glupteba | 19aa56dc98677b4838ec221d983bc71579ca6315a90e6aa563c32005be7dc7d6

Analysis

max time kernel
157s
max time network
169s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
22-02-2022 14:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

19aa56dc98677b4838ec221d983bc71579ca6315a90e6aa563c32005be7dc7d6.exe
Size

9.1MB
MD5

3a866f19d4fad0e9d3c75101255209b2
SHA1

5d2b6bfff3834712a8b0e829d778c7b85a67f39e
SHA256

19aa56dc98677b4838ec221d983bc71579ca6315a90e6aa563c32005be7dc7d6
SHA512

55744c4fba72459074312db790ad05dec8756627655e88fa5e89673203e82679474372520b12620658c1905242c38039bc8313aa954e2ff9aba6cec9ec656edb

Score

10^/10

glupteba metasploit onlylogger redline smokeloader socelars tofsee backdoor discovery dropper evasion infostealer loader persistence spyware stealer trojan upx

Malware Config

Extracted

Family

socelars

http://www.iyiqian.com/

http://www.xxhufdc.top/

http://www.uefhkice.xyz/

http://www.fcektsy.top/

Extracted

Family

metasploit

Version

windows/single_exec

Extracted

Family

smokeloader

Version

2020

http://varmisende.com/upload/

http://fernandomayol.com/upload/

http://nextlytm.com/upload/

http://people4jan.com/upload/

http://asfaltwerk.com/upload/

rc4.i32

Extracted

Family

tofsee

patmushta.info

ovicrush.cn

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba Payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1344-171-0x0000000005300000-0x0000000005C26000-memory.dmp	family_glupteba
behavioral2/memory/1344-172-0x0000000000400000-0x0000000000D41000-memory.dmp	family_glupteba
behavioral2/memory/1968-175-0x0000000000400000-0x0000000000D41000-memory.dmp	family_glupteba
behavioral2/memory/1256-215-0x0000000000400000-0x0000000000D41000-memory.dmp	family_glupteba

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
OnlyLogger
A tiny loader that uses IPLogger to get its payload.
loader onlylogger
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rUNdlL32.eXe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1880 4044 rUNdlL32.eXe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1880	4044	rUNdlL32.eXe

RedLine Payload 12 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3256-218-0x0000000000040000-0x0000000000271000-memory.dmp	family_redline
behavioral2/memory/3256-229-0x0000000000042000-0x0000000000078000-memory.dmp	family_redline
behavioral2/memory/3256-219-0x0000000000042000-0x0000000000078000-memory.dmp	family_redline
behavioral2/memory/3256-240-0x0000000000040000-0x0000000000271000-memory.dmp	family_redline
behavioral2/memory/3256-242-0x0000000000040000-0x0000000000271000-memory.dmp	family_redline
behavioral2/memory/1656-244-0x0000000000DF0000-0x0000000000EE4000-memory.dmp	family_redline
behavioral2/memory/1656-246-0x0000000000DF0000-0x0000000000EE4000-memory.dmp	family_redline
behavioral2/memory/1656-248-0x0000000000DF2000-0x0000000000E25000-memory.dmp	family_redline
behavioral2/memory/5164-258-0x00000000001D0000-0x0000000000387000-memory.dmp	family_redline
behavioral2/memory/1656-280-0x0000000000DF2000-0x0000000000E25000-memory.dmp	family_redline
behavioral2/memory/5164-268-0x00000000001D2000-0x0000000000207000-memory.dmp	family_redline
behavioral2/memory/5164-261-0x00000000001D0000-0x0000000000387000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Install.exe	family_socelars
C:\Users\Admin\AppData\Local\Temp\Install.exe	family_socelars

Suspicious use of NtCreateProcessExOtherParentProcess 15 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

description	pid	process	target process
PID 2188 created 4176	2188	WerFault.exe	rundll32.exe
PID 1252 created 3308	1252	WerFault.exe	geVu_wAoUbI1PuQKJ6bVd7VJ.exe
PID 4608 created 4892	4608	WerFault.exe	KeVFnUVah4Dt4kq5rllnp5Xi.exe
PID 5004 created 1864	5004	WerFault.exe	akYp8s_987TCNI5qcVWLnJJs.exe
PID 1068 created 1552	1068	WerFault.exe	KTua4yTuXa2dTw8UgYaiu0lG.exe
PID 5560 created 5212	5560	WerFault.exe	LTUPgJG9jEJ99QexChjfvceS.exe
PID 5624 created 1864	5624	WerFault.exe	akYp8s_987TCNI5qcVWLnJJs.exe
PID 5744 created 4952	5744	WerFault.exe	I5RY1ztuWRES9ICqj1XbrOUk.exe
PID 5652 created 4892	5652	WerFault.exe	KeVFnUVah4Dt4kq5rllnp5Xi.exe
PID 5548 created 5204	5548	WerFault.exe	TwNbMOClgncA8o1Mhyy11dUy.exe
PID 5512 created 5172	5512	WerFault.exe	lVSghfaLLSn5nVylEfLmiWgz.exe
PID 6132 created 5212	6132	WerFault.exe	LTUPgJG9jEJ99QexChjfvceS.exe
PID 5244 created 5172	5244	WerFault.exe	lVSghfaLLSn5nVylEfLmiWgz.exe
PID 5228 created 5204	5228	WerFault.exe	TwNbMOClgncA8o1Mhyy11dUy.exe
PID 5612 created 3308	5612	WerFault.exe	geVu_wAoUbI1PuQKJ6bVd7VJ.exe

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

Processes:

svchost.exe

description pid process target process

PID 4528 created 1344 4528 svchost.exe Info.exe
PID 4528 created 1256 4528 svchost.exe csrss.exe
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee

description	pid	process	target process
PID 4528 created 1344	4528	svchost.exe	Info.exe
PID 4528 created 1256	4528	svchost.exe	csrss.exe

OnlyLogger Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4952-251-0x0000000001AB0000-0x0000000001AF4000-memory.dmp	family_onlylogger
behavioral2/memory/4952-276-0x0000000000400000-0x0000000000447000-memory.dmp	family_onlylogger

Downloads MZ/PE file

Executes dropped EXE 43 IoCs

Processes:

md9_1sjm.exeSoCleanInst.exeFolder.exeInfo.exeUpdbdate.exeFile.exeInstall.exepub2.exeFiles.exeFolder.exejfiag3g_gg.exejfiag3g_gg.exeInfo.execsrss.exexWutTQqWYWuD_MVjrYDgMFr6.exekATfMtvsx3wTaalPKvoAcxvM.exe1GWbk3mRPAv2fBIYn8CXkoSe.exeKTua4yTuXa2dTw8UgYaiu0lG.exeyy_BkeEzmCGqhSOvciO32pgv.exeI5RY1ztuWRES9ICqj1XbrOUk.exeU9jdj6HzHQBc1yoytxu94sMd.exeyRWrqtm606H6upc_M2XeZO_V.exepdrMk24l1OAtyXj2dapn3nCT.exewan1R7TQ2mLQAeJFG8zvxKbg.exeakYp8s_987TCNI5qcVWLnJJs.exeKeVFnUVah4Dt4kq5rllnp5Xi.exeZXo6T5S8coL_okjGbUHvsTua.exeJrC1zC9AywfbekfFb4sJvmKP.exeyv0lTacURSjC6C6EYAaS4y3k.exeYrCjvldFtaHKRSkzns8dt29c.exegeVu_wAoUbI1PuQKJ6bVd7VJ.exeslPtV4DEdVUaz3s7U7wmBZQh.exexcLWLvltuz7QcXnN9lgtqjWI.exe7ad1ub0OGnVDMRADt5iwyqSe.exeNWJLaZfldSRZdJ8glmj57d_s.exelVSghfaLLSn5nVylEfLmiWgz.exeTwNbMOClgncA8o1Mhyy11dUy.exeLTUPgJG9jEJ99QexChjfvceS.exeslPtV4DEdVUaz3s7U7wmBZQh.exeyRWrqtm606H6upc_M2XeZO_V.exeEZ7k5hn07sqlDWCR84uG6kjR.exeinjector.exeFmMf_auFungmbJ4009DeY0HS.exe

pid	process
3340	md9_1sjm.exe
3276	SoCleanInst.exe
4620	Folder.exe
1344	Info.exe
3484	Updbdate.exe
2256	File.exe
2824	Install.exe
4028	pub2.exe
4884	Files.exe
2388	Folder.exe
2432	jfiag3g_gg.exe
412	jfiag3g_gg.exe
1968	Info.exe
1256	csrss.exe
1560	xWutTQqWYWuD_MVjrYDgMFr6.exe
368	kATfMtvsx3wTaalPKvoAcxvM.exe
3608	1GWbk3mRPAv2fBIYn8CXkoSe.exe
1552	KTua4yTuXa2dTw8UgYaiu0lG.exe
2616	yy_BkeEzmCGqhSOvciO32pgv.exe
4952	I5RY1ztuWRES9ICqj1XbrOUk.exe
2968	U9jdj6HzHQBc1yoytxu94sMd.exe
4212	yRWrqtm606H6upc_M2XeZO_V.exe
2280	pdrMk24l1OAtyXj2dapn3nCT.exe
3136	wan1R7TQ2mLQAeJFG8zvxKbg.exe
1864	akYp8s_987TCNI5qcVWLnJJs.exe
4892	KeVFnUVah4Dt4kq5rllnp5Xi.exe
1304	ZXo6T5S8coL_okjGbUHvsTua.exe
3256	JrC1zC9AywfbekfFb4sJvmKP.exe
444	yv0lTacURSjC6C6EYAaS4y3k.exe
3616	YrCjvldFtaHKRSkzns8dt29c.exe
3308	geVu_wAoUbI1PuQKJ6bVd7VJ.exe
3400	slPtV4DEdVUaz3s7U7wmBZQh.exe
1656	xcLWLvltuz7QcXnN9lgtqjWI.exe
4968	7ad1ub0OGnVDMRADt5iwyqSe.exe
5164	NWJLaZfldSRZdJ8glmj57d_s.exe
5172	lVSghfaLLSn5nVylEfLmiWgz.exe
5204	TwNbMOClgncA8o1Mhyy11dUy.exe
5212	LTUPgJG9jEJ99QexChjfvceS.exe
5324	slPtV4DEdVUaz3s7U7wmBZQh.exe
5352	yRWrqtm606H6upc_M2XeZO_V.exe
2080	EZ7k5hn07sqlDWCR84uG6kjR.exe
5976	injector.exe
5628	FmMf_auFungmbJ4009DeY0HS.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\Pictures\Adobe Films\YrCjvldFtaHKRSkzns8dt29c.exe	upx
C:\Users\Admin\Pictures\Adobe Films\YrCjvldFtaHKRSkzns8dt29c.exe	upx

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Folder.exeFile.exe1GWbk3mRPAv2fBIYn8CXkoSe.exeEZ7k5hn07sqlDWCR84uG6kjR.exe19aa56dc98677b4838ec221d983bc71579ca6315a90e6aa563c32005be7dc7d6.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	Folder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	File.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	1GWbk3mRPAv2fBIYn8CXkoSe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	EZ7k5hn07sqlDWCR84uG6kjR.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	19aa56dc98677b4838ec221d983bc71579ca6315a90e6aa563c32005be7dc7d6.exe

Loads dropped DLL 2 IoCs

Processes:

rundll32.exepdrMk24l1OAtyXj2dapn3nCT.exe

pid process

4176 rundll32.exe
2280 pdrMk24l1OAtyXj2dapn3nCT.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4176	rundll32.exe
2280	pdrMk24l1OAtyXj2dapn3nCT.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Files.exeInfo.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.ex"	Files.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SummerHaze = "\"C:\\Windows\\rss\\csrss.exe\""	Info.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

md9_1sjm.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA md9_1sjm.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 7 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

322 ipinfo.io
25 ip-api.com
113 ipinfo.io
114 ipinfo.io
261 ipinfo.io
262 ipinfo.io
321 ipinfo.io
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

JrC1zC9AywfbekfFb4sJvmKP.exexcLWLvltuz7QcXnN9lgtqjWI.exeNWJLaZfldSRZdJ8glmj57d_s.exe

pid process

3256 JrC1zC9AywfbekfFb4sJvmKP.exe
1656 xcLWLvltuz7QcXnN9lgtqjWI.exe
5164 NWJLaZfldSRZdJ8glmj57d_s.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	md9_1sjm.exe

flow	ioc
322	ipinfo.io
25	ip-api.com
113	ipinfo.io
114	ipinfo.io
261	ipinfo.io
262	ipinfo.io
321	ipinfo.io

pid	process
3256	JrC1zC9AywfbekfFb4sJvmKP.exe
1656	xcLWLvltuz7QcXnN9lgtqjWI.exe
5164	NWJLaZfldSRZdJ8glmj57d_s.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

slPtV4DEdVUaz3s7U7wmBZQh.exeyRWrqtm606H6upc_M2XeZO_V.exe

description	pid	process	target process
PID 3400 set thread context of 5324	3400	slPtV4DEdVUaz3s7U7wmBZQh.exe	slPtV4DEdVUaz3s7U7wmBZQh.exe
PID 4212 set thread context of 5352	4212	yRWrqtm606H6upc_M2XeZO_V.exe	yRWrqtm606H6upc_M2XeZO_V.exe

Drops file in Program Files directory 5 IoCs

Processes:

1GWbk3mRPAv2fBIYn8CXkoSe.exekATfMtvsx3wTaalPKvoAcxvM.exe

description	ioc	process
File created	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	1GWbk3mRPAv2fBIYn8CXkoSe.exe
File opened for modification	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	1GWbk3mRPAv2fBIYn8CXkoSe.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exe	kATfMtvsx3wTaalPKvoAcxvM.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\Uninstall.exe	kATfMtvsx3wTaalPKvoAcxvM.exe
File created	C:\Program Files (x86)\Company\NewProduct\Uninstall.ini	kATfMtvsx3wTaalPKvoAcxvM.exe

Drops file in Windows directory 3 IoCs

Processes:

WerFault.exeInfo.exe

description	ioc	process
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	WerFault.exe
File opened for modification	C:\Windows\rss	Info.exe
File created	C:\Windows\rss\csrss.exe	Info.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 60 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4228	4176	WerFault.exe	rundll32.exe
3996	1344	WerFault.exe	Info.exe
4548	1344	WerFault.exe	Info.exe
1232	1344	WerFault.exe	Info.exe
3776	1344	WerFault.exe	Info.exe
4676	1344	WerFault.exe	Info.exe
3992	1344	WerFault.exe	Info.exe
4892	1344	WerFault.exe	Info.exe
4556	1344	WerFault.exe	Info.exe
296	1344	WerFault.exe	Info.exe
1096	1344	WerFault.exe	Info.exe
3108	1344	WerFault.exe	Info.exe
4932	1344	WerFault.exe	Info.exe
2308	1344	WerFault.exe	Info.exe
4576	1344	WerFault.exe	Info.exe
4028	1344	WerFault.exe	Info.exe
4000	1344	WerFault.exe	Info.exe
3068	1344	WerFault.exe	Info.exe
1432	1344	WerFault.exe	Info.exe
992	1344	WerFault.exe	Info.exe
3804	1344	WerFault.exe	Info.exe
4204	1344	WerFault.exe	Info.exe
4224	1968	WerFault.exe	Info.exe
2020	1968	WerFault.exe	Info.exe
3800	1968	WerFault.exe	Info.exe
4856	1968	WerFault.exe	Info.exe
3400	1968	WerFault.exe	Info.exe
3452	1968	WerFault.exe	Info.exe
3436	1968	WerFault.exe	Info.exe
4388	1968	WerFault.exe	Info.exe
1908	1968	WerFault.exe	Info.exe
2980	1968	WerFault.exe	Info.exe
1552	1968	WerFault.exe	Info.exe
1936	1968	WerFault.exe	Info.exe
1716	1968	WerFault.exe	Info.exe
2484	1968	WerFault.exe	Info.exe
616	1968	WerFault.exe	Info.exe
1988	1968	WerFault.exe	Info.exe
3004	1256	WerFault.exe	csrss.exe
4508	1256	WerFault.exe	csrss.exe
604	1256	WerFault.exe	csrss.exe
432	1256	WerFault.exe	csrss.exe
3256	1256	WerFault.exe	csrss.exe
2968	1256	WerFault.exe	csrss.exe
3136	1256	WerFault.exe	csrss.exe
2260	1256	WerFault.exe	csrss.exe
620	1256	WerFault.exe	csrss.exe
3928	1256	WerFault.exe	csrss.exe
1988	1256	WerFault.exe	csrss.exe
2456	1256	WerFault.exe	csrss.exe
3308	1256	WerFault.exe	csrss.exe
5692	3308	WerFault.exe	geVu_wAoUbI1PuQKJ6bVd7VJ.exe
6100	1864	WerFault.exe	akYp8s_987TCNI5qcVWLnJJs.exe
4748	1256	WerFault.exe	csrss.exe
4316	4952	WerFault.exe	I5RY1ztuWRES9ICqj1XbrOUk.exe
6140	1864	WerFault.exe	akYp8s_987TCNI5qcVWLnJJs.exe
1748	5172	WerFault.exe	lVSghfaLLSn5nVylEfLmiWgz.exe
4848	1256	WerFault.exe	csrss.exe
1936	1256	WerFault.exe	csrss.exe
1704	5204	WerFault.exe	TwNbMOClgncA8o1Mhyy11dUy.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

pub2.exeyRWrqtm606H6upc_M2XeZO_V.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	yRWrqtm606H6upc_M2XeZO_V.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	yRWrqtm606H6upc_M2XeZO_V.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	yRWrqtm606H6upc_M2XeZO_V.exe

Checks processor information in registry 2 TTPs 9 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exeWerFault.exeWerFault.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

3460 schtasks.exe
5800 schtasks.exe
5684 schtasks.exe

pid	process
3460	schtasks.exe
5800	schtasks.exe
5684	schtasks.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exeWerFault.exeWerFault.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1996 taskkill.exe

pid	process
1996	taskkill.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

Info.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1841 = "Russia TZ 4 Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1821 = "Russia TZ 1 Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2372 = "Easter Island Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1862 = "Russia TZ 6 Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-242 = "Samoa Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1822 = "Russia TZ 1 Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2591 = "Tocantins Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1861 = "Russia TZ 6 Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-121 = "SA Pacific Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2531 = "Chatham Islands Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2632 = "Norfolk Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2871 = "Magallanes Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1872 = "Russia TZ 7 Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1501 = "Turkey Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-3142 = "South Sudan Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2532 = "Chatham Islands Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2432 = "Cuba Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2042 = "Eastern Standard Time (Mexico)"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time"	Info.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

File.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	File.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	File.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

pub2.exejfiag3g_gg.exe

pid	process
4028	pub2.exe
4028	pub2.exe
412	jfiag3g_gg.exe
412	jfiag3g_gg.exe
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2712
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

pub2.exeyRWrqtm606H6upc_M2XeZO_V.exe

pid process

4028 pub2.exe
5352 yRWrqtm606H6upc_M2XeZO_V.exe

pid	process
2712

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

SoCleanInst.exeInstall.exemd9_1sjm.exeWerFault.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	3276	SoCleanInst.exe
Token: SeCreateTokenPrivilege	2824	Install.exe
Token: SeAssignPrimaryTokenPrivilege	2824	Install.exe
Token: SeLockMemoryPrivilege	2824	Install.exe
Token: SeIncreaseQuotaPrivilege	2824	Install.exe
Token: SeMachineAccountPrivilege	2824	Install.exe
Token: SeTcbPrivilege	2824	Install.exe
Token: SeSecurityPrivilege	2824	Install.exe
Token: SeTakeOwnershipPrivilege	2824	Install.exe
Token: SeLoadDriverPrivilege	2824	Install.exe
Token: SeSystemProfilePrivilege	2824	Install.exe
Token: SeSystemtimePrivilege	2824	Install.exe
Token: SeProfSingleProcessPrivilege	2824	Install.exe
Token: SeIncBasePriorityPrivilege	2824	Install.exe
Token: SeCreatePagefilePrivilege	2824	Install.exe
Token: SeCreatePermanentPrivilege	2824	Install.exe
Token: SeBackupPrivilege	2824	Install.exe
Token: SeRestorePrivilege	2824	Install.exe
Token: SeShutdownPrivilege	2824	Install.exe
Token: SeDebugPrivilege	2824	Install.exe
Token: SeAuditPrivilege	2824	Install.exe
Token: SeSystemEnvironmentPrivilege	2824	Install.exe
Token: SeChangeNotifyPrivilege	2824	Install.exe
Token: SeRemoteShutdownPrivilege	2824	Install.exe
Token: SeUndockPrivilege	2824	Install.exe
Token: SeSyncAgentPrivilege	2824	Install.exe
Token: SeEnableDelegationPrivilege	2824	Install.exe
Token: SeManageVolumePrivilege	2824	Install.exe
Token: SeImpersonatePrivilege	2824	Install.exe
Token: SeCreateGlobalPrivilege	2824	Install.exe
Token: 31	2824	Install.exe
Token: 32	2824	Install.exe
Token: 33	2824	Install.exe
Token: 34	2824	Install.exe
Token: 35	2824	Install.exe
Token: SeManageVolumePrivilege	3340	md9_1sjm.exe
Token: SeRestorePrivilege	4228	WerFault.exe
Token: SeBackupPrivilege	4228	WerFault.exe
Token: SeBackupPrivilege	4228	WerFault.exe
Token: SeShutdownPrivilege	2712
Token: SeCreatePagefilePrivilege	2712
Token: SeShutdownPrivilege	2712
Token: SeCreatePagefilePrivilege	2712
Token: SeShutdownPrivilege	2712
Token: SeCreatePagefilePrivilege	2712
Token: SeShutdownPrivilege	2712
Token: SeCreatePagefilePrivilege	2712
Token: SeShutdownPrivilege	2712
Token: SeCreatePagefilePrivilege	2712
Token: SeShutdownPrivilege	2712
Token: SeCreatePagefilePrivilege	2712
Token: SeShutdownPrivilege	2712
Token: SeCreatePagefilePrivilege	2712
Token: SeDebugPrivilege	1996	taskkill.exe
Token: SeShutdownPrivilege	2712
Token: SeCreatePagefilePrivilege	2712
Token: SeShutdownPrivilege	2712
Token: SeCreatePagefilePrivilege	2712
Token: SeShutdownPrivilege	2712
Token: SeCreatePagefilePrivilege	2712
Token: SeShutdownPrivilege	2712
Token: SeCreatePagefilePrivilege	2712
Token: SeShutdownPrivilege	2712
Token: SeCreatePagefilePrivilege	2712

Suspicious use of SetWindowsHookEx 22 IoCs

Processes:

kATfMtvsx3wTaalPKvoAcxvM.exeyy_BkeEzmCGqhSOvciO32pgv.exeyRWrqtm606H6upc_M2XeZO_V.exeJrC1zC9AywfbekfFb4sJvmKP.exeyv0lTacURSjC6C6EYAaS4y3k.exeZXo6T5S8coL_okjGbUHvsTua.exeakYp8s_987TCNI5qcVWLnJJs.exeKeVFnUVah4Dt4kq5rllnp5Xi.exe1GWbk3mRPAv2fBIYn8CXkoSe.exeI5RY1ztuWRES9ICqj1XbrOUk.exeslPtV4DEdVUaz3s7U7wmBZQh.exegeVu_wAoUbI1PuQKJ6bVd7VJ.exepdrMk24l1OAtyXj2dapn3nCT.exe7ad1ub0OGnVDMRADt5iwyqSe.exexcLWLvltuz7QcXnN9lgtqjWI.exeNWJLaZfldSRZdJ8glmj57d_s.exeslPtV4DEdVUaz3s7U7wmBZQh.exelVSghfaLLSn5nVylEfLmiWgz.exeTwNbMOClgncA8o1Mhyy11dUy.exeLTUPgJG9jEJ99QexChjfvceS.exeKTua4yTuXa2dTw8UgYaiu0lG.exeEZ7k5hn07sqlDWCR84uG6kjR.exe

pid	process
368	kATfMtvsx3wTaalPKvoAcxvM.exe
2616	yy_BkeEzmCGqhSOvciO32pgv.exe
4212	yRWrqtm606H6upc_M2XeZO_V.exe
3256	JrC1zC9AywfbekfFb4sJvmKP.exe
444	yv0lTacURSjC6C6EYAaS4y3k.exe
1304	ZXo6T5S8coL_okjGbUHvsTua.exe
1864	akYp8s_987TCNI5qcVWLnJJs.exe
4892	KeVFnUVah4Dt4kq5rllnp5Xi.exe
3608	1GWbk3mRPAv2fBIYn8CXkoSe.exe
4952	I5RY1ztuWRES9ICqj1XbrOUk.exe
3400	slPtV4DEdVUaz3s7U7wmBZQh.exe
3308	geVu_wAoUbI1PuQKJ6bVd7VJ.exe
2280	pdrMk24l1OAtyXj2dapn3nCT.exe
4968	7ad1ub0OGnVDMRADt5iwyqSe.exe
1656	xcLWLvltuz7QcXnN9lgtqjWI.exe
5164	NWJLaZfldSRZdJ8glmj57d_s.exe
5324	slPtV4DEdVUaz3s7U7wmBZQh.exe
5172	lVSghfaLLSn5nVylEfLmiWgz.exe
5204	TwNbMOClgncA8o1Mhyy11dUy.exe
5212	LTUPgJG9jEJ99QexChjfvceS.exe
1552	KTua4yTuXa2dTw8UgYaiu0lG.exe
2080	EZ7k5hn07sqlDWCR84uG6kjR.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

19aa56dc98677b4838ec221d983bc71579ca6315a90e6aa563c32005be7dc7d6.exeFolder.exeFiles.exerUNdlL32.eXeWerFault.exeInstall.execmd.exesvchost.exeInfo.execmd.exeFile.exe

description	pid	process	target process
PID 3068 wrote to memory of 3340	3068	19aa56dc98677b4838ec221d983bc71579ca6315a90e6aa563c32005be7dc7d6.exe	md9_1sjm.exe
PID 3068 wrote to memory of 3340	3068	19aa56dc98677b4838ec221d983bc71579ca6315a90e6aa563c32005be7dc7d6.exe	md9_1sjm.exe
PID 3068 wrote to memory of 3340	3068	19aa56dc98677b4838ec221d983bc71579ca6315a90e6aa563c32005be7dc7d6.exe	md9_1sjm.exe
PID 3068 wrote to memory of 3276	3068	19aa56dc98677b4838ec221d983bc71579ca6315a90e6aa563c32005be7dc7d6.exe	SoCleanInst.exe
PID 3068 wrote to memory of 3276	3068	19aa56dc98677b4838ec221d983bc71579ca6315a90e6aa563c32005be7dc7d6.exe	SoCleanInst.exe
PID 3068 wrote to memory of 4620	3068	19aa56dc98677b4838ec221d983bc71579ca6315a90e6aa563c32005be7dc7d6.exe	Folder.exe
PID 3068 wrote to memory of 4620	3068	19aa56dc98677b4838ec221d983bc71579ca6315a90e6aa563c32005be7dc7d6.exe	Folder.exe
PID 3068 wrote to memory of 4620	3068	19aa56dc98677b4838ec221d983bc71579ca6315a90e6aa563c32005be7dc7d6.exe	Folder.exe
PID 3068 wrote to memory of 1344	3068	19aa56dc98677b4838ec221d983bc71579ca6315a90e6aa563c32005be7dc7d6.exe	Info.exe
PID 3068 wrote to memory of 1344	3068	19aa56dc98677b4838ec221d983bc71579ca6315a90e6aa563c32005be7dc7d6.exe	Info.exe
PID 3068 wrote to memory of 1344	3068	19aa56dc98677b4838ec221d983bc71579ca6315a90e6aa563c32005be7dc7d6.exe	Info.exe
PID 3068 wrote to memory of 3484	3068	19aa56dc98677b4838ec221d983bc71579ca6315a90e6aa563c32005be7dc7d6.exe	Updbdate.exe
PID 3068 wrote to memory of 3484	3068	19aa56dc98677b4838ec221d983bc71579ca6315a90e6aa563c32005be7dc7d6.exe	Updbdate.exe
PID 3068 wrote to memory of 3484	3068	19aa56dc98677b4838ec221d983bc71579ca6315a90e6aa563c32005be7dc7d6.exe	Updbdate.exe
PID 3068 wrote to memory of 2256	3068	19aa56dc98677b4838ec221d983bc71579ca6315a90e6aa563c32005be7dc7d6.exe	File.exe
PID 3068 wrote to memory of 2256	3068	19aa56dc98677b4838ec221d983bc71579ca6315a90e6aa563c32005be7dc7d6.exe	File.exe
PID 3068 wrote to memory of 2256	3068	19aa56dc98677b4838ec221d983bc71579ca6315a90e6aa563c32005be7dc7d6.exe	File.exe
PID 3068 wrote to memory of 2824	3068	19aa56dc98677b4838ec221d983bc71579ca6315a90e6aa563c32005be7dc7d6.exe	Install.exe
PID 3068 wrote to memory of 2824	3068	19aa56dc98677b4838ec221d983bc71579ca6315a90e6aa563c32005be7dc7d6.exe	Install.exe
PID 3068 wrote to memory of 2824	3068	19aa56dc98677b4838ec221d983bc71579ca6315a90e6aa563c32005be7dc7d6.exe	Install.exe
PID 3068 wrote to memory of 4028	3068	19aa56dc98677b4838ec221d983bc71579ca6315a90e6aa563c32005be7dc7d6.exe	pub2.exe
PID 3068 wrote to memory of 4028	3068	19aa56dc98677b4838ec221d983bc71579ca6315a90e6aa563c32005be7dc7d6.exe	pub2.exe
PID 3068 wrote to memory of 4028	3068	19aa56dc98677b4838ec221d983bc71579ca6315a90e6aa563c32005be7dc7d6.exe	pub2.exe
PID 3068 wrote to memory of 4884	3068	19aa56dc98677b4838ec221d983bc71579ca6315a90e6aa563c32005be7dc7d6.exe	Files.exe
PID 3068 wrote to memory of 4884	3068	19aa56dc98677b4838ec221d983bc71579ca6315a90e6aa563c32005be7dc7d6.exe	Files.exe
PID 3068 wrote to memory of 4884	3068	19aa56dc98677b4838ec221d983bc71579ca6315a90e6aa563c32005be7dc7d6.exe	Files.exe
PID 4620 wrote to memory of 2388	4620	Folder.exe	Folder.exe
PID 4620 wrote to memory of 2388	4620	Folder.exe	Folder.exe
PID 4620 wrote to memory of 2388	4620	Folder.exe	Folder.exe
PID 4884 wrote to memory of 2432	4884	Files.exe	jfiag3g_gg.exe
PID 4884 wrote to memory of 2432	4884	Files.exe	jfiag3g_gg.exe
PID 4884 wrote to memory of 2432	4884	Files.exe	jfiag3g_gg.exe
PID 1880 wrote to memory of 4176	1880	rUNdlL32.eXe	rundll32.exe
PID 1880 wrote to memory of 4176	1880	rUNdlL32.eXe	rundll32.exe
PID 1880 wrote to memory of 4176	1880	rUNdlL32.eXe	rundll32.exe
PID 4884 wrote to memory of 412	4884	Files.exe	jfiag3g_gg.exe
PID 4884 wrote to memory of 412	4884	Files.exe	jfiag3g_gg.exe
PID 4884 wrote to memory of 412	4884	Files.exe	jfiag3g_gg.exe
PID 2188 wrote to memory of 4176	2188	WerFault.exe	rundll32.exe
PID 2188 wrote to memory of 4176	2188	WerFault.exe	rundll32.exe
PID 2824 wrote to memory of 856	2824	Install.exe	cmd.exe
PID 2824 wrote to memory of 856	2824	Install.exe	cmd.exe
PID 2824 wrote to memory of 856	2824	Install.exe	cmd.exe
PID 856 wrote to memory of 1996	856	cmd.exe	taskkill.exe
PID 856 wrote to memory of 1996	856	cmd.exe	taskkill.exe
PID 856 wrote to memory of 1996	856	cmd.exe	taskkill.exe
PID 4528 wrote to memory of 1968	4528	svchost.exe	Info.exe
PID 4528 wrote to memory of 1968	4528	svchost.exe	Info.exe
PID 4528 wrote to memory of 1968	4528	svchost.exe	Info.exe
PID 1968 wrote to memory of 3376	1968	Info.exe	cmd.exe
PID 1968 wrote to memory of 3376	1968	Info.exe	cmd.exe
PID 3376 wrote to memory of 4788	3376	cmd.exe	netsh.exe
PID 3376 wrote to memory of 4788	3376	cmd.exe	netsh.exe
PID 1968 wrote to memory of 1256	1968	Info.exe	csrss.exe
PID 1968 wrote to memory of 1256	1968	Info.exe	csrss.exe
PID 1968 wrote to memory of 1256	1968	Info.exe	csrss.exe
PID 2256 wrote to memory of 1560	2256	File.exe	xWutTQqWYWuD_MVjrYDgMFr6.exe
PID 2256 wrote to memory of 1560	2256	File.exe	xWutTQqWYWuD_MVjrYDgMFr6.exe
PID 2256 wrote to memory of 368	2256	File.exe	kATfMtvsx3wTaalPKvoAcxvM.exe
PID 2256 wrote to memory of 368	2256	File.exe	kATfMtvsx3wTaalPKvoAcxvM.exe
PID 2256 wrote to memory of 368	2256	File.exe	kATfMtvsx3wTaalPKvoAcxvM.exe
PID 2256 wrote to memory of 3608	2256	File.exe	1GWbk3mRPAv2fBIYn8CXkoSe.exe
PID 2256 wrote to memory of 3608	2256	File.exe	1GWbk3mRPAv2fBIYn8CXkoSe.exe
PID 2256 wrote to memory of 3608	2256	File.exe	1GWbk3mRPAv2fBIYn8CXkoSe.exe

C:\Users\Admin\AppData\Local\Temp\19aa56dc98677b4838ec221d983bc71579ca6315a90e6aa563c32005be7dc7d6.exe
"C:\Users\Admin\AppData\Local\Temp\19aa56dc98677b4838ec221d983bc71579ca6315a90e6aa563c32005be7dc7d6.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3068

C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
"C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe"
2⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
PID:3340

C:\Users\Admin\AppData\Local\Temp\SoCleanInst.exe
"C:\Users\Admin\AppData\Local\Temp\SoCleanInst.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3276

C:\Users\Admin\AppData\Local\Temp\Folder.exe
"C:\Users\Admin\AppData\Local\Temp\Folder.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4620

C:\Users\Admin\AppData\Local\Temp\Folder.exe
"C:\Users\Admin\AppData\Local\Temp\Folder.exe" -a
3⤵
- Executes dropped EXE
PID:2388

C:\Users\Admin\AppData\Local\Temp\Info.exe
"C:\Users\Admin\AppData\Local\Temp\Info.exe"
2⤵
- Executes dropped EXE
PID:1344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1344 -s 368
3⤵
- Program crash
PID:3996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1344 -s 376
3⤵
- Program crash
PID:4548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1344 -s 376
3⤵
- Program crash
PID:1232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1344 -s 604
3⤵
- Program crash
PID:3776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1344 -s 696
3⤵
- Program crash
PID:4676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1344 -s 696
3⤵
- Program crash
PID:3992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1344 -s 728
3⤵
- Program crash
PID:4892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1344 -s 736
3⤵
- Program crash
PID:4556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1344 -s 752
3⤵
- Program crash
PID:296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1344 -s 748
3⤵
- Program crash
PID:1096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1344 -s 688
3⤵
- Program crash
PID:3108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1344 -s 688
3⤵
- Program crash
PID:4932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1344 -s 848
3⤵
- Program crash
PID:2308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1344 -s 848
3⤵
- Program crash
PID:4576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1344 -s 604
3⤵
- Program crash
PID:4028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1344 -s 912
3⤵
- Program crash
PID:4000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1344 -s 696
3⤵
- Program crash
PID:3068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1344 -s 892
3⤵
- Program crash
PID:1432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1344 -s 804
3⤵
- Program crash
PID:992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1344 -s 904
3⤵
- Program crash
PID:3804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1344 -s 848
3⤵
- Program crash
PID:4204

C:\Users\Admin\AppData\Local\Temp\Info.exe
"C:\Users\Admin\AppData\Local\Temp\Info.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 216
4⤵
- Program crash
PID:4224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 336
4⤵
- Program crash
PID:2020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 216
4⤵
- Program crash
PID:3800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 628
4⤵
- Program crash
PID:4856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 628
4⤵
- Program crash
PID:3400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 684
4⤵
- Program crash
PID:3452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 700
4⤵
- Program crash
PID:3436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 708
4⤵
- Program crash
PID:4388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 724
4⤵
- Program crash
PID:1908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 716
4⤵
- Program crash
PID:2980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 572
4⤵
- Program crash
PID:1552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 828
4⤵
- Program crash
PID:1936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 892
4⤵
- Program crash
PID:1716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 740
4⤵
- Program crash
PID:2484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 852
4⤵
- Program crash
PID:616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 828
4⤵
- Program crash
PID:1988

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
4⤵
- Suspicious use of WriteProcessMemory
PID:3376

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
5⤵
PID:4788

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe /94-94
4⤵
- Executes dropped EXE
PID:1256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1256 -s 368
5⤵
- Program crash
PID:3004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1256 -s 372
5⤵
- Program crash
PID:4508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1256 -s 372
5⤵
- Program crash
PID:604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1256 -s 604
5⤵
- Program crash
PID:432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1256 -s 696
5⤵
- Program crash
PID:3256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1256 -s 696
5⤵
- Program crash
PID:2968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1256 -s 728
5⤵
- Program crash
PID:3136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1256 -s 740
5⤵
- Program crash
PID:2260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1256 -s 760
5⤵
- Program crash
PID:620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1256 -s 820
5⤵
- Program crash
PID:3928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1256 -s 656
5⤵
- Program crash
PID:1988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1256 -s 796
5⤵
- Program crash
PID:2456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1256 -s 884
5⤵
- Program crash
PID:3308

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
5⤵
- Creates scheduled task(s)
PID:3460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1256 -s 1000
5⤵
- Program crash
PID:4748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1256 -s 1064
5⤵
- Program crash
PID:4848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1256 -s 1000
5⤵
- Program crash
PID:1936

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
5⤵
- Executes dropped EXE
PID:5976

C:\Users\Admin\AppData\Local\Temp\Updbdate.exe
"C:\Users\Admin\AppData\Local\Temp\Updbdate.exe"
2⤵
- Executes dropped EXE
PID:3484

C:\Users\Admin\AppData\Local\Temp\File.exe
"C:\Users\Admin\AppData\Local\Temp\File.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2256

C:\Users\Admin\Pictures\Adobe Films\xWutTQqWYWuD_MVjrYDgMFr6.exe
"C:\Users\Admin\Pictures\Adobe Films\xWutTQqWYWuD_MVjrYDgMFr6.exe"
3⤵
- Executes dropped EXE
PID:1560

C:\Users\Admin\Pictures\Adobe Films\kATfMtvsx3wTaalPKvoAcxvM.exe
"C:\Users\Admin\Pictures\Adobe Films\kATfMtvsx3wTaalPKvoAcxvM.exe"
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:368

C:\Users\Admin\Pictures\Adobe Films\akYp8s_987TCNI5qcVWLnJJs.exe
"C:\Users\Admin\Pictures\Adobe Films\akYp8s_987TCNI5qcVWLnJJs.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1864 -s 464
4⤵
- Program crash
PID:6100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1864 -s 472
4⤵
- Program crash
PID:6140

C:\Users\Admin\Pictures\Adobe Films\ZXo6T5S8coL_okjGbUHvsTua.exe
"C:\Users\Admin\Pictures\Adobe Films\ZXo6T5S8coL_okjGbUHvsTua.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1304

C:\Users\Admin\Pictures\Adobe Films\yv0lTacURSjC6C6EYAaS4y3k.exe
"C:\Users\Admin\Pictures\Adobe Films\yv0lTacURSjC6C6EYAaS4y3k.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:444

C:\Users\Admin\Pictures\Adobe Films\KeVFnUVah4Dt4kq5rllnp5Xi.exe
"C:\Users\Admin\Pictures\Adobe Films\KeVFnUVah4Dt4kq5rllnp5Xi.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4892

C:\Users\Admin\Pictures\Adobe Films\wan1R7TQ2mLQAeJFG8zvxKbg.exe
"C:\Users\Admin\Pictures\Adobe Films\wan1R7TQ2mLQAeJFG8zvxKbg.exe"
3⤵
- Executes dropped EXE
PID:3136

C:\Users\Admin\Pictures\Adobe Films\pdrMk24l1OAtyXj2dapn3nCT.exe
"C:\Users\Admin\Pictures\Adobe Films\pdrMk24l1OAtyXj2dapn3nCT.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2280

C:\Users\Admin\Pictures\Adobe Films\yRWrqtm606H6upc_M2XeZO_V.exe
"C:\Users\Admin\Pictures\Adobe Films\yRWrqtm606H6upc_M2XeZO_V.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:4212

C:\Users\Admin\Pictures\Adobe Films\yRWrqtm606H6upc_M2XeZO_V.exe
"C:\Users\Admin\Pictures\Adobe Films\yRWrqtm606H6upc_M2XeZO_V.exe"
4⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:5352

C:\Users\Admin\Pictures\Adobe Films\U9jdj6HzHQBc1yoytxu94sMd.exe
"C:\Users\Admin\Pictures\Adobe Films\U9jdj6HzHQBc1yoytxu94sMd.exe"
3⤵
- Executes dropped EXE
PID:2968

C:\Users\Admin\Pictures\Adobe Films\I5RY1ztuWRES9ICqj1XbrOUk.exe
"C:\Users\Admin\Pictures\Adobe Films\I5RY1ztuWRES9ICqj1XbrOUk.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4952 -s 636
4⤵
- Program crash
PID:4316

C:\Users\Admin\Pictures\Adobe Films\yy_BkeEzmCGqhSOvciO32pgv.exe
"C:\Users\Admin\Pictures\Adobe Films\yy_BkeEzmCGqhSOvciO32pgv.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2616

C:\Users\Admin\Pictures\Adobe Films\KTua4yTuXa2dTw8UgYaiu0lG.exe
"C:\Users\Admin\Pictures\Adobe Films\KTua4yTuXa2dTw8UgYaiu0lG.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1552

C:\Users\Admin\Pictures\Adobe Films\JrC1zC9AywfbekfFb4sJvmKP.exe
"C:\Users\Admin\Pictures\Adobe Films\JrC1zC9AywfbekfFb4sJvmKP.exe"
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:3256

C:\Users\Admin\Pictures\Adobe Films\1GWbk3mRPAv2fBIYn8CXkoSe.exe
"C:\Users\Admin\Pictures\Adobe Films\1GWbk3mRPAv2fBIYn8CXkoSe.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:3608

C:\Users\Admin\Documents\EZ7k5hn07sqlDWCR84uG6kjR.exe
"C:\Users\Admin\Documents\EZ7k5hn07sqlDWCR84uG6kjR.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
PID:2080

C:\Users\Admin\Pictures\Adobe Films\FmMf_auFungmbJ4009DeY0HS.exe
"C:\Users\Admin\Pictures\Adobe Films\FmMf_auFungmbJ4009DeY0HS.exe"
5⤵
- Executes dropped EXE
PID:5628

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
4⤵
- Creates scheduled task(s)
PID:5800

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
4⤵
- Creates scheduled task(s)
PID:5684

C:\Users\Admin\Pictures\Adobe Films\YrCjvldFtaHKRSkzns8dt29c.exe
"C:\Users\Admin\Pictures\Adobe Films\YrCjvldFtaHKRSkzns8dt29c.exe"
3⤵
- Executes dropped EXE
PID:3616

C:\Users\Admin\Pictures\Adobe Films\slPtV4DEdVUaz3s7U7wmBZQh.exe
"C:\Users\Admin\Pictures\Adobe Films\slPtV4DEdVUaz3s7U7wmBZQh.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3400

C:\Users\Admin\Pictures\Adobe Films\slPtV4DEdVUaz3s7U7wmBZQh.exe
"C:\Users\Admin\Pictures\Adobe Films\slPtV4DEdVUaz3s7U7wmBZQh.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5324

C:\Users\Admin\Pictures\Adobe Films\geVu_wAoUbI1PuQKJ6bVd7VJ.exe
"C:\Users\Admin\Pictures\Adobe Films\geVu_wAoUbI1PuQKJ6bVd7VJ.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3308 -s 464
4⤵
- Program crash
PID:5692

C:\Users\Admin\Pictures\Adobe Films\xcLWLvltuz7QcXnN9lgtqjWI.exe
"C:\Users\Admin\Pictures\Adobe Films\xcLWLvltuz7QcXnN9lgtqjWI.exe"
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:1656

C:\Users\Admin\Pictures\Adobe Films\7ad1ub0OGnVDMRADt5iwyqSe.exe
"C:\Users\Admin\Pictures\Adobe Films\7ad1ub0OGnVDMRADt5iwyqSe.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4968

C:\Users\Admin\Pictures\Adobe Films\LTUPgJG9jEJ99QexChjfvceS.exe
"C:\Users\Admin\Pictures\Adobe Films\LTUPgJG9jEJ99QexChjfvceS.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5212

C:\Users\Admin\Pictures\Adobe Films\TwNbMOClgncA8o1Mhyy11dUy.exe
"C:\Users\Admin\Pictures\Adobe Films\TwNbMOClgncA8o1Mhyy11dUy.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5204 -s 472
4⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:1704

C:\Users\Admin\Pictures\Adobe Films\lVSghfaLLSn5nVylEfLmiWgz.exe
"C:\Users\Admin\Pictures\Adobe Films\lVSghfaLLSn5nVylEfLmiWgz.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5172 -s 472
4⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:1748

C:\Users\Admin\Pictures\Adobe Films\NWJLaZfldSRZdJ8glmj57d_s.exe
"C:\Users\Admin\Pictures\Adobe Films\NWJLaZfldSRZdJ8glmj57d_s.exe"
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:5164

C:\Users\Admin\AppData\Local\Temp\Install.exe
"C:\Users\Admin\AppData\Local\Temp\Install.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2824

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:856

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1996

C:\Users\Admin\AppData\Local\Temp\pub2.exe
"C:\Users\Admin\AppData\Local\Temp\pub2.exe"
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4028

C:\Users\Admin\AppData\Local\Temp\Files.exe
"C:\Users\Admin\AppData\Local\Temp\Files.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4884

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
3⤵
- Executes dropped EXE
PID:2432

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:412

C:\Windows\system32\rUNdlL32.eXe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:1880

C:\Windows\SysWOW64\rundll32.exe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
2⤵
- Loads dropped DLL
PID:4176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4176 -s 600
3⤵
- Drops file in Windows directory
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:4228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4176 -ip 4176
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:2188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1344 -ip 1344
1⤵
PID:3612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1344 -ip 1344
1⤵
PID:4000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 1344 -ip 1344
1⤵
PID:4744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1344 -ip 1344
1⤵
PID:2040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1344 -ip 1344
1⤵
PID:4700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1344 -ip 1344
1⤵
PID:3932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1344 -ip 1344
1⤵
PID:4032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1344 -ip 1344
1⤵
PID:4212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1344 -ip 1344
1⤵
PID:3804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 1344 -ip 1344
1⤵
PID:1844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1344 -ip 1344
1⤵
PID:4056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1344 -ip 1344
1⤵
PID:788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1344 -ip 1344
1⤵
PID:2784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1344 -ip 1344
1⤵
PID:3672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1344 -ip 1344
1⤵
PID:3576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1344 -ip 1344
1⤵
PID:4012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1344 -ip 1344
1⤵
PID:4316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1344 -ip 1344
1⤵
PID:4700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1344 -ip 1344
1⤵
PID:1600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1344 -ip 1344
1⤵
PID:4216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1344 -ip 1344
1⤵
PID:4816

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:4528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 1968 -ip 1968
1⤵
PID:4012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1968 -ip 1968
1⤵
PID:3476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 1968 -ip 1968
1⤵
PID:3656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1968 -ip 1968
1⤵
PID:4316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 1968 -ip 1968
1⤵
PID:4560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1968 -ip 1968
1⤵
PID:3932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 1968 -ip 1968
1⤵
PID:1256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1968 -ip 1968
1⤵
PID:296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1968 -ip 1968
1⤵
PID:1664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 1968 -ip 1968
1⤵
PID:2500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1968 -ip 1968
1⤵
PID:3608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1968 -ip 1968
1⤵
PID:4952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1968 -ip 1968
1⤵
PID:3876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1968 -ip 1968
1⤵
PID:2640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1968 -ip 1968
1⤵
PID:1812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1968 -ip 1968
1⤵
PID:3552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1256 -ip 1256
1⤵
PID:3308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1256 -ip 1256
1⤵
PID:2696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 1256 -ip 1256
1⤵
PID:2920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1256 -ip 1256
1⤵
PID:608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1256 -ip 1256
1⤵
PID:1416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1256 -ip 1256
1⤵
PID:2616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1256 -ip 1256
1⤵
PID:4456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1256 -ip 1256
1⤵
PID:4564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1256 -ip 1256
1⤵
PID:3864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1256 -ip 1256
1⤵
PID:4448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 1256 -ip 1256
1⤵
PID:3848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1256 -ip 1256
1⤵
PID:1280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1256 -ip 1256
1⤵
PID:3880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 1256 -ip 1256
1⤵
PID:1908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1864 -ip 1864
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3308 -ip 3308
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:1252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1256 -ip 1256
1⤵
PID:3612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 4892 -ip 4892
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:4608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1552 -ip 1552
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:1068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 5204 -ip 5204
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 5212 -ip 5212
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 1864 -ip 1864
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 4892 -ip 4892
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 3308 -ip 3308
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 5172 -ip 5172
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4952 -ip 4952
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 1256 -ip 1256
1⤵
PID:6052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 5204 -ip 5204
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 5172 -ip 5172
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 736 -p 5212 -ip 5212
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:6132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1256 -ip 1256
1⤵
PID:4368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 764 -p 1256 -ip 1256
1⤵
PID:5272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 1256 -ip 1256
1⤵
PID:3552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 1256 -ip 1256
1⤵
PID:5808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 772 -p 1256 -ip 1256
1⤵
PID:5872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 768 -p 1256 -ip 1256
1⤵
PID:5648

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\File.exe
MD5
ffa10b8f567a3594efeb6bafe7d10dde

SHA1
88248fa822a13bffdb51aafb160df3aed75b8e3d

SHA256
fd4c09eb1e21efd0c49f12f68a77aa91051a7e272bc819c13094c52c3fe27ef0

SHA512
b3c7c71c0ffd17e9bf0e575016e96243d25d4a696a5e3236f564d6c27aaef1a91b68d82ccdafcb5b429e354a9656da309be1a9e0049dc966d40b990efc7d3f82

Download Submit
C:\Users\Admin\AppData\Local\Temp\File.exe
MD5
ffa10b8f567a3594efeb6bafe7d10dde

SHA1
88248fa822a13bffdb51aafb160df3aed75b8e3d

SHA256
fd4c09eb1e21efd0c49f12f68a77aa91051a7e272bc819c13094c52c3fe27ef0

SHA512
b3c7c71c0ffd17e9bf0e575016e96243d25d4a696a5e3236f564d6c27aaef1a91b68d82ccdafcb5b429e354a9656da309be1a9e0049dc966d40b990efc7d3f82

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files.exe
MD5
2d0217e0c70440d8c82883eadea517b9

SHA1
f3b7dd6dbb43b895ba26f67370af99952b7d83cb

SHA256
d8ede520a96e7eff75e753691e1dd2c764a3171ffa0144675c3e08f4be027c01

SHA512
6d7779a1f0dd54c0598bfb68f5e01a309021437a8b578353a063baf7c5ac2b29e5706ba51d1c1831e1517c5ea6fa662744c3f3e68a0e094c3b83ca9ed134413d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files.exe
MD5
2d0217e0c70440d8c82883eadea517b9

SHA1
f3b7dd6dbb43b895ba26f67370af99952b7d83cb

SHA256
d8ede520a96e7eff75e753691e1dd2c764a3171ffa0144675c3e08f4be027c01

SHA512
6d7779a1f0dd54c0598bfb68f5e01a309021437a8b578353a063baf7c5ac2b29e5706ba51d1c1831e1517c5ea6fa662744c3f3e68a0e094c3b83ca9ed134413d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Folder.exe
MD5
b89068659ca07ab9b39f1c580a6f9d39

SHA1
7e3e246fcf920d1ada06900889d099784fe06aa5

SHA256
9d225182e9a8f073e8cf1d60a8258369a394bcae5fbc52d845d71a0fa440539c

SHA512
940690b0844e678e45ead2e7639407ffac43ab45265d2682a4c2e6400ac8fa2188c50a3b17dad241517dd4624ee92d159c7e6d59c8d069b9edd1445115255d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\Folder.exe
MD5
b89068659ca07ab9b39f1c580a6f9d39

SHA1
7e3e246fcf920d1ada06900889d099784fe06aa5

SHA256
9d225182e9a8f073e8cf1d60a8258369a394bcae5fbc52d845d71a0fa440539c

SHA512
940690b0844e678e45ead2e7639407ffac43ab45265d2682a4c2e6400ac8fa2188c50a3b17dad241517dd4624ee92d159c7e6d59c8d069b9edd1445115255d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\Folder.exe
MD5
b89068659ca07ab9b39f1c580a6f9d39

SHA1
7e3e246fcf920d1ada06900889d099784fe06aa5

SHA256
9d225182e9a8f073e8cf1d60a8258369a394bcae5fbc52d845d71a0fa440539c

SHA512
940690b0844e678e45ead2e7639407ffac43ab45265d2682a4c2e6400ac8fa2188c50a3b17dad241517dd4624ee92d159c7e6d59c8d069b9edd1445115255d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\Info.exe
MD5
165c8d385e0af406deb1089b621c28db

SHA1
3d7b93f834a08a9bc790290a20aaf835aaaf9c5c

SHA256
7dc6c82e185577088f88e349a6d315138cdbed3956cbb6be5af1f9c098642a33

SHA512
0bbc83a67cfb0ca2f4976b04e84ba60d708ffb7f66050da73cd0a0f28cde09dfde9b762ff5ceca35c22f5461576c47e190342470c470c6360bfb4edad8e34e14

Download Submit
C:\Users\Admin\AppData\Local\Temp\Info.exe
MD5
165c8d385e0af406deb1089b621c28db

SHA1
3d7b93f834a08a9bc790290a20aaf835aaaf9c5c

SHA256
7dc6c82e185577088f88e349a6d315138cdbed3956cbb6be5af1f9c098642a33

SHA512
0bbc83a67cfb0ca2f4976b04e84ba60d708ffb7f66050da73cd0a0f28cde09dfde9b762ff5ceca35c22f5461576c47e190342470c470c6360bfb4edad8e34e14

Download Submit
C:\Users\Admin\AppData\Local\Temp\Info.exe
MD5
165c8d385e0af406deb1089b621c28db

SHA1
3d7b93f834a08a9bc790290a20aaf835aaaf9c5c

SHA256
7dc6c82e185577088f88e349a6d315138cdbed3956cbb6be5af1f9c098642a33

SHA512
0bbc83a67cfb0ca2f4976b04e84ba60d708ffb7f66050da73cd0a0f28cde09dfde9b762ff5ceca35c22f5461576c47e190342470c470c6360bfb4edad8e34e14

Download Submit
C:\Users\Admin\AppData\Local\Temp\Install.exe
MD5
2d8ae85a8155eb6e73a00b731bf54927

SHA1
31321387579b747a8524aee33f3ed666a11c59b8

SHA256
b09541e6950cabd94ea006c019fbd732529bcad74e90c8e2c033dc5856eb93a0

SHA512
29cc708326e636800d82d7239ac627b85b8dbcde3be3265a664d1be4798268b7ff170b26c31c3232229e44e9a08db56bd90e24f1910c419587230bd4e8b4ce3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Install.exe
MD5
2d8ae85a8155eb6e73a00b731bf54927

SHA1
31321387579b747a8524aee33f3ed666a11c59b8

SHA256
b09541e6950cabd94ea006c019fbd732529bcad74e90c8e2c033dc5856eb93a0

SHA512
29cc708326e636800d82d7239ac627b85b8dbcde3be3265a664d1be4798268b7ff170b26c31c3232229e44e9a08db56bd90e24f1910c419587230bd4e8b4ce3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\SoCleanInst.exe
MD5
ef11eb43d9a2a7c19a88710851ce7245

SHA1
d7747af6c7c1f149afeea7cff4e77a9bb4c6b790

SHA256
8e2aacc0889c17e1dc499f64b7772a93cc8bdd0bf4813a7c2a2605e68d0c01a2

SHA512
269c84c964fc2106be2842afc666f659dada44b9d7439be8e5d2b4b4605b87850aca83fab8730cb886aba8b2e3b9df5f2140389481802657e8382477e53a0089

Download Submit
C:\Users\Admin\AppData\Local\Temp\SoCleanInst.exe
MD5
ef11eb43d9a2a7c19a88710851ce7245

SHA1
d7747af6c7c1f149afeea7cff4e77a9bb4c6b790

SHA256
8e2aacc0889c17e1dc499f64b7772a93cc8bdd0bf4813a7c2a2605e68d0c01a2

SHA512
269c84c964fc2106be2842afc666f659dada44b9d7439be8e5d2b4b4605b87850aca83fab8730cb886aba8b2e3b9df5f2140389481802657e8382477e53a0089

Download Submit
C:\Users\Admin\AppData\Local\Temp\Updbdate.exe
MD5
a1aa92514ce7b4333ae24ee436bb1f9e

SHA1
0b62cbf66c80a8972ccad005b3321a22bc86f2aa

SHA256
b7e1af7d5710e5402489ad91151ba363a8f6f70bb25f937f906efa35dae7e5da

SHA512
41ddcf05dac05bcecc0e46832da93235d8104501a62b38e164bbf2a53bd0f817f433ae5d867df5131932968679eba49ae342ec27cdb036a89a7099d6ad6a9809

Download Submit
C:\Users\Admin\AppData\Local\Temp\Updbdate.exe
MD5
a1aa92514ce7b4333ae24ee436bb1f9e

SHA1
0b62cbf66c80a8972ccad005b3321a22bc86f2aa

SHA256
b7e1af7d5710e5402489ad91151ba363a8f6f70bb25f937f906efa35dae7e5da

SHA512
41ddcf05dac05bcecc0e46832da93235d8104501a62b38e164bbf2a53bd0f817f433ae5d867df5131932968679eba49ae342ec27cdb036a89a7099d6ad6a9809

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dat
MD5
5fd2eba6df44d23c9e662763009d7f84

SHA1
43530574f8ac455ae263c70cc99550bc60bfa4f1

SHA256
2991e2231855661e94ef80a4202487a9d7dc7bebccab9a0b2a786cf0783a051f

SHA512
321a86725e533dedb5b74e17218e6e53a49fa6ffc87d7f7da0f0b8441a081fe785f7846a76f67ef03ec3abddacbe8906b20a2f3ce8178896ec57090ef7ab0eb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dll
MD5
1c7be730bdc4833afb7117d48c3fd513

SHA1
dc7e38cfe2ae4a117922306aead5a7544af646b8

SHA256
8206b4b3897ca45b9e083273f616902966e57091516844906e6ae2aefe63cef1

SHA512
7936c862a06b7ecdb6710a1bb62cbea149f75504b580c2f100945674c987f3eec53e9aa5915e32b4f74bcf46f2df9468f68a454400faebd909f933e8072e0f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dll
MD5
1c7be730bdc4833afb7117d48c3fd513

SHA1
dc7e38cfe2ae4a117922306aead5a7544af646b8

SHA256
8206b4b3897ca45b9e083273f616902966e57091516844906e6ae2aefe63cef1

SHA512
7936c862a06b7ecdb6710a1bb62cbea149f75504b580c2f100945674c987f3eec53e9aa5915e32b4f74bcf46f2df9468f68a454400faebd909f933e8072e0f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
MD5
b7161c0845a64ff6d7345b67ff97f3b0

SHA1
d223f855da541fe8e4c1d5c50cb26da0a1deb5fc

SHA256
fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66

SHA512
98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
MD5
9e306b5e8b5b8fdb9a4ee5ea97d8389e

SHA1
c3c046d6162866539c94d052913ced09b368d9ff

SHA256
f749dc9daa53c794da6d63175757987653302a2f81fe0ded12810c6fa7f7ceb6

SHA512
95cf2788b003348e0d06762b3fd21cecdd699e5db9ce0e0b2b5c4590e487aa9110c27a6f109ff00260fe289487a05aae598d137668fcb3be82e1b5b09ed87900

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
MD5
68737ab1a037878a37f0b3e114edaaf8

SHA1
0ba735d99c77cb69937f8fcf89c6a9e3bc495512

SHA256
7bf16a22ac10e1dc50dc302c7d1c196dff361ee5c8e830ddb0cec90b548b483a

SHA512
f30fa001c604fe4aee324fc4af5b784feae262a62983bd2364721f83ad2522b714c0286b97569b927da5741339d8a0633cbd6abcae3e45f943d5f4ae9168b271

Download Submit
C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
MD5
68737ab1a037878a37f0b3e114edaaf8

SHA1
0ba735d99c77cb69937f8fcf89c6a9e3bc495512

SHA256
7bf16a22ac10e1dc50dc302c7d1c196dff361ee5c8e830ddb0cec90b548b483a

SHA512
f30fa001c604fe4aee324fc4af5b784feae262a62983bd2364721f83ad2522b714c0286b97569b927da5741339d8a0633cbd6abcae3e45f943d5f4ae9168b271

Download Submit
C:\Users\Admin\AppData\Local\Temp\pub2.exe
MD5
56de2ee01318b998f9623f18f83847b7

SHA1
0848aad50d1a4c5633ab1d233ee8068570ec4810

SHA256
2ab633d90e2184cbc3b6d68d772524dd658d7b8f1ca6264371e9cd1384797c81

SHA512
1f0bcb3a493ebdec6e38a2f65a57a4695c4b298a8928fc02e882822c66315138b71fcf9922512b9ecdd806a0c38a8eff1152cefc1f403789c80eabd5686a7c13

Download Submit
C:\Users\Admin\AppData\Local\Temp\pub2.exe
MD5
56de2ee01318b998f9623f18f83847b7

SHA1
0848aad50d1a4c5633ab1d233ee8068570ec4810

SHA256
2ab633d90e2184cbc3b6d68d772524dd658d7b8f1ca6264371e9cd1384797c81

SHA512
1f0bcb3a493ebdec6e38a2f65a57a4695c4b298a8928fc02e882822c66315138b71fcf9922512b9ecdd806a0c38a8eff1152cefc1f403789c80eabd5686a7c13

Download Submit
C:\Users\Admin\Pictures\Adobe Films\1GWbk3mRPAv2fBIYn8CXkoSe.exe
MD5
dabae535097a94f593d5afad04acd5ea

SHA1
389a64c4e8c1601fba56576ee261fc953b53ae96

SHA256
e0a33241f5c4ac8f304af0387ddc54da264c0a5101c822d0fc71b10af947b391

SHA512
9846f4529b94b251ed21c9ae0e47ab19814973f62fbf082db845c9c484e79cd9de2523a4471426e721b698ba4a296eb233544035d66ef373c14bdda718730d05

Download Submit
C:\Users\Admin\Pictures\Adobe Films\1GWbk3mRPAv2fBIYn8CXkoSe.exe
MD5
dabae535097a94f593d5afad04acd5ea

SHA1
389a64c4e8c1601fba56576ee261fc953b53ae96

SHA256
e0a33241f5c4ac8f304af0387ddc54da264c0a5101c822d0fc71b10af947b391

SHA512
9846f4529b94b251ed21c9ae0e47ab19814973f62fbf082db845c9c484e79cd9de2523a4471426e721b698ba4a296eb233544035d66ef373c14bdda718730d05

Download Submit
C:\Users\Admin\Pictures\Adobe Films\I5RY1ztuWRES9ICqj1XbrOUk.exe
MD5
1c98778c8a84ccff1e053e8ca3b5d07c

SHA1
6271555b2e5afdea9b34c4a57503d7e6f140deb0

SHA256
261568b0fc903d0ee4cbe7db03549f8bd4d5c3e8f4704dd41d2d58a0ea8b19f0

SHA512
584aeb46e933c38211203a211f88c6a44bada3e3cc938dc61fe1704b049216efdad2524868a9bdd01561c345f6667ec03b3b82188fe8dddecef22dc53eb2c3aa

Download Submit
C:\Users\Admin\Pictures\Adobe Films\I5RY1ztuWRES9ICqj1XbrOUk.exe
MD5
1c98778c8a84ccff1e053e8ca3b5d07c

SHA1
6271555b2e5afdea9b34c4a57503d7e6f140deb0

SHA256
261568b0fc903d0ee4cbe7db03549f8bd4d5c3e8f4704dd41d2d58a0ea8b19f0

SHA512
584aeb46e933c38211203a211f88c6a44bada3e3cc938dc61fe1704b049216efdad2524868a9bdd01561c345f6667ec03b3b82188fe8dddecef22dc53eb2c3aa

Download Submit
C:\Users\Admin\Pictures\Adobe Films\JrC1zC9AywfbekfFb4sJvmKP.exe
MD5
89d23a186c49efb69750227d23674b48

SHA1
221e7b4682805e23cbb54c2d9d687408467f164b

SHA256
605e1096b60089c456e10be716364cf051d6409ac82d69f128594eb92b66d0db

SHA512
3cbcb52e9be11997c33cd5065705ecb35a8557f930cac0057648055958b0020b3f6edd45af6b878cca7191d5ebfbbfeaafa1b72427d5566a8bd47dc437d9cd64

Download Submit
C:\Users\Admin\Pictures\Adobe Films\JrC1zC9AywfbekfFb4sJvmKP.exe
MD5
89d23a186c49efb69750227d23674b48

SHA1
221e7b4682805e23cbb54c2d9d687408467f164b

SHA256
605e1096b60089c456e10be716364cf051d6409ac82d69f128594eb92b66d0db

SHA512
3cbcb52e9be11997c33cd5065705ecb35a8557f930cac0057648055958b0020b3f6edd45af6b878cca7191d5ebfbbfeaafa1b72427d5566a8bd47dc437d9cd64

Download Submit
C:\Users\Admin\Pictures\Adobe Films\KTua4yTuXa2dTw8UgYaiu0lG.exe
MD5
c4729b22af5fddb503601f0819709e32

SHA1
0d27d046eb78c188c1eccfd1d0654a8262d97aab

SHA256
fb2b6caaeb56477df79dc728f7e4f5547f2c29d9bbf1d4c230da23c5603f22b4

SHA512
83d434b1e6265097462807536811dae19f9fb7c3760bff11e6da7715208846f4d06c5aec6434ff9159be7e8ec8b0bebac8de9d58a490fe13312ab1f81aaef4c0

Download Submit
C:\Users\Admin\Pictures\Adobe Films\KTua4yTuXa2dTw8UgYaiu0lG.exe
MD5
c4729b22af5fddb503601f0819709e32

SHA1
0d27d046eb78c188c1eccfd1d0654a8262d97aab

SHA256
fb2b6caaeb56477df79dc728f7e4f5547f2c29d9bbf1d4c230da23c5603f22b4

SHA512
83d434b1e6265097462807536811dae19f9fb7c3760bff11e6da7715208846f4d06c5aec6434ff9159be7e8ec8b0bebac8de9d58a490fe13312ab1f81aaef4c0

Download Submit
C:\Users\Admin\Pictures\Adobe Films\KeVFnUVah4Dt4kq5rllnp5Xi.exe
MD5
613cf9e8955a522cc9eee171aa81310c

SHA1
37919abbe562bf8b58cebe092cd1751558b7aa6e

SHA256
c2750e33c59443a863e07031379ea0af5bc966c586646eeb182f290aa0ce21c3

SHA512
ce883660d638bb12ee8534e8c7a1a5d5545d250c547430fe0182c0332ec6aed6e97363c307fe12f83c2349938bf81f35820951a638a153bef4407400a9a78688

Download Submit
C:\Users\Admin\Pictures\Adobe Films\KeVFnUVah4Dt4kq5rllnp5Xi.exe
MD5
613cf9e8955a522cc9eee171aa81310c

SHA1
37919abbe562bf8b58cebe092cd1751558b7aa6e

SHA256
c2750e33c59443a863e07031379ea0af5bc966c586646eeb182f290aa0ce21c3

SHA512
ce883660d638bb12ee8534e8c7a1a5d5545d250c547430fe0182c0332ec6aed6e97363c307fe12f83c2349938bf81f35820951a638a153bef4407400a9a78688

Download Submit
C:\Users\Admin\Pictures\Adobe Films\U9jdj6HzHQBc1yoytxu94sMd.exe
MD5
c0fe94a584c658026552ae848edbfd84

SHA1
507c9ae16bb5bebd5b072f09aa097807bb5665ff

SHA256
5340c47a07719d1db92de4786679247876e2aa0197b14fc24a9f7292d0c38880

SHA512
8d9f1976ede385f1b51664c9e9b31cbcf1a7f3347ca7794038d88c7d274ee50aa1513f5bd9c0c1974bca2f6982df860bb36886c60a3f59297fe97086d5c3a620

Download Submit
C:\Users\Admin\Pictures\Adobe Films\U9jdj6HzHQBc1yoytxu94sMd.exe
MD5
c0fe94a584c658026552ae848edbfd84

SHA1
507c9ae16bb5bebd5b072f09aa097807bb5665ff

SHA256
5340c47a07719d1db92de4786679247876e2aa0197b14fc24a9f7292d0c38880

SHA512
8d9f1976ede385f1b51664c9e9b31cbcf1a7f3347ca7794038d88c7d274ee50aa1513f5bd9c0c1974bca2f6982df860bb36886c60a3f59297fe97086d5c3a620

Download Submit
C:\Users\Admin\Pictures\Adobe Films\YrCjvldFtaHKRSkzns8dt29c.exe
MD5
266a1335f73ff12584a5d1d2e65b8be7

SHA1
35a6d1593a0ff74f209de0f294cd7b7cd067c14c

SHA256
316a7cea264e8cc29efe6dc3def98eeff7c42138ceba126127dc8228a119cfee

SHA512
35bdc71211656abaf05cde978594b5d0ad11d154851d90adc80fb96e1c737682561e82615024453bf6f483cb7bf451bd604993343e3bfb2d369deef25d1e4361

Download Submit
C:\Users\Admin\Pictures\Adobe Films\YrCjvldFtaHKRSkzns8dt29c.exe
MD5
266a1335f73ff12584a5d1d2e65b8be7

SHA1
35a6d1593a0ff74f209de0f294cd7b7cd067c14c

SHA256
316a7cea264e8cc29efe6dc3def98eeff7c42138ceba126127dc8228a119cfee

SHA512
35bdc71211656abaf05cde978594b5d0ad11d154851d90adc80fb96e1c737682561e82615024453bf6f483cb7bf451bd604993343e3bfb2d369deef25d1e4361

Download Submit
C:\Users\Admin\Pictures\Adobe Films\ZXo6T5S8coL_okjGbUHvsTua.exe
MD5
a1c4d1ce68ceaffa84728ed0f5196fd0

SHA1
f6941f577550a6ecf5309582968ea2c4c12fa7d7

SHA256
b940e318153e9cb75af0195676bbaeb136804963eba07ab277b0f7238e426b9a

SHA512
0854320417e360b23bb0f49ac3367e1853fbfdf6f0c87ae9614de46dd466090fea8849b177f6bfba5e1865cc0b4450b6fb13b58377cef1018da364f9aec93766

Download Submit
C:\Users\Admin\Pictures\Adobe Films\ZXo6T5S8coL_okjGbUHvsTua.exe
MD5
a1c4d1ce68ceaffa84728ed0f5196fd0

SHA1
f6941f577550a6ecf5309582968ea2c4c12fa7d7

SHA256
b940e318153e9cb75af0195676bbaeb136804963eba07ab277b0f7238e426b9a

SHA512
0854320417e360b23bb0f49ac3367e1853fbfdf6f0c87ae9614de46dd466090fea8849b177f6bfba5e1865cc0b4450b6fb13b58377cef1018da364f9aec93766

Download Submit
C:\Users\Admin\Pictures\Adobe Films\akYp8s_987TCNI5qcVWLnJJs.exe
MD5
08d32a3760c694870d4853a1967bdb2a

SHA1
8ef9383dd9cd0f682591856f6b1faaaecfcd0f68

SHA256
9b65ce07b17ab7946646d3801d12b163ce5493304c321f7c54e70d00dd00adba

SHA512
3d5b1472b432fb1a555253d6ded2d77e49969a80049e56a12500a315b4d12a67b65ba2eb93825864432713f46a5c98bd9d5f6d103b82e867c5410df3ab696381

Download Submit
C:\Users\Admin\Pictures\Adobe Films\akYp8s_987TCNI5qcVWLnJJs.exe
MD5
08d32a3760c694870d4853a1967bdb2a

SHA1
8ef9383dd9cd0f682591856f6b1faaaecfcd0f68

SHA256
9b65ce07b17ab7946646d3801d12b163ce5493304c321f7c54e70d00dd00adba

SHA512
3d5b1472b432fb1a555253d6ded2d77e49969a80049e56a12500a315b4d12a67b65ba2eb93825864432713f46a5c98bd9d5f6d103b82e867c5410df3ab696381

Download Submit
C:\Users\Admin\Pictures\Adobe Films\geVu_wAoUbI1PuQKJ6bVd7VJ.exe
MD5
4bd02b59d8c0ae8ba82c88b2dc5b86f5

SHA1
55d00605704a7443fa34990a9f1bcea8de76dfc8

SHA256
96815822baf21cb960841f8578f28fc8a04eaf53b66e9042f95738cf287411b1

SHA512
2ff11d821cd5ee7183ed08a265a7f0746cf204aee1de7d03aa2e2cf51353cafef3a91040ac609d1b017ce9e4253b9ebc2ced366c5e5ba2b98df1a05283b8b679

Download Submit
C:\Users\Admin\Pictures\Adobe Films\kATfMtvsx3wTaalPKvoAcxvM.exe
MD5
eb2f1ba27d4ae055595e5d7c173b02ea

SHA1
95489360dc43f942b755f053565866ab4d0f0c7b

SHA256
fa88c86ff21e12477257ab657bd85c6dfa38982bff1493e5e162a5cc518c4440

SHA512
776ce93c19e3affa21f830b30035049c9e2bfe59b62b88a3607b46221a36d39dcc8a5d2a4637ff2d2b91efe4e8530d492d51ab1eafd34d38ad5ffaa67aa9df39

Download Submit
C:\Users\Admin\Pictures\Adobe Films\kATfMtvsx3wTaalPKvoAcxvM.exe
MD5
eb2f1ba27d4ae055595e5d7c173b02ea

SHA1
95489360dc43f942b755f053565866ab4d0f0c7b

SHA256
fa88c86ff21e12477257ab657bd85c6dfa38982bff1493e5e162a5cc518c4440

SHA512
776ce93c19e3affa21f830b30035049c9e2bfe59b62b88a3607b46221a36d39dcc8a5d2a4637ff2d2b91efe4e8530d492d51ab1eafd34d38ad5ffaa67aa9df39

Download Submit
C:\Users\Admin\Pictures\Adobe Films\pdrMk24l1OAtyXj2dapn3nCT.exe
MD5
b9b15774905815d1ab124662adbaca9f

SHA1
21becde5109bac48f3efd8b4fea7043c47daf563

SHA256
655c8da705475f8326a43a382036964a2ecb3d39923154a2db8a0ac18e191934

SHA512
b9b9bbe177aac7b261c9632bc30338e747acf38bc4b7b74d8db0d3f0ccfe7f4bc44182bf660f94fdc88ee542a7d595b10f44d9ad1eb22c12d255369281a77e31

Download Submit
C:\Users\Admin\Pictures\Adobe Films\pdrMk24l1OAtyXj2dapn3nCT.exe
MD5
b9b15774905815d1ab124662adbaca9f

SHA1
21becde5109bac48f3efd8b4fea7043c47daf563

SHA256
655c8da705475f8326a43a382036964a2ecb3d39923154a2db8a0ac18e191934

SHA512
b9b9bbe177aac7b261c9632bc30338e747acf38bc4b7b74d8db0d3f0ccfe7f4bc44182bf660f94fdc88ee542a7d595b10f44d9ad1eb22c12d255369281a77e31

Download Submit
C:\Users\Admin\Pictures\Adobe Films\wan1R7TQ2mLQAeJFG8zvxKbg.exe
MD5
6817e893a00b534fb3d936a2a16da2b1

SHA1
b91f5ff23a27cfda0f57e788913942183ce45772

SHA256
e53845a73c55f86fe6fc276f97bfeb8b366bf1e7b8cb72e55fc8472362ab7c5c

SHA512
c174e4b31f4742c764a9fd25bad12ed35aa941d6ac0ece9bfb90767f890d9520eebf78e83c40a68274ca0f8987fd0574856b8975aab8160ec3fb4690f78b54db

Download Submit
C:\Users\Admin\Pictures\Adobe Films\wan1R7TQ2mLQAeJFG8zvxKbg.exe
MD5
6817e893a00b534fb3d936a2a16da2b1

SHA1
b91f5ff23a27cfda0f57e788913942183ce45772

SHA256
e53845a73c55f86fe6fc276f97bfeb8b366bf1e7b8cb72e55fc8472362ab7c5c

SHA512
c174e4b31f4742c764a9fd25bad12ed35aa941d6ac0ece9bfb90767f890d9520eebf78e83c40a68274ca0f8987fd0574856b8975aab8160ec3fb4690f78b54db

Download Submit
C:\Users\Admin\Pictures\Adobe Films\xWutTQqWYWuD_MVjrYDgMFr6.exe
MD5
3f22bd82ee1b38f439e6354c60126d6d

SHA1
63b57d818f86ea64ebc8566faeb0c977839defde

SHA256
265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a

SHA512
b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\xWutTQqWYWuD_MVjrYDgMFr6.exe
MD5
3f22bd82ee1b38f439e6354c60126d6d

SHA1
63b57d818f86ea64ebc8566faeb0c977839defde

SHA256
265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a

SHA512
b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\yRWrqtm606H6upc_M2XeZO_V.exe
MD5
e2c619e4df9efae139aa54bf735a56e5

SHA1
b068c39af839d36de8bd2dbf20e88911040a71d1

SHA256
d846b8869c379e9f433aebb045f30e371db74878724a811bf47293d967f09924

SHA512
ab753ac0a5ab87170cd21aabe8284b62fa14bac0ad4dcb550ffe8b860bd3d964eb71846f53ceaf97ec231587b91a23b99c1ecc311cf83309d9fd2ec4ab523598

Download Submit
C:\Users\Admin\Pictures\Adobe Films\yRWrqtm606H6upc_M2XeZO_V.exe
MD5
e2c619e4df9efae139aa54bf735a56e5

SHA1
b068c39af839d36de8bd2dbf20e88911040a71d1

SHA256
d846b8869c379e9f433aebb045f30e371db74878724a811bf47293d967f09924

SHA512
ab753ac0a5ab87170cd21aabe8284b62fa14bac0ad4dcb550ffe8b860bd3d964eb71846f53ceaf97ec231587b91a23b99c1ecc311cf83309d9fd2ec4ab523598

Download Submit
C:\Users\Admin\Pictures\Adobe Films\yv0lTacURSjC6C6EYAaS4y3k.exe
MD5
d7f42fad55e84ab59664980f6c196ae8

SHA1
8923443c74e7973e7738f9b402c8e6e75707663a

SHA256
7cf4f598e7262f55aadece6df8bed6656cbfa97274ca2f2ab4b6cb961c809fc6

SHA512
9d3956a8f01f27c7e43d61f767b1edaf103884eab14ada7bd5d7c73218aa7b5b63e085e90a3d33bbf3d63f04da322fa0ca4ba5373b0aa9ac8e21709361f01a4f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\yv0lTacURSjC6C6EYAaS4y3k.exe
MD5
d7f42fad55e84ab59664980f6c196ae8

SHA1
8923443c74e7973e7738f9b402c8e6e75707663a

SHA256
7cf4f598e7262f55aadece6df8bed6656cbfa97274ca2f2ab4b6cb961c809fc6

SHA512
9d3956a8f01f27c7e43d61f767b1edaf103884eab14ada7bd5d7c73218aa7b5b63e085e90a3d33bbf3d63f04da322fa0ca4ba5373b0aa9ac8e21709361f01a4f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\yy_BkeEzmCGqhSOvciO32pgv.exe
MD5
b250d4fe49cae3e023fbe7ae1c61a806

SHA1
55198440aa1e2cba4c6ad11161837507f38ce274

SHA256
0bd7f7151c20df4f1848606ca804f63a17f7dd49f9dc0e4365cba64311500000

SHA512
f07a9cc781e99743e58cddcddef91ac6bbff39378f5dbd642f83a55cae7f75c1e26bae7b3e1d4013f1f4a3838273650f71c396a3d097679c88b9048cee2e283d

Download Submit
C:\Users\Admin\Pictures\Adobe Films\yy_BkeEzmCGqhSOvciO32pgv.exe
MD5
b250d4fe49cae3e023fbe7ae1c61a806

SHA1
55198440aa1e2cba4c6ad11161837507f38ce274

SHA256
0bd7f7151c20df4f1848606ca804f63a17f7dd49f9dc0e4365cba64311500000

SHA512
f07a9cc781e99743e58cddcddef91ac6bbff39378f5dbd642f83a55cae7f75c1e26bae7b3e1d4013f1f4a3838273650f71c396a3d097679c88b9048cee2e283d

Download Submit
C:\Windows\rss\csrss.exe
MD5
165c8d385e0af406deb1089b621c28db

SHA1
3d7b93f834a08a9bc790290a20aaf835aaaf9c5c

SHA256
7dc6c82e185577088f88e349a6d315138cdbed3956cbb6be5af1f9c098642a33

SHA512
0bbc83a67cfb0ca2f4976b04e84ba60d708ffb7f66050da73cd0a0f28cde09dfde9b762ff5ceca35c22f5461576c47e190342470c470c6360bfb4edad8e34e14

Download Submit
C:\Windows\rss\csrss.exe
MD5
165c8d385e0af406deb1089b621c28db

SHA1
3d7b93f834a08a9bc790290a20aaf835aaaf9c5c

SHA256
7dc6c82e185577088f88e349a6d315138cdbed3956cbb6be5af1f9c098642a33

SHA512
0bbc83a67cfb0ca2f4976b04e84ba60d708ffb7f66050da73cd0a0f28cde09dfde9b762ff5ceca35c22f5461576c47e190342470c470c6360bfb4edad8e34e14

Download Submit
memory/1256-213-0x0000000005200000-0x000000000563C000-memory.dmp

Filesize
4.2MB

Download
memory/1256-215-0x0000000000400000-0x0000000000D41000-memory.dmp

Filesize
9.3MB

Download
memory/1344-171-0x0000000005300000-0x0000000005C26000-memory.dmp

Filesize
9.1MB

Download
memory/1344-172-0x0000000000400000-0x0000000000D41000-memory.dmp

Filesize
9.3MB

Download
memory/1344-170-0x0000000004DBD000-0x00000000051F9000-memory.dmp

Filesize
4.2MB

Download
memory/1656-247-0x0000000001360000-0x0000000001361000-memory.dmp

Filesize
4KB

Download
memory/1656-248-0x0000000000DF2000-0x0000000000E25000-memory.dmp

Filesize
204KB

Download
memory/1656-288-0x0000000074A50000-0x0000000074AD9000-memory.dmp

Filesize
548KB

Download
memory/1656-365-0x0000000076D20000-0x00000000772D3000-memory.dmp

Filesize
5.7MB

Download
memory/1656-244-0x0000000000DF0000-0x0000000000EE4000-memory.dmp

Filesize
976KB

Download
memory/1656-246-0x0000000000DF0000-0x0000000000EE4000-memory.dmp

Filesize
976KB

Download
memory/1656-280-0x0000000000DF2000-0x0000000000E25000-memory.dmp

Filesize
204KB

Download
memory/1656-256-0x0000000076150000-0x0000000076365000-memory.dmp

Filesize
2.1MB

Download
memory/1656-241-0x0000000002E50000-0x0000000002E96000-memory.dmp

Filesize
280KB

Download
memory/1864-223-0x0000000000DC0000-0x0000000000E20000-memory.dmp

Filesize
384KB

Download
memory/1968-174-0x0000000004CA1000-0x00000000050DD000-memory.dmp

Filesize
4.2MB

Download
memory/1968-175-0x0000000000400000-0x0000000000D41000-memory.dmp

Filesize
9.3MB

Download
memory/2256-237-0x0000000003FB0000-0x000000000416D000-memory.dmp

Filesize
1.7MB

Download
memory/2616-250-0x00000000007A0000-0x00000000007AD000-memory.dmp

Filesize
52KB

Download
memory/2616-254-0x00000000007C0000-0x00000000007D3000-memory.dmp

Filesize
76KB

Download
memory/2616-277-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2712-294-0x0000000000C10000-0x0000000000C20000-memory.dmp

Filesize
64KB

Download
memory/2712-257-0x0000000000C10000-0x0000000000C20000-memory.dmp

Filesize
64KB

Download
memory/2712-279-0x0000000002640000-0x0000000002650000-memory.dmp

Filesize
64KB

Download
memory/2712-290-0x0000000000C10000-0x0000000000C20000-memory.dmp

Filesize
64KB

Download
memory/2712-299-0x0000000000C10000-0x0000000000C20000-memory.dmp

Filesize
64KB

Download
memory/2712-275-0x0000000000C10000-0x0000000000C20000-memory.dmp

Filesize
64KB

Download
memory/2712-274-0x0000000002E40000-0x0000000002E50000-memory.dmp

Filesize
64KB

Download
memory/2712-273-0x0000000000C10000-0x0000000000C20000-memory.dmp

Filesize
64KB

Download
memory/2712-271-0x0000000000C10000-0x0000000000C20000-memory.dmp

Filesize
64KB

Download
memory/2712-270-0x0000000000C10000-0x0000000000C20000-memory.dmp

Filesize
64KB

Download
memory/2712-267-0x0000000000C10000-0x0000000000C20000-memory.dmp

Filesize
64KB

Download
memory/2712-264-0x0000000000C10000-0x0000000000C20000-memory.dmp

Filesize
64KB

Download
memory/2712-235-0x0000000000BE0000-0x0000000000BF5000-memory.dmp

Filesize
84KB

Download
memory/2712-298-0x0000000000C10000-0x0000000000C20000-memory.dmp

Filesize
64KB

Download
memory/2712-292-0x0000000000C10000-0x0000000000C20000-memory.dmp

Filesize
64KB

Download
memory/2712-291-0x0000000000C10000-0x0000000000C20000-memory.dmp

Filesize
64KB

Download
memory/2712-255-0x0000000000C10000-0x0000000000C20000-memory.dmp

Filesize
64KB

Download
memory/2712-293-0x0000000000C10000-0x0000000000C20000-memory.dmp

Filesize
64KB

Download
memory/2712-297-0x0000000000C10000-0x0000000000C20000-memory.dmp

Filesize
64KB

Download
memory/2712-296-0x0000000000C10000-0x0000000000C20000-memory.dmp

Filesize
64KB

Download
memory/2712-295-0x0000000000C10000-0x0000000000C20000-memory.dmp

Filesize
64KB

Download
memory/2968-220-0x000000007218E000-0x000000007218F000-memory.dmp

Filesize
4KB

Download
memory/2968-226-0x00000000008C0000-0x00000000008CC000-memory.dmp

Filesize
48KB

Download
memory/3136-222-0x0000000000770000-0x000000000083E000-memory.dmp

Filesize
824KB

Download
memory/3136-217-0x000000007218E000-0x000000007218F000-memory.dmp

Filesize
4KB

Download
memory/3136-239-0x0000000005110000-0x00000000051A2000-memory.dmp

Filesize
584KB

Download
memory/3256-230-0x0000000000C30000-0x0000000000C31000-memory.dmp

Filesize
4KB

Download
memory/3256-243-0x000000007218E000-0x000000007218F000-memory.dmp

Filesize
4KB

Download
memory/3256-240-0x0000000000040000-0x0000000000271000-memory.dmp

Filesize
2.2MB

Download
memory/3256-227-0x0000000076150000-0x0000000076365000-memory.dmp

Filesize
2.1MB

Download
memory/3256-229-0x0000000000042000-0x0000000000078000-memory.dmp

Filesize
216KB

Download
memory/3256-216-0x0000000002790000-0x00000000027D6000-memory.dmp

Filesize
280KB

Download
memory/3256-245-0x0000000074A50000-0x0000000074AD9000-memory.dmp

Filesize
548KB

Download
memory/3256-364-0x0000000076D20000-0x00000000772D3000-memory.dmp

Filesize
5.7MB

Download
memory/3256-219-0x0000000000042000-0x0000000000078000-memory.dmp

Filesize
216KB

Download
memory/3256-218-0x0000000000040000-0x0000000000271000-memory.dmp

Filesize
2.2MB

Download
memory/3256-242-0x0000000000040000-0x0000000000271000-memory.dmp

Filesize
2.2MB

Download
memory/3256-221-0x0000000000C00000-0x0000000000C01000-memory.dmp

Filesize
4KB

Download
memory/3276-135-0x0000000000A40000-0x0000000000A70000-memory.dmp

Filesize
192KB

Download
memory/3308-238-0x0000000002710000-0x0000000002770000-memory.dmp

Filesize
384KB

Download
memory/3340-208-0x0000000000030000-0x0000000000033000-memory.dmp

Filesize
12KB

Download
memory/3340-207-0x0000000000400000-0x000000000062C000-memory.dmp

Filesize
2.2MB

Download
memory/3340-362-0x00000000001C0000-0x00000000001C8000-memory.dmp

Filesize
32KB

Download
memory/3340-179-0x0000000000780000-0x0000000000788000-memory.dmp

Filesize
32KB

Download
memory/3400-263-0x0000000002340000-0x00000000023B1000-memory.dmp

Filesize
452KB

Download
memory/3400-266-0x00000000023C0000-0x0000000002456000-memory.dmp

Filesize
600KB

Download
memory/3484-211-0x000000000240D000-0x000000000242F000-memory.dmp

Filesize
136KB

Download
memory/3484-166-0x0000000006B10000-0x0000000006B22000-memory.dmp

Filesize
72KB

Download
memory/3484-168-0x0000000006B30000-0x0000000006B6C000-memory.dmp

Filesize
240KB

Download
memory/3484-233-0x0000000006BB2000-0x0000000006BB3000-memory.dmp

Filesize
4KB

Download
memory/3484-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3484-143-0x000000000240D000-0x000000000242F000-memory.dmp

Filesize
136KB

Download
memory/3484-212-0x0000000003FC0000-0x0000000003FF0000-memory.dmp

Filesize
192KB

Download
memory/3484-167-0x0000000007790000-0x000000000789A000-memory.dmp

Filesize
1.0MB

Download
memory/3484-236-0x0000000006BB4000-0x0000000006BB6000-memory.dmp

Filesize
8KB

Download
memory/3484-209-0x000000007218E000-0x000000007218F000-memory.dmp

Filesize
4KB

Download
memory/3484-234-0x0000000006BB3000-0x0000000006BB4000-memory.dmp

Filesize
4KB

Download
memory/3484-165-0x0000000007170000-0x0000000007788000-memory.dmp

Filesize
6.1MB

Download
memory/3484-164-0x0000000006BC0000-0x0000000007164000-memory.dmp

Filesize
5.6MB

Download
memory/3484-210-0x0000000006BB0000-0x0000000006BB1000-memory.dmp

Filesize
4KB

Download
memory/4028-161-0x00000000024F0000-0x00000000024F9000-memory.dmp

Filesize
36KB

Download
memory/4028-160-0x00000000026FD000-0x000000000270E000-memory.dmp

Filesize
68KB

Download
memory/4028-162-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4028-148-0x00000000026FD000-0x000000000270E000-memory.dmp

Filesize
68KB

Download
memory/4212-253-0x0000000002120000-0x0000000002129000-memory.dmp

Filesize
36KB

Download
memory/4212-252-0x0000000000770000-0x0000000000778000-memory.dmp

Filesize
32KB

Download
memory/4892-231-0x0000000002790000-0x00000000027F0000-memory.dmp

Filesize
384KB

Download
memory/4952-276-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4952-251-0x0000000001AB0000-0x0000000001AF4000-memory.dmp

Filesize
272KB

Download
memory/4952-249-0x0000000001A80000-0x0000000001AA7000-memory.dmp

Filesize
156KB

Download
memory/5164-289-0x0000000074A50000-0x0000000074AD9000-memory.dmp

Filesize
548KB

Download
memory/5164-258-0x00000000001D0000-0x0000000000387000-memory.dmp

Filesize
1.7MB

Download
memory/5164-261-0x00000000001D0000-0x0000000000387000-memory.dmp

Filesize
1.7MB

Download
memory/5164-262-0x0000000002A40000-0x0000000002A41000-memory.dmp

Filesize
4KB

Download
memory/5164-268-0x00000000001D2000-0x0000000000207000-memory.dmp

Filesize
212KB

Download
memory/5164-366-0x0000000076D20000-0x00000000772D3000-memory.dmp

Filesize
5.7MB

Download
memory/5164-278-0x00000000010D0000-0x0000000001116000-memory.dmp

Filesize
280KB

Download
memory/5164-265-0x0000000076150000-0x0000000076365000-memory.dmp

Filesize
2.1MB

Download
memory/5204-272-0x00000000027F0000-0x0000000002850000-memory.dmp

Filesize
384KB

Download
memory/5324-259-0x0000000000400000-0x0000000000893000-memory.dmp

Filesize
4.6MB

Download
memory/5324-285-0x0000000000400000-0x0000000000893000-memory.dmp

Filesize
4.6MB

Download
memory/5324-283-0x00000000008D1000-0x0000000000921000-memory.dmp

Filesize
320KB

Download
memory/5352-260-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download