c026eadfc7f3d71764d088e2da9ca60bf5a63de92bd90515342e936d02060e1d5f7c92ddec8b0bcc85adfd8a8f4df29bd6f12c25c

Download Submit
C:\Users\Admin\Pictures\Adobe Films\Go4CxGCPoSdaYBArUcr9pnvq.exe
Filesize
385KB

MD5
45abb1bedf83daf1f2ebbac86e2fa151

SHA1
7d9ccba675478ab65707a28fd277a189450fc477

SHA256
611479c78035c912dd69e3cfdadbf74649bb1fce6241b7573cfb0c7a2fc2fb2f

SHA512
6bf1f7e0800a90666206206c026eadfc7f3d71764d088e2da9ca60bf5a63de92bd90515342e936d02060e1d5f7c92ddec8b0bcc85adfd8a8f4df29bd6f12c25c

Download Submit
C:\Users\Admin\Pictures\Adobe Films\PJ1rV4Q8XaGH_iF3FsGFwIqh.exe
Filesize
141KB

MD5
c7dc0b7f4d2d9d5d3200d455a57fe94b

SHA1
a129639a4328e229b887734cb87057ae0d6bf68e

SHA256
7f212eca8ab60aef80d8221122f15f71b889ce4a87016defa199419c2e46b4eb

SHA512
da3f6c9b67f8124b7fcf7fbf8d37cc7055c3d2223be68a948f17e67910dc07815cd6439ea5d2b1345d24b5cdeebc73b666aa024c196ca0b021f0bf7de0b42403

Download Submit
C:\Users\Admin\Pictures\Adobe Films\Y38hod3G7JYUd7es9Tzwy54X.exe
Filesize
388KB

MD5
f5de84ab3211e90525346ed1d6e9f40b

SHA1
78770c559bea745f37b3df2a9c7775d111ad975f

SHA256
705385907f46278701a7d3f0e4596cd71e7db8fac05d51a3bd666539dbb65fe7

SHA512
71fc9e948a132a27c9cdeefc8d5bf7eb078cc6b7f262045751c8e794037c61ff02e6195a2aa844d772f84f64b1d85b19b15c6398036bef14de9f675fd86cf9cb

Download Submit
C:\Users\Admin\Pictures\Adobe Films\Y38hod3G7JYUd7es9Tzwy54X.exe
Filesize
388KB

MD5
f5de84ab3211e90525346ed1d6e9f40b

SHA1
78770c559bea745f37b3df2a9c7775d111ad975f

SHA256
705385907f46278701a7d3f0e4596cd71e7db8fac05d51a3bd666539dbb65fe7

SHA512
71fc9e948a132a27c9cdeefc8d5bf7eb078cc6b7f262045751c8e794037c61ff02e6195a2aa844d772f84f64b1d85b19b15c6398036bef14de9f675fd86cf9cb

Download Submit
C:\Users\Admin\Pictures\Adobe Films\Yu4X5FadVK82oJCmkIZYvX0H.exe
Filesize
361KB

MD5
271c8c89b784021f1446ec1403f69a73

SHA1
c527bede24801d29624db9ce80a6cc72642f113b

SHA256
bd29b479ca0045f128d7e55f2a48221a7d041cb8b833726032dfa4f0ba42e35e

SHA512
aece88dfd0983c3a2caf7c84724f35ae8aa42eac124cfa11ac248283d0b8bb4da404018d1baf4e6d8f24604124c92f3f9dbdbc88ab36a8d849d923c68b7051c0

Download Submit
C:\Users\Admin\Pictures\Adobe Films\Yu4X5FadVK82oJCmkIZYvX0H.exe
Filesize
361KB

MD5
271c8c89b784021f1446ec1403f69a73

SHA1
c527bede24801d29624db9ce80a6cc72642f113b

SHA256
bd29b479ca0045f128d7e55f2a48221a7d041cb8b833726032dfa4f0ba42e35e

SHA512
aece88dfd0983c3a2caf7c84724f35ae8aa42eac124cfa11ac248283d0b8bb4da404018d1baf4e6d8f24604124c92f3f9dbdbc88ab36a8d849d923c68b7051c0

Download Submit
C:\Users\Admin\Pictures\Adobe Films\ZIZbn6OWtXxRow9wEdPjfsMo.exe
Filesize
864KB

MD5
2f2da09fa18fcf2efe4cd6bd26eea082

SHA1
19fc2d207eeea2576563ebf620a236435d2cdee9

SHA256
dfd6ee6cbb334d8e4dd4ced9224029db2758dcea5ef226be058260b29fa8ff17

SHA512
1ce2efa409d9e78317d303d943119164c54299ca316d5779f113bde85b2a8189b6e01ff8303c4f2d5fd8ee8f38ab515e6a0adddd552caf619d9ad179bb0cde82

Download Submit
C:\Users\Admin\Pictures\Adobe Films\ZIZbn6OWtXxRow9wEdPjfsMo.exe
Filesize
864KB

MD5
2f2da09fa18fcf2efe4cd6bd26eea082

SHA1
19fc2d207eeea2576563ebf620a236435d2cdee9

SHA256
dfd6ee6cbb334d8e4dd4ced9224029db2758dcea5ef226be058260b29fa8ff17

SHA512
1ce2efa409d9e78317d303d943119164c54299ca316d5779f113bde85b2a8189b6e01ff8303c4f2d5fd8ee8f38ab515e6a0adddd552caf619d9ad179bb0cde82

Download Submit
C:\Users\Admin\Pictures\Adobe Films\eVp9dkhjfYf18pUipK8h03hw.exe
Filesize
422KB

MD5
fb7caef7b8d31571c9d534d574ce2e35

SHA1
e9d47ec674f337285a9f5a69daebd01d3846989a

SHA256
ae66c624cd4992cb7321b4d482e32443bd1b43da4a7d17d5fef067bba999af3b

SHA512
aa1a758ec251c4b326baef3a8103d664be68951009a9ce73c3b61ed984904e70e2bb0a425a188286dbe218a97bd10285d3b46eaf7941bf9691e1a9ff8ca18eba

Download Submit
C:\Users\Admin\Pictures\Adobe Films\eVp9dkhjfYf18pUipK8h03hw.exe
Filesize
422KB

MD5
fb7caef7b8d31571c9d534d574ce2e35

SHA1
e9d47ec674f337285a9f5a69daebd01d3846989a

SHA256
ae66c624cd4992cb7321b4d482e32443bd1b43da4a7d17d5fef067bba999af3b

SHA512
aa1a758ec251c4b326baef3a8103d664be68951009a9ce73c3b61ed984904e70e2bb0a425a188286dbe218a97bd10285d3b46eaf7941bf9691e1a9ff8ca18eba

Download Submit
C:\Users\Admin\Pictures\Adobe Films\gOWzadDxQqKzMmAqlXNsx66j.exe
Filesize
733KB

MD5
052e6ee150a4b200ac99ebacdfe570bf

SHA1
e7955a990da9c4a791589af7b7cc4ec39a2ae6fc

SHA256
fbf677a39a0d77816ac70facdf55661838774ef22270f521fb12f17f09822347

SHA512
37a3e6742cd9e93bfb8d1e32dfba439f274681c267581c5a9e9c3721f8f36b8bed59d3bc06a3e41c88d2e1891ce2ba72d5eddd108f4e5bafe28c38e58bf9bd5d

Download Submit
C:\Users\Admin\Pictures\Adobe Films\gOWzadDxQqKzMmAqlXNsx66j.exe
Filesize
733KB

MD5
052e6ee150a4b200ac99ebacdfe570bf

SHA1
e7955a990da9c4a791589af7b7cc4ec39a2ae6fc

SHA256
fbf677a39a0d77816ac70facdf55661838774ef22270f521fb12f17f09822347

SHA512
37a3e6742cd9e93bfb8d1e32dfba439f274681c267581c5a9e9c3721f8f36b8bed59d3bc06a3e41c88d2e1891ce2ba72d5eddd108f4e5bafe28c38e58bf9bd5d

Download Submit
C:\Users\Admin\Pictures\Adobe Films\gOWzadDxQqKzMmAqlXNsx66j.exe
Filesize
733KB

MD5
052e6ee150a4b200ac99ebacdfe570bf

SHA1
e7955a990da9c4a791589af7b7cc4ec39a2ae6fc

SHA256
fbf677a39a0d77816ac70facdf55661838774ef22270f521fb12f17f09822347

SHA512
37a3e6742cd9e93bfb8d1e32dfba439f274681c267581c5a9e9c3721f8f36b8bed59d3bc06a3e41c88d2e1891ce2ba72d5eddd108f4e5bafe28c38e58bf9bd5d

Download Submit
C:\Users\Admin\Pictures\Adobe Films\krNwUXo33yedkTuE0t9Dkkwx.exe
Filesize
2.2MB

MD5
7ce6a81fe4afb0e13225396a34737da2

SHA1
76164bb2f70a7c413b82f02dc14f01837dea9748

SHA256
7b90dd2a6cdff8a0a36a32fe759b5fe4ca5ed3eefb3f0e482054447ecd3e1ed1

SHA512
4cd8d823a804ed28260c7f96ea3ae102d79d040ffe6e1681cf4885337ace52eb5f53c798744259451e87640f6c0b3d699837d8da3bdba907eb09f0df3efe92d8

Download Submit
C:\Users\Admin\Pictures\Adobe Films\krNwUXo33yedkTuE0t9Dkkwx.exe
Filesize
2.2MB

MD5
7ce6a81fe4afb0e13225396a34737da2

SHA1
76164bb2f70a7c413b82f02dc14f01837dea9748

SHA256
7b90dd2a6cdff8a0a36a32fe759b5fe4ca5ed3eefb3f0e482054447ecd3e1ed1

SHA512
4cd8d823a804ed28260c7f96ea3ae102d79d040ffe6e1681cf4885337ace52eb5f53c798744259451e87640f6c0b3d699837d8da3bdba907eb09f0df3efe92d8

Download Submit
C:\Users\Admin\Pictures\Adobe Films\l7ToVLKA5YaWrg0STsslbBgQ.exe
Filesize
7.0MB

MD5
d928f869e490cc00bf2f923cbfc0fb33

SHA1
c267d3931e3915cedd73c2a44068757eca8c2542

SHA256
cc2b2d6f0a1c4723db17a2849f6fcbd38b75ebe64a9767d0db7694833c2d743a

SHA512
74122181e6d6dab2e16af149ac4785372f9e8a8080fde829884a12808ea63c97bb0e3bc3ad1c67897af0ba5ab954f7f58ac415627bd9a93cd353bc19768e1bf9

Download Submit
C:\Users\Admin\Pictures\Adobe Films\l7ToVLKA5YaWrg0STsslbBgQ.exe
Filesize
7.0MB

MD5
d928f869e490cc00bf2f923cbfc0fb33

SHA1
c267d3931e3915cedd73c2a44068757eca8c2542

SHA256
cc2b2d6f0a1c4723db17a2849f6fcbd38b75ebe64a9767d0db7694833c2d743a

SHA512
74122181e6d6dab2e16af149ac4785372f9e8a8080fde829884a12808ea63c97bb0e3bc3ad1c67897af0ba5ab954f7f58ac415627bd9a93cd353bc19768e1bf9

Download Submit
C:\Users\Admin\Pictures\Adobe Films\lMXM3SX5enuzyiO07oa6_6Yz.exe
Filesize
308KB

MD5
17f0056fe8a1f7bef46a465ddedd20fd

SHA1
baa1e81bddf8cb9dff3fcce7182537c3a603f2e3

SHA256
6e4c64ac46488419d8e6330788c02972438145bb5768bce3a491098e94141501

SHA512
d30e48056a18d1680ef3ef0bb4b5a46de572a9db1fb5b160ceafeffcc112733802906e032c466dd09e0f9d6a78341e85428a298da207abee84bc3e96f0a2b375

Download Submit
C:\Users\Admin\Pictures\Adobe Films\lMXM3SX5enuzyiO07oa6_6Yz.exe
Filesize
308KB

MD5
17f0056fe8a1f7bef46a465ddedd20fd

SHA1
baa1e81bddf8cb9dff3fcce7182537c3a603f2e3

SHA256
6e4c64ac46488419d8e6330788c02972438145bb5768bce3a491098e94141501

SHA512
d30e48056a18d1680ef3ef0bb4b5a46de572a9db1fb5b160ceafeffcc112733802906e032c466dd09e0f9d6a78341e85428a298da207abee84bc3e96f0a2b375

Download Submit
C:\Users\Admin\Pictures\Adobe Films\moyktcClU80V5qeBm4bilFwe.exe
Filesize
766KB

MD5
984cdc0f7f2bc6dabccc5da23de60d32

SHA1
3272225357f571c5b4e9b6c945d40b08a0d700ed

SHA256
ccbecba4ce6fdfaecbbf19cb34f1a1a7ba54b00732694d457c6461053132581b

SHA512
51cc950183d09af113ca0f86568f735922c59d84e74839ea4d8cb725206fc6cc1954686dbc84e0e8b16761ef1dc45f61a23d65cb6b91e482faf42da7b1a0eec2

Download Submit
C:\Users\Admin\Pictures\Adobe Films\moyktcClU80V5qeBm4bilFwe.exe
Filesize
766KB

MD5
984cdc0f7f2bc6dabccc5da23de60d32

SHA1
3272225357f571c5b4e9b6c945d40b08a0d700ed

SHA256
ccbecba4ce6fdfaecbbf19cb34f1a1a7ba54b00732694d457c6461053132581b

SHA512
51cc950183d09af113ca0f86568f735922c59d84e74839ea4d8cb725206fc6cc1954686dbc84e0e8b16761ef1dc45f61a23d65cb6b91e482faf42da7b1a0eec2

Download Submit
C:\Users\Admin\Pictures\Adobe Films\thvMNcCipnKXsVakK8PeJVZW.exe
Filesize
374KB

MD5
62d9e7a5bef28b6956a663eb64a41d04

SHA1
36c963391da4b6e3bb1f224927e92fe141b34b18

SHA256
c524231c934b85dcc7dce1fbd10e8514f9f10daa78f1ab1a85ef98090307685c

SHA512
714ed6f91d196efdba011c909e163242e49a75b625bcd4297f24a75d593e37d5fd5a58429933706f0cb11933dbc4501a5d54c8404da9ec4273e6d73e737882cf

Download Submit
C:\Users\Admin\Pictures\Adobe Films\thvMNcCipnKXsVakK8PeJVZW.exe
Filesize
374KB

MD5
62d9e7a5bef28b6956a663eb64a41d04

SHA1
36c963391da4b6e3bb1f224927e92fe141b34b18

SHA256
c524231c934b85dcc7dce1fbd10e8514f9f10daa78f1ab1a85ef98090307685c

SHA512
714ed6f91d196efdba011c909e163242e49a75b625bcd4297f24a75d593e37d5fd5a58429933706f0cb11933dbc4501a5d54c8404da9ec4273e6d73e737882cf

Download Submit
C:\Users\Admin\Pictures\Adobe Films\x7WRabPCfz9ju5ynI2zrfTFB.exe
Filesize
310KB

MD5
850a386686edcef47cb8038fe7677b18

SHA1
616a64baa67d90e86568a35a671a2d91a851d634

SHA256
73fcc4b74bf7c6ff8d57667b72e4112cac053ee95d84a2ad5ad30dce451535f2

SHA512
b97ea9e5d2c0ab1bbba92683b25b3fd3879b166849bec218c1d3aed32d6128c174e20bb283d63e89e73921611f46cd8263d9f01b4b1c197f17617ded5b3dae1c

Download Submit
C:\Users\Admin\Pictures\Adobe Films\x7WRabPCfz9ju5ynI2zrfTFB.exe
Filesize
310KB

MD5
850a386686edcef47cb8038fe7677b18

SHA1
616a64baa67d90e86568a35a671a2d91a851d634

SHA256
73fcc4b74bf7c6ff8d57667b72e4112cac053ee95d84a2ad5ad30dce451535f2

SHA512
b97ea9e5d2c0ab1bbba92683b25b3fd3879b166849bec218c1d3aed32d6128c174e20bb283d63e89e73921611f46cd8263d9f01b4b1c197f17617ded5b3dae1c

Download Submit
C:\Windows\SysWOW64\yzdlsgvx\tfhxjapm.exe
Filesize
13.0MB

MD5
3ad51a2ae60dcc703fdc7b45ca5e8e7a

SHA1
ff6cb9b1a778b8ad8ab00a10ba476f746c6380bd

SHA256
32555816bb7344900b31e4e0f41c92ee2a73c969968e1fb7c848ced9a5b0d9b1

SHA512
ea977613ddc1bc3b5f4df0bf1b0cd8ef9925bf4e6901c58d6f9a250acdf06ccff15465882d664f380f8793d2ad6f903c741b8284b69ed3d2528791330811d972

Download Submit
\??\c:\users\admin\appdata\local\temp\is-jotpe.tmp\moyktcclu80v5qebm4bilfwe.tmp
Filesize
1.0MB

MD5
1cfdf3c33f022257ec99354fb628f15b

SHA1
6a33446e5c3cd676ab6da31fdf2659d997720052

SHA256
bb698e512539c47b4886c82e39a41fcd1e53eb51f460bfa27c94850dd7cca73c

SHA512
08ea0945d396f61da356eba96c3d8e497c7e38b9b592d771336d2a9823fb0c5bdd960dc3c888dbdbc214869b536f10f5256ebafcfa391e874b6240d1f6e2a49c

Download Submit
memory/1116-251-0x0000000004720000-0x000000000472F000-memory.dmp

Filesize
60KB

Download
memory/1116-337-0x0000000000400000-0x0000000002C6B000-memory.dmp

Filesize
40.4MB

Download
memory/1116-262-0x0000000000400000-0x0000000002C6B000-memory.dmp

Filesize
40.4MB

Download
memory/1116-248-0x0000000002C9D000-0x0000000002CAB000-memory.dmp

Filesize
56KB

Download
memory/1116-339-0x0000000002C9D000-0x0000000002CAB000-memory.dmp

Filesize
56KB

Download
memory/1116-155-0x0000000000000000-mapping.dmp

Download
memory/1348-229-0x0000000000400000-0x0000000000BE7000-memory.dmp

Filesize
7.9MB

Download
memory/1348-146-0x0000000000000000-mapping.dmp

Download
memory/1348-182-0x0000000000400000-0x0000000000BE7000-memory.dmp

Filesize
7.9MB

Download
memory/1476-241-0x0000000002EC0000-0x0000000002EC9000-memory.dmp

Filesize
36KB

Download
memory/1476-239-0x0000000002F5D000-0x0000000002F6B000-memory.dmp

Filesize
56KB

Download
memory/1476-249-0x0000000000400000-0x0000000002C6C000-memory.dmp

Filesize
40.4MB

Download
memory/1476-175-0x0000000000000000-mapping.dmp

Download
memory/1512-131-0x0000000000000000-mapping.dmp

Download
memory/1964-135-0x0000000000000000-mapping.dmp

Download
memory/2384-130-0x00000000040C0000-0x000000000427E000-memory.dmp

Filesize
1.7MB

Download
memory/2384-284-0x00000000040C0000-0x000000000427E000-memory.dmp

Filesize
1.7MB

Download
memory/2384-134-0x00000000040C0000-0x000000000427E000-memory.dmp

Filesize
1.7MB

Download
memory/2656-174-0x0000000000000000-mapping.dmp

Download
memory/2952-380-0x0000000000400000-0x0000000002C6C000-memory.dmp

Filesize
40.4MB

Download
memory/2952-271-0x0000000002E4D000-0x0000000002E5A000-memory.dmp

Filesize
52KB

Download
memory/2952-272-0x0000000002D70000-0x0000000002D83000-memory.dmp

Filesize
76KB

Download
memory/2952-274-0x0000000000400000-0x0000000002C6C000-memory.dmp

Filesize
40.4MB

Download
memory/2952-150-0x0000000000000000-mapping.dmp

Download
memory/3012-180-0x0000000002E90000-0x0000000002EC7000-memory.dmp

Filesize
220KB

Download
memory/3012-200-0x0000000000400000-0x0000000002C88000-memory.dmp

Filesize
40.5MB

Download
memory/3012-179-0x0000000002DAD000-0x0000000002DD7000-memory.dmp

Filesize
168KB

Download
memory/3012-238-0x00000000083B0000-0x0000000008442000-memory.dmp

Filesize
584KB

Download
memory/3012-244-0x0000000008650000-0x00000000086B6000-memory.dmp

Filesize
408KB

Download
memory/3012-184-0x00000000072F0000-0x0000000007894000-memory.dmp

Filesize
5.6MB

Download
memory/3012-138-0x0000000000000000-mapping.dmp

Download
memory/3012-363-0x0000000002DAD000-0x0000000002DD7000-memory.dmp

Filesize
168KB

Download
memory/3012-212-0x0000000008030000-0x000000000806C000-memory.dmp

Filesize
240KB

Download
memory/3012-240-0x00000000085E0000-0x00000000085FE000-memory.dmp

Filesize
120KB

Download
memory/3032-224-0x0000000000040000-0x0000000000B50000-memory.dmp

Filesize
11.1MB

Download
memory/3032-209-0x0000000000040000-0x0000000000B50000-memory.dmp

Filesize
11.1MB

Download
memory/3032-154-0x0000000000000000-mapping.dmp

Download
memory/3444-264-0x0000000000400000-0x0000000002C7C000-memory.dmp

Filesize
40.5MB

Download
memory/3444-256-0x0000000002E1D000-0x0000000002E3B000-memory.dmp

Filesize
120KB

Download
memory/3444-152-0x0000000000000000-mapping.dmp

Download
memory/3684-183-0x0000000000000000-mapping.dmp

Download
memory/4400-219-0x0000000000400000-0x0000000002C88000-memory.dmp

Filesize
40.5MB

Download
memory/4400-194-0x00000000072F0000-0x0000000007302000-memory.dmp

Filesize
72KB

Download
memory/4400-206-0x00000000048F0000-0x0000000004927000-memory.dmp

Filesize
220KB

Download
memory/4400-141-0x0000000000000000-mapping.dmp

Download
memory/4400-286-0x0000000002F6D000-0x0000000002F97000-memory.dmp

Filesize
168KB

Download
memory/4400-282-0x0000000009660000-0x0000000009822000-memory.dmp

Filesize
1.8MB

Download
memory/4400-283-0x0000000009830000-0x0000000009D5C000-memory.dmp

Filesize
5.2MB

Download
memory/4400-199-0x0000000007F50000-0x000000000805A000-memory.dmp

Filesize
1.0MB

Download
memory/4400-191-0x0000000007930000-0x0000000007F48000-memory.dmp

Filesize
6.1MB

Download
memory/4432-142-0x0000000000000000-mapping.dmp

Download
memory/4432-202-0x0000000002500000-0x000000000261B000-memory.dmp

Filesize
1.1MB

Download
memory/4432-197-0x000000000246B000-0x00000000024FC000-memory.dmp

Filesize
580KB

Download
memory/4508-230-0x0000000002E2D000-0x0000000002E4B000-memory.dmp

Filesize
120KB

Download
memory/4508-243-0x0000000000400000-0x0000000002C7C000-memory.dmp

Filesize
40.5MB

Download
memory/4508-149-0x0000000000000000-mapping.dmp

Download
memory/4508-232-0x00000000047B0000-0x00000000047E8000-memory.dmp

Filesize
224KB

Download
memory/4552-153-0x0000000000000000-mapping.dmp

Download
memory/4812-366-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/4812-365-0x00000000007DD000-0x0000000000803000-memory.dmp

Filesize
152KB

Download
memory/4812-247-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/4812-246-0x0000000000720000-0x000000000075F000-memory.dmp

Filesize
252KB

Download
memory/4812-143-0x0000000000000000-mapping.dmp

Download
memory/4812-245-0x00000000007DD000-0x0000000000803000-memory.dmp

Filesize
152KB

Download
memory/4984-151-0x0000000000000000-mapping.dmp

Download
memory/4984-368-0x0000000000400000-0x000000000067D000-memory.dmp

Filesize
2.5MB

Download
memory/4984-306-0x0000000060900000-0x0000000060992000-memory.dmp

Filesize
584KB

Download
memory/4984-267-0x000000000093D000-0x0000000000969000-memory.dmp

Filesize
176KB

Download
memory/4984-268-0x00000000008D0000-0x000000000091B000-memory.dmp

Filesize
300KB

Download
memory/4984-270-0x0000000000400000-0x000000000067D000-memory.dmp

Filesize
2.5MB

Download
memory/5700-196-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/5700-188-0x0000000000000000-mapping.dmp

Download
memory/5700-265-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/5700-189-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/5700-193-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/5828-331-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/5828-329-0x0000000000000000-mapping.dmp

Download
memory/5828-334-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/6172-190-0x0000000000000000-mapping.dmp

Download
memory/7060-335-0x0000000000000000-mapping.dmp

Download
memory/7320-341-0x0000000000000000-mapping.dmp

Download
memory/7432-347-0x0000000000000000-mapping.dmp

Download
memory/7440-349-0x0000000000000000-mapping.dmp

Download
memory/7504-352-0x0000000000000000-mapping.dmp

Download
memory/7652-355-0x0000000000000000-mapping.dmp

Download
memory/7652-369-0x0000000005850000-0x0000000005AC1000-memory.dmp

Filesize
2.4MB

Download
memory/7716-358-0x0000000000000000-mapping.dmp

Download
memory/7900-195-0x0000000000000000-mapping.dmp

Download
memory/8008-370-0x0000000000ED0000-0x0000000000FC1000-memory.dmp

Filesize
964KB

Download
memory/8008-367-0x0000000000000000-mapping.dmp

Download
memory/8120-381-0x0000000000000000-mapping.dmp

Download
memory/8284-379-0x0000000000000000-mapping.dmp

Download
memory/8616-390-0x0000000000000000-mapping.dmp

Download
memory/8628-391-0x0000000000000000-mapping.dmp

Download
memory/8724-396-0x0000000000000000-mapping.dmp

Download
memory/8796-400-0x0000000000000000-mapping.dmp

Download
memory/8812-397-0x0000000000000000-mapping.dmp

Download
memory/8852-404-0x0000000000000000-mapping.dmp

Download
memory/8876-405-0x0000000000000000-mapping.dmp

Download
memory/8960-201-0x0000000000000000-mapping.dmp

Download
memory/8984-204-0x0000000000000000-mapping.dmp

Download
memory/9044-406-0x0000000000000000-mapping.dmp

Download
memory/9184-411-0x0000000000000000-mapping.dmp

Download
memory/9264-205-0x0000000000000000-mapping.dmp

Download
memory/9264-287-0x0000000002F8C000-0x0000000002FAA000-memory.dmp

Filesize
120KB

Download
memory/9264-279-0x0000000000400000-0x0000000002C7C000-memory.dmp

Filesize
40.5MB

Download
memory/9312-413-0x0000000000000000-mapping.dmp

Download
memory/9948-208-0x0000000000000000-mapping.dmp

Download
memory/9948-255-0x0000000002DC1000-0x0000000002DDF000-memory.dmp

Filesize
120KB

Download
memory/9948-266-0x0000000000400000-0x0000000002C7C000-memory.dmp

Filesize
40.5MB

Download
memory/10024-217-0x00000000008D0000-0x00000000008D8000-memory.dmp

Filesize
32KB

Download
memory/10024-218-0x00000000050F0000-0x0000000005166000-memory.dmp

Filesize
472KB

Download
memory/10024-327-0x0000000005500000-0x0000000005550000-memory.dmp

Filesize
320KB

Download
memory/10024-210-0x0000000000000000-mapping.dmp

Download
memory/11064-213-0x0000000000000000-mapping.dmp

Download
memory/11780-259-0x0000000000000000-mapping.dmp

Download
memory/12136-220-0x0000000000000000-mapping.dmp

Download
memory/12152-226-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/12152-338-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/12152-221-0x0000000000000000-mapping.dmp

Download
memory/12152-280-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/14456-231-0x0000000000000000-mapping.dmp

Download
memory/15044-234-0x0000000000000000-mapping.dmp

Download
memory/15052-233-0x0000000000000000-mapping.dmp

Download
memory/15936-236-0x0000000000000000-mapping.dmp

Download
memory/18592-242-0x0000000000000000-mapping.dmp

Download
memory/23564-250-0x0000000000000000-mapping.dmp

Download
memory/24588-253-0x0000000000000000-mapping.dmp

Download
memory/24588-260-0x00007FF83CC00000-0x00007FF83D636000-memory.dmp

Filesize
10.2MB

Download
memory/24600-254-0x0000000000000000-mapping.dmp

Download
memory/27244-263-0x0000000000000000-mapping.dmp

Download
memory/29072-281-0x0000000002D19000-0x0000000002D27000-memory.dmp

Filesize
56KB

Download
memory/29072-285-0x0000000000400000-0x0000000002C6C000-memory.dmp

Filesize
40.4MB

Download
memory/33968-273-0x0000000000000000-mapping.dmp

Download
memory/34628-275-0x0000000000000000-mapping.dmp

Download
memory/34628-361-0x00000000031E0000-0x00000000031E7000-memory.dmp

Filesize
28KB

Download
memory/34628-353-0x00000000031D0000-0x00000000031D5000-memory.dmp

Filesize
20KB

Download
memory/34628-348-0x00000000021B0000-0x00000000021C0000-memory.dmp

Filesize
64KB

Download
memory/34628-344-0x00000000021A0000-0x00000000021A6000-memory.dmp

Filesize
24KB

Download
memory/34628-340-0x0000000002E00000-0x000000000300F000-memory.dmp

Filesize
2.1MB

Download
memory/34628-276-0x0000000000E30000-0x0000000000E45000-memory.dmp

Filesize
84KB

Download
memory/34628-288-0x0000000000E30000-0x0000000000E45000-memory.dmp

Filesize
84KB

Download
memory/34628-357-0x0000000007E00000-0x000000000820B000-memory.dmp

Filesize
4.0MB

Download
memory/38132-290-0x0000000000000000-mapping.dmp

Download
memory/38132-291-0x0000000000150000-0x0000000000170000-memory.dmp

Filesize
128KB

Download
memory/38244-296-0x0000000000000000-mapping.dmp

Download
memory/38244-300-0x00007FF83CC00000-0x00007FF83D636000-memory.dmp

Filesize
10.2MB

Download
memory/38320-301-0x0000000000000000-mapping.dmp

Download
memory/38320-305-0x00007FF83CC00000-0x00007FF83D636000-memory.dmp

Filesize
10.2MB

Download