7c46cbe01e45ad3a89a0e89dbdd74be09710e4be95bdd8f018fb63ccda2e90ef

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07-08-2024 06:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-07_01bf53b04ec2b317ac0ce374747fa249_mafia_magniber.exe
Size

545KB
MD5

01bf53b04ec2b317ac0ce374747fa249
SHA1

dd39acdc2dd60b2f368d2ed12795af22cff107f8
SHA256

7c46cbe01e45ad3a89a0e89dbdd74be09710e4be95bdd8f018fb63ccda2e90ef
SHA512

d94cc20853e8034e709150db030b72aa7a7fd9803e1baf489057cd527eaaf54d1c50f7dbbb911b8e1bb874f527957e58a9df2b4c2eec5c435f6062dcb958d8b4
SSDEEP

12288:x2+p3SIH+iX7azL0ZK0GY+HCigMxYjBtlhboZn/9arBOIo:x2E3SIeuazYZ8PCnYY1tlhbGnUEIo

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	2024-08-07_01bf53b04ec2b317ac0ce374747fa249_mafia_magniber.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	Update.exe

Deletes itself 1 IoCs

pid	Process
920	Update.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\back.url	Update.exe

Executes dropped EXE 64 IoCs

pid	Process
920	Update.exe
3060	Share64.exe
4992	Share64.exe
3332	Share64.exe
2792	Share64.exe
640	Share64.exe
760	Share64.exe
3808	Share64.exe
60	Share64.exe
3808	Share64.exe
1320	Share64.exe
4332	Share64.exe
3820	Share64.exe
3260	Share64.exe
4848	Share64.exe
388	Share64.exe
3380	Share64.exe
3192	Share64.exe
2396	Share64.exe
1588	Share64.exe
1120	Share64.exe
2828	Share64.exe
2336	Share64.exe
3104	Share64.exe
4768	Share64.exe
3028	Share64.exe
3692	Share64.exe
540	Share64.exe
1908	Share64.exe
3104	Share64.exe
3620	Share64.exe
404	Share64.exe
2196	Share64.exe
1372	Share64.exe
4848	Share64.exe
320	Share64.exe
1396	Share64.exe
2828	Share64.exe
4064	Share64.exe
2412	Share64.exe
2596	Share64.exe
1372	Share64.exe
4104	Share64.exe
5076	Share64.exe
1708	Share64.exe
948	Share64.exe
3380	Share64.exe
2060	Share64.exe
5028	Share64.exe
216	Share64.exe
4640	Share64.exe
3524	Share64.exe
4012	Share64.exe
964	Share64.exe
388	Share64.exe
1952	Share64.exe
2436	Share64.exe
4064	Share64.exe
808	Share64.exe
3968	Share64.exe
2320	Share64.exe
4860	Share64.exe
996	Share64.exe
2208	Share64.exe

Unexpected DNS network traffic destination 6 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	104.238.186.189
Destination IP	130.255.73.90
Destination IP	51.255.48.78
Destination IP	89.18.27.167
Destination IP	31.171.251.118
Destination IP	185.121.177.177

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 32 IoCs

pid	pid_target	Process	procid_target
1588	3192	WerFault.exe	82
3032	3192	WerFault.exe	82
2604	3192	WerFault.exe	82
1744	3192	WerFault.exe	82
4236	3192	WerFault.exe	82
1340	3192	WerFault.exe	82
3284	3192	WerFault.exe	82
1900	3192	WerFault.exe	82
2208	3192	WerFault.exe	82
1992	3192	WerFault.exe	82
3504	3192	WerFault.exe	82
4532	920	WerFault.exe	107
3524	920	WerFault.exe	107
1680	920	WerFault.exe	107
2668	920	WerFault.exe	107
2480	920	WerFault.exe	107
4068	920	WerFault.exe	107
1248	920	WerFault.exe	107
3968	920	WerFault.exe	107
3576	920	WerFault.exe	107
4472	920	WerFault.exe	107
948	920	WerFault.exe	107
3528	920	WerFault.exe	107
3964	920	WerFault.exe	107
408	920	WerFault.exe	107
708	920	WerFault.exe	107
4884	920	WerFault.exe	107
1100	920	WerFault.exe	107
5108	920	WerFault.exe	107
1368	920	WerFault.exe	107
696	920	WerFault.exe	107
1872	920	WerFault.exe	107

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Share64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Share64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Share64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-07_01bf53b04ec2b317ac0ce374747fa249_mafia_magniber.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Share64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Share64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Share64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Share64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Share64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Share64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Share64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Share64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Share64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Share64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Share64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Share64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Share64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Share64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Share64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Share64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Share64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Share64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Share64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Share64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Share64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Share64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Share64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Share64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Share64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Share64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Share64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Share64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Share64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Share64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Share64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Share64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Share64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Share64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Share64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Share64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Share64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Share64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Share64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Share64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Share64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Share64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Share64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Share64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Share64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Share64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Share64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Share64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Share64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Share64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Share64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Share64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Share64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Share64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Share64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Share64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Share64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Share64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Share64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Share64.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
920	Update.exe
920	Update.exe
920	Update.exe
920	Update.exe
920	Update.exe
920	Update.exe
920	Update.exe
920	Update.exe
920	Update.exe
920	Update.exe
920	Update.exe
920	Update.exe
920	Update.exe
920	Update.exe
920	Update.exe
920	Update.exe
920	Update.exe
920	Update.exe
920	Update.exe
920	Update.exe
920	Update.exe
920	Update.exe
920	Update.exe
920	Update.exe
920	Update.exe
920	Update.exe
1936	msedge.exe
1936	msedge.exe
3772	msedge.exe
3772	msedge.exe
920	Update.exe
920	Update.exe
2728	identity_helper.exe
2728	identity_helper.exe
920	Update.exe
920	Update.exe
920	Update.exe
920	Update.exe
920	Update.exe
920	Update.exe
920	Update.exe
920	Update.exe
920	Update.exe
920	Update.exe
920	Update.exe
920	Update.exe
920	Update.exe
920	Update.exe
920	Update.exe
920	Update.exe
920	Update.exe
920	Update.exe
920	Update.exe
920	Update.exe
920	Update.exe
920	Update.exe
920	Update.exe
920	Update.exe
920	Update.exe
920	Update.exe
920	Update.exe
920	Update.exe
920	Update.exe
920	Update.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
920	Update.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3192 wrote to memory of 920	3192	2024-08-07_01bf53b04ec2b317ac0ce374747fa249_mafia_magniber.exe	107
PID 3192 wrote to memory of 920	3192	2024-08-07_01bf53b04ec2b317ac0ce374747fa249_mafia_magniber.exe	107
PID 3192 wrote to memory of 920	3192	2024-08-07_01bf53b04ec2b317ac0ce374747fa249_mafia_magniber.exe	107
PID 920 wrote to memory of 3060	920	Update.exe	138
PID 920 wrote to memory of 3060	920	Update.exe	138
PID 920 wrote to memory of 3060	920	Update.exe	138
PID 920 wrote to memory of 4992	920	Update.exe	140
PID 920 wrote to memory of 4992	920	Update.exe	140
PID 920 wrote to memory of 4992	920	Update.exe	140
PID 920 wrote to memory of 3332	920	Update.exe	142
PID 920 wrote to memory of 3332	920	Update.exe	142
PID 920 wrote to memory of 3332	920	Update.exe	142
PID 920 wrote to memory of 2792	920	Update.exe	144
PID 920 wrote to memory of 2792	920	Update.exe	144
PID 920 wrote to memory of 2792	920	Update.exe	144
PID 920 wrote to memory of 640	920	Update.exe	146
PID 920 wrote to memory of 640	920	Update.exe	146
PID 920 wrote to memory of 640	920	Update.exe	146
PID 920 wrote to memory of 760	920	Update.exe	154
PID 920 wrote to memory of 760	920	Update.exe	154
PID 920 wrote to memory of 760	920	Update.exe	154
PID 920 wrote to memory of 3772	920	Update.exe	156
PID 920 wrote to memory of 3772	920	Update.exe	156
PID 3772 wrote to memory of 1740	3772	msedge.exe	157
PID 3772 wrote to memory of 1740	3772	msedge.exe	157
PID 3772 wrote to memory of 4424	3772	msedge.exe	160
PID 3772 wrote to memory of 4424	3772	msedge.exe	160
PID 3772 wrote to memory of 4424	3772	msedge.exe	160
PID 3772 wrote to memory of 4424	3772	msedge.exe	160
PID 3772 wrote to memory of 4424	3772	msedge.exe	160
PID 3772 wrote to memory of 4424	3772	msedge.exe	160
PID 3772 wrote to memory of 4424	3772	msedge.exe	160
PID 3772 wrote to memory of 4424	3772	msedge.exe	160
PID 3772 wrote to memory of 4424	3772	msedge.exe	160
PID 3772 wrote to memory of 4424	3772	msedge.exe	160
PID 3772 wrote to memory of 4424	3772	msedge.exe	160
PID 3772 wrote to memory of 4424	3772	msedge.exe	160
PID 3772 wrote to memory of 4424	3772	msedge.exe	160
PID 3772 wrote to memory of 4424	3772	msedge.exe	160
PID 3772 wrote to memory of 4424	3772	msedge.exe	160
PID 3772 wrote to memory of 4424	3772	msedge.exe	160
PID 3772 wrote to memory of 4424	3772	msedge.exe	160
PID 3772 wrote to memory of 4424	3772	msedge.exe	160
PID 3772 wrote to memory of 4424	3772	msedge.exe	160
PID 3772 wrote to memory of 4424	3772	msedge.exe	160
PID 3772 wrote to memory of 4424	3772	msedge.exe	160
PID 3772 wrote to memory of 4424	3772	msedge.exe	160
PID 3772 wrote to memory of 4424	3772	msedge.exe	160
PID 3772 wrote to memory of 4424	3772	msedge.exe	160
PID 3772 wrote to memory of 4424	3772	msedge.exe	160
PID 3772 wrote to memory of 4424	3772	msedge.exe	160
PID 3772 wrote to memory of 4424	3772	msedge.exe	160
PID 3772 wrote to memory of 4424	3772	msedge.exe	160
PID 3772 wrote to memory of 4424	3772	msedge.exe	160
PID 3772 wrote to memory of 4424	3772	msedge.exe	160
PID 3772 wrote to memory of 4424	3772	msedge.exe	160
PID 3772 wrote to memory of 4424	3772	msedge.exe	160
PID 3772 wrote to memory of 4424	3772	msedge.exe	160
PID 3772 wrote to memory of 4424	3772	msedge.exe	160
PID 3772 wrote to memory of 4424	3772	msedge.exe	160
PID 3772 wrote to memory of 4424	3772	msedge.exe	160
PID 3772 wrote to memory of 4424	3772	msedge.exe	160
PID 3772 wrote to memory of 4424	3772	msedge.exe	160
PID 3772 wrote to memory of 4424	3772	msedge.exe	160

C:\Users\Admin\AppData\Local\Temp\2024-08-07_01bf53b04ec2b317ac0ce374747fa249_mafia_magniber.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-07_01bf53b04ec2b317ac0ce374747fa249_mafia_magniber.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3192
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3192 -s 552
  2⤵
  - Program crash
  PID:1588
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3192 -s 560
  2⤵
  - Program crash
  PID:3032
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3192 -s 604
  2⤵
  - Program crash
  PID:2604
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3192 -s 624
  2⤵
  - Program crash
  PID:1744
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3192 -s 860
  2⤵
  - Program crash
  PID:4236
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3192 -s 920
  2⤵
  - Program crash
  PID:1340
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3192 -s 1052
  2⤵
  - Program crash
  PID:3284
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3192 -s 1052
  2⤵
  - Program crash
  PID:1900
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3192 -s 864
  2⤵
  - Program crash
  PID:2208
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3192 -s 1064
  2⤵
  - Program crash
  PID:1992
- C:\Users\Admin\AppData\Roaming\Adobe\Update.exe
  "C:\Users\Admin\AppData\Roaming\Adobe\Update.exe" "C:\Users\Admin\AppData\Local\Temp\2024-08-07_01bf53b04ec2b317ac0ce374747fa249_mafia_magniber.exe"
  2⤵
  - Checks computer location settings
  - Deletes itself
  - Drops startup file
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  PID:920
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 920 -s 548
    3⤵
    - Program crash
    PID:4532
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 920 -s 592
    3⤵
    - Program crash
    PID:3524
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 920 -s 600
    3⤵
    - Program crash
    PID:1680
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 920 -s 628
    3⤵
    - Program crash
    PID:2668
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 920 -s 644
    3⤵
    - Program crash
    PID:2480
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 920 -s 640
    3⤵
    - Program crash
    PID:4068
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 920 -s 572
    3⤵
    - Program crash
    PID:1248
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 920 -s 580
    3⤵
    - Program crash
    PID:3968
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 920 -s 728
    3⤵
    - Program crash
    PID:3576
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 920 -s 1108
    3⤵
    - Program crash
    PID:4472
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 920 -s 1216
    3⤵
    - Program crash
    PID:948
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 920 -s 1252
    3⤵
    - Program crash
    PID:3528
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 920 -s 1272
    3⤵
    - Program crash
    PID:3964
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 920 -s 1088
    3⤵
    - Program crash
    PID:408
- - C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
    "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3060
- - C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
    "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4992
- - C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
    "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3332
- - C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
    "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2792
- - C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
    "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:640
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 920 -s 1400
    3⤵
    - Program crash
    PID:708
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 920 -s 1664
    3⤵
    - Program crash
    PID:4884
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 920 -s 1672
    3⤵
    - Program crash
    PID:1100
- - C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
    "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:760
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://bolamavojaca.review/lp/thanks.php
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:3772
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9c73246f8,0x7ff9c7324708,0x7ff9c7324718
      4⤵
      PID:1740
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,14913399776899820703,11601046333977255701,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
      4⤵
      PID:4424
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,14913399776899820703,11601046333977255701,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1936
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,14913399776899820703,11601046333977255701,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2748 /prefetch:8
      4⤵
      PID:3508
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,14913399776899820703,11601046333977255701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3152 /prefetch:1
      4⤵
      PID:880
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,14913399776899820703,11601046333977255701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3184 /prefetch:1
      4⤵
      PID:3620
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,14913399776899820703,11601046333977255701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3948 /prefetch:1
      4⤵
      PID:1320
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,14913399776899820703,11601046333977255701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3488 /prefetch:1
      4⤵
      PID:4772
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,14913399776899820703,11601046333977255701,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5388 /prefetch:8
      4⤵
      PID:1032
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,14913399776899820703,11601046333977255701,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5388 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2728
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,14913399776899820703,11601046333977255701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5456 /prefetch:1
      4⤵
      PID:2368
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,14913399776899820703,11601046333977255701,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5472 /prefetch:1
      4⤵
      PID:4292
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,14913399776899820703,11601046333977255701,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5508 /prefetch:1
      4⤵
      PID:4512
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,14913399776899820703,11601046333977255701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4000 /prefetch:1
      4⤵
      PID:116
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,14913399776899820703,11601046333977255701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1684 /prefetch:1
      4⤵
      PID:3840
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,14913399776899820703,11601046333977255701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4160 /prefetch:1
      4⤵
      PID:1572
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,14913399776899820703,11601046333977255701,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2592 /prefetch:2
      4⤵
      PID:3668
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 920 -s 1408
    3⤵
    - Program crash
    PID:5108
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 920 -s 1432
    3⤵
    - Program crash
    PID:1368
- - C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
    "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
    3⤵
    - Executes dropped EXE
    PID:3808
- - C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
    "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:60
- - C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
    "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3808
- - C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
    "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
    3⤵
    - Executes dropped EXE
    PID:1320
- - C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
    "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
    3⤵
    - Executes dropped EXE
    PID:4332
- - C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
    "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3820
- - C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
    "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3260
- - C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
    "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
    3⤵
    - Executes dropped EXE
    PID:4848
- - C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
    "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:388
- - C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
    "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
    3⤵
    - Executes dropped EXE
    PID:3380
- - C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
    "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3192
- - C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
    "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
    3⤵
    - Executes dropped EXE
    PID:2396
- - C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
    "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1588
- - C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
    "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
    3⤵
    - Executes dropped EXE
    PID:1120
- - C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
    "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2828
- - C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
    "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2336
- - C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
    "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3104
- - C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
    "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4768
- - C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
    "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3028
- - C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
    "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3692
- - C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
    "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
    3⤵
    - Executes dropped EXE
    PID:540
- - C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
    "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1908
- - C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
    "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3104
- - C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
    "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
    3⤵
    - Executes dropped EXE
    PID:3620
- - C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
    "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:404
- - C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
    "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2196
- - C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
    "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1372
- - C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
    "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4848
- - C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
    "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:320
- - C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
    "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1396
- - C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
    "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2828
- - C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
    "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4064
- - C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
    "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2412
- - C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
    "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2596
- - C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
    "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
    3⤵
    - Executes dropped EXE
    PID:1372
- - C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
    "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4104
- - C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
    "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
    3⤵
    - Executes dropped EXE
    PID:5076
- - C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
    "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1708
- - C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
    "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:948
- - C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
    "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
    3⤵
    - Executes dropped EXE
    PID:3380
- - C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
    "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2060
- - C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
    "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
    3⤵
    - Executes dropped EXE
    PID:5028
- - C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
    "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
    3⤵
    - Executes dropped EXE
    PID:216
- - C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
    "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4640
- - C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
    "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3524
- - C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
    "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
    3⤵
    - Executes dropped EXE
    PID:4012
- - C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
    "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
    3⤵
    - Executes dropped EXE
    PID:964
- - C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
    "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:388
- - C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
    "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
    3⤵
    - Executes dropped EXE
    PID:1952
- - C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
    "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2436
- - C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
    "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4064
- - C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
    "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
    3⤵
    - Executes dropped EXE
    PID:808
- - C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
    "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3968
- - C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
    "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2320
- - C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
    "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4860
- - C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
    "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:996
- - C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
    "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2208
- - C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
    "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4436
- - C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
    "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4784
- - C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
    "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1996
- - C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
    "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
    3⤵
    PID:2288
- - C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
    "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4148
- - C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
    "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4336
- - C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
    "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4552
- - C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
    "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4848
- - C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
    "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
    3⤵
    PID:3596
- - C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
    "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
    3⤵
    PID:3568
- - C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
    "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
    3⤵
    PID:1120
- - C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
    "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
    3⤵
    PID:2264
- - C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
    "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3472
- - C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
    "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3656
- - C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
    "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4168
- - C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
    "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4812
- - C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
    "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4332
- - C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
    "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:996
- - C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
    "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
    3⤵
    PID:3608
- - C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
    "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
    3⤵
    PID:2960
- - C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
    "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5064
- - C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
    "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3492
- - C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
    "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
    3⤵
    PID:4480
- - C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
    "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2340
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 920 -s 1452
    3⤵
    - Program crash
    PID:696
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 920 -s 1224
    3⤵
    - Program crash
    PID:1872
- - C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
    "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2540
- - C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
    "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
    3⤵
    PID:2656
- - C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
    "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2396
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3192 -s 1236
  2⤵
  - Program crash
  PID:3504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3192 -ip 3192
1⤵
PID:3964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3192 -ip 3192
1⤵
PID:3712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 3192 -ip 3192
1⤵
PID:4464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3192 -ip 3192
1⤵
PID:5088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 3192 -ip 3192
1⤵
PID:3672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3192 -ip 3192
1⤵
PID:3840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3192 -ip 3192
1⤵
PID:1264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3192 -ip 3192
1⤵
PID:3092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3192 -ip 3192
1⤵
PID:1652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3192 -ip 3192
1⤵
PID:1924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3192 -ip 3192
1⤵
PID:624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 920 -ip 920
1⤵
PID:232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 920 -ip 920
1⤵
PID:2956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 920 -ip 920
1⤵
PID:1776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 920 -ip 920
1⤵
PID:2472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 920 -ip 920
1⤵
PID:1132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 920 -ip 920
1⤵
PID:1728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 920 -ip 920
1⤵
PID:1936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 920 -ip 920
1⤵
PID:4564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 920 -ip 920
1⤵
PID:1912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 920 -ip 920
1⤵
PID:4380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 920 -ip 920
1⤵
PID:4864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 920 -ip 920
1⤵
PID:3112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 920 -ip 920
1⤵
PID:1144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 920 -ip 920
1⤵
PID:5076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 920 -ip 920
1⤵
PID:4912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 920 -ip 920
1⤵
PID:3380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 920 -ip 920
1⤵
PID:1032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 920 -ip 920
1⤵
PID:4532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 920 -ip 920
1⤵
PID:4636

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4332

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 920 -ip 920
1⤵
PID:2148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 920 -ip 920
1⤵
PID:3496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0446fcdd21b016db1f468971fb82a488

SHA1
726b91562bb75f80981f381e3c69d7d832c87c9d

SHA256
62c5dc18b25e758f3508582a7c58bb46b734a774d97fc0e8a20614235caa8222

SHA512
1df7c085042266959f1fe0aedc5f6d40ceba485b54159f51f0c38f17bb250b79ea941b735e1b6faf219f23fe8ab65ac4557f545519d52d5416b89ad0f9047a31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9b008261dda31857d68792b46af6dd6d

SHA1
e82dc88e2d1da2df7cb19d79a0346b9bb90d52b3

SHA256
9ac598d4f8170f7e475d84103aead9e3c23d5f2d292741a7f56a17bde8b6f7da

SHA512
78853091403a06beeec4998e2e3a4342111895ffd485f7f7cd367741a4883f7a25864cba00a6c86f27dc0c9ce9d04f08011ecc40c8ae9383d33274739ac39f10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ec1b18d9fe647677fe2398693233f340

SHA1
a921a83a44ffec2f6b5af94edac9d3d3b1ab11ef

SHA256
d9287aa0d639d9806a5451fdced666645f193e068a94124f02637024f6907652

SHA512
6057a376c5c5e7c11cab1526e620ca2636f11896ade9cb636814c27284b6ec55d79b65a01b6e3fe479aa712ef5c9988eb698031517798033304f26c96d09e1a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
da55c586c7748c3b1d8d665d6e6a96eb

SHA1
c8d146b5fe31a3fcc57cc84dabf906bbaf76a690

SHA256
e54f73187966cf983d27034cb5cddf4c631ebdb577098c5d7bfd17f010b1d88c

SHA512
17714eedece88216f19e5ef7e64d2a75842c2bfe5b4a5cadd4bd0a06084fd89b66e3a980b1c5f33fea99b303fb36ae57848a951f9bcc321d9d6b962a7c8e1566

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
0079cf5e3833d2eaea9a3abb65756329

SHA1
28d0cac470e44ea57f581d42abd156c7c773c7fc

SHA256
82bb39699df455234cd03ec6fe8e7f5961670b84df600a290748b4a9eeb2113f

SHA512
dae0f07cba8bc932389e2bc224bee9ab15fd4c2040fa3d4b0613ce96c8768c62fc887ea4a02d73b1f32ff5526d97b45baa8b6eee24dd3995608f6efcc929bd8f

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe

Filesize
675KB

MD5
59467cb77c1839dfb1b40599edab245a

SHA1
06c67579ac60ab1456daf643c76e30ef7e0566d5

SHA256
c28ea7805a0f17b5427a6763834124e2f84c0db94250d4a84df0c55a6f130589

SHA512
0ee66920fcf551c85560b719b1c5662929ec13ee820da186d5638dfa12ba06ac73b00c0daffd88f200def68e81ebaca7a2f083223ce997ee2f55caea1109273d

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Update.exe

Filesize
545KB

MD5
01bf53b04ec2b317ac0ce374747fa249

SHA1
dd39acdc2dd60b2f368d2ed12795af22cff107f8

SHA256
7c46cbe01e45ad3a89a0e89dbdd74be09710e4be95bdd8f018fb63ccda2e90ef

SHA512
d94cc20853e8034e709150db030b72aa7a7fd9803e1baf489057cd527eaaf54d1c50f7dbbb911b8e1bb874f527957e58a9df2b4c2eec5c435f6062dcb958d8b4

Download Submit
memory/60-147-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/216-610-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/320-451-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/388-236-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/388-675-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/404-410-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/540-367-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/640-69-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/760-101-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/920-521-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/920-441-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/920-160-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/920-49-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/920-17-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/920-298-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/920-237-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/948-569-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/964-665-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/1120-287-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/1320-170-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/1372-520-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/1372-430-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/1396-461-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/1588-277-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/1708-551-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/1908-378-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/2060-589-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/2196-420-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/2336-308-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/2396-267-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/2412-500-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/2596-510-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/2792-59-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/2828-480-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/2828-297-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/3028-347-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/3060-28-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/3104-388-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/3104-327-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/3192-16-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/3192-257-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/3192-2-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/3192-1-0x0000000000690000-0x0000000000790000-memory.dmp

Filesize
1024KB

Download
memory/3260-216-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/3332-48-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/3380-579-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/3380-247-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/3524-629-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/3620-400-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/3692-357-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/3808-115-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/3808-159-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/3820-192-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/4012-656-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/4064-490-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/4104-531-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/4332-182-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/4640-620-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/4768-337-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/4848-440-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/4848-226-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/4992-38-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/5028-600-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/5076-541-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download