glupteba | 15927cd90056342bc7e695c22dbd72a61596f26deb93b1db9c4c9812a08d0daf

Analysis

max time kernel
113s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
22-02-2022 16:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

15927cd90056342bc7e695c22dbd72a61596f26deb93b1db9c4c9812a08d0daf.exe
Size

8.2MB
MD5

2c0b55f9caebeb5a4c1b11e9ff8a7362
SHA1

e039ba7000da23e612a6f17e7eafee0c7ab85a93
SHA256

15927cd90056342bc7e695c22dbd72a61596f26deb93b1db9c4c9812a08d0daf
SHA512

2eaf38bbc006435e28c1920ae8a65d1b4562ef26eb07e940085c18f87e2a12bed158df6a3bb1022698b1a867f5965e60411b053973fceb40b79d145b4ae6f404

Malware Config

Extracted

Family

socelars

http://www.iyiqian.com/

http://www.xxhufdc.top/

http://www.uefhkice.xyz/

http://www.fcektsy.top/

Extracted

Family

metasploit

Version

windows/single_exec

Extracted

Family

smokeloader

Version

2020

http://varmisende.com/upload/

http://fernandomayol.com/upload/

http://nextlytm.com/upload/

http://people4jan.com/upload/

http://asfaltwerk.com/upload/

rc4.i32

Extracted

Family

raccoon

Botnet

1c0fad6805a0f65d7b597130eb9f089ffbe9857d

Attributes

url4cnc
http://194.180.191.241/capibar
http://103.155.93.35/capibar
https://t.me/capibar

rc4.plain

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba Payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4332-172-0x0000000002CF0000-0x0000000003617000-memory.dmp	family_glupteba
behavioral2/memory/4332-173-0x0000000000400000-0x0000000000D42000-memory.dmp	family_glupteba
behavioral2/memory/2536-177-0x0000000000400000-0x0000000000D42000-memory.dmp	family_glupteba

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rUNdlL32.eXe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4844 3936 rUNdlL32.eXe
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4844	3936	rUNdlL32.eXe

RedLine Payload 18 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2212-209-0x0000000000C50000-0x0000000000E81000-memory.dmp	family_redline
behavioral2/memory/3180-214-0x00000000008E0000-0x00000000009D4000-memory.dmp	family_redline
behavioral2/memory/3180-217-0x00000000008E0000-0x00000000009D4000-memory.dmp	family_redline
behavioral2/memory/2212-219-0x0000000000C50000-0x0000000000E81000-memory.dmp	family_redline
behavioral2/memory/760-221-0x0000000000980000-0x0000000000B37000-memory.dmp	family_redline
behavioral2/memory/760-220-0x0000000000980000-0x0000000000B37000-memory.dmp	family_redline
behavioral2/memory/3180-226-0x00000000008E0000-0x00000000009D4000-memory.dmp	family_redline
behavioral2/memory/760-230-0x0000000000980000-0x0000000000B37000-memory.dmp	family_redline
behavioral2/memory/760-228-0x0000000000980000-0x0000000000B37000-memory.dmp	family_redline
behavioral2/memory/3180-227-0x00000000008E0000-0x00000000009D4000-memory.dmp	family_redline
behavioral2/memory/4540-247-0x0000000000BD0000-0x0000000000D63000-memory.dmp	family_redline
behavioral2/memory/4540-248-0x0000000000BD2000-0x0000000000C07000-memory.dmp	family_redline
behavioral2/memory/4540-258-0x0000000000BD2000-0x0000000000C07000-memory.dmp	family_redline
behavioral2/memory/2212-267-0x0000000000C52000-0x0000000000C88000-memory.dmp	family_redline
behavioral2/memory/760-275-0x0000000000982000-0x00000000009B7000-memory.dmp	family_redline
behavioral2/memory/3180-272-0x00000000008E2000-0x0000000000915000-memory.dmp	family_redline
behavioral2/memory/1936-280-0x00000000001D0000-0x0000000000392000-memory.dmp	family_redline
behavioral2/memory/1936-281-0x00000000001D2000-0x0000000000207000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Install.exe	family_socelars
C:\Users\Admin\AppData\Local\Temp\Install.exe	family_socelars

Suspicious use of NtCreateProcessExOtherParentProcess 8 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

description	pid	process	target process
PID 2264 created 1540	2264	WerFault.exe	rundll32.exe
PID 2008 created 2400	2008	WerFault.exe	lkfnWLCqL4ZUGsjdaeF4rorE.exe
PID 4832 created 1244	4832	WerFault.exe	aJdKnzScVDAxGyjD3LZQHLcJ.exe
PID 5048 created 3324	5048	WerFault.exe	GUmg4Qa4m1mIsXVgQHVxEcuJ.exe
PID 1816 created 4852	1816	WerFault.exe	7_SDYekGsHoS8d1c7vPR5Bmm.exe
PID 2816 created 2152	2816	WerFault.exe	npdc5s5oPJorTBfKBBCgMyzp.exe
PID 1624 created 4852	1624	WerFault.exe	7_SDYekGsHoS8d1c7vPR5Bmm.exe
PID 4508 created 4852	4508	WerFault.exe	7_SDYekGsHoS8d1c7vPR5Bmm.exe

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

Processes:

svchost.exe

description pid process target process

PID 4712 created 4332 4712 svchost.exe Graphics.exe
PID 4712 created 3032 4712 svchost.exe csrss.exe
suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious
suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious
suricata
suricata: ET MALWARE GCleaner Downloader Activity M5
suricata: ET MALWARE GCleaner Downloader Activity M5
suricata
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
suricata
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
suricata
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Creates new service(s) 1 TTPs
persistence

New Service
T1050
Downloads MZ/PE file

description	pid	process	target process
PID 4712 created 4332	4712	svchost.exe	Graphics.exe
PID 4712 created 3032	4712	svchost.exe	csrss.exe

Executes dropped EXE 40 IoCs

Processes:

SoCleanInst.exemd9_1sjm.exeFolder.exeGraphics.exeUpdbdate.exeInstall.exeFiles.exeFolder.exepub2.exeFile.exejfiag3g_gg.exejfiag3g_gg.exeGraphics.execsrss.exeKRJJGGZUDBIGnUiuMhFVCYhb.exeinjector.exe7_SDYekGsHoS8d1c7vPR5Bmm.exelkfnWLCqL4ZUGsjdaeF4rorE.exeC7UZW7dKXM1y8UR34SCgRcqo.exeNUwzeMQMokiSYVn30rwebVX9.exeVH59X1iYz5T2RQBDDWqoBZq8.exeDcygT3Ys1XLInSQIvTG_Ey6r.exesW6yBfbMVK33sD3kzI4xIvrl.exePt5JF01qRQN1iLv88FJVnzdK.exe03FkcmZZIUb_ezYCj2Qnl5il.exee00iiKWflGUeFoFf7rp6cV2_.exepRmH8et_SYzCYFyFeXuTEzdT.exegp2fgAa9GZbkz7UEyQVAFgwQ.exe_w2mF1YHUi2pPiO04GKPZfQp.exeaJdKnzScVDAxGyjD3LZQHLcJ.exenbmdzEHGf_l1ZAQ4nMMmglHF.exe1z6_khELf8T9X1MoDokR7uNw.exeGUmg4Qa4m1mIsXVgQHVxEcuJ.exemRv2cz2G0lSBxFNl9cubTIYk.exeNSE9Ld6kxxyuP8DqLvBpj6PI.exenpdc5s5oPJorTBfKBBCgMyzp.exepRmH8et_SYzCYFyFeXuTEzdT.exetGSr8Ot94Hwai4UWR8xhAPJ2.exeoG1dHne1fWPF3Po8OykVbTuX.exenbmdzEHGf_l1ZAQ4nMMmglHF.exe

pid	process
1288	SoCleanInst.exe
2656	md9_1sjm.exe
1500	Folder.exe
4332	Graphics.exe
360	Updbdate.exe
3012	Install.exe
3436	Files.exe
4784	Folder.exe
2424	pub2.exe
424	File.exe
4088	jfiag3g_gg.exe
4328	jfiag3g_gg.exe
2536	Graphics.exe
3032	csrss.exe
4292	KRJJGGZUDBIGnUiuMhFVCYhb.exe
1960	injector.exe
4852	7_SDYekGsHoS8d1c7vPR5Bmm.exe
2400	lkfnWLCqL4ZUGsjdaeF4rorE.exe
1316	C7UZW7dKXM1y8UR34SCgRcqo.exe
428	NUwzeMQMokiSYVn30rwebVX9.exe
4912	VH59X1iYz5T2RQBDDWqoBZq8.exe
4080	DcygT3Ys1XLInSQIvTG_Ey6r.exe
4028	sW6yBfbMVK33sD3kzI4xIvrl.exe
3460	Pt5JF01qRQN1iLv88FJVnzdK.exe
2212	03FkcmZZIUb_ezYCj2Qnl5il.exe
4324	e00iiKWflGUeFoFf7rp6cV2_.exe
3568	pRmH8et_SYzCYFyFeXuTEzdT.exe
3980	gp2fgAa9GZbkz7UEyQVAFgwQ.exe
1588	_w2mF1YHUi2pPiO04GKPZfQp.exe
1244	aJdKnzScVDAxGyjD3LZQHLcJ.exe
2264	nbmdzEHGf_l1ZAQ4nMMmglHF.exe
3180	1z6_khELf8T9X1MoDokR7uNw.exe
3324	GUmg4Qa4m1mIsXVgQHVxEcuJ.exe
3564	mRv2cz2G0lSBxFNl9cubTIYk.exe
760	NSE9Ld6kxxyuP8DqLvBpj6PI.exe
2152	npdc5s5oPJorTBfKBBCgMyzp.exe
3008	pRmH8et_SYzCYFyFeXuTEzdT.exe
204	tGSr8Ot94Hwai4UWR8xhAPJ2.exe
2564	oG1dHne1fWPF3Po8OykVbTuX.exe
4484	nbmdzEHGf_l1ZAQ4nMMmglHF.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\Pictures\Adobe Films\gp2fgAa9GZbkz7UEyQVAFgwQ.exe	upx
C:\Users\Admin\Pictures\Adobe Films\gp2fgAa9GZbkz7UEyQVAFgwQ.exe	upx

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

oG1dHne1fWPF3Po8OykVbTuX.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	oG1dHne1fWPF3Po8OykVbTuX.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	oG1dHne1fWPF3Po8OykVbTuX.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

15927cd90056342bc7e695c22dbd72a61596f26deb93b1db9c4c9812a08d0daf.exeFolder.exeFile.exeC7UZW7dKXM1y8UR34SCgRcqo.exemRv2cz2G0lSBxFNl9cubTIYk.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	15927cd90056342bc7e695c22dbd72a61596f26deb93b1db9c4c9812a08d0daf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	Folder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	File.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	C7UZW7dKXM1y8UR34SCgRcqo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	mRv2cz2G0lSBxFNl9cubTIYk.exe

Loads dropped DLL 2 IoCs

Processes:

rundll32.exePt5JF01qRQN1iLv88FJVnzdK.exe

pid process

1540 rundll32.exe
3460 Pt5JF01qRQN1iLv88FJVnzdK.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1540	rundll32.exe
3460	Pt5JF01qRQN1iLv88FJVnzdK.exe

Themida packer 2 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral2/memory/2564-237-0x00000000004F0000-0x00000000008B3000-memory.dmp	themida
behavioral2/memory/2564-239-0x00000000004F0000-0x00000000008B3000-memory.dmp	themida

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Files.exeGraphics.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.ex"	Files.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DarkFeather = "\"C:\\Windows\\rss\\csrss.exe\""	Graphics.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

md9_1sjm.exeoG1dHne1fWPF3Po8OykVbTuX.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	md9_1sjm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	oG1dHne1fWPF3Po8OykVbTuX.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 6 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

26 ip-api.com
118 ipinfo.io
119 ipinfo.io
239 ipinfo.io
241 ipinfo.io
263 ipinfo.io
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

03FkcmZZIUb_ezYCj2Qnl5il.exe1z6_khELf8T9X1MoDokR7uNw.exeNSE9Ld6kxxyuP8DqLvBpj6PI.exeoG1dHne1fWPF3Po8OykVbTuX.exe

pid process

2212 03FkcmZZIUb_ezYCj2Qnl5il.exe
3180 1z6_khELf8T9X1MoDokR7uNw.exe
760 NSE9Ld6kxxyuP8DqLvBpj6PI.exe
2564 oG1dHne1fWPF3Po8OykVbTuX.exe

flow	ioc
26	ip-api.com
118	ipinfo.io
119	ipinfo.io
239	ipinfo.io
241	ipinfo.io
263	ipinfo.io

pid	process
2212	03FkcmZZIUb_ezYCj2Qnl5il.exe
3180	1z6_khELf8T9X1MoDokR7uNw.exe
760	NSE9Ld6kxxyuP8DqLvBpj6PI.exe
2564	oG1dHne1fWPF3Po8OykVbTuX.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

pRmH8et_SYzCYFyFeXuTEzdT.exenbmdzEHGf_l1ZAQ4nMMmglHF.exe

description	pid	process	target process
PID 3568 set thread context of 3008	3568	pRmH8et_SYzCYFyFeXuTEzdT.exe	pRmH8et_SYzCYFyFeXuTEzdT.exe
PID 2264 set thread context of 4484	2264	nbmdzEHGf_l1ZAQ4nMMmglHF.exe	nbmdzEHGf_l1ZAQ4nMMmglHF.exe

Drops file in Program Files directory 2 IoCs

Processes:

C7UZW7dKXM1y8UR34SCgRcqo.exe

description	ioc	process
File created	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	C7UZW7dKXM1y8UR34SCgRcqo.exe
File opened for modification	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	C7UZW7dKXM1y8UR34SCgRcqo.exe

Drops file in Windows directory 3 IoCs

Processes:

WerFault.exeGraphics.exe

description	ioc	process
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	WerFault.exe
File opened for modification	C:\Windows\rss	Graphics.exe
File created	C:\Windows\rss\csrss.exe	Graphics.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 64 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3916	4332	WerFault.exe	Graphics.exe
1604	4332	WerFault.exe	Graphics.exe
4424	1540	WerFault.exe	rundll32.exe
1884	4332	WerFault.exe	Graphics.exe
1532	4332	WerFault.exe	Graphics.exe
4260	4332	WerFault.exe	Graphics.exe
2052	4332	WerFault.exe	Graphics.exe
1528	4332	WerFault.exe	Graphics.exe
752	4332	WerFault.exe	Graphics.exe
2312	4332	WerFault.exe	Graphics.exe
2008	4332	WerFault.exe	Graphics.exe
3324	4332	WerFault.exe	Graphics.exe
1084	4332	WerFault.exe	Graphics.exe
2216	4332	WerFault.exe	Graphics.exe
2160	4332	WerFault.exe	Graphics.exe
4440	4332	WerFault.exe	Graphics.exe
3200	4332	WerFault.exe	Graphics.exe
3712	4332	WerFault.exe	Graphics.exe
1736	4332	WerFault.exe	Graphics.exe
1204	4332	WerFault.exe	Graphics.exe
2004	4332	WerFault.exe	Graphics.exe
2232	4332	WerFault.exe	Graphics.exe
1488	2536	WerFault.exe	Graphics.exe
1608	2536	WerFault.exe	Graphics.exe
4784	2536	WerFault.exe	Graphics.exe
4852	2536	WerFault.exe	Graphics.exe
4372	2536	WerFault.exe	Graphics.exe
2788	2536	WerFault.exe	Graphics.exe
2908	2536	WerFault.exe	Graphics.exe
2784	2536	WerFault.exe	Graphics.exe
3596	2536	WerFault.exe	Graphics.exe
768	2536	WerFault.exe	Graphics.exe
1584	2536	WerFault.exe	Graphics.exe
1484	2536	WerFault.exe	Graphics.exe
2384	2536	WerFault.exe	Graphics.exe
556	2536	WerFault.exe	Graphics.exe
4792	2536	WerFault.exe	Graphics.exe
5080	2536	WerFault.exe	Graphics.exe
3704	3032	WerFault.exe	csrss.exe
1320	3032	WerFault.exe	csrss.exe
3388	3032	WerFault.exe	csrss.exe
4604	3032	WerFault.exe	csrss.exe
1284	3032	WerFault.exe	csrss.exe
3020	3032	WerFault.exe	csrss.exe
2008	3032	WerFault.exe	csrss.exe
4612	3032	WerFault.exe	csrss.exe
2988	3032	WerFault.exe	csrss.exe
2384	3032	WerFault.exe	csrss.exe
1372	3032	WerFault.exe	csrss.exe
3180	3032	WerFault.exe	csrss.exe
3808	3032	WerFault.exe	csrss.exe
492	3032	WerFault.exe	csrss.exe
2876	3032	WerFault.exe	csrss.exe
4008	3032	WerFault.exe	csrss.exe
4396	3032	WerFault.exe	csrss.exe
3684	3032	WerFault.exe	csrss.exe
4984	3032	WerFault.exe	csrss.exe
4104	3032	WerFault.exe	csrss.exe
4820	3032	WerFault.exe	csrss.exe
1252	3032	WerFault.exe	csrss.exe
480	3032	WerFault.exe	csrss.exe
4600	3032	WerFault.exe	csrss.exe
4076	3032	WerFault.exe	csrss.exe
2292	2400	WerFault.exe	lkfnWLCqL4ZUGsjdaeF4rorE.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

pub2.exepRmH8et_SYzCYFyFeXuTEzdT.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pRmH8et_SYzCYFyFeXuTEzdT.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pRmH8et_SYzCYFyFeXuTEzdT.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pRmH8et_SYzCYFyFeXuTEzdT.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exeWerFault.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

4900 schtasks.exe
5040 schtasks.exe
1980 schtasks.exe

pid	process
4900	schtasks.exe
5040	schtasks.exe
1980	schtasks.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exeWerFault.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

760 taskkill.exe

pid	process
760	taskkill.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

Graphics.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1912 = "Russia TZ 10 Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-3141 = "South Sudan Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-151 = "Central America Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2062 = "North Korea Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2572 = "Turks and Caicos Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2792 = "Novosibirsk Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2571 = "Turks and Caicos Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2391 = "Aleutian Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2892 = "Sudan Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2531 = "Chatham Islands Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1721 = "Libya Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1892 = "Russia TZ 3 Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2321 = "Sakhalin Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1831 = "Russia TZ 2 Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2432 = "Cuba Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2061 = "North Korea Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2141 = "Transbaikal Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2342 = "Haiti Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1501 = "Turkey Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1722 = "Libya Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2451 = "Saint Pierre Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2592 = "Tocantins Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1842 = "Russia TZ 4 Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2872 = "Magallanes Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1871 = "Russia TZ 7 Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time"	Graphics.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

File.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	File.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	File.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

pub2.exejfiag3g_gg.exeWerFault.exe

pid	process
2424	pub2.exe
2424	pub2.exe
4328	jfiag3g_gg.exe
4328	jfiag3g_gg.exe
4424	WerFault.exe
4424	WerFault.exe
1164
1164
1164
1164
1164
1164
1164
1164
1164
1164
1164
1164
1164
1164
1164
1164
1164
1164
1164
1164
1164
1164
1164
1164
1164
1164
1164
1164
1164
1164
1164
1164
1164
1164
1164
1164
1164
1164
1164
1164
1164
1164
1164
1164
1164
1164
1164
1164
1164
1164
1164
1164
1164
1164
1164
1164
1164
1164

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1164
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

pub2.exepRmH8et_SYzCYFyFeXuTEzdT.exe

pid process

2424 pub2.exe
3008 pRmH8et_SYzCYFyFeXuTEzdT.exe

pid	process
1164

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

SoCleanInst.exeInstall.exetaskkill.exeWerFault.exemd9_1sjm.exe

description	pid	process
Token: SeDebugPrivilege	1288	SoCleanInst.exe
Token: SeCreateTokenPrivilege	3012	Install.exe
Token: SeAssignPrimaryTokenPrivilege	3012	Install.exe
Token: SeLockMemoryPrivilege	3012	Install.exe
Token: SeIncreaseQuotaPrivilege	3012	Install.exe
Token: SeMachineAccountPrivilege	3012	Install.exe
Token: SeTcbPrivilege	3012	Install.exe
Token: SeSecurityPrivilege	3012	Install.exe
Token: SeTakeOwnershipPrivilege	3012	Install.exe
Token: SeLoadDriverPrivilege	3012	Install.exe
Token: SeSystemProfilePrivilege	3012	Install.exe
Token: SeSystemtimePrivilege	3012	Install.exe
Token: SeProfSingleProcessPrivilege	3012	Install.exe
Token: SeIncBasePriorityPrivilege	3012	Install.exe
Token: SeCreatePagefilePrivilege	3012	Install.exe
Token: SeCreatePermanentPrivilege	3012	Install.exe
Token: SeBackupPrivilege	3012	Install.exe
Token: SeRestorePrivilege	3012	Install.exe
Token: SeShutdownPrivilege	3012	Install.exe
Token: SeDebugPrivilege	3012	Install.exe
Token: SeAuditPrivilege	3012	Install.exe
Token: SeSystemEnvironmentPrivilege	3012	Install.exe
Token: SeChangeNotifyPrivilege	3012	Install.exe
Token: SeRemoteShutdownPrivilege	3012	Install.exe
Token: SeUndockPrivilege	3012	Install.exe
Token: SeSyncAgentPrivilege	3012	Install.exe
Token: SeEnableDelegationPrivilege	3012	Install.exe
Token: SeManageVolumePrivilege	3012	Install.exe
Token: SeImpersonatePrivilege	3012	Install.exe
Token: SeCreateGlobalPrivilege	3012	Install.exe
Token: 31	3012	Install.exe
Token: 32	3012	Install.exe
Token: 33	3012	Install.exe
Token: 34	3012	Install.exe
Token: 35	3012	Install.exe
Token: SeDebugPrivilege	760	taskkill.exe
Token: SeRestorePrivilege	4424	WerFault.exe
Token: SeBackupPrivilege	4424	WerFault.exe
Token: SeBackupPrivilege	4424	WerFault.exe
Token: SeShutdownPrivilege	1164
Token: SeCreatePagefilePrivilege	1164
Token: SeManageVolumePrivilege	2656	md9_1sjm.exe
Token: SeShutdownPrivilege	1164
Token: SeCreatePagefilePrivilege	1164
Token: SeShutdownPrivilege	1164
Token: SeCreatePagefilePrivilege	1164
Token: SeShutdownPrivilege	1164
Token: SeCreatePagefilePrivilege	1164
Token: SeShutdownPrivilege	1164
Token: SeCreatePagefilePrivilege	1164
Token: SeShutdownPrivilege	1164
Token: SeCreatePagefilePrivilege	1164
Token: SeShutdownPrivilege	1164
Token: SeCreatePagefilePrivilege	1164
Token: SeShutdownPrivilege	1164
Token: SeCreatePagefilePrivilege	1164
Token: SeShutdownPrivilege	1164
Token: SeCreatePagefilePrivilege	1164
Token: SeShutdownPrivilege	1164
Token: SeCreatePagefilePrivilege	1164
Token: SeShutdownPrivilege	1164
Token: SeCreatePagefilePrivilege	1164
Token: SeShutdownPrivilege	1164
Token: SeCreatePagefilePrivilege	1164

Suspicious use of SetWindowsHookEx 19 IoCs

Processes:

7_SDYekGsHoS8d1c7vPR5Bmm.exeC7UZW7dKXM1y8UR34SCgRcqo.exeNUwzeMQMokiSYVn30rwebVX9.exeVH59X1iYz5T2RQBDDWqoBZq8.exeDcygT3Ys1XLInSQIvTG_Ey6r.exePt5JF01qRQN1iLv88FJVnzdK.exe03FkcmZZIUb_ezYCj2Qnl5il.exepRmH8et_SYzCYFyFeXuTEzdT.exenbmdzEHGf_l1ZAQ4nMMmglHF.exe_w2mF1YHUi2pPiO04GKPZfQp.exe1z6_khELf8T9X1MoDokR7uNw.exemRv2cz2G0lSBxFNl9cubTIYk.exeNSE9Ld6kxxyuP8DqLvBpj6PI.exenpdc5s5oPJorTBfKBBCgMyzp.exeGUmg4Qa4m1mIsXVgQHVxEcuJ.exeaJdKnzScVDAxGyjD3LZQHLcJ.exetGSr8Ot94Hwai4UWR8xhAPJ2.exeoG1dHne1fWPF3Po8OykVbTuX.exenbmdzEHGf_l1ZAQ4nMMmglHF.exe

pid	process
4852	7_SDYekGsHoS8d1c7vPR5Bmm.exe
1316	C7UZW7dKXM1y8UR34SCgRcqo.exe
428	NUwzeMQMokiSYVn30rwebVX9.exe
4912	VH59X1iYz5T2RQBDDWqoBZq8.exe
4080	DcygT3Ys1XLInSQIvTG_Ey6r.exe
3460	Pt5JF01qRQN1iLv88FJVnzdK.exe
2212	03FkcmZZIUb_ezYCj2Qnl5il.exe
3568	pRmH8et_SYzCYFyFeXuTEzdT.exe
2264	nbmdzEHGf_l1ZAQ4nMMmglHF.exe
1588	_w2mF1YHUi2pPiO04GKPZfQp.exe
3180	1z6_khELf8T9X1MoDokR7uNw.exe
3564	mRv2cz2G0lSBxFNl9cubTIYk.exe
760	NSE9Ld6kxxyuP8DqLvBpj6PI.exe
2152	npdc5s5oPJorTBfKBBCgMyzp.exe
3324	GUmg4Qa4m1mIsXVgQHVxEcuJ.exe
1244	aJdKnzScVDAxGyjD3LZQHLcJ.exe
204	tGSr8Ot94Hwai4UWR8xhAPJ2.exe
2564	oG1dHne1fWPF3Po8OykVbTuX.exe
4484	nbmdzEHGf_l1ZAQ4nMMmglHF.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

15927cd90056342bc7e695c22dbd72a61596f26deb93b1db9c4c9812a08d0daf.exeFolder.exeFiles.exeInstall.exerUNdlL32.eXecmd.exeWerFault.exesvchost.exeGraphics.execmd.exeFile.execsrss.exe

description	pid	process	target process
PID 4900 wrote to memory of 1288	4900	15927cd90056342bc7e695c22dbd72a61596f26deb93b1db9c4c9812a08d0daf.exe	SoCleanInst.exe
PID 4900 wrote to memory of 1288	4900	15927cd90056342bc7e695c22dbd72a61596f26deb93b1db9c4c9812a08d0daf.exe	SoCleanInst.exe
PID 4900 wrote to memory of 2656	4900	15927cd90056342bc7e695c22dbd72a61596f26deb93b1db9c4c9812a08d0daf.exe	md9_1sjm.exe
PID 4900 wrote to memory of 2656	4900	15927cd90056342bc7e695c22dbd72a61596f26deb93b1db9c4c9812a08d0daf.exe	md9_1sjm.exe
PID 4900 wrote to memory of 2656	4900	15927cd90056342bc7e695c22dbd72a61596f26deb93b1db9c4c9812a08d0daf.exe	md9_1sjm.exe
PID 4900 wrote to memory of 1500	4900	15927cd90056342bc7e695c22dbd72a61596f26deb93b1db9c4c9812a08d0daf.exe	Folder.exe
PID 4900 wrote to memory of 1500	4900	15927cd90056342bc7e695c22dbd72a61596f26deb93b1db9c4c9812a08d0daf.exe	Folder.exe
PID 4900 wrote to memory of 1500	4900	15927cd90056342bc7e695c22dbd72a61596f26deb93b1db9c4c9812a08d0daf.exe	Folder.exe
PID 4900 wrote to memory of 4332	4900	15927cd90056342bc7e695c22dbd72a61596f26deb93b1db9c4c9812a08d0daf.exe	Graphics.exe
PID 4900 wrote to memory of 4332	4900	15927cd90056342bc7e695c22dbd72a61596f26deb93b1db9c4c9812a08d0daf.exe	Graphics.exe
PID 4900 wrote to memory of 4332	4900	15927cd90056342bc7e695c22dbd72a61596f26deb93b1db9c4c9812a08d0daf.exe	Graphics.exe
PID 4900 wrote to memory of 360	4900	15927cd90056342bc7e695c22dbd72a61596f26deb93b1db9c4c9812a08d0daf.exe	Updbdate.exe
PID 4900 wrote to memory of 360	4900	15927cd90056342bc7e695c22dbd72a61596f26deb93b1db9c4c9812a08d0daf.exe	Updbdate.exe
PID 4900 wrote to memory of 360	4900	15927cd90056342bc7e695c22dbd72a61596f26deb93b1db9c4c9812a08d0daf.exe	Updbdate.exe
PID 4900 wrote to memory of 3012	4900	15927cd90056342bc7e695c22dbd72a61596f26deb93b1db9c4c9812a08d0daf.exe	Install.exe
PID 4900 wrote to memory of 3012	4900	15927cd90056342bc7e695c22dbd72a61596f26deb93b1db9c4c9812a08d0daf.exe	Install.exe
PID 4900 wrote to memory of 3012	4900	15927cd90056342bc7e695c22dbd72a61596f26deb93b1db9c4c9812a08d0daf.exe	Install.exe
PID 4900 wrote to memory of 3436	4900	15927cd90056342bc7e695c22dbd72a61596f26deb93b1db9c4c9812a08d0daf.exe	Files.exe
PID 4900 wrote to memory of 3436	4900	15927cd90056342bc7e695c22dbd72a61596f26deb93b1db9c4c9812a08d0daf.exe	Files.exe
PID 4900 wrote to memory of 3436	4900	15927cd90056342bc7e695c22dbd72a61596f26deb93b1db9c4c9812a08d0daf.exe	Files.exe
PID 1500 wrote to memory of 4784	1500	Folder.exe	Folder.exe
PID 1500 wrote to memory of 4784	1500	Folder.exe	Folder.exe
PID 1500 wrote to memory of 4784	1500	Folder.exe	Folder.exe
PID 4900 wrote to memory of 2424	4900	15927cd90056342bc7e695c22dbd72a61596f26deb93b1db9c4c9812a08d0daf.exe	pub2.exe
PID 4900 wrote to memory of 2424	4900	15927cd90056342bc7e695c22dbd72a61596f26deb93b1db9c4c9812a08d0daf.exe	pub2.exe
PID 4900 wrote to memory of 2424	4900	15927cd90056342bc7e695c22dbd72a61596f26deb93b1db9c4c9812a08d0daf.exe	pub2.exe
PID 4900 wrote to memory of 424	4900	15927cd90056342bc7e695c22dbd72a61596f26deb93b1db9c4c9812a08d0daf.exe	File.exe
PID 4900 wrote to memory of 424	4900	15927cd90056342bc7e695c22dbd72a61596f26deb93b1db9c4c9812a08d0daf.exe	File.exe
PID 4900 wrote to memory of 424	4900	15927cd90056342bc7e695c22dbd72a61596f26deb93b1db9c4c9812a08d0daf.exe	File.exe
PID 3436 wrote to memory of 4088	3436	Files.exe	jfiag3g_gg.exe
PID 3436 wrote to memory of 4088	3436	Files.exe	jfiag3g_gg.exe
PID 3436 wrote to memory of 4088	3436	Files.exe	jfiag3g_gg.exe
PID 3012 wrote to memory of 4180	3012	Install.exe	cmd.exe
PID 3012 wrote to memory of 4180	3012	Install.exe	cmd.exe
PID 3012 wrote to memory of 4180	3012	Install.exe	cmd.exe
PID 4844 wrote to memory of 1540	4844	rUNdlL32.eXe	rundll32.exe
PID 4844 wrote to memory of 1540	4844	rUNdlL32.eXe	rundll32.exe
PID 4844 wrote to memory of 1540	4844	rUNdlL32.eXe	rundll32.exe
PID 4180 wrote to memory of 760	4180	cmd.exe	taskkill.exe
PID 4180 wrote to memory of 760	4180	cmd.exe	taskkill.exe
PID 4180 wrote to memory of 760	4180	cmd.exe	taskkill.exe
PID 2264 wrote to memory of 1540	2264	WerFault.exe	rundll32.exe
PID 2264 wrote to memory of 1540	2264	WerFault.exe	rundll32.exe
PID 3436 wrote to memory of 4328	3436	Files.exe	jfiag3g_gg.exe
PID 3436 wrote to memory of 4328	3436	Files.exe	jfiag3g_gg.exe
PID 3436 wrote to memory of 4328	3436	Files.exe	jfiag3g_gg.exe
PID 4712 wrote to memory of 2536	4712	svchost.exe	Graphics.exe
PID 4712 wrote to memory of 2536	4712	svchost.exe	Graphics.exe
PID 4712 wrote to memory of 2536	4712	svchost.exe	Graphics.exe
PID 2536 wrote to memory of 5060	2536	Graphics.exe	cmd.exe
PID 2536 wrote to memory of 5060	2536	Graphics.exe	cmd.exe
PID 5060 wrote to memory of 444	5060	cmd.exe	netsh.exe
PID 5060 wrote to memory of 444	5060	cmd.exe	netsh.exe
PID 2536 wrote to memory of 3032	2536	Graphics.exe	csrss.exe
PID 2536 wrote to memory of 3032	2536	Graphics.exe	csrss.exe
PID 2536 wrote to memory of 3032	2536	Graphics.exe	csrss.exe
PID 4712 wrote to memory of 4900	4712	svchost.exe	schtasks.exe
PID 4712 wrote to memory of 4900	4712	svchost.exe	schtasks.exe
PID 424 wrote to memory of 4292	424	File.exe	KRJJGGZUDBIGnUiuMhFVCYhb.exe
PID 424 wrote to memory of 4292	424	File.exe	KRJJGGZUDBIGnUiuMhFVCYhb.exe
PID 3032 wrote to memory of 1960	3032	csrss.exe	injector.exe
PID 3032 wrote to memory of 1960	3032	csrss.exe	injector.exe
PID 424 wrote to memory of 4852	424	File.exe	7_SDYekGsHoS8d1c7vPR5Bmm.exe
PID 424 wrote to memory of 4852	424	File.exe	7_SDYekGsHoS8d1c7vPR5Bmm.exe

C:\Users\Admin\AppData\Local\Temp\15927cd90056342bc7e695c22dbd72a61596f26deb93b1db9c4c9812a08d0daf.exe
"C:\Users\Admin\AppData\Local\Temp\15927cd90056342bc7e695c22dbd72a61596f26deb93b1db9c4c9812a08d0daf.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4900

C:\Users\Admin\AppData\Local\Temp\SoCleanInst.exe
"C:\Users\Admin\AppData\Local\Temp\SoCleanInst.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1288

C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
"C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe"
2⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
PID:2656

C:\Users\Admin\AppData\Local\Temp\Folder.exe
"C:\Users\Admin\AppData\Local\Temp\Folder.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1500

C:\Users\Admin\AppData\Local\Temp\Folder.exe
"C:\Users\Admin\AppData\Local\Temp\Folder.exe" -a
3⤵
- Executes dropped EXE
PID:4784

C:\Users\Admin\AppData\Local\Temp\Graphics.exe
"C:\Users\Admin\AppData\Local\Temp\Graphics.exe"
2⤵
- Executes dropped EXE
PID:4332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4332 -s 328
3⤵
- Program crash
PID:3916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4332 -s 336
3⤵
- Program crash
PID:1604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4332 -s 348
3⤵
- Program crash
PID:1884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4332 -s 656
3⤵
- Program crash
PID:1532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4332 -s 656
3⤵
- Program crash
PID:4260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4332 -s 656
3⤵
- Program crash
PID:2052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4332 -s 728
3⤵
- Program crash
PID:1528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4332 -s 736
3⤵
- Program crash
PID:752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4332 -s 752
3⤵
- Program crash
PID:2312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4332 -s 808
3⤵
- Program crash
PID:2008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4332 -s 616
3⤵
- Program crash
PID:3324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4332 -s 608
3⤵
- Program crash
PID:1084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4332 -s 888
3⤵
- Program crash
PID:2216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4332 -s 900
3⤵
- Program crash
PID:2160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4332 -s 860
3⤵
- Program crash
PID:4440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4332 -s 924
3⤵
- Program crash
PID:3200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4332 -s 944
3⤵
- Program crash
PID:3712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4332 -s 788
3⤵
- Program crash
PID:1736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4332 -s 952
3⤵
- Program crash
PID:1204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4332 -s 940
3⤵
- Program crash
PID:2004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4332 -s 824
3⤵
- Program crash
PID:2232

C:\Users\Admin\AppData\Local\Temp\Graphics.exe
"C:\Users\Admin\AppData\Local\Temp\Graphics.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:2536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2536 -s 292
4⤵
- Program crash
PID:1488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2536 -s 296
4⤵
- Program crash
PID:1608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2536 -s 296
4⤵
- Program crash
PID:4784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2536 -s 428
4⤵
- Program crash
PID:4852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2536 -s 668
4⤵
- Program crash
PID:4372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2536 -s 668
4⤵
- Program crash
PID:2788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2536 -s 700
4⤵
- Program crash
PID:2908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2536 -s 708
4⤵
- Program crash
PID:2784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2536 -s 724
4⤵
- Program crash
PID:3596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2536 -s 848
4⤵
- Program crash
PID:768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2536 -s 860
4⤵
- Program crash
PID:1584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2536 -s 896
4⤵
- Program crash
PID:1484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2536 -s 724
4⤵
- Program crash
PID:2384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2536 -s 864
4⤵
- Program crash
PID:556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2536 -s 900
4⤵
- Program crash
PID:4792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2536 -s 884
4⤵
- Program crash
PID:5080

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
4⤵
- Suspicious use of WriteProcessMemory
PID:5060

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
5⤵
PID:444

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe /202-202
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3032 -s 328
5⤵
- Program crash
PID:3704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3032 -s 332
5⤵
- Program crash
PID:1320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3032 -s 328
5⤵
- Program crash
PID:3388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3032 -s 664
5⤵
- Program crash
PID:4604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3032 -s 664
5⤵
- Program crash
PID:1284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3032 -s 664
5⤵
- Program crash
PID:3020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3032 -s 664
5⤵
- Program crash
PID:2008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3032 -s 752
5⤵
- Program crash
PID:4612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3032 -s 748
5⤵
- Program crash
PID:2988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3032 -s 620
5⤵
- Program crash
PID:2384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3032 -s 680
5⤵
- Program crash
PID:1372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3032 -s 780
5⤵
- Program crash
PID:3180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3032 -s 780
5⤵
- Program crash
PID:3808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3032 -s 780
5⤵
- Program crash
PID:492

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
5⤵
- Creates scheduled task(s)
PID:4900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3032 -s 780
5⤵
- Program crash
PID:2876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3032 -s 984
5⤵
- Program crash
PID:4008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3032 -s 996
5⤵
- Program crash
PID:4396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3032 -s 956
5⤵
- Program crash
PID:3684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3032 -s 1004
5⤵
- Program crash
PID:4984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3032 -s 1060
5⤵
- Program crash
PID:4104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3032 -s 1036
5⤵
- Program crash
PID:4820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3032 -s 1096
5⤵
- Program crash
PID:1252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3032 -s 964
5⤵
- Program crash
PID:480

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
5⤵
- Executes dropped EXE
PID:1960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3032 -s 948
5⤵
- Program crash
PID:4600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3032 -s 964
5⤵
- Program crash
PID:4076

C:\Users\Admin\AppData\Local\Temp\Updbdate.exe
"C:\Users\Admin\AppData\Local\Temp\Updbdate.exe"
2⤵
- Executes dropped EXE
PID:360

C:\Users\Admin\AppData\Local\Temp\Install.exe
"C:\Users\Admin\AppData\Local\Temp\Install.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3012

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:4180

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:760

C:\Users\Admin\AppData\Local\Temp\Files.exe
"C:\Users\Admin\AppData\Local\Temp\Files.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3436

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
3⤵
- Executes dropped EXE
PID:4088

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4328

C:\Users\Admin\AppData\Local\Temp\pub2.exe
"C:\Users\Admin\AppData\Local\Temp\pub2.exe"
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2424

C:\Users\Admin\AppData\Local\Temp\File.exe
"C:\Users\Admin\AppData\Local\Temp\File.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:424

C:\Users\Admin\Pictures\Adobe Films\KRJJGGZUDBIGnUiuMhFVCYhb.exe
"C:\Users\Admin\Pictures\Adobe Films\KRJJGGZUDBIGnUiuMhFVCYhb.exe"
3⤵
- Executes dropped EXE
PID:4292

C:\Users\Admin\Pictures\Adobe Films\7_SDYekGsHoS8d1c7vPR5Bmm.exe
"C:\Users\Admin\Pictures\Adobe Films\7_SDYekGsHoS8d1c7vPR5Bmm.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4852

C:\Users\Admin\Pictures\Adobe Films\lkfnWLCqL4ZUGsjdaeF4rorE.exe
"C:\Users\Admin\Pictures\Adobe Films\lkfnWLCqL4ZUGsjdaeF4rorE.exe"
3⤵
- Executes dropped EXE
PID:2400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2400 -s 424
4⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:2292

C:\Users\Admin\Pictures\Adobe Films\VH59X1iYz5T2RQBDDWqoBZq8.exe
"C:\Users\Admin\Pictures\Adobe Films\VH59X1iYz5T2RQBDDWqoBZq8.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4912

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\bsbkrdsu\
4⤵
PID:3928

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\pcuqcvy.exe" C:\Windows\SysWOW64\bsbkrdsu\
4⤵
PID:5124

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create bsbkrdsu binPath= "C:\Windows\SysWOW64\bsbkrdsu\pcuqcvy.exe /d\"C:\Users\Admin\Pictures\Adobe Films\VH59X1iYz5T2RQBDDWqoBZq8.exe\"" type= own start= auto DisplayName= "wifi support"
4⤵
PID:5456

C:\Users\Admin\Pictures\Adobe Films\DcygT3Ys1XLInSQIvTG_Ey6r.exe
"C:\Users\Admin\Pictures\Adobe Films\DcygT3Ys1XLInSQIvTG_Ey6r.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4080

C:\Users\Admin\AppData\Local\Temp\7zS75F4.tmp\Install.exe
.\Install.exe
4⤵
PID:3280

C:\Users\Admin\Pictures\Adobe Films\NUwzeMQMokiSYVn30rwebVX9.exe
"C:\Users\Admin\Pictures\Adobe Films\NUwzeMQMokiSYVn30rwebVX9.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:428

C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exe
"C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exe"
4⤵
PID:5312

C:\Users\Admin\Pictures\Adobe Films\C7UZW7dKXM1y8UR34SCgRcqo.exe
"C:\Users\Admin\Pictures\Adobe Films\C7UZW7dKXM1y8UR34SCgRcqo.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:1316

C:\Users\Admin\Documents\tGSr8Ot94Hwai4UWR8xhAPJ2.exe
"C:\Users\Admin\Documents\tGSr8Ot94Hwai4UWR8xhAPJ2.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:204

C:\Users\Admin\Pictures\Adobe Films\CssUvbj98unQXFuyFr8speZw.exe
"C:\Users\Admin\Pictures\Adobe Films\CssUvbj98unQXFuyFr8speZw.exe"
5⤵
PID:5572

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
4⤵
- Creates scheduled task(s)
PID:5040

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
4⤵
- Creates scheduled task(s)
PID:1980

C:\Users\Admin\Pictures\Adobe Films\sW6yBfbMVK33sD3kzI4xIvrl.exe
"C:\Users\Admin\Pictures\Adobe Films\sW6yBfbMVK33sD3kzI4xIvrl.exe"
3⤵
- Executes dropped EXE
PID:4028

C:\Users\Admin\Pictures\Adobe Films\e00iiKWflGUeFoFf7rp6cV2_.exe
"C:\Users\Admin\Pictures\Adobe Films\e00iiKWflGUeFoFf7rp6cV2_.exe"
3⤵
- Executes dropped EXE
PID:4324

C:\Users\Admin\Pictures\Adobe Films\gp2fgAa9GZbkz7UEyQVAFgwQ.exe
"C:\Users\Admin\Pictures\Adobe Films\gp2fgAa9GZbkz7UEyQVAFgwQ.exe"
3⤵
- Executes dropped EXE
PID:3980

C:\Users\Admin\Pictures\Adobe Films\pRmH8et_SYzCYFyFeXuTEzdT.exe
"C:\Users\Admin\Pictures\Adobe Films\pRmH8et_SYzCYFyFeXuTEzdT.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3568

C:\Users\Admin\Pictures\Adobe Films\pRmH8et_SYzCYFyFeXuTEzdT.exe
"C:\Users\Admin\Pictures\Adobe Films\pRmH8et_SYzCYFyFeXuTEzdT.exe"
4⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:3008

C:\Users\Admin\Pictures\Adobe Films\03FkcmZZIUb_ezYCj2Qnl5il.exe
"C:\Users\Admin\Pictures\Adobe Films\03FkcmZZIUb_ezYCj2Qnl5il.exe"
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:2212

C:\Users\Admin\Pictures\Adobe Films\Pt5JF01qRQN1iLv88FJVnzdK.exe
"C:\Users\Admin\Pictures\Adobe Films\Pt5JF01qRQN1iLv88FJVnzdK.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3460

C:\Users\Admin\Pictures\Adobe Films\_w2mF1YHUi2pPiO04GKPZfQp.exe
"C:\Users\Admin\Pictures\Adobe Films\_w2mF1YHUi2pPiO04GKPZfQp.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1588

C:\Users\Admin\Pictures\Adobe Films\nbmdzEHGf_l1ZAQ4nMMmglHF.exe
"C:\Users\Admin\Pictures\Adobe Films\nbmdzEHGf_l1ZAQ4nMMmglHF.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2264

C:\Users\Admin\Pictures\Adobe Films\nbmdzEHGf_l1ZAQ4nMMmglHF.exe
"C:\Users\Admin\Pictures\Adobe Films\nbmdzEHGf_l1ZAQ4nMMmglHF.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4484

C:\Users\Admin\Pictures\Adobe Films\NSE9Ld6kxxyuP8DqLvBpj6PI.exe
"C:\Users\Admin\Pictures\Adobe Films\NSE9Ld6kxxyuP8DqLvBpj6PI.exe"
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:760

C:\Users\Admin\Pictures\Adobe Films\npdc5s5oPJorTBfKBBCgMyzp.exe
"C:\Users\Admin\Pictures\Adobe Films\npdc5s5oPJorTBfKBBCgMyzp.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2152 -s 464
4⤵
PID:2484

C:\Users\Admin\Pictures\Adobe Films\mRv2cz2G0lSBxFNl9cubTIYk.exe
"C:\Users\Admin\Pictures\Adobe Films\mRv2cz2G0lSBxFNl9cubTIYk.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
PID:3564

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\System32\svchost.exe"
4⤵
PID:3280

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cmd < Detto.xla
4⤵
PID:444

C:\Users\Admin\Pictures\Adobe Films\GUmg4Qa4m1mIsXVgQHVxEcuJ.exe
"C:\Users\Admin\Pictures\Adobe Films\GUmg4Qa4m1mIsXVgQHVxEcuJ.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3324 -s 464
4⤵
PID:2624

C:\Users\Admin\Pictures\Adobe Films\1z6_khELf8T9X1MoDokR7uNw.exe
"C:\Users\Admin\Pictures\Adobe Films\1z6_khELf8T9X1MoDokR7uNw.exe"
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:3180

C:\Users\Admin\Pictures\Adobe Films\aJdKnzScVDAxGyjD3LZQHLcJ.exe
"C:\Users\Admin\Pictures\Adobe Films\aJdKnzScVDAxGyjD3LZQHLcJ.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1244 -s 472
4⤵
PID:3992

C:\Users\Admin\Pictures\Adobe Films\oG1dHne1fWPF3Po8OykVbTuX.exe
"C:\Users\Admin\Pictures\Adobe Films\oG1dHne1fWPF3Po8OykVbTuX.exe"
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:2564

C:\Users\Admin\AppData\Local\Temp\ABD9J.exe
"C:\Users\Admin\AppData\Local\Temp\ABD9J.exe"
4⤵
PID:4540

C:\Users\Admin\AppData\Local\Temp\LLCLJ.exe
"C:\Users\Admin\AppData\Local\Temp\LLCLJ.exe"
4⤵
PID:1936

C:\Users\Admin\AppData\Local\Temp\50932.exe
"C:\Users\Admin\AppData\Local\Temp\50932.exe"
4⤵
PID:5556

C:\Users\Admin\AppData\Local\Temp\8JICG.exe
"C:\Users\Admin\AppData\Local\Temp\8JICG.exe"
4⤵
PID:5692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4332 -ip 4332
1⤵
PID:3556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4332 -ip 4332
1⤵
PID:1928

C:\Windows\system32\rUNdlL32.eXe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:4844

C:\Windows\SysWOW64\rundll32.exe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
2⤵
- Loads dropped DLL
PID:1540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1540 -s 600
3⤵
- Drops file in Windows directory
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1540 -ip 1540
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:2264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4332 -ip 4332
1⤵
PID:4492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4332 -ip 4332
1⤵
PID:1440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4332 -ip 4332
1⤵
PID:3284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4332 -ip 4332
1⤵
PID:2232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4332 -ip 4332
1⤵
PID:5112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4332 -ip 4332
1⤵
PID:4680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4332 -ip 4332
1⤵
PID:768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4332 -ip 4332
1⤵
PID:2400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4332 -ip 4332
1⤵
PID:1484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4332 -ip 4332
1⤵
PID:1832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4332 -ip 4332
1⤵
PID:1108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4332 -ip 4332
1⤵
PID:2208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4332 -ip 4332
1⤵
PID:5024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4332 -ip 4332
1⤵
PID:1496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4332 -ip 4332
1⤵
PID:3684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4332 -ip 4332
1⤵
PID:760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4332 -ip 4332
1⤵
PID:4968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4332 -ip 4332
1⤵
PID:1440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4332 -ip 4332
1⤵
PID:4888

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:4712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 2536 -ip 2536
1⤵
PID:4740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 2536 -ip 2536
1⤵
PID:2400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2536 -ip 2536
1⤵
PID:1640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2536 -ip 2536
1⤵
PID:5008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2536 -ip 2536
1⤵
PID:4716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2536 -ip 2536
1⤵
PID:4324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2536 -ip 2536
1⤵
PID:2232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2536 -ip 2536
1⤵
PID:224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2536 -ip 2536
1⤵
PID:1924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2536 -ip 2536
1⤵
PID:1504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2536 -ip 2536
1⤵
PID:2392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2536 -ip 2536
1⤵
PID:1324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 2536 -ip 2536
1⤵
PID:1800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2536 -ip 2536
1⤵
PID:1776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2536 -ip 2536
1⤵
PID:4248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 2536 -ip 2536
1⤵
PID:5004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 3032 -ip 3032
1⤵
PID:556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3032 -ip 3032
1⤵
PID:5088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3032 -ip 3032
1⤵
PID:4080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 3032 -ip 3032
1⤵
PID:3284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3032 -ip 3032
1⤵
PID:4028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3032 -ip 3032
1⤵
PID:2004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3032 -ip 3032
1⤵
PID:3568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3032 -ip 3032
1⤵
PID:1460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3032 -ip 3032
1⤵
PID:1484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3032 -ip 3032
1⤵
PID:1624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3032 -ip 3032
1⤵
PID:1544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3032 -ip 3032
1⤵
PID:4472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3032 -ip 3032
1⤵
PID:4392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3032 -ip 3032
1⤵
PID:4116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3032 -ip 3032
1⤵
PID:2708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 3032 -ip 3032
1⤵
PID:4716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3032 -ip 3032
1⤵
PID:2128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3032 -ip 3032
1⤵
PID:2952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3032 -ip 3032
1⤵
PID:1496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3032 -ip 3032
1⤵
PID:2876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3032 -ip 3032
1⤵
PID:2404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3032 -ip 3032
1⤵
PID:1996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3032 -ip 3032
1⤵
PID:1448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3032 -ip 3032
1⤵
PID:4116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3032 -ip 3032
1⤵
PID:2076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2400 -ip 2400
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:2008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1244 -ip 1244
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:4832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3324 -ip 3324
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 2152 -ip 2152
1⤵
PID:2816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4852 -ip 4852
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:1816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4852 -ip 4852
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:1624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4852 -ip 4852
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:4508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4852 -ip 4852
1⤵
PID:3768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2264 -ip 2264
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:2816

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

New Service

T1050

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

New Service

T1050

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Virtualization/Sandbox Evasion

T1497

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
MD5
54e9306f95f32e50ccd58af19753d929

SHA1
eab9457321f34d4dcf7d4a0ac83edc9131bf7c57

SHA256
45f94dceb18a8f738a26da09ce4558995a4fe02b971882e8116fc9b59813bb72

SHA512
8711a4d866f21cdf4d4e6131ec4cfaf6821d0d22b90946be8b5a09ab868af0270a89bc326f03b858f0361a83c11a1531b894dfd1945e4812ba429a7558791f4f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
MD5
f8f1ccfd1f5ab074cc2d646fd6e3ab8d

SHA1
c4d0de340689af5b2f449301034aac7079d8d0b4

SHA256
4845fab514f78529ec4d35e0e5716a6e180b4594519003cf8ae669d1534a1db6

SHA512
0f09aabc5d333a09bd6b90ebe667f06f4c72e115f66c73bf06865db93ed7f07ccb5627b10e27ee68b8f0b1222ad7bcaa119625bcb31426113386947d58c0cf74

Download Submit
C:\Users\Admin\AppData\Local\Temp\File.exe
MD5
c9f445ba47d43aba67caf6020c2390d3

SHA1
03180d69fa4b26edbe627e2691df38882eab03b0

SHA256
acc70eb94782931ab5f817a91b3c4cedf4c3077fb497a63e90a55e500da7676e

SHA512
8c1e34f04f84fa00b58499c8ee986ebef15ba015021831ee4582f8d0c2347192c9b1d6f15211bc7c9490e268066801f35565b8d85ab07796a06937b5cf4ac141

Download Submit
C:\Users\Admin\AppData\Local\Temp\File.exe
MD5
c9f445ba47d43aba67caf6020c2390d3

SHA1
03180d69fa4b26edbe627e2691df38882eab03b0

SHA256
acc70eb94782931ab5f817a91b3c4cedf4c3077fb497a63e90a55e500da7676e

SHA512
8c1e34f04f84fa00b58499c8ee986ebef15ba015021831ee4582f8d0c2347192c9b1d6f15211bc7c9490e268066801f35565b8d85ab07796a06937b5cf4ac141

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files.exe
MD5
2d0217e0c70440d8c82883eadea517b9

SHA1
f3b7dd6dbb43b895ba26f67370af99952b7d83cb

SHA256
d8ede520a96e7eff75e753691e1dd2c764a3171ffa0144675c3e08f4be027c01

SHA512
6d7779a1f0dd54c0598bfb68f5e01a309021437a8b578353a063baf7c5ac2b29e5706ba51d1c1831e1517c5ea6fa662744c3f3e68a0e094c3b83ca9ed134413d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files.exe
MD5
2d0217e0c70440d8c82883eadea517b9

SHA1
f3b7dd6dbb43b895ba26f67370af99952b7d83cb

SHA256
d8ede520a96e7eff75e753691e1dd2c764a3171ffa0144675c3e08f4be027c01

SHA512
6d7779a1f0dd54c0598bfb68f5e01a309021437a8b578353a063baf7c5ac2b29e5706ba51d1c1831e1517c5ea6fa662744c3f3e68a0e094c3b83ca9ed134413d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Folder.exe
MD5
b89068659ca07ab9b39f1c580a6f9d39

SHA1
7e3e246fcf920d1ada06900889d099784fe06aa5

SHA256
9d225182e9a8f073e8cf1d60a8258369a394bcae5fbc52d845d71a0fa440539c

SHA512
940690b0844e678e45ead2e7639407ffac43ab45265d2682a4c2e6400ac8fa2188c50a3b17dad241517dd4624ee92d159c7e6d59c8d069b9edd1445115255d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\Folder.exe
MD5
b89068659ca07ab9b39f1c580a6f9d39

SHA1
7e3e246fcf920d1ada06900889d099784fe06aa5

SHA256
9d225182e9a8f073e8cf1d60a8258369a394bcae5fbc52d845d71a0fa440539c

SHA512
940690b0844e678e45ead2e7639407ffac43ab45265d2682a4c2e6400ac8fa2188c50a3b17dad241517dd4624ee92d159c7e6d59c8d069b9edd1445115255d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\Folder.exe
MD5
b89068659ca07ab9b39f1c580a6f9d39

SHA1
7e3e246fcf920d1ada06900889d099784fe06aa5

SHA256
9d225182e9a8f073e8cf1d60a8258369a394bcae5fbc52d845d71a0fa440539c

SHA512
940690b0844e678e45ead2e7639407ffac43ab45265d2682a4c2e6400ac8fa2188c50a3b17dad241517dd4624ee92d159c7e6d59c8d069b9edd1445115255d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\Graphics.exe
MD5
907b8a8bacc5432518151b830339539d

SHA1
9d5a934d1291db04f88482e2c3e5f3053552e044

SHA256
61727c9ed9fc3b1f5c4a093ec2c117267b98123939766648c4eda1ea2a83aa3f

SHA512
8129c626287277957d07714000f854c20271b4c7a1990431aa41a86b9152000e50b8ffd3cddf8ceb6c78f7ab2b17135fbee115d259964970f854ea6416f0f622

Download Submit
C:\Users\Admin\AppData\Local\Temp\Graphics.exe
MD5
907b8a8bacc5432518151b830339539d

SHA1
9d5a934d1291db04f88482e2c3e5f3053552e044

SHA256
61727c9ed9fc3b1f5c4a093ec2c117267b98123939766648c4eda1ea2a83aa3f

SHA512
8129c626287277957d07714000f854c20271b4c7a1990431aa41a86b9152000e50b8ffd3cddf8ceb6c78f7ab2b17135fbee115d259964970f854ea6416f0f622

Download Submit
C:\Users\Admin\AppData\Local\Temp\Graphics.exe
MD5
907b8a8bacc5432518151b830339539d

SHA1
9d5a934d1291db04f88482e2c3e5f3053552e044

SHA256
61727c9ed9fc3b1f5c4a093ec2c117267b98123939766648c4eda1ea2a83aa3f

SHA512
8129c626287277957d07714000f854c20271b4c7a1990431aa41a86b9152000e50b8ffd3cddf8ceb6c78f7ab2b17135fbee115d259964970f854ea6416f0f622

Download Submit
C:\Users\Admin\AppData\Local\Temp\Install.exe
MD5
921b10ea055eb9c80737b07142de6d2e

SHA1
6c2134159e68c8219a51a5b4dab4da33f2e0bad1

SHA256
f9f6ec4585db7b9e410b685e38f54db289671955dc39ab14a904745418a21350

SHA512
80ae017b10e0ae9190b409efb667891f8c747ec34b236b5fd34e2f8c144da439f237480acc9b44673a82ea8c9ae7c3e3f18bdafc879b6753566ec0615f310130

Download Submit
C:\Users\Admin\AppData\Local\Temp\Install.exe
MD5
921b10ea055eb9c80737b07142de6d2e

SHA1
6c2134159e68c8219a51a5b4dab4da33f2e0bad1

SHA256
f9f6ec4585db7b9e410b685e38f54db289671955dc39ab14a904745418a21350

SHA512
80ae017b10e0ae9190b409efb667891f8c747ec34b236b5fd34e2f8c144da439f237480acc9b44673a82ea8c9ae7c3e3f18bdafc879b6753566ec0615f310130

Download Submit
C:\Users\Admin\AppData\Local\Temp\SoCleanInst.exe
MD5
8d3cfb11fd739e8129dd2aa9ce026945

SHA1
d39e2cf1b55fcee6cfd65ccc084d2aa92e603f40

SHA256
ed0c0bb267a6b40646eb5383155314326c99bfe1dccda529b12db14c37c57616

SHA512
ea80e3fa4bc6b232d025b03c29758ea17641df0f16939c839f5d024a23f69b0453c49a72d8eda3571999f970e7f074f1c7b96b50478bd0b7c3c623886cc985ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\SoCleanInst.exe
MD5
8d3cfb11fd739e8129dd2aa9ce026945

SHA1
d39e2cf1b55fcee6cfd65ccc084d2aa92e603f40

SHA256
ed0c0bb267a6b40646eb5383155314326c99bfe1dccda529b12db14c37c57616

SHA512
ea80e3fa4bc6b232d025b03c29758ea17641df0f16939c839f5d024a23f69b0453c49a72d8eda3571999f970e7f074f1c7b96b50478bd0b7c3c623886cc985ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\Updbdate.exe
MD5
f9cf52d7407aa11cd18af2d511d8d25c

SHA1
e0cbe234314c53d439fc3b3be68fd7b4956cb09a

SHA256
cd1bf677d6b0c6be3038e58ec2d9a26cce637b8804e49d0302878be47a24bb04

SHA512
1d7ff1933f1d536358245b083d592552624515962dc9d819baa83f1b5254655f62f1247553d603b4f6b10f8085179ee698c58aa6fc3f396ed498e75991bee965

Download Submit
C:\Users\Admin\AppData\Local\Temp\Updbdate.exe
MD5
f9cf52d7407aa11cd18af2d511d8d25c

SHA1
e0cbe234314c53d439fc3b3be68fd7b4956cb09a

SHA256
cd1bf677d6b0c6be3038e58ec2d9a26cce637b8804e49d0302878be47a24bb04

SHA512
1d7ff1933f1d536358245b083d592552624515962dc9d819baa83f1b5254655f62f1247553d603b4f6b10f8085179ee698c58aa6fc3f396ed498e75991bee965

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dat
MD5
5fd2eba6df44d23c9e662763009d7f84

SHA1
43530574f8ac455ae263c70cc99550bc60bfa4f1

SHA256
2991e2231855661e94ef80a4202487a9d7dc7bebccab9a0b2a786cf0783a051f

SHA512
321a86725e533dedb5b74e17218e6e53a49fa6ffc87d7f7da0f0b8441a081fe785f7846a76f67ef03ec3abddacbe8906b20a2f3ce8178896ec57090ef7ab0eb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dll
MD5
1c7be730bdc4833afb7117d48c3fd513

SHA1
dc7e38cfe2ae4a117922306aead5a7544af646b8

SHA256
8206b4b3897ca45b9e083273f616902966e57091516844906e6ae2aefe63cef1

SHA512
7936c862a06b7ecdb6710a1bb62cbea149f75504b580c2f100945674c987f3eec53e9aa5915e32b4f74bcf46f2df9468f68a454400faebd909f933e8072e0f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dll
MD5
1c7be730bdc4833afb7117d48c3fd513

SHA1
dc7e38cfe2ae4a117922306aead5a7544af646b8

SHA256
8206b4b3897ca45b9e083273f616902966e57091516844906e6ae2aefe63cef1

SHA512
7936c862a06b7ecdb6710a1bb62cbea149f75504b580c2f100945674c987f3eec53e9aa5915e32b4f74bcf46f2df9468f68a454400faebd909f933e8072e0f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
MD5
b7161c0845a64ff6d7345b67ff97f3b0

SHA1
d223f855da541fe8e4c1d5c50cb26da0a1deb5fc

SHA256
fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66

SHA512
98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
MD5
4f4f6906ab07d2bf48efdcf836f95f4f

SHA1
eaf6b1ace4c40a154149f207cdda87fa9cf07fb2

SHA256
58f657ef4204d80a59e576d169d7fe2ea06d4c37fe20fee5470b329a1a72ad02

SHA512
d8ede0b77f6b5b801aa137a55c94b5648f9c8b7f80b0e516433226786c3b15d6f750ada597d22591ebf50fb3fc2e75ab17df0693975f0edcd69a1d74f75d6fe2

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
MD5
f250a9c692088cce4253332a205b1649

SHA1
109c79124ce2bda06cab50ea5d97294d13d42b20

SHA256
0a6c3a23510f93fcdcb6d5acc53ccccbcc51c68f14b1bcbd758ffbf135f8e882

SHA512
80553664f188ae35cef1f89d188fb17df8a490367f8d6fa5f9897115bacf776373905bccd599353add684c7fa6c2554d04cbf1a7f6cc87b299d6c51da33c1b5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
MD5
f250a9c692088cce4253332a205b1649

SHA1
109c79124ce2bda06cab50ea5d97294d13d42b20

SHA256
0a6c3a23510f93fcdcb6d5acc53ccccbcc51c68f14b1bcbd758ffbf135f8e882

SHA512
80553664f188ae35cef1f89d188fb17df8a490367f8d6fa5f9897115bacf776373905bccd599353add684c7fa6c2554d04cbf1a7f6cc87b299d6c51da33c1b5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\pub2.exe
MD5
a101a68eb9b038c745b9110ea35e4357

SHA1
c2d6b37ef2b38de4e77932eb3df856b798c4573a

SHA256
0aaa53d370cb72e8f9b0936ba6cdd0028baf761878aac03fe11f186fb422b5c3

SHA512
2f46dbf2e3ef13d54327550fddbe139b3cf6b65653d429906b4627fea798e7750c0a02a539754befd05b201a07dc533868800362a80bfe68fa075e9fcafcbdf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\pub2.exe
MD5
a101a68eb9b038c745b9110ea35e4357

SHA1
c2d6b37ef2b38de4e77932eb3df856b798c4573a

SHA256
0aaa53d370cb72e8f9b0936ba6cdd0028baf761878aac03fe11f186fb422b5c3

SHA512
2f46dbf2e3ef13d54327550fddbe139b3cf6b65653d429906b4627fea798e7750c0a02a539754befd05b201a07dc533868800362a80bfe68fa075e9fcafcbdf6

Download Submit
C:\Users\Admin\Pictures\Adobe Films\03FkcmZZIUb_ezYCj2Qnl5il.exe
MD5
89d23a186c49efb69750227d23674b48

SHA1
221e7b4682805e23cbb54c2d9d687408467f164b

SHA256
605e1096b60089c456e10be716364cf051d6409ac82d69f128594eb92b66d0db

SHA512
3cbcb52e9be11997c33cd5065705ecb35a8557f930cac0057648055958b0020b3f6edd45af6b878cca7191d5ebfbbfeaafa1b72427d5566a8bd47dc437d9cd64

Download Submit
C:\Users\Admin\Pictures\Adobe Films\03FkcmZZIUb_ezYCj2Qnl5il.exe
MD5
89d23a186c49efb69750227d23674b48

SHA1
221e7b4682805e23cbb54c2d9d687408467f164b

SHA256
605e1096b60089c456e10be716364cf051d6409ac82d69f128594eb92b66d0db

SHA512
3cbcb52e9be11997c33cd5065705ecb35a8557f930cac0057648055958b0020b3f6edd45af6b878cca7191d5ebfbbfeaafa1b72427d5566a8bd47dc437d9cd64

Download Submit
C:\Users\Admin\Pictures\Adobe Films\7_SDYekGsHoS8d1c7vPR5Bmm.exe
MD5
1c98778c8a84ccff1e053e8ca3b5d07c

SHA1
6271555b2e5afdea9b34c4a57503d7e6f140deb0

SHA256
261568b0fc903d0ee4cbe7db03549f8bd4d5c3e8f4704dd41d2d58a0ea8b19f0

SHA512
584aeb46e933c38211203a211f88c6a44bada3e3cc938dc61fe1704b049216efdad2524868a9bdd01561c345f6667ec03b3b82188fe8dddecef22dc53eb2c3aa

Download Submit
C:\Users\Admin\Pictures\Adobe Films\7_SDYekGsHoS8d1c7vPR5Bmm.exe
MD5
1c98778c8a84ccff1e053e8ca3b5d07c

SHA1
6271555b2e5afdea9b34c4a57503d7e6f140deb0

SHA256
261568b0fc903d0ee4cbe7db03549f8bd4d5c3e8f4704dd41d2d58a0ea8b19f0

SHA512
584aeb46e933c38211203a211f88c6a44bada3e3cc938dc61fe1704b049216efdad2524868a9bdd01561c345f6667ec03b3b82188fe8dddecef22dc53eb2c3aa

Download Submit
C:\Users\Admin\Pictures\Adobe Films\C7UZW7dKXM1y8UR34SCgRcqo.exe
MD5
dabae535097a94f593d5afad04acd5ea

SHA1
389a64c4e8c1601fba56576ee261fc953b53ae96

SHA256
e0a33241f5c4ac8f304af0387ddc54da264c0a5101c822d0fc71b10af947b391

SHA512
9846f4529b94b251ed21c9ae0e47ab19814973f62fbf082db845c9c484e79cd9de2523a4471426e721b698ba4a296eb233544035d66ef373c14bdda718730d05

Download Submit
C:\Users\Admin\Pictures\Adobe Films\C7UZW7dKXM1y8UR34SCgRcqo.exe
MD5
dabae535097a94f593d5afad04acd5ea

SHA1
389a64c4e8c1601fba56576ee261fc953b53ae96

SHA256
e0a33241f5c4ac8f304af0387ddc54da264c0a5101c822d0fc71b10af947b391

SHA512
9846f4529b94b251ed21c9ae0e47ab19814973f62fbf082db845c9c484e79cd9de2523a4471426e721b698ba4a296eb233544035d66ef373c14bdda718730d05

Download Submit
C:\Users\Admin\Pictures\Adobe Films\DcygT3Ys1XLInSQIvTG_Ey6r.exe
MD5
f5679d1dd9ad96356b75f940d72eada0

SHA1
21c765aa24d0d359b8bbf721f5d8a328eabd616a

SHA256
970b7721edc89b2f0baff45d90296cb0dd892776d2102c8f498de9fc5c61db8b

SHA512
f83341934aa4a2d989eef81533337d98e4d9329dd0bb9659de0edb2ade8838e9f3496f2e1b9bc4d323322356a8ab586866999f43c4a4af89a3ed09b8c84c8a5c

Download Submit
C:\Users\Admin\Pictures\Adobe Films\DcygT3Ys1XLInSQIvTG_Ey6r.exe
MD5
f5679d1dd9ad96356b75f940d72eada0

SHA1
21c765aa24d0d359b8bbf721f5d8a328eabd616a

SHA256
970b7721edc89b2f0baff45d90296cb0dd892776d2102c8f498de9fc5c61db8b

SHA512
f83341934aa4a2d989eef81533337d98e4d9329dd0bb9659de0edb2ade8838e9f3496f2e1b9bc4d323322356a8ab586866999f43c4a4af89a3ed09b8c84c8a5c

Download Submit
C:\Users\Admin\Pictures\Adobe Films\KRJJGGZUDBIGnUiuMhFVCYhb.exe
MD5
3f22bd82ee1b38f439e6354c60126d6d

SHA1
63b57d818f86ea64ebc8566faeb0c977839defde

SHA256
265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a

SHA512
b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\KRJJGGZUDBIGnUiuMhFVCYhb.exe
MD5
3f22bd82ee1b38f439e6354c60126d6d

SHA1
63b57d818f86ea64ebc8566faeb0c977839defde

SHA256
265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a

SHA512
b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\NUwzeMQMokiSYVn30rwebVX9.exe
MD5
eb2f1ba27d4ae055595e5d7c173b02ea

SHA1
95489360dc43f942b755f053565866ab4d0f0c7b

SHA256
fa88c86ff21e12477257ab657bd85c6dfa38982bff1493e5e162a5cc518c4440

SHA512
776ce93c19e3affa21f830b30035049c9e2bfe59b62b88a3607b46221a36d39dcc8a5d2a4637ff2d2b91efe4e8530d492d51ab1eafd34d38ad5ffaa67aa9df39

Download Submit
C:\Users\Admin\Pictures\Adobe Films\NUwzeMQMokiSYVn30rwebVX9.exe
MD5
eb2f1ba27d4ae055595e5d7c173b02ea

SHA1
95489360dc43f942b755f053565866ab4d0f0c7b

SHA256
fa88c86ff21e12477257ab657bd85c6dfa38982bff1493e5e162a5cc518c4440

SHA512
776ce93c19e3affa21f830b30035049c9e2bfe59b62b88a3607b46221a36d39dcc8a5d2a4637ff2d2b91efe4e8530d492d51ab1eafd34d38ad5ffaa67aa9df39

Download Submit
C:\Users\Admin\Pictures\Adobe Films\Pt5JF01qRQN1iLv88FJVnzdK.exe
MD5
b9b15774905815d1ab124662adbaca9f

SHA1
21becde5109bac48f3efd8b4fea7043c47daf563

SHA256
655c8da705475f8326a43a382036964a2ecb3d39923154a2db8a0ac18e191934

SHA512
b9b9bbe177aac7b261c9632bc30338e747acf38bc4b7b74d8db0d3f0ccfe7f4bc44182bf660f94fdc88ee542a7d595b10f44d9ad1eb22c12d255369281a77e31

Download Submit
C:\Users\Admin\Pictures\Adobe Films\Pt5JF01qRQN1iLv88FJVnzdK.exe
MD5
b9b15774905815d1ab124662adbaca9f

SHA1
21becde5109bac48f3efd8b4fea7043c47daf563

SHA256
655c8da705475f8326a43a382036964a2ecb3d39923154a2db8a0ac18e191934

SHA512
b9b9bbe177aac7b261c9632bc30338e747acf38bc4b7b74d8db0d3f0ccfe7f4bc44182bf660f94fdc88ee542a7d595b10f44d9ad1eb22c12d255369281a77e31

Download Submit
C:\Users\Admin\Pictures\Adobe Films\VH59X1iYz5T2RQBDDWqoBZq8.exe
MD5
caf7eb755bd0348b0ca5a03fe50df495

SHA1
d4e6e8a7a2c9524a287339e445ebd7061a292b28

SHA256
0342010025423b0f608bd3466e05c1e7967a7357ee4847fab8b23d8e329a8abb

SHA512
1d722df99ca31d2ba491ee086b8cbfc966f005ee0c2dceb42978fc8fe7d5ab143993bd3840c9178fce82aae5164285d08d07a60fa4e277307c2729bf482e2e5b

Download Submit
C:\Users\Admin\Pictures\Adobe Films\VH59X1iYz5T2RQBDDWqoBZq8.exe
MD5
caf7eb755bd0348b0ca5a03fe50df495

SHA1
d4e6e8a7a2c9524a287339e445ebd7061a292b28

SHA256
0342010025423b0f608bd3466e05c1e7967a7357ee4847fab8b23d8e329a8abb

SHA512
1d722df99ca31d2ba491ee086b8cbfc966f005ee0c2dceb42978fc8fe7d5ab143993bd3840c9178fce82aae5164285d08d07a60fa4e277307c2729bf482e2e5b

Download Submit
C:\Users\Admin\Pictures\Adobe Films\_w2mF1YHUi2pPiO04GKPZfQp.exe
MD5
a1c4d1ce68ceaffa84728ed0f5196fd0

SHA1
f6941f577550a6ecf5309582968ea2c4c12fa7d7

SHA256
b940e318153e9cb75af0195676bbaeb136804963eba07ab277b0f7238e426b9a

SHA512
0854320417e360b23bb0f49ac3367e1853fbfdf6f0c87ae9614de46dd466090fea8849b177f6bfba5e1865cc0b4450b6fb13b58377cef1018da364f9aec93766

Download Submit
C:\Users\Admin\Pictures\Adobe Films\aJdKnzScVDAxGyjD3LZQHLcJ.exe
MD5
d0e66302d8fd5c0987670667702e844d

SHA1
e232dcbb280b2fcc09060d5f0c1c95d8751bd308

SHA256
3053835dc6474fabe8979800bd984c6f234b1e94571614f9475e2c7ee5e843f8

SHA512
9891b4a5378a4c7a501f4de3e84af7d46075ee21e2835a75691b9ab61350695fdd7c9a5317efb67e8c025b5f48bc6d02545f205f7ba32a46245969cafeb3fdab

Download Submit
C:\Users\Admin\Pictures\Adobe Films\e00iiKWflGUeFoFf7rp6cV2_.exe
MD5
6817e893a00b534fb3d936a2a16da2b1

SHA1
b91f5ff23a27cfda0f57e788913942183ce45772

SHA256
e53845a73c55f86fe6fc276f97bfeb8b366bf1e7b8cb72e55fc8472362ab7c5c

SHA512
c174e4b31f4742c764a9fd25bad12ed35aa941d6ac0ece9bfb90767f890d9520eebf78e83c40a68274ca0f8987fd0574856b8975aab8160ec3fb4690f78b54db

Download Submit
C:\Users\Admin\Pictures\Adobe Films\e00iiKWflGUeFoFf7rp6cV2_.exe
MD5
6817e893a00b534fb3d936a2a16da2b1

SHA1
b91f5ff23a27cfda0f57e788913942183ce45772

SHA256
e53845a73c55f86fe6fc276f97bfeb8b366bf1e7b8cb72e55fc8472362ab7c5c

SHA512
c174e4b31f4742c764a9fd25bad12ed35aa941d6ac0ece9bfb90767f890d9520eebf78e83c40a68274ca0f8987fd0574856b8975aab8160ec3fb4690f78b54db

Download Submit
C:\Users\Admin\Pictures\Adobe Films\gp2fgAa9GZbkz7UEyQVAFgwQ.exe
MD5
266a1335f73ff12584a5d1d2e65b8be7

SHA1
35a6d1593a0ff74f209de0f294cd7b7cd067c14c

SHA256
316a7cea264e8cc29efe6dc3def98eeff7c42138ceba126127dc8228a119cfee

SHA512
35bdc71211656abaf05cde978594b5d0ad11d154851d90adc80fb96e1c737682561e82615024453bf6f483cb7bf451bd604993343e3bfb2d369deef25d1e4361

Download Submit
C:\Users\Admin\Pictures\Adobe Films\gp2fgAa9GZbkz7UEyQVAFgwQ.exe
MD5
266a1335f73ff12584a5d1d2e65b8be7

SHA1
35a6d1593a0ff74f209de0f294cd7b7cd067c14c

SHA256
316a7cea264e8cc29efe6dc3def98eeff7c42138ceba126127dc8228a119cfee

SHA512
35bdc71211656abaf05cde978594b5d0ad11d154851d90adc80fb96e1c737682561e82615024453bf6f483cb7bf451bd604993343e3bfb2d369deef25d1e4361

Download Submit
C:\Users\Admin\Pictures\Adobe Films\lkfnWLCqL4ZUGsjdaeF4rorE.exe
MD5
c4729b22af5fddb503601f0819709e32

SHA1
0d27d046eb78c188c1eccfd1d0654a8262d97aab

SHA256
fb2b6caaeb56477df79dc728f7e4f5547f2c29d9bbf1d4c230da23c5603f22b4

SHA512
83d434b1e6265097462807536811dae19f9fb7c3760bff11e6da7715208846f4d06c5aec6434ff9159be7e8ec8b0bebac8de9d58a490fe13312ab1f81aaef4c0

Download Submit
C:\Users\Admin\Pictures\Adobe Films\lkfnWLCqL4ZUGsjdaeF4rorE.exe
MD5
c4729b22af5fddb503601f0819709e32

SHA1
0d27d046eb78c188c1eccfd1d0654a8262d97aab

SHA256
fb2b6caaeb56477df79dc728f7e4f5547f2c29d9bbf1d4c230da23c5603f22b4

SHA512
83d434b1e6265097462807536811dae19f9fb7c3760bff11e6da7715208846f4d06c5aec6434ff9159be7e8ec8b0bebac8de9d58a490fe13312ab1f81aaef4c0

Download Submit
C:\Users\Admin\Pictures\Adobe Films\nbmdzEHGf_l1ZAQ4nMMmglHF.exe
MD5
4cb40a5915b998c9c70b71e6b54de912

SHA1
15bfedc171add539bcbb2ecf4a1fd9eef1fd97f9

SHA256
bcba37ea39dbe60b1dd38557aaccf5aca3d6e2d754fa6e6d81e07e18ff3d7e58

SHA512
945b1de67d1cc6adb9bbbf1b08d8163c1cbb19f6878242def90aa08354503d98c96e7b53218ef4c1024c1315c3361be59830cbc88308b4ea088d1efe3755ebad

Download Submit
C:\Users\Admin\Pictures\Adobe Films\pRmH8et_SYzCYFyFeXuTEzdT.exe
MD5
ebd92ae870a96ec9eafc5e12b22d0caa

SHA1
a000562844a49fe6c226d74ef23b7ffef7f7ed10

SHA256
bf3cb3479ba2238dda49a220bfa875b399a3e37149e29a2d5762bf81f43276c7

SHA512
5c5ed2b131818dabb7c5a47a2f4a3631ae0c11b577d34dc208bb5a0c3a2c6d8dbc1d74920b899082b31f27c51e73b969fe7c0fc68ec83b5b294565082440d301

Download Submit
C:\Users\Admin\Pictures\Adobe Films\pRmH8et_SYzCYFyFeXuTEzdT.exe
MD5
ebd92ae870a96ec9eafc5e12b22d0caa

SHA1
a000562844a49fe6c226d74ef23b7ffef7f7ed10

SHA256
bf3cb3479ba2238dda49a220bfa875b399a3e37149e29a2d5762bf81f43276c7

SHA512
5c5ed2b131818dabb7c5a47a2f4a3631ae0c11b577d34dc208bb5a0c3a2c6d8dbc1d74920b899082b31f27c51e73b969fe7c0fc68ec83b5b294565082440d301

Download Submit
C:\Users\Admin\Pictures\Adobe Films\sW6yBfbMVK33sD3kzI4xIvrl.exe
MD5
c0fe94a584c658026552ae848edbfd84

SHA1
507c9ae16bb5bebd5b072f09aa097807bb5665ff

SHA256
5340c47a07719d1db92de4786679247876e2aa0197b14fc24a9f7292d0c38880

SHA512
8d9f1976ede385f1b51664c9e9b31cbcf1a7f3347ca7794038d88c7d274ee50aa1513f5bd9c0c1974bca2f6982df860bb36886c60a3f59297fe97086d5c3a620

Download Submit
C:\Users\Admin\Pictures\Adobe Films\sW6yBfbMVK33sD3kzI4xIvrl.exe
MD5
c0fe94a584c658026552ae848edbfd84

SHA1
507c9ae16bb5bebd5b072f09aa097807bb5665ff

SHA256
5340c47a07719d1db92de4786679247876e2aa0197b14fc24a9f7292d0c38880

SHA512
8d9f1976ede385f1b51664c9e9b31cbcf1a7f3347ca7794038d88c7d274ee50aa1513f5bd9c0c1974bca2f6982df860bb36886c60a3f59297fe97086d5c3a620

Download Submit
C:\Windows\rss\csrss.exe
MD5
907b8a8bacc5432518151b830339539d

SHA1
9d5a934d1291db04f88482e2c3e5f3053552e044

SHA256
61727c9ed9fc3b1f5c4a093ec2c117267b98123939766648c4eda1ea2a83aa3f

SHA512
8129c626287277957d07714000f854c20271b4c7a1990431aa41a86b9152000e50b8ffd3cddf8ceb6c78f7ab2b17135fbee115d259964970f854ea6416f0f622

Download Submit
C:\Windows\rss\csrss.exe
MD5
907b8a8bacc5432518151b830339539d

SHA1
9d5a934d1291db04f88482e2c3e5f3053552e044

SHA256
61727c9ed9fc3b1f5c4a093ec2c117267b98123939766648c4eda1ea2a83aa3f

SHA512
8129c626287277957d07714000f854c20271b4c7a1990431aa41a86b9152000e50b8ffd3cddf8ceb6c78f7ab2b17135fbee115d259964970f854ea6416f0f622

Download Submit
memory/360-251-0x00000000023F4000-0x0000000002417000-memory.dmp

Filesize
140KB

Download
memory/360-157-0x0000000006E70000-0x0000000006E82000-memory.dmp

Filesize
72KB

Download
memory/360-266-0x00000000025F4000-0x00000000025F6000-memory.dmp

Filesize
8KB

Download
memory/360-253-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/360-263-0x00000000025F0000-0x00000000025F1000-memory.dmp

Filesize
4KB

Download
memory/360-162-0x0000000006FA0000-0x0000000006FDC000-memory.dmp

Filesize
240KB

Download
memory/360-159-0x0000000006E90000-0x0000000006F9A000-memory.dmp

Filesize
1.0MB

Download
memory/360-262-0x00000000717AE000-0x00000000717AF000-memory.dmp

Filesize
4KB

Download
memory/360-156-0x0000000007470000-0x0000000007A88000-memory.dmp

Filesize
6.1MB

Download
memory/360-155-0x00000000068A0000-0x0000000006E44000-memory.dmp

Filesize
5.6MB

Download
memory/360-252-0x00000000001C0000-0x00000000001F0000-memory.dmp

Filesize
192KB

Download
memory/360-264-0x00000000025F2000-0x00000000025F3000-memory.dmp

Filesize
4KB

Download
memory/360-144-0x00000000023F4000-0x0000000002417000-memory.dmp

Filesize
140KB

Download
memory/360-265-0x00000000025F3000-0x00000000025F4000-memory.dmp

Filesize
4KB

Download
memory/424-255-0x0000000003CC0000-0x0000000003E7D000-memory.dmp

Filesize
1.7MB

Download
memory/760-221-0x0000000000980000-0x0000000000B37000-memory.dmp

Filesize
1.7MB

Download
memory/760-225-0x0000000076920000-0x0000000076B35000-memory.dmp

Filesize
2.1MB

Download
memory/760-283-0x00000000717AE000-0x00000000717AF000-memory.dmp

Filesize
4KB

Download
memory/760-275-0x0000000000982000-0x00000000009B7000-memory.dmp

Filesize
212KB

Download
memory/760-274-0x0000000002F50000-0x0000000002F96000-memory.dmp

Filesize
280KB

Download
memory/760-278-0x0000000001520000-0x0000000001521000-memory.dmp

Filesize
4KB

Download
memory/760-228-0x0000000000980000-0x0000000000B37000-memory.dmp

Filesize
1.7MB

Download
memory/760-301-0x0000000076BF0000-0x00000000771A3000-memory.dmp

Filesize
5.7MB

Download
memory/760-231-0x0000000074530000-0x00000000745B9000-memory.dmp

Filesize
548KB

Download
memory/760-220-0x0000000000980000-0x0000000000B37000-memory.dmp

Filesize
1.7MB

Download
memory/760-230-0x0000000000980000-0x0000000000B37000-memory.dmp

Filesize
1.7MB

Download
memory/760-223-0x0000000001500000-0x0000000001501000-memory.dmp

Filesize
4KB

Download
memory/1164-245-0x0000000003270000-0x0000000003285000-memory.dmp

Filesize
84KB

Download
memory/1288-135-0x00007FF954633000-0x00007FF954635000-memory.dmp

Filesize
8KB

Download
memory/1288-132-0x0000000000840000-0x0000000000862000-memory.dmp

Filesize
136KB

Download
memory/1936-286-0x0000000076920000-0x0000000076B35000-memory.dmp

Filesize
2.1MB

Download
memory/1936-298-0x0000000074530000-0x00000000745B9000-memory.dmp

Filesize
548KB

Download
memory/1936-281-0x00000000001D2000-0x0000000000207000-memory.dmp

Filesize
212KB

Download
memory/1936-280-0x00000000001D0000-0x0000000000392000-memory.dmp

Filesize
1.8MB

Download
memory/1936-303-0x0000000076BF0000-0x00000000771A3000-memory.dmp

Filesize
5.7MB

Download
memory/1936-282-0x0000000002C20000-0x0000000002C21000-memory.dmp

Filesize
4KB

Download
memory/1936-277-0x0000000002CA0000-0x0000000002CE6000-memory.dmp

Filesize
280KB

Download
memory/2152-284-0x0000000000D20000-0x0000000000D80000-memory.dmp

Filesize
384KB

Download
memory/2212-210-0x0000000001490000-0x0000000001491000-memory.dmp

Filesize
4KB

Download
memory/2212-270-0x0000000001520000-0x0000000001521000-memory.dmp

Filesize
4KB

Download
memory/2212-299-0x0000000076BF0000-0x00000000771A3000-memory.dmp

Filesize
5.7MB

Download
memory/2212-222-0x0000000074530000-0x00000000745B9000-memory.dmp

Filesize
548KB

Download
memory/2212-219-0x0000000000C50000-0x0000000000E81000-memory.dmp

Filesize
2.2MB

Download
memory/2212-267-0x0000000000C52000-0x0000000000C88000-memory.dmp

Filesize
216KB

Download
memory/2212-261-0x0000000003050000-0x0000000003096000-memory.dmp

Filesize
280KB

Download
memory/2212-209-0x0000000000C50000-0x0000000000E81000-memory.dmp

Filesize
2.2MB

Download
memory/2212-213-0x0000000076920000-0x0000000076B35000-memory.dmp

Filesize
2.1MB

Download
memory/2212-273-0x00000000717AE000-0x00000000717AF000-memory.dmp

Filesize
4KB

Download
memory/2424-168-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2424-167-0x0000000000030000-0x0000000000039000-memory.dmp

Filesize
36KB

Download
memory/2424-166-0x0000000002344000-0x000000000234C000-memory.dmp

Filesize
32KB

Download
memory/2424-150-0x0000000002344000-0x000000000234C000-memory.dmp

Filesize
32KB

Download
memory/2536-177-0x0000000000400000-0x0000000000D42000-memory.dmp

Filesize
9.3MB

Download
memory/2536-176-0x00000000027F8000-0x0000000002C35000-memory.dmp

Filesize
4.2MB

Download
memory/2564-237-0x00000000004F0000-0x00000000008B3000-memory.dmp

Filesize
3.8MB

Download
memory/2564-239-0x00000000004F0000-0x00000000008B3000-memory.dmp

Filesize
3.8MB

Download
memory/2656-246-0x0000000000030000-0x0000000000033000-memory.dmp

Filesize
12KB

Download
memory/2656-243-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3008-233-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3008-238-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3032-249-0x0000000002E00000-0x000000000323D000-memory.dmp

Filesize
4.2MB

Download
memory/3032-250-0x0000000000400000-0x0000000000D42000-memory.dmp

Filesize
9.3MB

Download
memory/3180-229-0x0000000074530000-0x00000000745B9000-memory.dmp

Filesize
548KB

Download
memory/3180-218-0x0000000002F40000-0x0000000002F41000-memory.dmp

Filesize
4KB

Download
memory/3180-214-0x00000000008E0000-0x00000000009D4000-memory.dmp

Filesize
976KB

Download
memory/3180-279-0x00000000717AE000-0x00000000717AF000-memory.dmp

Filesize
4KB

Download
memory/3180-224-0x0000000076920000-0x0000000076B35000-memory.dmp

Filesize
2.1MB

Download
memory/3180-272-0x00000000008E2000-0x0000000000915000-memory.dmp

Filesize
204KB

Download
memory/3180-226-0x00000000008E0000-0x00000000009D4000-memory.dmp

Filesize
976KB

Download
memory/3180-300-0x0000000076BF0000-0x00000000771A3000-memory.dmp

Filesize
5.7MB

Download
memory/3180-227-0x00000000008E0000-0x00000000009D4000-memory.dmp

Filesize
976KB

Download
memory/3180-276-0x0000000002FB0000-0x0000000002FB1000-memory.dmp

Filesize
4KB

Download
memory/3180-271-0x0000000002EE0000-0x0000000002F26000-memory.dmp

Filesize
280KB

Download
memory/3180-217-0x00000000008E0000-0x00000000009D4000-memory.dmp

Filesize
976KB

Download
memory/3568-234-0x00000000007A0000-0x00000000007A9000-memory.dmp

Filesize
36KB

Download
memory/3568-235-0x00000000007B0000-0x00000000007B9000-memory.dmp

Filesize
36KB

Download
memory/4028-269-0x00000000717AE000-0x00000000717AF000-memory.dmp

Filesize
4KB

Download
memory/4028-215-0x0000000000310000-0x000000000031C000-memory.dmp

Filesize
48KB

Download
memory/4324-232-0x00000000057C0000-0x0000000005852000-memory.dmp

Filesize
584KB

Download
memory/4324-236-0x0000000005740000-0x000000000574A000-memory.dmp

Filesize
40KB

Download
memory/4324-268-0x00000000717AE000-0x00000000717AF000-memory.dmp

Filesize
4KB

Download
memory/4324-216-0x0000000000E20000-0x0000000000EEE000-memory.dmp

Filesize
824KB

Download
memory/4332-171-0x00000000028A6000-0x0000000002CE3000-memory.dmp

Filesize
4.2MB

Download
memory/4332-172-0x0000000002CF0000-0x0000000003617000-memory.dmp

Filesize
9.2MB

Download
memory/4332-173-0x0000000000400000-0x0000000000D42000-memory.dmp

Filesize
9.3MB

Download
memory/4484-240-0x0000000000400000-0x0000000000893000-memory.dmp

Filesize
4.6MB

Download
memory/4484-241-0x00000000009B1000-0x0000000000A01000-memory.dmp

Filesize
320KB

Download
memory/4484-242-0x0000000000400000-0x0000000000893000-memory.dmp

Filesize
4.6MB

Download
memory/4484-256-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/4540-296-0x0000000074530000-0x00000000745B9000-memory.dmp

Filesize
548KB

Download
memory/4540-260-0x0000000000E90000-0x0000000000E91000-memory.dmp

Filesize
4KB

Download
memory/4540-259-0x00000000717AE000-0x00000000717AF000-memory.dmp

Filesize
4KB

Download
memory/4540-247-0x0000000000BD0000-0x0000000000D63000-memory.dmp

Filesize
1.6MB

Download
memory/4540-258-0x0000000000BD2000-0x0000000000C07000-memory.dmp

Filesize
212KB

Download
memory/4540-248-0x0000000000BD2000-0x0000000000C07000-memory.dmp

Filesize
212KB

Download
memory/4540-257-0x0000000076920000-0x0000000076B35000-memory.dmp

Filesize
2.1MB

Download
memory/4540-244-0x0000000000B80000-0x0000000000BC6000-memory.dmp

Filesize
280KB

Download
memory/4540-254-0x0000000000E70000-0x0000000000E71000-memory.dmp

Filesize
4KB

Download
memory/4540-302-0x0000000076BF0000-0x00000000771A3000-memory.dmp

Filesize
5.7MB

Download