neshta | 334f814c3b403562e5bd6cc66d2ace48d97e2e1bab309d9a15de29c26219371a

Analysis

max time kernel
152s
max time network
158s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
20-10-2022 00:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

334f814c3b403562e5bd6cc66d2ace48d97e2e1bab309d9a15de29c26219371a.exe
Size

392KB
MD5

e93590ec419d167842a3c0c8532fa56e
SHA1

fbbd693044fa478a7e76def68c158bc5ba2b9054
SHA256

334f814c3b403562e5bd6cc66d2ace48d97e2e1bab309d9a15de29c26219371a
SHA512

ef9b10430e3093d64519091b9375d9d04af19a7d7361157cd484d315b3c75a4bf99a27f4ac2e2c8d0140e0ce0437a6b33556b52cce6b83bc132494142cb7a7f8
SSDEEP

6144:k9nZEPD78jA9aNGY9i81SV2K2d6Or989IwfvyvbAxXUtx/qVj:4Z+8d3S5ycUej

Score

10^/10

neshta nymaim privateloader redline smokeloader 1 cloudperse backdoor discovery evasion infostealer loader main persistence spyware stealer trojan

Malware Config

Extracted

Family

privateloader

http://163.123.143.4/proxies.txt

http://107.182.129.251/server.txt

pastebin.com/raw/A7dSG1te

http://wfsdragon.ru/api/setStats.php

163.123.143.12

http://91.241.19.125/pub.php?pub=one

http://sarfoods.com/index.php

Attributes

payload_url
https://cdn.discordapp.com/attachments/1003879548242374749/1003976870611669043/NiceProcessX64.bmp
https://cdn.discordapp.com/attachments/1003879548242374749/1003976754358124554/NiceProcessX32.bmp
https://cdn.discordapp.com/attachments/910842184708792331/931507465563045909/dingo_20220114120058.bmp
https://c.xyzgamec.com/userdown/2202/random.exe
http://193.56.146.76/Proxytest.exe
http://www.yzsyjyjh.com/askhelp23/askinstall23.exe
http://privacy-tools-for-you-780.com/downloads/toolspab3.exe
http://luminati-china.xyz/aman/casper2.exe
https://innovicservice.net/assets/vendor/counterup/RobCleanerInstlr95038215.exe
http://tg8.cllgxx.com/hp8/g1/yrpp1047.exe
https://cdn.discordapp.com/attachments/910842184708792331/930849718240698368/Roll.bmp
https://cdn.discordapp.com/attachments/910842184708792331/930850766787330068/real1201.bmp
https://cdn.discordapp.com/attachments/910842184708792331/930882959131693096/Installer.bmp
http://185.215.113.208/ferrari.exe
https://cdn.discordapp.com/attachments/910842184708792331/931233371110141962/LingeringsAntiphon.bmp
https://cdn.discordapp.com/attachments/910842184708792331/931285223709225071/russ.bmp
https://cdn.discordapp.com/attachments/910842184708792331/932720393201016842/filinnn.bmp
https://cdn.discordapp.com/attachments/910842184708792331/933436611427979305/build20k.bmp
https://c.xyzgamec.com/userdown/2202/random.exe
http://mnbuiy.pw/adsli/note8876.exe
http://www.yzsyjyjh.com/askhelp23/askinstall23.exe
http://luminati-china.xyz/aman/casper2.exe
https://suprimax.vet.br/css/fonts/OneCleanerInst942914.exe
http://tg8.cllgxx.com/hp8/g1/ssaa1047.exe
https://www.deezloader.app/files/Deezloader_Remix_Installer_64_bit_4.3.0_Setup.exe
https://www.deezloader.app/files/Deezloader_Remix_Installer_32_bit_4.3.0_Setup.exe
https://cdn.discordapp.com/attachments/910281601559167006/911516400005296219/anyname.exe
https://cdn.discordapp.com/attachments/910281601559167006/911516894660530226/PBsecond.exe
https://cdn.discordapp.com/attachments/910842184708792331/914047763304550410/Xpadder.bmp

Extracted

Family

redline

Botnet

80.76.51.172:19241

Attributes

auth_value
4b711fa6f9a5187b40500266349c0baf

Extracted

Family

redline

Botnet

CloudPerse

151.80.89.227:45878

Attributes

auth_value
514a51d4bb80c5d1bff4c48bb2a7438f

Extracted

Family

nymaim

45.15.156.54

85.31.46.167

Signatures

Detect Neshta payload 13 IoCs

Processes:

resource	yara_rule
C:\Windows\svchost.com	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Windows\svchost.com	family_neshta

Detects Smokeloader packer 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1748-168-0x0000000000220000-0x0000000000229000-memory.dmp	family_smokeloader
behavioral1/memory/1748-200-0x0000000000220000-0x0000000000229000-memory.dmp	family_smokeloader

Modifies Windows Defender Real-time Protection settings 3 TTPs 7 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

334f814c3b403562e5bd6cc66d2ace48d97e2e1bab309d9a15de29c26219371a.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	334f814c3b403562e5bd6cc66d2ace48d97e2e1bab309d9a15de29c26219371a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	334f814c3b403562e5bd6cc66d2ace48d97e2e1bab309d9a15de29c26219371a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	334f814c3b403562e5bd6cc66d2ace48d97e2e1bab309d9a15de29c26219371a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	334f814c3b403562e5bd6cc66d2ace48d97e2e1bab309d9a15de29c26219371a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	334f814c3b403562e5bd6cc66d2ace48d97e2e1bab309d9a15de29c26219371a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	334f814c3b403562e5bd6cc66d2ace48d97e2e1bab309d9a15de29c26219371a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1"	334f814c3b403562e5bd6cc66d2ace48d97e2e1bab309d9a15de29c26219371a.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

334f814c3b403562e5bd6cc66d2ace48d97e2e1bab309d9a15de29c26219371a.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	334f814c3b403562e5bd6cc66d2ace48d97e2e1bab309d9a15de29c26219371a.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
NyMaim
NyMaim is a malware with various capabilities written in C++ and first seen in 2013.
trojan nymaim
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 10 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\Pictures\ADOBEF~1\QQF8GV~1.EXE	family_redline
C:\Users\Admin\Pictures\Adobe Films\qQf8gV7ZmnMqHhL7Bhqu_IhR.exe	family_redline
\Users\Admin\Pictures\Adobe Films\qQf8gV7ZmnMqHhL7Bhqu_IhR.exe	family_redline
behavioral1/memory/1876-185-0x0000000000900000-0x0000000000928000-memory.dmp	family_redline
behavioral1/memory/2996-228-0x0000000000400000-0x0000000000428000-memory.dmp	family_redline
behavioral1/memory/2996-229-0x0000000000400000-0x0000000000428000-memory.dmp	family_redline
behavioral1/memory/2996-230-0x0000000000400000-0x0000000000428000-memory.dmp	family_redline
behavioral1/memory/2996-231-0x000000000042214A-mapping.dmp	family_redline
behavioral1/memory/2996-233-0x0000000000400000-0x0000000000428000-memory.dmp	family_redline
behavioral1/memory/2996-236-0x0000000000400000-0x0000000000428000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file

Executes dropped EXE 34 IoCs

Processes:

334f814c3b403562e5bd6cc66d2ace48d97e2e1bab309d9a15de29c26219371a.exesvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comQQF8GV~1.EXEQMU_E8~1.EXE1OBHLQ~1.EXESY1GTY~1.EXE78_QUS~1.EXEOYGH1M~1.EXENEZXPJ~1.EXEATP9LO~1.EXEOE_BXS~1.EXEBAOLXW~1.EXETWQUDI~1.EXEEH_GUF~1.EXEis-EKJER.tmpBAOLXW~1.tmpsvchost.comsvchost.comejsearcher53.exeTex.exe.pifRugs.exe.pifANSWER~1.EXExvUzZghBVv.exe

pid	process
1984	334f814c3b403562e5bd6cc66d2ace48d97e2e1bab309d9a15de29c26219371a.exe
1400	svchost.com
1752	svchost.com
1668	svchost.com
568	svchost.com
1476	svchost.com
1196	svchost.com
1484	svchost.com
764	svchost.com
1872	svchost.com
1108	svchost.com
1200	svchost.com
2040	svchost.com
1876	QQF8GV~1.EXE
1048	QMU_E8~1.EXE
2068	1OBHLQ~1.EXE
1396	SY1GTY~1.EXE
1012	78_QUS~1.EXE
596	OYGH1M~1.EXE
1748	NEZXPJ~1.EXE
1640	ATP9LO~1.EXE
2056	OE_BXS~1.EXE
2112	BAOLXW~1.EXE
2124	TWQUDI~1.EXE
2148	EH_GUF~1.EXE
2248	is-EKJER.tmp
2324	BAOLXW~1.tmp
2432	svchost.com
2532	svchost.com
2692	ejsearcher53.exe
2876	Tex.exe.pif
2896	Rugs.exe.pif
3048	ANSWER~1.EXE
1752	xvUzZghBVv.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

334f814c3b403562e5bd6cc66d2ace48d97e2e1bab309d9a15de29c26219371a.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\International\Geo\Nation	334f814c3b403562e5bd6cc66d2ace48d97e2e1bab309d9a15de29c26219371a.exe

Loads dropped DLL 64 IoCs

Processes:

334f814c3b403562e5bd6cc66d2ace48d97e2e1bab309d9a15de29c26219371a.exesvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.com

pid	process
784	334f814c3b403562e5bd6cc66d2ace48d97e2e1bab309d9a15de29c26219371a.exe
784	334f814c3b403562e5bd6cc66d2ace48d97e2e1bab309d9a15de29c26219371a.exe
1400	svchost.com
764	svchost.com
1484	svchost.com
1484	svchost.com
1108	svchost.com
1108	svchost.com
1108	svchost.com
1200	svchost.com
1200	svchost.com
1200	svchost.com
1200	svchost.com
568	svchost.com
1400	svchost.com
1200	svchost.com
1752	svchost.com
1752	svchost.com
1752	svchost.com
1752	svchost.com
1752	svchost.com
1752	svchost.com
2040	svchost.com
2040	svchost.com
2040	svchost.com
2040	svchost.com
2040	svchost.com
2040	svchost.com
2040	svchost.com
1108	svchost.com
1108	svchost.com
1484	svchost.com
764	svchost.com
1668	svchost.com
1668	svchost.com
1668	svchost.com
1668	svchost.com
1668	svchost.com
1668	svchost.com
1668	svchost.com
1668	svchost.com
1668	svchost.com
1668	svchost.com
1668	svchost.com
1668	svchost.com
1668	svchost.com
1668	svchost.com
1668	svchost.com
1668	svchost.com
1668	svchost.com
1668	svchost.com
1668	svchost.com
1668	svchost.com
1196	svchost.com
1196	svchost.com
1196	svchost.com
1196	svchost.com
1196	svchost.com
1196	svchost.com
1196	svchost.com
1476	svchost.com
1476	svchost.com
1476	svchost.com
1476	svchost.com

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

OYGH1M~1.EXE78_QUS~1.EXETWQUDI~1.EXESY1GTY~1.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	OYGH1M~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	OYGH1M~1.EXE
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	78_QUS~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	78_QUS~1.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\LOLPA4DESK = "C:\\Program Files (x86)\\ClipManagerP0\\ClipManager_Svc.exe"	TWQUDI~1.EXE
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	SY1GTY~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	SY1GTY~1.EXE

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

11 ipinfo.io
12 ipinfo.io
Suspicious use of SetThreadContext 1 IoCs

Processes:

ATP9LO~1.EXE

description pid process target process

PID 1640 set thread context of 2996 1640 ATP9LO~1.EXE vbc.exe

flow	ioc
11	ipinfo.io
12	ipinfo.io

description	pid	process	target process
PID 1640 set thread context of 2996	1640	ATP9LO~1.EXE	vbc.exe

Drops file in Program Files directory 64 IoCs

Processes:

334f814c3b403562e5bd6cc66d2ace48d97e2e1bab309d9a15de29c26219371a.exesvchost.comis-EKJER.tmpTWQUDI~1.EXE

description	ioc	process
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE	334f814c3b403562e5bd6cc66d2ace48d97e2e1bab309d9a15de29c26219371a.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE	334f814c3b403562e5bd6cc66d2ace48d97e2e1bab309d9a15de29c26219371a.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	334f814c3b403562e5bd6cc66d2ace48d97e2e1bab309d9a15de29c26219371a.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\misc.exe	334f814c3b403562e5bd6cc66d2ace48d97e2e1bab309d9a15de29c26219371a.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE	334f814c3b403562e5bd6cc66d2ace48d97e2e1bab309d9a15de29c26219371a.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmprph.exe	334f814c3b403562e5bd6cc66d2ace48d97e2e1bab309d9a15de29c26219371a.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe	334f814c3b403562e5bd6cc66d2ace48d97e2e1bab309d9a15de29c26219371a.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	334f814c3b403562e5bd6cc66d2ace48d97e2e1bab309d9a15de29c26219371a.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE	334f814c3b403562e5bd6cc66d2ace48d97e2e1bab309d9a15de29c26219371a.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	334f814c3b403562e5bd6cc66d2ace48d97e2e1bab309d9a15de29c26219371a.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\ImagingDevices.exe	svchost.com
File created	C:\Program Files (x86)\ejSearcher\is-Q1QKN.tmp	is-EKJER.tmp
File opened for modification	C:\Program Files (x86)\ejSearcher\unins000.dat	is-EKJER.tmp
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe	334f814c3b403562e5bd6cc66d2ace48d97e2e1bab309d9a15de29c26219371a.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wab.exe	334f814c3b403562e5bd6cc66d2ace48d97e2e1bab309d9a15de29c26219371a.exe
File opened for modification	C:\Program Files (x86)\ClipManagerP0\ClipManager_Svc.exe	TWQUDI~1.EXE
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe	334f814c3b403562e5bd6cc66d2ace48d97e2e1bab309d9a15de29c26219371a.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE	334f814c3b403562e5bd6cc66d2ace48d97e2e1bab309d9a15de29c26219371a.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE	334f814c3b403562e5bd6cc66d2ace48d97e2e1bab309d9a15de29c26219371a.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE	334f814c3b403562e5bd6cc66d2ace48d97e2e1bab309d9a15de29c26219371a.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE	svchost.com
File created	C:\Program Files (x86)\ejSearcher\is-LRDNU.tmp	is-EKJER.tmp
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe	334f814c3b403562e5bd6cc66d2ace48d97e2e1bab309d9a15de29c26219371a.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE	334f814c3b403562e5bd6cc66d2ace48d97e2e1bab309d9a15de29c26219371a.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE	334f814c3b403562e5bd6cc66d2ace48d97e2e1bab309d9a15de29c26219371a.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	334f814c3b403562e5bd6cc66d2ace48d97e2e1bab309d9a15de29c26219371a.exe
File created	C:\Program Files (x86)\ejSearcher\is-4K116.tmp	is-EKJER.tmp
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE	334f814c3b403562e5bd6cc66d2ace48d97e2e1bab309d9a15de29c26219371a.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\OIS.EXE	334f814c3b403562e5bd6cc66d2ace48d97e2e1bab309d9a15de29c26219371a.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE	334f814c3b403562e5bd6cc66d2ace48d97e2e1bab309d9a15de29c26219371a.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\WinMail.exe	334f814c3b403562e5bd6cc66d2ace48d97e2e1bab309d9a15de29c26219371a.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe	334f814c3b403562e5bd6cc66d2ace48d97e2e1bab309d9a15de29c26219371a.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	svchost.com
File created	C:\Program Files (x86)\ClipManagerP0\ClipManager_Svc.exe	TWQUDI~1.EXE
File created	C:\Program Files (x86)\ejSearcher\is-R92PM.tmp	is-EKJER.tmp
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE	334f814c3b403562e5bd6cc66d2ace48d97e2e1bab309d9a15de29c26219371a.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE	334f814c3b403562e5bd6cc66d2ace48d97e2e1bab309d9a15de29c26219371a.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	334f814c3b403562e5bd6cc66d2ace48d97e2e1bab309d9a15de29c26219371a.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	svchost.com
File created	C:\Program Files (x86)\ejSearcher\is-II3LI.tmp	is-EKJER.tmp
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE	334f814c3b403562e5bd6cc66d2ace48d97e2e1bab309d9a15de29c26219371a.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE	334f814c3b403562e5bd6cc66d2ace48d97e2e1bab309d9a15de29c26219371a.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe	334f814c3b403562e5bd6cc66d2ace48d97e2e1bab309d9a15de29c26219371a.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE	334f814c3b403562e5bd6cc66d2ace48d97e2e1bab309d9a15de29c26219371a.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wabmig.exe	334f814c3b403562e5bd6cc66d2ace48d97e2e1bab309d9a15de29c26219371a.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wab.exe	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE	334f814c3b403562e5bd6cc66d2ace48d97e2e1bab309d9a15de29c26219371a.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	334f814c3b403562e5bd6cc66d2ace48d97e2e1bab309d9a15de29c26219371a.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe	svchost.com
File opened for modification	C:\PROGRA~2\WI54FB~1\wmprph.exe	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE	334f814c3b403562e5bd6cc66d2ace48d97e2e1bab309d9a15de29c26219371a.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE	334f814c3b403562e5bd6cc66d2ace48d97e2e1bab309d9a15de29c26219371a.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE	334f814c3b403562e5bd6cc66d2ace48d97e2e1bab309d9a15de29c26219371a.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE	334f814c3b403562e5bd6cc66d2ace48d97e2e1bab309d9a15de29c26219371a.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\setup_wm.exe	svchost.com
File opened for modification	C:\Program Files (x86)\ejSearcher\ejsearcher53.exe	is-EKJER.tmp
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE	334f814c3b403562e5bd6cc66d2ace48d97e2e1bab309d9a15de29c26219371a.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE	334f814c3b403562e5bd6cc66d2ace48d97e2e1bab309d9a15de29c26219371a.exe
File opened for modification	C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE	334f814c3b403562e5bd6cc66d2ace48d97e2e1bab309d9a15de29c26219371a.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe	334f814c3b403562e5bd6cc66d2ace48d97e2e1bab309d9a15de29c26219371a.exe
File created	C:\Program Files (x86)\ejSearcher\unins000.dat	is-EKJER.tmp
File created	C:\Program Files (x86)\ejSearcher\is-52EEI.tmp	is-EKJER.tmp

Drops file in Windows directory 29 IoCs

Processes:

svchost.comsvchost.com334f814c3b403562e5bd6cc66d2ace48d97e2e1bab309d9a15de29c26219371a.exesvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.com

description	ioc	process
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	334f814c3b403562e5bd6cc66d2ace48d97e2e1bab309d9a15de29c26219371a.exe
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

NEZXPJ~1.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	NEZXPJ~1.EXE
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	NEZXPJ~1.EXE
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	NEZXPJ~1.EXE

Enumerates processes with tasklist 1 TTPs 4 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exetasklist.exetasklist.exe

pid process

2744 tasklist.exe
2440 tasklist.exe
2456 tasklist.exe
2772 tasklist.exe

pid	process
2744	tasklist.exe
2440	tasklist.exe
2456	tasklist.exe
2772	tasklist.exe

Modifies registry class 1 IoCs

Processes:

334f814c3b403562e5bd6cc66d2ace48d97e2e1bab309d9a15de29c26219371a.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	334f814c3b403562e5bd6cc66d2ace48d97e2e1bab309d9a15de29c26219371a.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

334f814c3b403562e5bd6cc66d2ace48d97e2e1bab309d9a15de29c26219371a.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	334f814c3b403562e5bd6cc66d2ace48d97e2e1bab309d9a15de29c26219371a.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	334f814c3b403562e5bd6cc66d2ace48d97e2e1bab309d9a15de29c26219371a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	334f814c3b403562e5bd6cc66d2ace48d97e2e1bab309d9a15de29c26219371a.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	334f814c3b403562e5bd6cc66d2ace48d97e2e1bab309d9a15de29c26219371a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	334f814c3b403562e5bd6cc66d2ace48d97e2e1bab309d9a15de29c26219371a.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	334f814c3b403562e5bd6cc66d2ace48d97e2e1bab309d9a15de29c26219371a.exe

Runs ping.exe 1 TTPs 4 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXE

pid process

2912 PING.EXE
2928 PING.EXE
1204 PING.EXE
1076 PING.EXE

pid	process
2912	PING.EXE
2928	PING.EXE
1204	PING.EXE
1076	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

334f814c3b403562e5bd6cc66d2ace48d97e2e1bab309d9a15de29c26219371a.exeNEZXPJ~1.EXETex.exe.pifRugs.exe.pifejsearcher53.exe

pid	process
1984	334f814c3b403562e5bd6cc66d2ace48d97e2e1bab309d9a15de29c26219371a.exe
1984	334f814c3b403562e5bd6cc66d2ace48d97e2e1bab309d9a15de29c26219371a.exe
1984	334f814c3b403562e5bd6cc66d2ace48d97e2e1bab309d9a15de29c26219371a.exe
1984	334f814c3b403562e5bd6cc66d2ace48d97e2e1bab309d9a15de29c26219371a.exe
1748	NEZXPJ~1.EXE
1748	NEZXPJ~1.EXE
1360
1360
1360
1360
1360
1360
1360
2876	Tex.exe.pif
1360
2896	Rugs.exe.pif
2876	Tex.exe.pif
1360
2896	Rugs.exe.pif
1360
2876	Tex.exe.pif
1360
2896	Rugs.exe.pif
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
2692	ejsearcher53.exe
2692	ejsearcher53.exe
2692	ejsearcher53.exe
1360
1360
1360
1360

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

NEZXPJ~1.EXE

pid process

1748 NEZXPJ~1.EXE

pid	process
1748	NEZXPJ~1.EXE

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

tasklist.exetasklist.exetasklist.exetasklist.exeANSWER~1.EXEQQF8GV~1.EXE

description	pid	process
Token: SeDebugPrivilege	2440	tasklist.exe
Token: SeDebugPrivilege	2456	tasklist.exe
Token: SeDebugPrivilege	2744	tasklist.exe
Token: SeDebugPrivilege	2772	tasklist.exe
Token: SeShutdownPrivilege	1360
Token: SeShutdownPrivilege	1360
Token: SeDebugPrivilege	3048	ANSWER~1.EXE
Token: SeDebugPrivilege	1876	QQF8GV~1.EXE

Suspicious use of FindShellTrayWindow 16 IoCs

Processes:

Tex.exe.pifRugs.exe.pif

pid process

2876 Tex.exe.pif
1360
1360
1360
1360
2876 Tex.exe.pif
2876 Tex.exe.pif
1360
1360
2896 Rugs.exe.pif
1360
1360
2896 Rugs.exe.pif
2896 Rugs.exe.pif
1360
1360
Suspicious use of SendNotifyMessage 6 IoCs

Processes:

Tex.exe.pifRugs.exe.pif

pid process

2876 Tex.exe.pif
2876 Tex.exe.pif
2876 Tex.exe.pif
2896 Rugs.exe.pif
2896 Rugs.exe.pif
2896 Rugs.exe.pif

pid	process
2876	Tex.exe.pif
1360
1360
1360
1360
2876	Tex.exe.pif
2876	Tex.exe.pif
1360
1360
2896	Rugs.exe.pif
1360
1360
2896	Rugs.exe.pif
2896	Rugs.exe.pif
1360
1360

pid	process
2876	Tex.exe.pif
2876	Tex.exe.pif
2876	Tex.exe.pif
2896	Rugs.exe.pif
2896	Rugs.exe.pif
2896	Rugs.exe.pif

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

334f814c3b403562e5bd6cc66d2ace48d97e2e1bab309d9a15de29c26219371a.exe334f814c3b403562e5bd6cc66d2ace48d97e2e1bab309d9a15de29c26219371a.exesvchost.comsvchost.comsvchost.com

description	pid	process	target process
PID 784 wrote to memory of 1984	784	334f814c3b403562e5bd6cc66d2ace48d97e2e1bab309d9a15de29c26219371a.exe	334f814c3b403562e5bd6cc66d2ace48d97e2e1bab309d9a15de29c26219371a.exe
PID 784 wrote to memory of 1984	784	334f814c3b403562e5bd6cc66d2ace48d97e2e1bab309d9a15de29c26219371a.exe	334f814c3b403562e5bd6cc66d2ace48d97e2e1bab309d9a15de29c26219371a.exe
PID 784 wrote to memory of 1984	784	334f814c3b403562e5bd6cc66d2ace48d97e2e1bab309d9a15de29c26219371a.exe	334f814c3b403562e5bd6cc66d2ace48d97e2e1bab309d9a15de29c26219371a.exe
PID 784 wrote to memory of 1984	784	334f814c3b403562e5bd6cc66d2ace48d97e2e1bab309d9a15de29c26219371a.exe	334f814c3b403562e5bd6cc66d2ace48d97e2e1bab309d9a15de29c26219371a.exe
PID 1984 wrote to memory of 1752	1984	334f814c3b403562e5bd6cc66d2ace48d97e2e1bab309d9a15de29c26219371a.exe	svchost.com
PID 1984 wrote to memory of 1668	1984	334f814c3b403562e5bd6cc66d2ace48d97e2e1bab309d9a15de29c26219371a.exe	svchost.com
PID 1984 wrote to memory of 1752	1984	334f814c3b403562e5bd6cc66d2ace48d97e2e1bab309d9a15de29c26219371a.exe	svchost.com
PID 1984 wrote to memory of 1668	1984	334f814c3b403562e5bd6cc66d2ace48d97e2e1bab309d9a15de29c26219371a.exe	svchost.com
PID 1984 wrote to memory of 1752	1984	334f814c3b403562e5bd6cc66d2ace48d97e2e1bab309d9a15de29c26219371a.exe	svchost.com
PID 1984 wrote to memory of 1668	1984	334f814c3b403562e5bd6cc66d2ace48d97e2e1bab309d9a15de29c26219371a.exe	svchost.com
PID 1984 wrote to memory of 1752	1984	334f814c3b403562e5bd6cc66d2ace48d97e2e1bab309d9a15de29c26219371a.exe	svchost.com
PID 1984 wrote to memory of 1668	1984	334f814c3b403562e5bd6cc66d2ace48d97e2e1bab309d9a15de29c26219371a.exe	svchost.com
PID 1984 wrote to memory of 568	1984	334f814c3b403562e5bd6cc66d2ace48d97e2e1bab309d9a15de29c26219371a.exe	svchost.com
PID 1984 wrote to memory of 1400	1984	334f814c3b403562e5bd6cc66d2ace48d97e2e1bab309d9a15de29c26219371a.exe	svchost.com
PID 1984 wrote to memory of 568	1984	334f814c3b403562e5bd6cc66d2ace48d97e2e1bab309d9a15de29c26219371a.exe	svchost.com
PID 1984 wrote to memory of 568	1984	334f814c3b403562e5bd6cc66d2ace48d97e2e1bab309d9a15de29c26219371a.exe	svchost.com
PID 1984 wrote to memory of 568	1984	334f814c3b403562e5bd6cc66d2ace48d97e2e1bab309d9a15de29c26219371a.exe	svchost.com
PID 1984 wrote to memory of 1400	1984	334f814c3b403562e5bd6cc66d2ace48d97e2e1bab309d9a15de29c26219371a.exe	svchost.com
PID 1984 wrote to memory of 1400	1984	334f814c3b403562e5bd6cc66d2ace48d97e2e1bab309d9a15de29c26219371a.exe	svchost.com
PID 1984 wrote to memory of 1400	1984	334f814c3b403562e5bd6cc66d2ace48d97e2e1bab309d9a15de29c26219371a.exe	svchost.com
PID 1984 wrote to memory of 1476	1984	334f814c3b403562e5bd6cc66d2ace48d97e2e1bab309d9a15de29c26219371a.exe	svchost.com
PID 1984 wrote to memory of 1476	1984	334f814c3b403562e5bd6cc66d2ace48d97e2e1bab309d9a15de29c26219371a.exe	svchost.com
PID 1984 wrote to memory of 1476	1984	334f814c3b403562e5bd6cc66d2ace48d97e2e1bab309d9a15de29c26219371a.exe	svchost.com
PID 1984 wrote to memory of 1476	1984	334f814c3b403562e5bd6cc66d2ace48d97e2e1bab309d9a15de29c26219371a.exe	svchost.com
PID 1984 wrote to memory of 1200	1984	334f814c3b403562e5bd6cc66d2ace48d97e2e1bab309d9a15de29c26219371a.exe	svchost.com
PID 1984 wrote to memory of 1200	1984	334f814c3b403562e5bd6cc66d2ace48d97e2e1bab309d9a15de29c26219371a.exe	svchost.com
PID 1984 wrote to memory of 1200	1984	334f814c3b403562e5bd6cc66d2ace48d97e2e1bab309d9a15de29c26219371a.exe	svchost.com
PID 1984 wrote to memory of 1200	1984	334f814c3b403562e5bd6cc66d2ace48d97e2e1bab309d9a15de29c26219371a.exe	svchost.com
PID 1984 wrote to memory of 2040	1984	334f814c3b403562e5bd6cc66d2ace48d97e2e1bab309d9a15de29c26219371a.exe	svchost.com
PID 1984 wrote to memory of 2040	1984	334f814c3b403562e5bd6cc66d2ace48d97e2e1bab309d9a15de29c26219371a.exe	svchost.com
PID 1984 wrote to memory of 2040	1984	334f814c3b403562e5bd6cc66d2ace48d97e2e1bab309d9a15de29c26219371a.exe	svchost.com
PID 1984 wrote to memory of 2040	1984	334f814c3b403562e5bd6cc66d2ace48d97e2e1bab309d9a15de29c26219371a.exe	svchost.com
PID 1984 wrote to memory of 1108	1984	334f814c3b403562e5bd6cc66d2ace48d97e2e1bab309d9a15de29c26219371a.exe	svchost.com
PID 1984 wrote to memory of 1108	1984	334f814c3b403562e5bd6cc66d2ace48d97e2e1bab309d9a15de29c26219371a.exe	svchost.com
PID 1984 wrote to memory of 1108	1984	334f814c3b403562e5bd6cc66d2ace48d97e2e1bab309d9a15de29c26219371a.exe	svchost.com
PID 1984 wrote to memory of 1108	1984	334f814c3b403562e5bd6cc66d2ace48d97e2e1bab309d9a15de29c26219371a.exe	svchost.com
PID 1984 wrote to memory of 1872	1984	334f814c3b403562e5bd6cc66d2ace48d97e2e1bab309d9a15de29c26219371a.exe	svchost.com
PID 1984 wrote to memory of 1872	1984	334f814c3b403562e5bd6cc66d2ace48d97e2e1bab309d9a15de29c26219371a.exe	svchost.com
PID 1984 wrote to memory of 1872	1984	334f814c3b403562e5bd6cc66d2ace48d97e2e1bab309d9a15de29c26219371a.exe	svchost.com
PID 1984 wrote to memory of 1872	1984	334f814c3b403562e5bd6cc66d2ace48d97e2e1bab309d9a15de29c26219371a.exe	svchost.com
PID 1984 wrote to memory of 764	1984	334f814c3b403562e5bd6cc66d2ace48d97e2e1bab309d9a15de29c26219371a.exe	svchost.com
PID 1984 wrote to memory of 764	1984	334f814c3b403562e5bd6cc66d2ace48d97e2e1bab309d9a15de29c26219371a.exe	svchost.com
PID 1984 wrote to memory of 764	1984	334f814c3b403562e5bd6cc66d2ace48d97e2e1bab309d9a15de29c26219371a.exe	svchost.com
PID 1984 wrote to memory of 764	1984	334f814c3b403562e5bd6cc66d2ace48d97e2e1bab309d9a15de29c26219371a.exe	svchost.com
PID 1984 wrote to memory of 1196	1984	334f814c3b403562e5bd6cc66d2ace48d97e2e1bab309d9a15de29c26219371a.exe	svchost.com
PID 1984 wrote to memory of 1196	1984	334f814c3b403562e5bd6cc66d2ace48d97e2e1bab309d9a15de29c26219371a.exe	svchost.com
PID 1984 wrote to memory of 1196	1984	334f814c3b403562e5bd6cc66d2ace48d97e2e1bab309d9a15de29c26219371a.exe	svchost.com
PID 1984 wrote to memory of 1196	1984	334f814c3b403562e5bd6cc66d2ace48d97e2e1bab309d9a15de29c26219371a.exe	svchost.com
PID 1984 wrote to memory of 1484	1984	334f814c3b403562e5bd6cc66d2ace48d97e2e1bab309d9a15de29c26219371a.exe	svchost.com
PID 1984 wrote to memory of 1484	1984	334f814c3b403562e5bd6cc66d2ace48d97e2e1bab309d9a15de29c26219371a.exe	svchost.com
PID 1984 wrote to memory of 1484	1984	334f814c3b403562e5bd6cc66d2ace48d97e2e1bab309d9a15de29c26219371a.exe	svchost.com
PID 1984 wrote to memory of 1484	1984	334f814c3b403562e5bd6cc66d2ace48d97e2e1bab309d9a15de29c26219371a.exe	svchost.com
PID 1200 wrote to memory of 1012	1200	svchost.com	78_QUS~1.EXE
PID 1200 wrote to memory of 1012	1200	svchost.com	78_QUS~1.EXE
PID 1200 wrote to memory of 1012	1200	svchost.com	78_QUS~1.EXE
PID 1200 wrote to memory of 1012	1200	svchost.com	78_QUS~1.EXE
PID 568 wrote to memory of 596	568	svchost.com	OYGH1M~1.EXE
PID 568 wrote to memory of 596	568	svchost.com	OYGH1M~1.EXE
PID 568 wrote to memory of 596	568	svchost.com	OYGH1M~1.EXE
PID 568 wrote to memory of 596	568	svchost.com	OYGH1M~1.EXE
PID 2040 wrote to memory of 1876	2040	svchost.com	QQF8GV~1.EXE
PID 2040 wrote to memory of 1876	2040	svchost.com	QQF8GV~1.EXE
PID 2040 wrote to memory of 1876	2040	svchost.com	QQF8GV~1.EXE
PID 2040 wrote to memory of 1876	2040	svchost.com	QQF8GV~1.EXE

C:\Users\Admin\AppData\Local\Temp\334f814c3b403562e5bd6cc66d2ace48d97e2e1bab309d9a15de29c26219371a.exe
"C:\Users\Admin\AppData\Local\Temp\334f814c3b403562e5bd6cc66d2ace48d97e2e1bab309d9a15de29c26219371a.exe"
1⤵
- Modifies system executable filetype association
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:784

C:\Users\Admin\AppData\Local\Temp\3582-490\334f814c3b403562e5bd6cc66d2ace48d97e2e1bab309d9a15de29c26219371a.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\334f814c3b403562e5bd6cc66d2ace48d97e2e1bab309d9a15de29c26219371a.exe"
2⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Checks computer location settings
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1984

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\Pictures\ADOBEF~1\ATP9LO~1.EXE"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:1484

C:\Users\Admin\Pictures\ADOBEF~1\ATP9LO~1.EXE
C:\Users\Admin\Pictures\ADOBEF~1\ATP9LO~1.EXE
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1640

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
5⤵
PID:2996

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\Pictures\ADOBEF~1\BAOLXW~1.EXE" /SP-/VERYSILENT /SUPPRESSMSGBOXES /INSTALLERSHOWNELSEWHERE /pid=747
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:1196

C:\Users\Admin\Pictures\ADOBEF~1\BAOLXW~1.EXE
C:\Users\Admin\Pictures\ADOBEF~1\BAOLXW~1.EXE /SP-/VERYSILENT /SUPPRESSMSGBOXES /INSTALLERSHOWNELSEWHERE /pid=747
4⤵
- Executes dropped EXE
PID:2112

C:\Users\Admin\AppData\Local\Temp\is-P3O2M.tmp\BAOLXW~1.tmp
"C:\Users\Admin\AppData\Local\Temp\is-P3O2M.tmp\BAOLXW~1.tmp" /SL5="$30128,11860388,791040,C:\Users\Admin\Pictures\ADOBEF~1\BAOLXW~1.EXE" /SP-/VERYSILENT /SUPPRESSMSGBOXES /INSTALLERSHOWNELSEWHERE /pid=747
5⤵
- Executes dropped EXE
PID:2324

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\Pictures\ADOBEF~1\OE_BXS~1.EXE"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:764

C:\Users\Admin\Pictures\ADOBEF~1\OE_BXS~1.EXE
C:\Users\Admin\Pictures\ADOBEF~1\OE_BXS~1.EXE
4⤵
- Executes dropped EXE
PID:2056

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Windows\System32\control.exe" .\G7KM.F
5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2432

C:\Windows\SysWOW64\control.exe
C:\Windows\System32\control.exe .\G7KM.F
6⤵
PID:2512

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\G7KM.F
7⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2532

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe Shell32.dll,Control_RunDLL .\G7KM.F
8⤵
PID:2560

C:\Windows\system32\RunDll32.exe
C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\G7KM.F
9⤵
PID:1688

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\G7KM.F
10⤵
PID:2032

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\Pictures\ADOBEF~1\EH_GUF~1.EXE"
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1872

C:\Users\Admin\Pictures\ADOBEF~1\EH_GUF~1.EXE
C:\Users\Admin\Pictures\ADOBEF~1\EH_GUF~1.EXE
4⤵
- Executes dropped EXE
PID:2148

C:\Users\Admin\AppData\Local\Temp\is-9HQT4.tmp\is-EKJER.tmp
"C:\Users\Admin\AppData\Local\Temp\is-9HQT4.tmp\is-EKJER.tmp" /SL4 $7011E "C:\Users\Admin\Pictures\ADOBEF~1\EH_GUF~1.EXE" 2258446 52736
5⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2248

C:\Program Files (x86)\ejSearcher\ejsearcher53.exe
"C:\Program Files (x86)\ejSearcher\ejsearcher53.exe"
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2692

C:\Users\Admin\AppData\Roaming\{846ee340-7039-11de-9d20-806e6f6e6963}\xvUzZghBVv.exe
7⤵
- Executes dropped EXE
PID:1752

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\Pictures\ADOBEF~1\NEZXPJ~1.EXE"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:1108

C:\Users\Admin\Pictures\ADOBEF~1\NEZXPJ~1.EXE
C:\Users\Admin\Pictures\ADOBEF~1\NEZXPJ~1.EXE
4⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1748

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\Pictures\ADOBEF~1\QQF8GV~1.EXE"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2040

C:\Users\Admin\Pictures\ADOBEF~1\QQF8GV~1.EXE
C:\Users\Admin\Pictures\ADOBEF~1\QQF8GV~1.EXE
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1876

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\Pictures\ADOBEF~1\78_QUS~1.EXE"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1200

C:\Users\Admin\Pictures\ADOBEF~1\78_QUS~1.EXE
C:\Users\Admin\Pictures\ADOBEF~1\78_QUS~1.EXE
4⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1012

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ANSWER~1.EXE
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ANSWER~1.EXE
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3048

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\Pictures\ADOBEF~1\TWQUDI~1.EXE"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:1476

C:\Users\Admin\Pictures\ADOBEF~1\TWQUDI~1.EXE
C:\Users\Admin\Pictures\ADOBEF~1\TWQUDI~1.EXE
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
PID:2124

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\Pictures\ADOBEF~1\OYGH1M~1.EXE"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:568

C:\Users\Admin\Pictures\ADOBEF~1\OYGH1M~1.EXE
C:\Users\Admin\Pictures\ADOBEF~1\OYGH1M~1.EXE
4⤵
- Executes dropped EXE
- Adds Run key to start application
PID:596

C:\Windows\SysWOW64\at.exe
at 3874982763784yhwgdfg78234789s42809374918uf
5⤵
PID:2184

C:\Windows\SysWOW64\cmd.exe
cmd /c cmd < Florist.hopp & ping -n 5 localhost
5⤵
PID:2348

C:\Windows\SysWOW64\cmd.exe
cmd
6⤵
PID:2376

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq AvastUI.exe"
7⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2456

C:\Windows\SysWOW64\find.exe
find /I /N "avastui.exe"
7⤵
PID:2480

C:\Windows\SysWOW64\find.exe
find /I /N "avgui.exe"
7⤵
PID:2756

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq AVGUI.exe"
7⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2744

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^iwvLDqTF$" Votes.hopp
7⤵
PID:2844

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tex.exe.pif
Tex.exe.pif l
7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2876

C:\Windows\SysWOW64\PING.EXE
ping localhost -n 5
7⤵
- Runs ping.exe
PID:2928

C:\Windows\SysWOW64\PING.EXE
ping -n 5 localhost
6⤵
- Runs ping.exe
PID:1204

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\Pictures\ADOBEF~1\QMU_E8~1.EXE"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:1400

C:\Users\Admin\Pictures\ADOBEF~1\QMU_E8~1.EXE
C:\Users\Admin\Pictures\ADOBEF~1\QMU_E8~1.EXE
4⤵
- Executes dropped EXE
PID:1048

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\Pictures\ADOBEF~1\SY1GTY~1.EXE"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:1752

C:\Users\Admin\Pictures\ADOBEF~1\SY1GTY~1.EXE
C:\Users\Admin\Pictures\ADOBEF~1\SY1GTY~1.EXE
4⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1396

C:\Windows\SysWOW64\choice.exe
choice 3489834785637788484436574374756367847583
5⤵
PID:2172

C:\Windows\SysWOW64\cmd.exe
cmd /c cmd < Breaks.mil & ping -n 5 localhost
5⤵
PID:2264

C:\Windows\SysWOW64\cmd.exe
cmd
6⤵
PID:2316

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq AvastUI.exe"
7⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2440

C:\Windows\SysWOW64\find.exe
find /I /N "avastui.exe"
7⤵
PID:2468

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq AVGUI.exe"
7⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2772

C:\Windows\SysWOW64\find.exe
find /I /N "avgui.exe"
7⤵
PID:2788

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^toLyftxzuSdNZ$" Battlefield.mil
7⤵
PID:2860

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rugs.exe.pif
Rugs.exe.pif f
7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2896

C:\Windows\SysWOW64\PING.EXE
ping localhost -n 5
7⤵
- Runs ping.exe
PID:2912

C:\Windows\SysWOW64\PING.EXE
ping -n 5 localhost
6⤵
- Runs ping.exe
PID:1076

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\Pictures\ADOBEF~1\1OBHLQ~1.EXE"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
PID:1668

C:\Users\Admin\Pictures\ADOBEF~1\1OBHLQ~1.EXE
C:\Users\Admin\Pictures\ADOBEF~1\1OBHLQ~1.EXE
4⤵
- Executes dropped EXE
PID:2068

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Persistence

Modify Existing Service

T1031

Change Default File Association

T1042

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Scripting

T1064

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Process Discovery

T1057

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3582-490\334f814c3b403562e5bd6cc66d2ace48d97e2e1bab309d9a15de29c26219371a.exe
Filesize
351KB

MD5
312ad3b67a1f3a75637ea9297df1cedb

SHA1
7d922b102a52241d28f1451d3542db12b0265b75

SHA256
3b4c1d0a112668872c1d4f9c9d76087a2afe7a8281a6cb6b972c95fb2f4eb28e

SHA512
848db7d47dc37a9025e3df0dda4fbf1c84d9a9191febae38621d9c9b09342a987ff0587108cccfd874cb900c88c5f9f9ca0548f3027f6515ed85c92fd26f8515

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\334f814c3b403562e5bd6cc66d2ace48d97e2e1bab309d9a15de29c26219371a.exe
Filesize
351KB

MD5
312ad3b67a1f3a75637ea9297df1cedb

SHA1
7d922b102a52241d28f1451d3542db12b0265b75

SHA256
3b4c1d0a112668872c1d4f9c9d76087a2afe7a8281a6cb6b972c95fb2f4eb28e

SHA512
848db7d47dc37a9025e3df0dda4fbf1c84d9a9191febae38621d9c9b09342a987ff0587108cccfd874cb900c88c5f9f9ca0548f3027f6515ed85c92fd26f8515

Download Submit
C:\Users\Admin\Pictures\ADOBEF~1\1OBHLQ~1.EXE
Filesize
562KB

MD5
78f3c5525c16966443b90959685dc52f

SHA1
25348a49322803af781da0437c3203b7e50bab71

SHA256
0b02ee845979ac47a24ca742ca8ff6c6cea8cc6f55d89f84029050cc52ce6df8

SHA512
fb52f1d3b38b2cba69b6e7805bc4d1f25b70d58e78c461936166a330771346d5fa9657ca5045beb45803c6a043a90e080eefcf2531cd9b1473501df8b947c2c3

Download Submit
C:\Users\Admin\Pictures\ADOBEF~1\78_QUS~1.EXE
Filesize
457KB

MD5
9ecafa0a55d800f4293093989b90d595

SHA1
4b7388775266bf7b9edd19ff456f9dcc5a6bcd06

SHA256
914be79c80638787a90cb4d7598ad60a8f39634cb4858489bde36c0e32e235aa

SHA512
d43417b47641d815b99687c3418abb0fad2963f7466eac304d596ac61099f09ba1db3fce3a2b7e15a71f29e27476ef579b9e9200778d277acc470c26bc602b49

Download Submit
C:\Users\Admin\Pictures\ADOBEF~1\ATP9LO~1.EXE
Filesize
183KB

MD5
82b63df4d6b7bc6ede7b9d7dc1f3ca04

SHA1
536e40c3b9c28f93ac266f8568db8c75e9dae513

SHA256
dcf9c213add0b709e865890f479d0acbc3c5e6a768c1b7357fcb763d04a6c64c

SHA512
31c546c369968586a5bb19468ba004e18da8bcc2308f635e82972c8334d456ee03d8df384807c72079251f4b55e6af739d29b814a9a3f3f9ef7f8932c6e3e408

Download Submit
C:\Users\Admin\Pictures\ADOBEF~1\NEZXPJ~1.EXE
Filesize
230KB

MD5
5c8110031b9762388bb004f08388154d

SHA1
a90b0e5eb88d55c9f2febb32607019a20c089c47

SHA256
45d4566be2e73d5414dc2aa682f90344db344e70173d0fdb1af19d999b8592b3

SHA512
b496e276e8f92249d20705435def3b894bcbad5f4c7f036dd33cc4919b25a27f3ca896c0d1ebf1a096d37fa5b963f9b526235fda08e70cdd729bc100e0e05981

Download Submit
C:\Users\Admin\Pictures\ADOBEF~1\OE_BXS~1.EXE
Filesize
1.8MB

MD5
07d8049311419dd1abb29c7482144d89

SHA1
dd6b96ed677d2fbf5b3482b4da7b88f37515ce7a

SHA256
a722b359e206f7b605be6799fa78e1e68592da847de1f65e2821ad3b48cdd8fd

SHA512
d1ed8bc6f02abd35765615921e90258fa4b19660eefa0ccf1ead28f074abc99c28adecc573954036fd2ab2c9375e92af75c375a34f79e50152976837364aac61

Download Submit
C:\Users\Admin\Pictures\ADOBEF~1\OYGH1M~1.EXE
Filesize
941KB

MD5
2092922a347423590e96cfd6e3229f7a

SHA1
141d4659bbad7b2fb8cf04bf8c1c3d2bcd4b720e

SHA256
85e5b6c3109f53edf81c55aef3f08cf321e350c7353a5d9774f927f77052bf2a

SHA512
54e235b2f181f221fc3927080f38b70a2de1844955640edc8dc4af88b258ee7acdd0e81ae06c2255ef4927ba81da2d1674aa6ec784f05659acb2fda19c08aeab

Download Submit
C:\Users\Admin\Pictures\ADOBEF~1\QMU_E8~1.EXE
Filesize
7.3MB

MD5
8bb3b16e124a75a48c684eb395995322

SHA1
cdc793f6503b1ae1a072abab0870a24119afab9a

SHA256
f347aa64f4fff81704e49522c50fa1a40c75fe3293d5563ae97035270afd19ae

SHA512
63b30da3d3124530bd3d001d9fb30a2c91dc29f6d453818103294f0172529e632c128f0f5c724051131fb520f8e8c6bb687a52ee8af4992c5d79170f97cbbe08

Download Submit
C:\Users\Admin\Pictures\ADOBEF~1\QQF8GV~1.EXE
Filesize
137KB

MD5
3e7476424f53cb86bde748a440f853a6

SHA1
8b5a86f7005196149a662df06ee7767be6bd403f

SHA256
88f86bd0c315b807570a8330266fe9c8f04f04cef5c06de8f9f82eda57f10531

SHA512
09b9b8f7343f74023e3978d6adf9e5d0d4704e0e025c8f7810584b1a35eb668ca1b2ea00478576160e2c59ccd27cd96c6afa2c8970718c236d0aa37dd527a77c

Download Submit
C:\Users\Admin\Pictures\ADOBEF~1\SY1GTY~1.EXE
Filesize
784KB

MD5
fb0a9f453cc6cf88013aadd259a0d9be

SHA1
ce1bdf4c9847f106b45d9fe1ee08fbf5dc1b4901

SHA256
bc0537fefe3aa3f33b174df04a1b1e0d1d837f91c0350b0f5a9cacfcde5f9ef5

SHA512
0ff9b366a7ed33d58d2204c298ef8757898788d25b806006d803aca9dc9ceeec1968e18b328d33859ae862ee527f8145b0868577f535ecdedb8d50f64486ac16

Download Submit
C:\Users\Admin\Pictures\Adobe Films\qQf8gV7ZmnMqHhL7Bhqu_IhR.exe
Filesize
137KB

MD5
3e7476424f53cb86bde748a440f853a6

SHA1
8b5a86f7005196149a662df06ee7767be6bd403f

SHA256
88f86bd0c315b807570a8330266fe9c8f04f04cef5c06de8f9f82eda57f10531

SHA512
09b9b8f7343f74023e3978d6adf9e5d0d4704e0e025c8f7810584b1a35eb668ca1b2ea00478576160e2c59ccd27cd96c6afa2c8970718c236d0aa37dd527a77c

Download Submit
C:\Windows\directx.sys
Filesize
282B

MD5
8309507b0bb85af19457b7d0c6693c16

SHA1
f70fc18364a3d7710a4cfd4c212b617fdb77231c

SHA256
3b782cde35c26cb396ab37d4b8ef2f9364dcae5b02324403bc5c3c56e6acc879

SHA512
33d5e4b8f4f6628de865e1d7412e5eb08f844e639431a42c8bbec432ed46721ad79d6427d2fcb7a0ff533eeccca8f043a890932a043d7961c227d4d16d2edb59

Download Submit
C:\Windows\directx.sys
Filesize
329B

MD5
9f3c6ecb13d88df690e534e6ff4f24d2

SHA1
5d65ec6882591d08f1f94a588a0df81f1e729cfd

SHA256
5eab5ae004276ae7b98cdd289119d8e091732e25ff39160773c520632e56a47b

SHA512
f01af0060f310d1f17b2cae7561a83e149622a62966e8447e61811586f9eac199541f751a4537168b311438a98c98a122eb63dc5abef16e946bbb9350649d7ee

Download Submit
C:\Windows\directx.sys
Filesize
329B

MD5
9f3c6ecb13d88df690e534e6ff4f24d2

SHA1
5d65ec6882591d08f1f94a588a0df81f1e729cfd

SHA256
5eab5ae004276ae7b98cdd289119d8e091732e25ff39160773c520632e56a47b

SHA512
f01af0060f310d1f17b2cae7561a83e149622a62966e8447e61811586f9eac199541f751a4537168b311438a98c98a122eb63dc5abef16e946bbb9350649d7ee

Download Submit
C:\Windows\directx.sys
Filesize
329B

MD5
9f3c6ecb13d88df690e534e6ff4f24d2

SHA1
5d65ec6882591d08f1f94a588a0df81f1e729cfd

SHA256
5eab5ae004276ae7b98cdd289119d8e091732e25ff39160773c520632e56a47b

SHA512
f01af0060f310d1f17b2cae7561a83e149622a62966e8447e61811586f9eac199541f751a4537168b311438a98c98a122eb63dc5abef16e946bbb9350649d7ee

Download Submit
C:\Windows\directx.sys
Filesize
329B

MD5
9f3c6ecb13d88df690e534e6ff4f24d2

SHA1
5d65ec6882591d08f1f94a588a0df81f1e729cfd

SHA256
5eab5ae004276ae7b98cdd289119d8e091732e25ff39160773c520632e56a47b

SHA512
f01af0060f310d1f17b2cae7561a83e149622a62966e8447e61811586f9eac199541f751a4537168b311438a98c98a122eb63dc5abef16e946bbb9350649d7ee

Download Submit
C:\Windows\directx.sys
Filesize
329B

MD5
9f3c6ecb13d88df690e534e6ff4f24d2

SHA1
5d65ec6882591d08f1f94a588a0df81f1e729cfd

SHA256
5eab5ae004276ae7b98cdd289119d8e091732e25ff39160773c520632e56a47b

SHA512
f01af0060f310d1f17b2cae7561a83e149622a62966e8447e61811586f9eac199541f751a4537168b311438a98c98a122eb63dc5abef16e946bbb9350649d7ee

Download Submit
C:\Windows\directx.sys
Filesize
329B

MD5
9f3c6ecb13d88df690e534e6ff4f24d2

SHA1
5d65ec6882591d08f1f94a588a0df81f1e729cfd

SHA256
5eab5ae004276ae7b98cdd289119d8e091732e25ff39160773c520632e56a47b

SHA512
f01af0060f310d1f17b2cae7561a83e149622a62966e8447e61811586f9eac199541f751a4537168b311438a98c98a122eb63dc5abef16e946bbb9350649d7ee

Download Submit
C:\Windows\svchost.com
Filesize
40KB

MD5
f3c074be013e4f07e318ac9f67e78890

SHA1
701203648f868ef138cad15593b3a595a83134bb

SHA256
fe1353098dd897199bf36401fca1281facb245b0fba1250a7ce69455cfc715b7

SHA512
732b370e76bb1093ba6eefd4cbbb25075ccaefb063e2e1d397fec42257addb680c4c108bb5fecd96ca7d942bb367fcfb390bb80c8ad70a6292fcd1f611ad73fc

Download Submit
C:\Windows\svchost.com
Filesize
40KB

MD5
f3c074be013e4f07e318ac9f67e78890

SHA1
701203648f868ef138cad15593b3a595a83134bb

SHA256
fe1353098dd897199bf36401fca1281facb245b0fba1250a7ce69455cfc715b7

SHA512
732b370e76bb1093ba6eefd4cbbb25075ccaefb063e2e1d397fec42257addb680c4c108bb5fecd96ca7d942bb367fcfb390bb80c8ad70a6292fcd1f611ad73fc

Download Submit
C:\Windows\svchost.com
Filesize
40KB

MD5
f3c074be013e4f07e318ac9f67e78890

SHA1
701203648f868ef138cad15593b3a595a83134bb

SHA256
fe1353098dd897199bf36401fca1281facb245b0fba1250a7ce69455cfc715b7

SHA512
732b370e76bb1093ba6eefd4cbbb25075ccaefb063e2e1d397fec42257addb680c4c108bb5fecd96ca7d942bb367fcfb390bb80c8ad70a6292fcd1f611ad73fc

Download Submit
C:\Windows\svchost.com
Filesize
40KB

MD5
f3c074be013e4f07e318ac9f67e78890

SHA1
701203648f868ef138cad15593b3a595a83134bb

SHA256
fe1353098dd897199bf36401fca1281facb245b0fba1250a7ce69455cfc715b7

SHA512
732b370e76bb1093ba6eefd4cbbb25075ccaefb063e2e1d397fec42257addb680c4c108bb5fecd96ca7d942bb367fcfb390bb80c8ad70a6292fcd1f611ad73fc

Download Submit
C:\Windows\svchost.com
Filesize
40KB

MD5
f3c074be013e4f07e318ac9f67e78890

SHA1
701203648f868ef138cad15593b3a595a83134bb

SHA256
fe1353098dd897199bf36401fca1281facb245b0fba1250a7ce69455cfc715b7

SHA512
732b370e76bb1093ba6eefd4cbbb25075ccaefb063e2e1d397fec42257addb680c4c108bb5fecd96ca7d942bb367fcfb390bb80c8ad70a6292fcd1f611ad73fc

Download Submit
C:\Windows\svchost.com
Filesize
40KB

MD5
f3c074be013e4f07e318ac9f67e78890

SHA1
701203648f868ef138cad15593b3a595a83134bb

SHA256
fe1353098dd897199bf36401fca1281facb245b0fba1250a7ce69455cfc715b7

SHA512
732b370e76bb1093ba6eefd4cbbb25075ccaefb063e2e1d397fec42257addb680c4c108bb5fecd96ca7d942bb367fcfb390bb80c8ad70a6292fcd1f611ad73fc

Download Submit
C:\Windows\svchost.com
Filesize
40KB

MD5
f3c074be013e4f07e318ac9f67e78890

SHA1
701203648f868ef138cad15593b3a595a83134bb

SHA256
fe1353098dd897199bf36401fca1281facb245b0fba1250a7ce69455cfc715b7

SHA512
732b370e76bb1093ba6eefd4cbbb25075ccaefb063e2e1d397fec42257addb680c4c108bb5fecd96ca7d942bb367fcfb390bb80c8ad70a6292fcd1f611ad73fc

Download Submit
C:\Windows\svchost.com
Filesize
40KB

MD5
f3c074be013e4f07e318ac9f67e78890

SHA1
701203648f868ef138cad15593b3a595a83134bb

SHA256
fe1353098dd897199bf36401fca1281facb245b0fba1250a7ce69455cfc715b7

SHA512
732b370e76bb1093ba6eefd4cbbb25075ccaefb063e2e1d397fec42257addb680c4c108bb5fecd96ca7d942bb367fcfb390bb80c8ad70a6292fcd1f611ad73fc

Download Submit
C:\Windows\svchost.com
Filesize
40KB

MD5
f3c074be013e4f07e318ac9f67e78890

SHA1
701203648f868ef138cad15593b3a595a83134bb

SHA256
fe1353098dd897199bf36401fca1281facb245b0fba1250a7ce69455cfc715b7

SHA512
732b370e76bb1093ba6eefd4cbbb25075ccaefb063e2e1d397fec42257addb680c4c108bb5fecd96ca7d942bb367fcfb390bb80c8ad70a6292fcd1f611ad73fc

Download Submit
C:\Windows\svchost.com
Filesize
40KB

MD5
f3c074be013e4f07e318ac9f67e78890

SHA1
701203648f868ef138cad15593b3a595a83134bb

SHA256
fe1353098dd897199bf36401fca1281facb245b0fba1250a7ce69455cfc715b7

SHA512
732b370e76bb1093ba6eefd4cbbb25075ccaefb063e2e1d397fec42257addb680c4c108bb5fecd96ca7d942bb367fcfb390bb80c8ad70a6292fcd1f611ad73fc

Download Submit
C:\Windows\svchost.com
Filesize
40KB

MD5
f3c074be013e4f07e318ac9f67e78890

SHA1
701203648f868ef138cad15593b3a595a83134bb

SHA256
fe1353098dd897199bf36401fca1281facb245b0fba1250a7ce69455cfc715b7

SHA512
732b370e76bb1093ba6eefd4cbbb25075ccaefb063e2e1d397fec42257addb680c4c108bb5fecd96ca7d942bb367fcfb390bb80c8ad70a6292fcd1f611ad73fc

Download Submit
C:\Windows\svchost.com
Filesize
40KB

MD5
f3c074be013e4f07e318ac9f67e78890

SHA1
701203648f868ef138cad15593b3a595a83134bb

SHA256
fe1353098dd897199bf36401fca1281facb245b0fba1250a7ce69455cfc715b7

SHA512
732b370e76bb1093ba6eefd4cbbb25075ccaefb063e2e1d397fec42257addb680c4c108bb5fecd96ca7d942bb367fcfb390bb80c8ad70a6292fcd1f611ad73fc

Download Submit
C:\Windows\svchost.com
Filesize
40KB

MD5
f3c074be013e4f07e318ac9f67e78890

SHA1
701203648f868ef138cad15593b3a595a83134bb

SHA256
fe1353098dd897199bf36401fca1281facb245b0fba1250a7ce69455cfc715b7

SHA512
732b370e76bb1093ba6eefd4cbbb25075ccaefb063e2e1d397fec42257addb680c4c108bb5fecd96ca7d942bb367fcfb390bb80c8ad70a6292fcd1f611ad73fc

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
Filesize
252KB

MD5
9e2b9928c89a9d0da1d3e8f4bd96afa7

SHA1
ec66cda99f44b62470c6930e5afda061579cde35

SHA256
8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

SHA512
2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\334f814c3b403562e5bd6cc66d2ace48d97e2e1bab309d9a15de29c26219371a.exe
Filesize
351KB

MD5
312ad3b67a1f3a75637ea9297df1cedb

SHA1
7d922b102a52241d28f1451d3542db12b0265b75

SHA256
3b4c1d0a112668872c1d4f9c9d76087a2afe7a8281a6cb6b972c95fb2f4eb28e

SHA512
848db7d47dc37a9025e3df0dda4fbf1c84d9a9191febae38621d9c9b09342a987ff0587108cccfd874cb900c88c5f9f9ca0548f3027f6515ed85c92fd26f8515

Download Submit
\Users\Admin\Pictures\Adobe Films\1OBHlQ5Cxv0HWx5nJaDLb7BR.exe
Filesize
562KB

MD5
78f3c5525c16966443b90959685dc52f

SHA1
25348a49322803af781da0437c3203b7e50bab71

SHA256
0b02ee845979ac47a24ca742ca8ff6c6cea8cc6f55d89f84029050cc52ce6df8

SHA512
fb52f1d3b38b2cba69b6e7805bc4d1f25b70d58e78c461936166a330771346d5fa9657ca5045beb45803c6a043a90e080eefcf2531cd9b1473501df8b947c2c3

Download Submit
\Users\Admin\Pictures\Adobe Films\1OBHlQ5Cxv0HWx5nJaDLb7BR.exe
Filesize
562KB

MD5
78f3c5525c16966443b90959685dc52f

SHA1
25348a49322803af781da0437c3203b7e50bab71

SHA256
0b02ee845979ac47a24ca742ca8ff6c6cea8cc6f55d89f84029050cc52ce6df8

SHA512
fb52f1d3b38b2cba69b6e7805bc4d1f25b70d58e78c461936166a330771346d5fa9657ca5045beb45803c6a043a90e080eefcf2531cd9b1473501df8b947c2c3

Download Submit
\Users\Admin\Pictures\Adobe Films\1OBHlQ5Cxv0HWx5nJaDLb7BR.exe
Filesize
562KB

MD5
78f3c5525c16966443b90959685dc52f

SHA1
25348a49322803af781da0437c3203b7e50bab71

SHA256
0b02ee845979ac47a24ca742ca8ff6c6cea8cc6f55d89f84029050cc52ce6df8

SHA512
fb52f1d3b38b2cba69b6e7805bc4d1f25b70d58e78c461936166a330771346d5fa9657ca5045beb45803c6a043a90e080eefcf2531cd9b1473501df8b947c2c3

Download Submit
\Users\Admin\Pictures\Adobe Films\1OBHlQ5Cxv0HWx5nJaDLb7BR.exe
Filesize
562KB

MD5
78f3c5525c16966443b90959685dc52f

SHA1
25348a49322803af781da0437c3203b7e50bab71

SHA256
0b02ee845979ac47a24ca742ca8ff6c6cea8cc6f55d89f84029050cc52ce6df8

SHA512
fb52f1d3b38b2cba69b6e7805bc4d1f25b70d58e78c461936166a330771346d5fa9657ca5045beb45803c6a043a90e080eefcf2531cd9b1473501df8b947c2c3

Download Submit
\Users\Admin\Pictures\Adobe Films\1OBHlQ5Cxv0HWx5nJaDLb7BR.exe
Filesize
562KB

MD5
78f3c5525c16966443b90959685dc52f

SHA1
25348a49322803af781da0437c3203b7e50bab71

SHA256
0b02ee845979ac47a24ca742ca8ff6c6cea8cc6f55d89f84029050cc52ce6df8

SHA512
fb52f1d3b38b2cba69b6e7805bc4d1f25b70d58e78c461936166a330771346d5fa9657ca5045beb45803c6a043a90e080eefcf2531cd9b1473501df8b947c2c3

Download Submit
\Users\Admin\Pictures\Adobe Films\1OBHlQ5Cxv0HWx5nJaDLb7BR.exe
Filesize
562KB

MD5
78f3c5525c16966443b90959685dc52f

SHA1
25348a49322803af781da0437c3203b7e50bab71

SHA256
0b02ee845979ac47a24ca742ca8ff6c6cea8cc6f55d89f84029050cc52ce6df8

SHA512
fb52f1d3b38b2cba69b6e7805bc4d1f25b70d58e78c461936166a330771346d5fa9657ca5045beb45803c6a043a90e080eefcf2531cd9b1473501df8b947c2c3

Download Submit
\Users\Admin\Pictures\Adobe Films\1OBHlQ5Cxv0HWx5nJaDLb7BR.exe
Filesize
562KB

MD5
78f3c5525c16966443b90959685dc52f

SHA1
25348a49322803af781da0437c3203b7e50bab71

SHA256
0b02ee845979ac47a24ca742ca8ff6c6cea8cc6f55d89f84029050cc52ce6df8

SHA512
fb52f1d3b38b2cba69b6e7805bc4d1f25b70d58e78c461936166a330771346d5fa9657ca5045beb45803c6a043a90e080eefcf2531cd9b1473501df8b947c2c3

Download Submit
\Users\Admin\Pictures\Adobe Films\78_qUS4swsCP3w2O5P6zOyHa.exe
Filesize
457KB

MD5
9ecafa0a55d800f4293093989b90d595

SHA1
4b7388775266bf7b9edd19ff456f9dcc5a6bcd06

SHA256
914be79c80638787a90cb4d7598ad60a8f39634cb4858489bde36c0e32e235aa

SHA512
d43417b47641d815b99687c3418abb0fad2963f7466eac304d596ac61099f09ba1db3fce3a2b7e15a71f29e27476ef579b9e9200778d277acc470c26bc602b49

Download Submit
\Users\Admin\Pictures\Adobe Films\78_qUS4swsCP3w2O5P6zOyHa.exe
Filesize
457KB

MD5
9ecafa0a55d800f4293093989b90d595

SHA1
4b7388775266bf7b9edd19ff456f9dcc5a6bcd06

SHA256
914be79c80638787a90cb4d7598ad60a8f39634cb4858489bde36c0e32e235aa

SHA512
d43417b47641d815b99687c3418abb0fad2963f7466eac304d596ac61099f09ba1db3fce3a2b7e15a71f29e27476ef579b9e9200778d277acc470c26bc602b49

Download Submit
\Users\Admin\Pictures\Adobe Films\78_qUS4swsCP3w2O5P6zOyHa.exe
Filesize
457KB

MD5
9ecafa0a55d800f4293093989b90d595

SHA1
4b7388775266bf7b9edd19ff456f9dcc5a6bcd06

SHA256
914be79c80638787a90cb4d7598ad60a8f39634cb4858489bde36c0e32e235aa

SHA512
d43417b47641d815b99687c3418abb0fad2963f7466eac304d596ac61099f09ba1db3fce3a2b7e15a71f29e27476ef579b9e9200778d277acc470c26bc602b49

Download Submit
\Users\Admin\Pictures\Adobe Films\Sy1gTyELuAPk1ZrBeP_tfXMP.exe
Filesize
784KB

MD5
fb0a9f453cc6cf88013aadd259a0d9be

SHA1
ce1bdf4c9847f106b45d9fe1ee08fbf5dc1b4901

SHA256
bc0537fefe3aa3f33b174df04a1b1e0d1d837f91c0350b0f5a9cacfcde5f9ef5

SHA512
0ff9b366a7ed33d58d2204c298ef8757898788d25b806006d803aca9dc9ceeec1968e18b328d33859ae862ee527f8145b0868577f535ecdedb8d50f64486ac16

Download Submit
\Users\Admin\Pictures\Adobe Films\Sy1gTyELuAPk1ZrBeP_tfXMP.exe
Filesize
784KB

MD5
fb0a9f453cc6cf88013aadd259a0d9be

SHA1
ce1bdf4c9847f106b45d9fe1ee08fbf5dc1b4901

SHA256
bc0537fefe3aa3f33b174df04a1b1e0d1d837f91c0350b0f5a9cacfcde5f9ef5

SHA512
0ff9b366a7ed33d58d2204c298ef8757898788d25b806006d803aca9dc9ceeec1968e18b328d33859ae862ee527f8145b0868577f535ecdedb8d50f64486ac16

Download Submit
\Users\Admin\Pictures\Adobe Films\aTp9lo99LozJUmN8x2Jpue12.exe
Filesize
183KB

MD5
82b63df4d6b7bc6ede7b9d7dc1f3ca04

SHA1
536e40c3b9c28f93ac266f8568db8c75e9dae513

SHA256
dcf9c213add0b709e865890f479d0acbc3c5e6a768c1b7357fcb763d04a6c64c

SHA512
31c546c369968586a5bb19468ba004e18da8bcc2308f635e82972c8334d456ee03d8df384807c72079251f4b55e6af739d29b814a9a3f3f9ef7f8932c6e3e408

Download Submit
\Users\Admin\Pictures\Adobe Films\aTp9lo99LozJUmN8x2Jpue12.exe
Filesize
183KB

MD5
82b63df4d6b7bc6ede7b9d7dc1f3ca04

SHA1
536e40c3b9c28f93ac266f8568db8c75e9dae513

SHA256
dcf9c213add0b709e865890f479d0acbc3c5e6a768c1b7357fcb763d04a6c64c

SHA512
31c546c369968586a5bb19468ba004e18da8bcc2308f635e82972c8334d456ee03d8df384807c72079251f4b55e6af739d29b814a9a3f3f9ef7f8932c6e3e408

Download Submit
\Users\Admin\Pictures\Adobe Films\aTp9lo99LozJUmN8x2Jpue12.exe
Filesize
183KB

MD5
82b63df4d6b7bc6ede7b9d7dc1f3ca04

SHA1
536e40c3b9c28f93ac266f8568db8c75e9dae513

SHA256
dcf9c213add0b709e865890f479d0acbc3c5e6a768c1b7357fcb763d04a6c64c

SHA512
31c546c369968586a5bb19468ba004e18da8bcc2308f635e82972c8334d456ee03d8df384807c72079251f4b55e6af739d29b814a9a3f3f9ef7f8932c6e3e408

Download Submit
\Users\Admin\Pictures\Adobe Films\aTp9lo99LozJUmN8x2Jpue12.exe
Filesize
183KB

MD5
82b63df4d6b7bc6ede7b9d7dc1f3ca04

SHA1
536e40c3b9c28f93ac266f8568db8c75e9dae513

SHA256
dcf9c213add0b709e865890f479d0acbc3c5e6a768c1b7357fcb763d04a6c64c

SHA512
31c546c369968586a5bb19468ba004e18da8bcc2308f635e82972c8334d456ee03d8df384807c72079251f4b55e6af739d29b814a9a3f3f9ef7f8932c6e3e408

Download Submit
\Users\Admin\Pictures\Adobe Films\aTp9lo99LozJUmN8x2Jpue12.exe
Filesize
183KB

MD5
82b63df4d6b7bc6ede7b9d7dc1f3ca04

SHA1
536e40c3b9c28f93ac266f8568db8c75e9dae513

SHA256
dcf9c213add0b709e865890f479d0acbc3c5e6a768c1b7357fcb763d04a6c64c

SHA512
31c546c369968586a5bb19468ba004e18da8bcc2308f635e82972c8334d456ee03d8df384807c72079251f4b55e6af739d29b814a9a3f3f9ef7f8932c6e3e408

Download Submit
\Users\Admin\Pictures\Adobe Films\nezxPJu1OrBJBO2YaZIyoSyc.exe
Filesize
230KB

MD5
5c8110031b9762388bb004f08388154d

SHA1
a90b0e5eb88d55c9f2febb32607019a20c089c47

SHA256
45d4566be2e73d5414dc2aa682f90344db344e70173d0fdb1af19d999b8592b3

SHA512
b496e276e8f92249d20705435def3b894bcbad5f4c7f036dd33cc4919b25a27f3ca896c0d1ebf1a096d37fa5b963f9b526235fda08e70cdd729bc100e0e05981

Download Submit
\Users\Admin\Pictures\Adobe Films\nezxPJu1OrBJBO2YaZIyoSyc.exe
Filesize
230KB

MD5
5c8110031b9762388bb004f08388154d

SHA1
a90b0e5eb88d55c9f2febb32607019a20c089c47

SHA256
45d4566be2e73d5414dc2aa682f90344db344e70173d0fdb1af19d999b8592b3

SHA512
b496e276e8f92249d20705435def3b894bcbad5f4c7f036dd33cc4919b25a27f3ca896c0d1ebf1a096d37fa5b963f9b526235fda08e70cdd729bc100e0e05981

Download Submit
\Users\Admin\Pictures\Adobe Films\nezxPJu1OrBJBO2YaZIyoSyc.exe
Filesize
230KB

MD5
5c8110031b9762388bb004f08388154d

SHA1
a90b0e5eb88d55c9f2febb32607019a20c089c47

SHA256
45d4566be2e73d5414dc2aa682f90344db344e70173d0fdb1af19d999b8592b3

SHA512
b496e276e8f92249d20705435def3b894bcbad5f4c7f036dd33cc4919b25a27f3ca896c0d1ebf1a096d37fa5b963f9b526235fda08e70cdd729bc100e0e05981

Download Submit
\Users\Admin\Pictures\Adobe Films\nezxPJu1OrBJBO2YaZIyoSyc.exe
Filesize
230KB

MD5
5c8110031b9762388bb004f08388154d

SHA1
a90b0e5eb88d55c9f2febb32607019a20c089c47

SHA256
45d4566be2e73d5414dc2aa682f90344db344e70173d0fdb1af19d999b8592b3

SHA512
b496e276e8f92249d20705435def3b894bcbad5f4c7f036dd33cc4919b25a27f3ca896c0d1ebf1a096d37fa5b963f9b526235fda08e70cdd729bc100e0e05981

Download Submit
\Users\Admin\Pictures\Adobe Films\nezxPJu1OrBJBO2YaZIyoSyc.exe
Filesize
230KB

MD5
5c8110031b9762388bb004f08388154d

SHA1
a90b0e5eb88d55c9f2febb32607019a20c089c47

SHA256
45d4566be2e73d5414dc2aa682f90344db344e70173d0fdb1af19d999b8592b3

SHA512
b496e276e8f92249d20705435def3b894bcbad5f4c7f036dd33cc4919b25a27f3ca896c0d1ebf1a096d37fa5b963f9b526235fda08e70cdd729bc100e0e05981

Download Submit
\Users\Admin\Pictures\Adobe Films\oYGh1M7pAk78B3S74r52kYUE.exe
Filesize
941KB

MD5
2092922a347423590e96cfd6e3229f7a

SHA1
141d4659bbad7b2fb8cf04bf8c1c3d2bcd4b720e

SHA256
85e5b6c3109f53edf81c55aef3f08cf321e350c7353a5d9774f927f77052bf2a

SHA512
54e235b2f181f221fc3927080f38b70a2de1844955640edc8dc4af88b258ee7acdd0e81ae06c2255ef4927ba81da2d1674aa6ec784f05659acb2fda19c08aeab

Download Submit
\Users\Admin\Pictures\Adobe Films\qQf8gV7ZmnMqHhL7Bhqu_IhR.exe
Filesize
137KB

MD5
3e7476424f53cb86bde748a440f853a6

SHA1
8b5a86f7005196149a662df06ee7767be6bd403f

SHA256
88f86bd0c315b807570a8330266fe9c8f04f04cef5c06de8f9f82eda57f10531

SHA512
09b9b8f7343f74023e3978d6adf9e5d0d4704e0e025c8f7810584b1a35eb668ca1b2ea00478576160e2c59ccd27cd96c6afa2c8970718c236d0aa37dd527a77c

Download Submit
\Users\Admin\Pictures\Adobe Films\qmu_e88jw_eFcHbOjzO809Cw.exe
Filesize
7.3MB

MD5
8bb3b16e124a75a48c684eb395995322

SHA1
cdc793f6503b1ae1a072abab0870a24119afab9a

SHA256
f347aa64f4fff81704e49522c50fa1a40c75fe3293d5563ae97035270afd19ae

SHA512
63b30da3d3124530bd3d001d9fb30a2c91dc29f6d453818103294f0172529e632c128f0f5c724051131fb520f8e8c6bb687a52ee8af4992c5d79170f97cbbe08

Download Submit
\Users\Admin\Pictures\Adobe Films\qmu_e88jw_eFcHbOjzO809Cw.exe
Filesize
7.3MB

MD5
8bb3b16e124a75a48c684eb395995322

SHA1
cdc793f6503b1ae1a072abab0870a24119afab9a

SHA256
f347aa64f4fff81704e49522c50fa1a40c75fe3293d5563ae97035270afd19ae

SHA512
63b30da3d3124530bd3d001d9fb30a2c91dc29f6d453818103294f0172529e632c128f0f5c724051131fb520f8e8c6bb687a52ee8af4992c5d79170f97cbbe08

Download Submit
\Users\Admin\Pictures\Adobe Films\qmu_e88jw_eFcHbOjzO809Cw.exe
Filesize
7.3MB

MD5
8bb3b16e124a75a48c684eb395995322

SHA1
cdc793f6503b1ae1a072abab0870a24119afab9a

SHA256
f347aa64f4fff81704e49522c50fa1a40c75fe3293d5563ae97035270afd19ae

SHA512
63b30da3d3124530bd3d001d9fb30a2c91dc29f6d453818103294f0172529e632c128f0f5c724051131fb520f8e8c6bb687a52ee8af4992c5d79170f97cbbe08

Download Submit
\Users\Admin\Pictures\Adobe Films\qmu_e88jw_eFcHbOjzO809Cw.exe
Filesize
7.3MB

MD5
8bb3b16e124a75a48c684eb395995322

SHA1
cdc793f6503b1ae1a072abab0870a24119afab9a

SHA256
f347aa64f4fff81704e49522c50fa1a40c75fe3293d5563ae97035270afd19ae

SHA512
63b30da3d3124530bd3d001d9fb30a2c91dc29f6d453818103294f0172529e632c128f0f5c724051131fb520f8e8c6bb687a52ee8af4992c5d79170f97cbbe08

Download Submit
\Users\Admin\Pictures\Adobe Films\qmu_e88jw_eFcHbOjzO809Cw.exe
Filesize
7.3MB

MD5
8bb3b16e124a75a48c684eb395995322

SHA1
cdc793f6503b1ae1a072abab0870a24119afab9a

SHA256
f347aa64f4fff81704e49522c50fa1a40c75fe3293d5563ae97035270afd19ae

SHA512
63b30da3d3124530bd3d001d9fb30a2c91dc29f6d453818103294f0172529e632c128f0f5c724051131fb520f8e8c6bb687a52ee8af4992c5d79170f97cbbe08

Download Submit
\Users\Admin\Pictures\Adobe Films\qmu_e88jw_eFcHbOjzO809Cw.exe
Filesize
7.3MB

MD5
8bb3b16e124a75a48c684eb395995322

SHA1
cdc793f6503b1ae1a072abab0870a24119afab9a

SHA256
f347aa64f4fff81704e49522c50fa1a40c75fe3293d5563ae97035270afd19ae

SHA512
63b30da3d3124530bd3d001d9fb30a2c91dc29f6d453818103294f0172529e632c128f0f5c724051131fb520f8e8c6bb687a52ee8af4992c5d79170f97cbbe08

Download Submit
memory/568-65-0x0000000000000000-mapping.dmp

Download
memory/596-144-0x0000000000000000-mapping.dmp

Download
memory/764-72-0x0000000000000000-mapping.dmp

Download
memory/784-54-0x0000000075FC1000-0x0000000075FC3000-memory.dmp

Filesize
8KB

Download
memory/1012-125-0x0000000000000000-mapping.dmp

Download
memory/1048-146-0x0000000000000000-mapping.dmp

Download
memory/1076-241-0x0000000000000000-mapping.dmp

Download
memory/1108-70-0x0000000000000000-mapping.dmp

Download
memory/1196-73-0x0000000000000000-mapping.dmp

Download
memory/1200-68-0x0000000000000000-mapping.dmp

Download
memory/1204-240-0x0000000000000000-mapping.dmp

Download
memory/1396-147-0x0000000000000000-mapping.dmp

Download
memory/1400-66-0x0000000000000000-mapping.dmp

Download
memory/1476-67-0x0000000000000000-mapping.dmp

Download
memory/1484-74-0x0000000000000000-mapping.dmp

Download
memory/1640-186-0x0000000001370000-0x00000000013A4000-memory.dmp

Filesize
208KB

Download
memory/1640-153-0x0000000000000000-mapping.dmp

Download
memory/1668-64-0x0000000000000000-mapping.dmp

Download
memory/1688-249-0x0000000000000000-mapping.dmp

Download
memory/1748-183-0x0000000000400000-0x0000000000597000-memory.dmp

Filesize
1.6MB

Download
memory/1748-200-0x0000000000220000-0x0000000000229000-memory.dmp

Filesize
36KB

Download
memory/1748-168-0x0000000000220000-0x0000000000229000-memory.dmp

Filesize
36KB

Download
memory/1748-167-0x0000000000658000-0x0000000000669000-memory.dmp

Filesize
68KB

Download
memory/1748-199-0x0000000000658000-0x0000000000669000-memory.dmp

Filesize
68KB

Download
memory/1748-156-0x0000000000658000-0x0000000000669000-memory.dmp

Filesize
68KB

Download
memory/1748-201-0x0000000000400000-0x0000000000597000-memory.dmp

Filesize
1.6MB

Download
memory/1748-151-0x0000000000000000-mapping.dmp

Download
memory/1752-258-0x0000000000000000-mapping.dmp

Download
memory/1752-63-0x0000000000000000-mapping.dmp

Download
memory/1872-71-0x0000000000000000-mapping.dmp

Download
memory/1876-145-0x0000000000000000-mapping.dmp

Download
memory/1876-185-0x0000000000900000-0x0000000000928000-memory.dmp

Filesize
160KB

Download
memory/1984-203-0x0000000003D70000-0x0000000003FC4000-memory.dmp

Filesize
2.3MB

Download
memory/1984-56-0x0000000000000000-mapping.dmp

Download
memory/1984-61-0x0000000003D70000-0x0000000003FC4000-memory.dmp

Filesize
2.3MB

Download
memory/1984-83-0x0000000003D70000-0x0000000003FC4000-memory.dmp

Filesize
2.3MB

Download
memory/2032-251-0x0000000000000000-mapping.dmp

Download
memory/2032-256-0x0000000002050000-0x0000000002C9A000-memory.dmp

Filesize
12.3MB

Download
memory/2032-269-0x00000000031A0000-0x00000000032AC000-memory.dmp

Filesize
1.0MB

Download
memory/2032-266-0x00000000032B0000-0x000000000335E000-memory.dmp

Filesize
696KB

Download
memory/2032-264-0x0000000002050000-0x0000000002C9A000-memory.dmp

Filesize
12.3MB

Download
memory/2032-257-0x00000000031A0000-0x00000000032AC000-memory.dmp

Filesize
1.0MB

Download
memory/2040-69-0x0000000000000000-mapping.dmp

Download
memory/2056-154-0x0000000000000000-mapping.dmp

Download
memory/2112-237-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download
memory/2112-175-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download
memory/2112-184-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download
memory/2112-158-0x0000000000000000-mapping.dmp

Download
memory/2124-159-0x0000000000000000-mapping.dmp

Download
memory/2148-161-0x0000000000000000-mapping.dmp

Download
memory/2148-169-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2148-165-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2148-223-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2172-163-0x0000000000000000-mapping.dmp

Download
memory/2184-164-0x0000000000000000-mapping.dmp

Download
memory/2248-243-0x0000000003360000-0x0000000004556000-memory.dmp

Filesize
18.0MB

Download
memory/2248-171-0x0000000000000000-mapping.dmp

Download
memory/2248-209-0x0000000003360000-0x0000000004556000-memory.dmp

Filesize
18.0MB

Download
memory/2264-172-0x0000000000000000-mapping.dmp

Download
memory/2316-177-0x0000000000000000-mapping.dmp

Download
memory/2324-178-0x0000000000000000-mapping.dmp

Download
memory/2348-181-0x0000000000000000-mapping.dmp

Download
memory/2376-182-0x0000000000000000-mapping.dmp

Download
memory/2432-191-0x0000000000000000-mapping.dmp

Download
memory/2440-187-0x0000000000000000-mapping.dmp

Download
memory/2456-188-0x0000000000000000-mapping.dmp

Download
memory/2468-189-0x0000000000000000-mapping.dmp

Download
memory/2480-190-0x0000000000000000-mapping.dmp

Download
memory/2512-193-0x0000000000000000-mapping.dmp

Download
memory/2532-195-0x0000000000000000-mapping.dmp

Download
memory/2560-250-0x00000000030A0000-0x00000000031AC000-memory.dmp

Filesize
1.0MB

Download
memory/2560-221-0x0000000002E80000-0x0000000002F8B000-memory.dmp

Filesize
1.0MB

Download
memory/2560-222-0x00000000030A0000-0x00000000031AC000-memory.dmp

Filesize
1.0MB

Download
memory/2560-197-0x0000000000000000-mapping.dmp

Download
memory/2560-245-0x00000000031B0000-0x0000000003273000-memory.dmp

Filesize
780KB

Download
memory/2560-246-0x0000000003280000-0x000000000332E000-memory.dmp

Filesize
696KB

Download
memory/2692-263-0x0000000000400000-0x00000000015F6000-memory.dmp

Filesize
18.0MB

Download
memory/2692-254-0x0000000000400000-0x00000000015F6000-memory.dmp

Filesize
18.0MB

Download
memory/2692-255-0x0000000000400000-0x00000000015F6000-memory.dmp

Filesize
18.0MB

Download
memory/2692-211-0x0000000000400000-0x00000000015F6000-memory.dmp

Filesize
18.0MB

Download
memory/2692-244-0x0000000000400000-0x00000000015F6000-memory.dmp

Filesize
18.0MB

Download
memory/2692-259-0x0000000010000000-0x000000001001B000-memory.dmp

Filesize
108KB

Download
memory/2692-202-0x0000000000000000-mapping.dmp

Download
memory/2744-206-0x0000000000000000-mapping.dmp

Download
memory/2756-207-0x0000000000000000-mapping.dmp

Download
memory/2772-208-0x0000000000000000-mapping.dmp

Download
memory/2788-210-0x0000000000000000-mapping.dmp

Download
memory/2844-213-0x0000000000000000-mapping.dmp

Download
memory/2860-214-0x0000000000000000-mapping.dmp

Download
memory/2876-215-0x0000000000000000-mapping.dmp

Download
memory/2896-217-0x0000000000000000-mapping.dmp

Download
memory/2912-219-0x0000000000000000-mapping.dmp

Download
memory/2928-220-0x0000000000000000-mapping.dmp

Download
memory/2996-233-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2996-226-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2996-225-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2996-228-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2996-229-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2996-230-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2996-231-0x000000000042214A-mapping.dmp

Download
memory/2996-236-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3048-238-0x0000000001160000-0x0000000001172000-memory.dmp

Filesize
72KB

Download
memory/3048-235-0x0000000000000000-mapping.dmp

Download