glupteba | 3a186a8eec125e326c225bffa3a8ae6357a99de2d4683b29c90f7776870d2059

Analysis

max time kernel
170s
max time network
181s
platform
windows10-2004_x64
resource
win10v2004-20220310-en
submitted
11-03-2022 01:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3a186a8eec125e326c225bffa3a8ae6357a99de2d4683b29c90f7776870d2059.exe
Size

8.0MB
MD5

f332dadff387c218279f0a6ffc59961e
SHA1

b1f106ddcc0b5746261fc8977b57baad39752c90
SHA256

3a186a8eec125e326c225bffa3a8ae6357a99de2d4683b29c90f7776870d2059
SHA512

b9b83783513ec993808ca39cd3dd198a3df70df90fffc5d764cccf630bffddcb01428104638e154d4ef99bf36e9bd9d286f606ce2b307bdc213f473fc4690387

Score

10^/10

glupteba metasploit redline socelars vidar dadad123 backdoor dropper evasion infostealer loader persistence spyware stealer suricata trojan upx

Malware Config

Extracted

Family

socelars

http://www.iyiqian.com/

http://www.xxhufdc.top/

http://www.uefhkice.xyz/

http://www.fcektsy.top/

Extracted

Family

metasploit

Version

windows/single_exec

Extracted

Family

redline

Botnet

dadad123

86.107.197.196:63065

Attributes

auth_value
dd4834614a3ac04a7b90791c224626a2

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2708-177-0x0000000005240000-0x0000000005B66000-memory.dmp	family_glupteba
behavioral2/memory/2708-178-0x0000000000400000-0x00000000030E7000-memory.dmp	family_glupteba

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rUNdlL32.eXe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2376 3160 rUNdlL32.eXe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2376	3160	rUNdlL32.eXe

RedLine Payload 13 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\Pictures\Adobe Films\VaI1wlVuXQPChj00mLMKnBsb.exe	family_redline
C:\Users\Admin\Pictures\Adobe Films\VaI1wlVuXQPChj00mLMKnBsb.exe	family_redline
behavioral2/memory/4048-208-0x0000000000B00000-0x0000000000B20000-memory.dmp	family_redline
behavioral2/memory/2456-216-0x00000000009B0000-0x0000000000CF5000-memory.dmp	family_redline
behavioral2/memory/2456-221-0x00000000009B0000-0x0000000000CF5000-memory.dmp	family_redline
behavioral2/memory/2500-220-0x0000000000850000-0x0000000000B95000-memory.dmp	family_redline
behavioral2/memory/2500-217-0x0000000000850000-0x0000000000B95000-memory.dmp	family_redline
behavioral2/memory/2456-228-0x00000000009B0000-0x0000000000CF5000-memory.dmp	family_redline
behavioral2/memory/2456-231-0x00000000009B0000-0x0000000000CF5000-memory.dmp	family_redline
behavioral2/memory/2500-229-0x0000000000850000-0x0000000000B95000-memory.dmp	family_redline
behavioral2/memory/2500-227-0x0000000000850000-0x0000000000B95000-memory.dmp	family_redline
behavioral2/memory/4172-239-0x0000000000520000-0x00000000007B5000-memory.dmp	family_redline
behavioral2/memory/4172-240-0x0000000000520000-0x00000000007B5000-memory.dmp	family_redline

Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Install.exe	family_socelars
C:\Users\Admin\AppData\Local\Temp\Install.exe	family_socelars

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

svchost.exe

description pid process target process

PID 3508 created 2708 3508 svchost.exe Info.exe
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious
suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious
suricata
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
suricata
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
suricata
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
suricata
Downloads MZ/PE file

description	pid	process	target process
PID 3508 created 2708	3508	svchost.exe	Info.exe

Executes dropped EXE 28 IoCs

Processes:

SoCleanInst.exemd9_1sjm.exeFolder.exeInfo.exeUpdbdate.exeInstall.exeFiles.exeFolder.exepub2.exeFile.exejfiag3g_gg.exejfiag3g_gg.exeInfo.exe0J5ACbdNINtjCYvtg4l2nIbH.exepfnKH36eYull49cLmqt_E8kh.exe9LqJZNlGoMViPWbF34CljIjs.exeIZxrACNeICOyI0kO5HqKtRU1.exeW3YqYY66RFvWirbwuTQdDNxA.exeBpNp4RRj4LYL469ezu2ZTvX6.exeVaI1wlVuXQPChj00mLMKnBsb.exe_pISZ5DKC6BuhTfx1HKBwWqJ.exeEuj7m8M5ZjJZtrpvfFVPPeZT.exeZ3qANqcw_N1X6vQyIH3MCsNt.exeIhpNBW6BxPmelVAaN_BevUUW.exebDueAn2UeuPIPONL_AQwyll3.exeXZAtxuuqhcO1KUVnYu7MmuAc.exekZSmjdJhoyRhWd3WiZFAroXa.exekqma5EvezqWBvl5I8p7jDynx.exe

pid	process
1748	SoCleanInst.exe
916	md9_1sjm.exe
3296	Folder.exe
2708	Info.exe
3832	Updbdate.exe
1904	Install.exe
1932	Files.exe
1564	Folder.exe
2228	pub2.exe
1060	File.exe
3968	jfiag3g_gg.exe
2476	jfiag3g_gg.exe
1904	Info.exe
1372	0J5ACbdNINtjCYvtg4l2nIbH.exe
1428	pfnKH36eYull49cLmqt_E8kh.exe
1492	9LqJZNlGoMViPWbF34CljIjs.exe
2576	IZxrACNeICOyI0kO5HqKtRU1.exe
2376	W3YqYY66RFvWirbwuTQdDNxA.exe
3180	BpNp4RRj4LYL469ezu2ZTvX6.exe
4048	VaI1wlVuXQPChj00mLMKnBsb.exe
2440	_pISZ5DKC6BuhTfx1HKBwWqJ.exe
3476	Euj7m8M5ZjJZtrpvfFVPPeZT.exe
2456	Z3qANqcw_N1X6vQyIH3MCsNt.exe
2500	IhpNBW6BxPmelVAaN_BevUUW.exe
2896	bDueAn2UeuPIPONL_AQwyll3.exe
1472	XZAtxuuqhcO1KUVnYu7MmuAc.exe
4056	kZSmjdJhoyRhWd3WiZFAroXa.exe
4164	kqma5EvezqWBvl5I8p7jDynx.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\Pictures\Adobe Films\_pISZ5DKC6BuhTfx1HKBwWqJ.exe	upx

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

3a186a8eec125e326c225bffa3a8ae6357a99de2d4683b29c90f7776870d2059.exeFolder.exeFile.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation	3a186a8eec125e326c225bffa3a8ae6357a99de2d4683b29c90f7776870d2059.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation	Folder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation	File.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

364 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
364	rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Files.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.ex"	Files.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

md9_1sjm.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA md9_1sjm.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 7 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

185 ipinfo.io
205 ipinfo.io
31 ip-api.com
88 ipinfo.io
89 ipinfo.io
178 ipinfo.io
179 ipinfo.io
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

Z3qANqcw_N1X6vQyIH3MCsNt.exeIhpNBW6BxPmelVAaN_BevUUW.exe

pid process

2456 Z3qANqcw_N1X6vQyIH3MCsNt.exe
2500 IhpNBW6BxPmelVAaN_BevUUW.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	md9_1sjm.exe

flow	ioc
185	ipinfo.io
205	ipinfo.io
31	ip-api.com
88	ipinfo.io
89	ipinfo.io
178	ipinfo.io
179	ipinfo.io

pid	process
2456	Z3qANqcw_N1X6vQyIH3MCsNt.exe
2500	IhpNBW6BxPmelVAaN_BevUUW.exe

Drops file in Program Files directory 2 IoCs

Processes:

pfnKH36eYull49cLmqt_E8kh.exe

description	ioc	process
File created	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	pfnKH36eYull49cLmqt_E8kh.exe
File opened for modification	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	pfnKH36eYull49cLmqt_E8kh.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 41 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3296	364	WerFault.exe	rundll32.exe
1568	364	WerFault.exe	rundll32.exe
1716	2708	WerFault.exe	Info.exe
2504	2708	WerFault.exe	Info.exe
2612	2708	WerFault.exe	Info.exe
3976	2708	WerFault.exe	Info.exe
1948	2708	WerFault.exe	Info.exe
2292	2708	WerFault.exe	Info.exe
3728	2708	WerFault.exe	Info.exe
1664	2708	WerFault.exe	Info.exe
3940	2708	WerFault.exe	Info.exe
3656	2708	WerFault.exe	Info.exe
2348	2708	WerFault.exe	Info.exe
4028	2708	WerFault.exe	Info.exe
1040	2708	WerFault.exe	Info.exe
3472	2708	WerFault.exe	Info.exe
1372	2708	WerFault.exe	Info.exe
1508	2708	WerFault.exe	Info.exe
1400	2708	WerFault.exe	Info.exe
1388	2708	WerFault.exe	Info.exe
2384	2708	WerFault.exe	Info.exe
3468	2708	WerFault.exe	Info.exe
448	1904	WerFault.exe	Info.exe
2736	1904	WerFault.exe	Info.exe
812	1904	WerFault.exe	Info.exe
1388	1904	WerFault.exe	Info.exe
1444	1904	WerFault.exe	Info.exe
2612	1904	WerFault.exe	Info.exe
2640	1904	WerFault.exe	Info.exe
2080	1904	WerFault.exe	Info.exe
364	1904	WerFault.exe	Info.exe
1204	1904	WerFault.exe	Info.exe
2968	1904	WerFault.exe	Info.exe
1424	1904	WerFault.exe	Info.exe
1860	1904	WerFault.exe	Info.exe
3868	1904	WerFault.exe	Info.exe
4016	1904	WerFault.exe	Info.exe
488	1904	WerFault.exe	Info.exe
4224	1492	WerFault.exe	9LqJZNlGoMViPWbF34CljIjs.exe
4352	1472	WerFault.exe	XZAtxuuqhcO1KUVnYu7MmuAc.exe
2960	1472	WerFault.exe	XZAtxuuqhcO1KUVnYu7MmuAc.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

pub2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

4584 schtasks.exe
4608 schtasks.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

3468 taskkill.exe

pid	process
4584	schtasks.exe
4608	schtasks.exe

pid	process
3468	taskkill.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

Info.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2452 = "Saint Pierre Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2752 = "Tomsk Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1501 = "Turkey Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2611 = "Bougainville Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2791 = "Novosibirsk Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1861 = "Russia TZ 6 Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2431 = "Cuba Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1822 = "Russia TZ 1 Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1502 = "Turkey Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2181 = "Astrakhan Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2531 = "Chatham Islands Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2842 = "Saratov Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2491 = "Aus Central W. Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2001 = "Cabo Verde Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2632 = "Norfolk Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2772 = "Omsk Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2771 = "Omsk Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1831 = "Russia TZ 2 Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2631 = "Norfolk Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2411 = "Marquesas Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2391 = "Aleutian Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1891 = "Russia TZ 3 Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2891 = "Sudan Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1841 = "Russia TZ 4 Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2342 = "Haiti Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2612 = "Bougainville Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time"	Info.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

pub2.exejfiag3g_gg.exe

pid	process
2228	pub2.exe
2228	pub2.exe
2808
2808
2808
2808
2808
2808
2808
2808
2808
2808
2808
2808
2808
2808
2808
2808
2808
2808
2808
2808
2808
2808
2808
2808
2808
2808
2808
2808
2808
2808
2808
2808
2808
2808
2808
2808
2808
2808
2808
2808
2808
2808
2808
2808
2808
2808
2808
2808
2808
2808
2808
2808
2808
2808
2808
2808
2808
2808
2476	jfiag3g_gg.exe
2476	jfiag3g_gg.exe
2808
2808

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

pub2.exe

pid process

2228 pub2.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

SoCleanInst.exeInstall.exetaskkill.exemd9_1sjm.exe

description	pid	process
Token: SeDebugPrivilege	1748	SoCleanInst.exe
Token: SeCreateTokenPrivilege	1904	Install.exe
Token: SeAssignPrimaryTokenPrivilege	1904	Install.exe
Token: SeLockMemoryPrivilege	1904	Install.exe
Token: SeIncreaseQuotaPrivilege	1904	Install.exe
Token: SeMachineAccountPrivilege	1904	Install.exe
Token: SeTcbPrivilege	1904	Install.exe
Token: SeSecurityPrivilege	1904	Install.exe
Token: SeTakeOwnershipPrivilege	1904	Install.exe
Token: SeLoadDriverPrivilege	1904	Install.exe
Token: SeSystemProfilePrivilege	1904	Install.exe
Token: SeSystemtimePrivilege	1904	Install.exe
Token: SeProfSingleProcessPrivilege	1904	Install.exe
Token: SeIncBasePriorityPrivilege	1904	Install.exe
Token: SeCreatePagefilePrivilege	1904	Install.exe
Token: SeCreatePermanentPrivilege	1904	Install.exe
Token: SeBackupPrivilege	1904	Install.exe
Token: SeRestorePrivilege	1904	Install.exe
Token: SeShutdownPrivilege	1904	Install.exe
Token: SeDebugPrivilege	1904	Install.exe
Token: SeAuditPrivilege	1904	Install.exe
Token: SeSystemEnvironmentPrivilege	1904	Install.exe
Token: SeChangeNotifyPrivilege	1904	Install.exe
Token: SeRemoteShutdownPrivilege	1904	Install.exe
Token: SeUndockPrivilege	1904	Install.exe
Token: SeSyncAgentPrivilege	1904	Install.exe
Token: SeEnableDelegationPrivilege	1904	Install.exe
Token: SeManageVolumePrivilege	1904	Install.exe
Token: SeImpersonatePrivilege	1904	Install.exe
Token: SeCreateGlobalPrivilege	1904	Install.exe
Token: 31	1904	Install.exe
Token: 32	1904	Install.exe
Token: 33	1904	Install.exe
Token: 34	1904	Install.exe
Token: 35	1904	Install.exe
Token: SeDebugPrivilege	3468	taskkill.exe
Token: SeShutdownPrivilege	2808
Token: SeCreatePagefilePrivilege	2808
Token: SeManageVolumePrivilege	916	md9_1sjm.exe
Token: SeShutdownPrivilege	2808
Token: SeCreatePagefilePrivilege	2808
Token: SeShutdownPrivilege	2808
Token: SeCreatePagefilePrivilege	2808
Token: SeShutdownPrivilege	2808
Token: SeCreatePagefilePrivilege	2808
Token: SeShutdownPrivilege	2808
Token: SeCreatePagefilePrivilege	2808
Token: SeShutdownPrivilege	2808
Token: SeCreatePagefilePrivilege	2808
Token: SeShutdownPrivilege	2808
Token: SeCreatePagefilePrivilege	2808
Token: SeShutdownPrivilege	2808
Token: SeCreatePagefilePrivilege	2808
Token: SeShutdownPrivilege	2808
Token: SeCreatePagefilePrivilege	2808
Token: SeShutdownPrivilege	2808
Token: SeCreatePagefilePrivilege	2808
Token: SeShutdownPrivilege	2808
Token: SeCreatePagefilePrivilege	2808
Token: SeShutdownPrivilege	2808
Token: SeCreatePagefilePrivilege	2808
Token: SeShutdownPrivilege	2808
Token: SeCreatePagefilePrivilege	2808
Token: SeShutdownPrivilege	2808

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

pfnKH36eYull49cLmqt_E8kh.exeIZxrACNeICOyI0kO5HqKtRU1.exeBpNp4RRj4LYL469ezu2ZTvX6.exeEuj7m8M5ZjJZtrpvfFVPPeZT.exeXZAtxuuqhcO1KUVnYu7MmuAc.exekqma5EvezqWBvl5I8p7jDynx.exeZ3qANqcw_N1X6vQyIH3MCsNt.exeIhpNBW6BxPmelVAaN_BevUUW.exe

pid	process
1428	pfnKH36eYull49cLmqt_E8kh.exe
2576	IZxrACNeICOyI0kO5HqKtRU1.exe
3180	BpNp4RRj4LYL469ezu2ZTvX6.exe
3476	Euj7m8M5ZjJZtrpvfFVPPeZT.exe
1472	XZAtxuuqhcO1KUVnYu7MmuAc.exe
4164	kqma5EvezqWBvl5I8p7jDynx.exe
2456	Z3qANqcw_N1X6vQyIH3MCsNt.exe
2500	IhpNBW6BxPmelVAaN_BevUUW.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

3a186a8eec125e326c225bffa3a8ae6357a99de2d4683b29c90f7776870d2059.exeFolder.exerUNdlL32.eXeFiles.exeInstall.execmd.exerundll32.exesvchost.exeFile.exeInfo.execmd.exe

description	pid	process	target process
PID 3232 wrote to memory of 1748	3232	3a186a8eec125e326c225bffa3a8ae6357a99de2d4683b29c90f7776870d2059.exe	SoCleanInst.exe
PID 3232 wrote to memory of 1748	3232	3a186a8eec125e326c225bffa3a8ae6357a99de2d4683b29c90f7776870d2059.exe	SoCleanInst.exe
PID 3232 wrote to memory of 916	3232	3a186a8eec125e326c225bffa3a8ae6357a99de2d4683b29c90f7776870d2059.exe	md9_1sjm.exe
PID 3232 wrote to memory of 916	3232	3a186a8eec125e326c225bffa3a8ae6357a99de2d4683b29c90f7776870d2059.exe	md9_1sjm.exe
PID 3232 wrote to memory of 916	3232	3a186a8eec125e326c225bffa3a8ae6357a99de2d4683b29c90f7776870d2059.exe	md9_1sjm.exe
PID 3232 wrote to memory of 3296	3232	3a186a8eec125e326c225bffa3a8ae6357a99de2d4683b29c90f7776870d2059.exe	Folder.exe
PID 3232 wrote to memory of 3296	3232	3a186a8eec125e326c225bffa3a8ae6357a99de2d4683b29c90f7776870d2059.exe	Folder.exe
PID 3232 wrote to memory of 3296	3232	3a186a8eec125e326c225bffa3a8ae6357a99de2d4683b29c90f7776870d2059.exe	Folder.exe
PID 3232 wrote to memory of 2708	3232	3a186a8eec125e326c225bffa3a8ae6357a99de2d4683b29c90f7776870d2059.exe	Info.exe
PID 3232 wrote to memory of 2708	3232	3a186a8eec125e326c225bffa3a8ae6357a99de2d4683b29c90f7776870d2059.exe	Info.exe
PID 3232 wrote to memory of 2708	3232	3a186a8eec125e326c225bffa3a8ae6357a99de2d4683b29c90f7776870d2059.exe	Info.exe
PID 3232 wrote to memory of 3832	3232	3a186a8eec125e326c225bffa3a8ae6357a99de2d4683b29c90f7776870d2059.exe	Updbdate.exe
PID 3232 wrote to memory of 3832	3232	3a186a8eec125e326c225bffa3a8ae6357a99de2d4683b29c90f7776870d2059.exe	Updbdate.exe
PID 3232 wrote to memory of 3832	3232	3a186a8eec125e326c225bffa3a8ae6357a99de2d4683b29c90f7776870d2059.exe	Updbdate.exe
PID 3232 wrote to memory of 1904	3232	3a186a8eec125e326c225bffa3a8ae6357a99de2d4683b29c90f7776870d2059.exe	Install.exe
PID 3232 wrote to memory of 1904	3232	3a186a8eec125e326c225bffa3a8ae6357a99de2d4683b29c90f7776870d2059.exe	Install.exe
PID 3232 wrote to memory of 1904	3232	3a186a8eec125e326c225bffa3a8ae6357a99de2d4683b29c90f7776870d2059.exe	Install.exe
PID 3232 wrote to memory of 1932	3232	3a186a8eec125e326c225bffa3a8ae6357a99de2d4683b29c90f7776870d2059.exe	Files.exe
PID 3232 wrote to memory of 1932	3232	3a186a8eec125e326c225bffa3a8ae6357a99de2d4683b29c90f7776870d2059.exe	Files.exe
PID 3232 wrote to memory of 1932	3232	3a186a8eec125e326c225bffa3a8ae6357a99de2d4683b29c90f7776870d2059.exe	Files.exe
PID 3296 wrote to memory of 1564	3296	Folder.exe	Folder.exe
PID 3296 wrote to memory of 1564	3296	Folder.exe	Folder.exe
PID 3296 wrote to memory of 1564	3296	Folder.exe	Folder.exe
PID 3232 wrote to memory of 2228	3232	3a186a8eec125e326c225bffa3a8ae6357a99de2d4683b29c90f7776870d2059.exe	pub2.exe
PID 3232 wrote to memory of 2228	3232	3a186a8eec125e326c225bffa3a8ae6357a99de2d4683b29c90f7776870d2059.exe	pub2.exe
PID 3232 wrote to memory of 2228	3232	3a186a8eec125e326c225bffa3a8ae6357a99de2d4683b29c90f7776870d2059.exe	pub2.exe
PID 3232 wrote to memory of 1060	3232	3a186a8eec125e326c225bffa3a8ae6357a99de2d4683b29c90f7776870d2059.exe	File.exe
PID 3232 wrote to memory of 1060	3232	3a186a8eec125e326c225bffa3a8ae6357a99de2d4683b29c90f7776870d2059.exe	File.exe
PID 3232 wrote to memory of 1060	3232	3a186a8eec125e326c225bffa3a8ae6357a99de2d4683b29c90f7776870d2059.exe	File.exe
PID 2376 wrote to memory of 364	2376	rUNdlL32.eXe	rundll32.exe
PID 2376 wrote to memory of 364	2376	rUNdlL32.eXe	rundll32.exe
PID 2376 wrote to memory of 364	2376	rUNdlL32.eXe	rundll32.exe
PID 1932 wrote to memory of 3968	1932	Files.exe	jfiag3g_gg.exe
PID 1932 wrote to memory of 3968	1932	Files.exe	jfiag3g_gg.exe
PID 1932 wrote to memory of 3968	1932	Files.exe	jfiag3g_gg.exe
PID 1904 wrote to memory of 2868	1904	Install.exe	cmd.exe
PID 1904 wrote to memory of 2868	1904	Install.exe	cmd.exe
PID 1904 wrote to memory of 2868	1904	Install.exe	cmd.exe
PID 1932 wrote to memory of 2476	1932	Files.exe	jfiag3g_gg.exe
PID 1932 wrote to memory of 2476	1932	Files.exe	jfiag3g_gg.exe
PID 1932 wrote to memory of 2476	1932	Files.exe	jfiag3g_gg.exe
PID 2868 wrote to memory of 3468	2868	cmd.exe	taskkill.exe
PID 2868 wrote to memory of 3468	2868	cmd.exe	taskkill.exe
PID 2868 wrote to memory of 3468	2868	cmd.exe	taskkill.exe
PID 364 wrote to memory of 3296	364	rundll32.exe	WerFault.exe
PID 364 wrote to memory of 3296	364	rundll32.exe	WerFault.exe
PID 364 wrote to memory of 3296	364	rundll32.exe	WerFault.exe
PID 3508 wrote to memory of 1904	3508	svchost.exe	Info.exe
PID 3508 wrote to memory of 1904	3508	svchost.exe	Info.exe
PID 3508 wrote to memory of 1904	3508	svchost.exe	Info.exe
PID 1060 wrote to memory of 1372	1060	File.exe	0J5ACbdNINtjCYvtg4l2nIbH.exe
PID 1060 wrote to memory of 1372	1060	File.exe	0J5ACbdNINtjCYvtg4l2nIbH.exe
PID 1904 wrote to memory of 2412	1904	Info.exe	cmd.exe
PID 1904 wrote to memory of 2412	1904	Info.exe	cmd.exe
PID 1060 wrote to memory of 1428	1060	File.exe	pfnKH36eYull49cLmqt_E8kh.exe
PID 1060 wrote to memory of 1428	1060	File.exe	pfnKH36eYull49cLmqt_E8kh.exe
PID 1060 wrote to memory of 1428	1060	File.exe	pfnKH36eYull49cLmqt_E8kh.exe
PID 1060 wrote to memory of 1492	1060	File.exe	9LqJZNlGoMViPWbF34CljIjs.exe
PID 1060 wrote to memory of 1492	1060	File.exe	9LqJZNlGoMViPWbF34CljIjs.exe
PID 1060 wrote to memory of 1492	1060	File.exe	9LqJZNlGoMViPWbF34CljIjs.exe
PID 1060 wrote to memory of 2576	1060	File.exe	IZxrACNeICOyI0kO5HqKtRU1.exe
PID 1060 wrote to memory of 2576	1060	File.exe	IZxrACNeICOyI0kO5HqKtRU1.exe
PID 1060 wrote to memory of 2576	1060	File.exe	IZxrACNeICOyI0kO5HqKtRU1.exe
PID 2412 wrote to memory of 2080	2412	cmd.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\3a186a8eec125e326c225bffa3a8ae6357a99de2d4683b29c90f7776870d2059.exe
"C:\Users\Admin\AppData\Local\Temp\3a186a8eec125e326c225bffa3a8ae6357a99de2d4683b29c90f7776870d2059.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3232

C:\Users\Admin\AppData\Local\Temp\SoCleanInst.exe
"C:\Users\Admin\AppData\Local\Temp\SoCleanInst.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1748

C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
"C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe"
2⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
PID:916

C:\Users\Admin\AppData\Local\Temp\Folder.exe
"C:\Users\Admin\AppData\Local\Temp\Folder.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3296

C:\Users\Admin\AppData\Local\Temp\Folder.exe
"C:\Users\Admin\AppData\Local\Temp\Folder.exe" -a
3⤵
- Executes dropped EXE
PID:1564

C:\Users\Admin\AppData\Local\Temp\Info.exe
"C:\Users\Admin\AppData\Local\Temp\Info.exe"
2⤵
- Executes dropped EXE
PID:2708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2708 -s 388
3⤵
- Program crash
PID:1716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2708 -s 372
3⤵
- Program crash
PID:2504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2708 -s 604
3⤵
- Program crash
PID:2612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2708 -s 696
3⤵
- Program crash
PID:3976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2708 -s 712
3⤵
- Program crash
PID:1948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2708 -s 712
3⤵
- Program crash
PID:2292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2708 -s 728
3⤵
- Program crash
PID:3728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2708 -s 728
3⤵
- Program crash
PID:1664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2708 -s 876
3⤵
- Program crash
PID:3940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2708 -s 732
3⤵
- Program crash
PID:3656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2708 -s 656
3⤵
- Program crash
PID:2348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2708 -s 824
3⤵
- Program crash
PID:4028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2708 -s 680
3⤵
- Program crash
PID:1040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2708 -s 900
3⤵
- Program crash
PID:3472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2708 -s 872
3⤵
- Program crash
PID:1372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2708 -s 732
3⤵
- Program crash
PID:1508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2708 -s 604
3⤵
- Program crash
PID:1400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2708 -s 916
3⤵
- Program crash
PID:1388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2708 -s 616
3⤵
- Program crash
PID:2384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2708 -s 724
3⤵
- Program crash
PID:3468

C:\Users\Admin\AppData\Local\Temp\Info.exe
"C:\Users\Admin\AppData\Local\Temp\Info.exe"
3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1904 -s 324
4⤵
- Program crash
PID:448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1904 -s 352
4⤵
- Program crash
PID:2736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1904 -s 348
4⤵
- Program crash
PID:812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1904 -s 636
4⤵
- Program crash
PID:1388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1904 -s 680
4⤵
- Program crash
PID:1444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1904 -s 680
4⤵
- Program crash
PID:2612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1904 -s 680
4⤵
- Program crash
PID:2640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1904 -s 720
4⤵
- Program crash
PID:2080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1904 -s 636
4⤵
- Program crash
PID:364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1904 -s 672
4⤵
- Program crash
PID:1204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1904 -s 720
4⤵
- Program crash
PID:2968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1904 -s 860
4⤵
- Program crash
PID:1424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1904 -s 880
4⤵
- Program crash
PID:1860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1904 -s 860
4⤵
- Program crash
PID:3868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1904 -s 860
4⤵
- Program crash
PID:4016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1904 -s 580
4⤵
- Program crash
PID:488

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
4⤵
- Suspicious use of WriteProcessMemory
PID:2412

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
5⤵
PID:2080

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe /94-94
4⤵
PID:3992

C:\Users\Admin\AppData\Local\Temp\Updbdate.exe
"C:\Users\Admin\AppData\Local\Temp\Updbdate.exe"
2⤵
- Executes dropped EXE
PID:3832

C:\Users\Admin\AppData\Local\Temp\Install.exe
"C:\Users\Admin\AppData\Local\Temp\Install.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1904

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:2868

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3468

C:\Users\Admin\AppData\Local\Temp\Files.exe
"C:\Users\Admin\AppData\Local\Temp\Files.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1932

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
3⤵
- Executes dropped EXE
PID:3968

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2476

C:\Users\Admin\AppData\Local\Temp\pub2.exe
"C:\Users\Admin\AppData\Local\Temp\pub2.exe"
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2228

C:\Users\Admin\AppData\Local\Temp\File.exe
"C:\Users\Admin\AppData\Local\Temp\File.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1060

C:\Users\Admin\Pictures\Adobe Films\0J5ACbdNINtjCYvtg4l2nIbH.exe
"C:\Users\Admin\Pictures\Adobe Films\0J5ACbdNINtjCYvtg4l2nIbH.exe"
3⤵
- Executes dropped EXE
PID:1372

C:\Users\Admin\Pictures\Adobe Films\IZxrACNeICOyI0kO5HqKtRU1.exe
"C:\Users\Admin\Pictures\Adobe Films\IZxrACNeICOyI0kO5HqKtRU1.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2576

C:\Users\Admin\Pictures\Adobe Films\9LqJZNlGoMViPWbF34CljIjs.exe
"C:\Users\Admin\Pictures\Adobe Films\9LqJZNlGoMViPWbF34CljIjs.exe"
3⤵
- Executes dropped EXE
PID:1492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1492 -s 624
4⤵
- Program crash
PID:4224

C:\Users\Admin\Pictures\Adobe Films\pfnKH36eYull49cLmqt_E8kh.exe
"C:\Users\Admin\Pictures\Adobe Films\pfnKH36eYull49cLmqt_E8kh.exe"
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:1428

C:\Users\Admin\Documents\Ym3i5S71y_mvaiydzaiOMX0o.exe
"C:\Users\Admin\Documents\Ym3i5S71y_mvaiydzaiOMX0o.exe"
4⤵
PID:4512

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
4⤵
- Creates scheduled task(s)
PID:4584

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
4⤵
- Creates scheduled task(s)
PID:4608

C:\Users\Admin\Pictures\Adobe Films\_pISZ5DKC6BuhTfx1HKBwWqJ.exe
"C:\Users\Admin\Pictures\Adobe Films\_pISZ5DKC6BuhTfx1HKBwWqJ.exe"
3⤵
- Executes dropped EXE
PID:2440

C:\Users\Admin\Pictures\Adobe Films\Euj7m8M5ZjJZtrpvfFVPPeZT.exe
"C:\Users\Admin\Pictures\Adobe Films\Euj7m8M5ZjJZtrpvfFVPPeZT.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3476

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cmd < Affaticato.gif
4⤵
PID:4396

C:\Windows\SysWOW64\cmd.exe
cmd
5⤵
PID:4796

C:\Users\Admin\Pictures\Adobe Films\VaI1wlVuXQPChj00mLMKnBsb.exe
"C:\Users\Admin\Pictures\Adobe Films\VaI1wlVuXQPChj00mLMKnBsb.exe"
3⤵
- Executes dropped EXE
PID:4048

C:\Users\Admin\Pictures\Adobe Films\BpNp4RRj4LYL469ezu2ZTvX6.exe
"C:\Users\Admin\Pictures\Adobe Films\BpNp4RRj4LYL469ezu2ZTvX6.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3180

C:\Users\Admin\Pictures\Adobe Films\W3YqYY66RFvWirbwuTQdDNxA.exe
"C:\Users\Admin\Pictures\Adobe Films\W3YqYY66RFvWirbwuTQdDNxA.exe"
3⤵
- Executes dropped EXE
PID:2376

C:\Users\Admin\Pictures\Adobe Films\Z3qANqcw_N1X6vQyIH3MCsNt.exe
"C:\Users\Admin\Pictures\Adobe Films\Z3qANqcw_N1X6vQyIH3MCsNt.exe"
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:2456

C:\Users\Admin\Pictures\Adobe Films\IhpNBW6BxPmelVAaN_BevUUW.exe
"C:\Users\Admin\Pictures\Adobe Films\IhpNBW6BxPmelVAaN_BevUUW.exe"
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:2500

C:\Users\Admin\Pictures\Adobe Films\bDueAn2UeuPIPONL_AQwyll3.exe
"C:\Users\Admin\Pictures\Adobe Films\bDueAn2UeuPIPONL_AQwyll3.exe"
3⤵
- Executes dropped EXE
PID:2896

C:\Users\Admin\Pictures\Adobe Films\XZAtxuuqhcO1KUVnYu7MmuAc.exe
"C:\Users\Admin\Pictures\Adobe Films\XZAtxuuqhcO1KUVnYu7MmuAc.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1472 -s 464
4⤵
- Program crash
PID:4352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1472 -s 472
4⤵
- Program crash
PID:2960

C:\Users\Admin\Pictures\Adobe Films\kZSmjdJhoyRhWd3WiZFAroXa.exe
"C:\Users\Admin\Pictures\Adobe Films\kZSmjdJhoyRhWd3WiZFAroXa.exe"
3⤵
- Executes dropped EXE
PID:4056

C:\Users\Admin\AppData\Local\Temp\89I46.exe
"C:\Users\Admin\AppData\Local\Temp\89I46.exe"
4⤵
PID:4172

C:\Users\Admin\AppData\Local\Temp\89FK3.exe
"C:\Users\Admin\AppData\Local\Temp\89FK3.exe"
4⤵
PID:4492

C:\Users\Admin\Pictures\Adobe Films\kqma5EvezqWBvl5I8p7jDynx.exe
"C:\Users\Admin\Pictures\Adobe Films\kqma5EvezqWBvl5I8p7jDynx.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4164

C:\Users\Admin\AppData\Local\Temp\7zSFE88.tmp\Install.exe
.\Install.exe
4⤵
PID:4704

C:\Users\Admin\AppData\Local\Temp\7zSB2A.tmp\Install.exe
.\Install.exe /S /site_id "525403"
5⤵
PID:4536

C:\Windows\system32\rUNdlL32.eXe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:2376

C:\Windows\SysWOW64\rundll32.exe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 364 -s 604
3⤵
- Program crash
PID:3296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 364 -s 604
3⤵
- Program crash
PID:1568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2708 -ip 2708
1⤵
PID:2792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 364 -ip 364
1⤵
PID:2336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2708 -ip 2708
1⤵
PID:3060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2708 -ip 2708
1⤵
PID:1748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2708 -ip 2708
1⤵
PID:1784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 2708 -ip 2708
1⤵
PID:3064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2708 -ip 2708
1⤵
PID:3772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 2708 -ip 2708
1⤵
PID:4048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2708 -ip 2708
1⤵
PID:1664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 2708 -ip 2708
1⤵
PID:2212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2708 -ip 2708
1⤵
PID:544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 2708 -ip 2708
1⤵
PID:2616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 2708 -ip 2708
1⤵
PID:1204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 2708 -ip 2708
1⤵
PID:2440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 2708 -ip 2708
1⤵
PID:2792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 2708 -ip 2708
1⤵
PID:1252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2708 -ip 2708
1⤵
PID:2300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2708 -ip 2708
1⤵
PID:3412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2708 -ip 2708
1⤵
PID:2736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 2708 -ip 2708
1⤵
PID:812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2708 -ip 2708
1⤵
PID:3760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 2708 -ip 2708
1⤵
PID:3828

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:3508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1904 -ip 1904
1⤵
PID:1512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1904 -ip 1904
1⤵
PID:1508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1904 -ip 1904
1⤵
PID:1400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1904 -ip 1904
1⤵
PID:3968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1904 -ip 1904
1⤵
PID:1784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1904 -ip 1904
1⤵
PID:1440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1904 -ip 1904
1⤵
PID:1240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1904 -ip 1904
1⤵
PID:3208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1904 -ip 1904
1⤵
PID:4072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1904 -ip 1904
1⤵
PID:1816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 396 -p 1904 -ip 1904
1⤵
PID:1472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1904 -ip 1904
1⤵
PID:3980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 1904 -ip 1904
1⤵
PID:1952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 1904 -ip 1904
1⤵
PID:1032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1904 -ip 1904
1⤵
PID:2708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 1904 -ip 1904
1⤵
PID:1972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1492 -ip 1492
1⤵
PID:3496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1472 -ip 1472
1⤵
PID:4256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 1472 -ip 1472
1⤵
PID:4424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 1492 -ip 1492
1⤵
PID:4772

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
MD5
54e9306f95f32e50ccd58af19753d929

SHA1
eab9457321f34d4dcf7d4a0ac83edc9131bf7c57

SHA256
45f94dceb18a8f738a26da09ce4558995a4fe02b971882e8116fc9b59813bb72

SHA512
8711a4d866f21cdf4d4e6131ec4cfaf6821d0d22b90946be8b5a09ab868af0270a89bc326f03b858f0361a83c11a1531b894dfd1945e4812ba429a7558791f4f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
MD5
75ffd077fe2ecf71e231b1eb7227f913

SHA1
4a3892694a7c7bda180bed4d4493d064ef21c47d

SHA256
3f14b309a2bdb33caee2c7923b17c8780a4ff8164b7641e679d1888ab6dbf16f

SHA512
6464b499611ac9b7f2348b1958b610d32cb7b4d9403d1081409d3f6d4a43a511a20f6414a2194e5dcbf055877c310fbc4f73b34210d4920ad87946d4e86a7f1b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
MD5
2ec8481357d573369a84ffa95d851b8b

SHA1
b2a700e4b401211ec6a3dc3e0e3cbbc0a511fbdd

SHA256
b8dc6e0e7a7a8b53f954bb09dcacfdbd41f7731e6a8294686e397ba743e0ac09

SHA512
d0bebaefbeab32f0d38c1f36f2ea44f9074b31051f8985ea2885db65903be5fe406a469e7db16bef9bd5d5c931a153819aa4b3188126230a85459e42f03dd996

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
MD5
675e187f93ec69168af53273e0da8c17

SHA1
9f352771dec07c56ec2421a910ce6f7323b0329d

SHA256
3e5cf1065afc334594b4617b91241f0c5116437097d15ee28daf4885cbddd3a4

SHA512
742860abc8f2fe0d0e16fd6209db8036fe50ce0539882a882c655ac4dc2bfae77bbe5692fbc7a116f9c7fd4d55d7bc93a978ee7bcee22f2d72a1b54298ca13c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\File.exe
MD5
254199404fccfb91d18c929ce584eef7

SHA1
782d4fe5b1f4cd12af5fb6bc7cbd0392d205fe07

SHA256
6348d04d59e1303a3aa2574cb2f9d98d3d91347d4f03444a15962062dccb1fdd

SHA512
a20f98e59f2e5a16191befd7bf8bd52f5789653b9c1c2917c413d5ca5c2cbfbfa7bc2e8126ef433a979f72bbf6a3fa5b43de8a1eaa490692610101df10ea14a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\File.exe
MD5
254199404fccfb91d18c929ce584eef7

SHA1
782d4fe5b1f4cd12af5fb6bc7cbd0392d205fe07

SHA256
6348d04d59e1303a3aa2574cb2f9d98d3d91347d4f03444a15962062dccb1fdd

SHA512
a20f98e59f2e5a16191befd7bf8bd52f5789653b9c1c2917c413d5ca5c2cbfbfa7bc2e8126ef433a979f72bbf6a3fa5b43de8a1eaa490692610101df10ea14a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files.exe
MD5
2d0217e0c70440d8c82883eadea517b9

SHA1
f3b7dd6dbb43b895ba26f67370af99952b7d83cb

SHA256
d8ede520a96e7eff75e753691e1dd2c764a3171ffa0144675c3e08f4be027c01

SHA512
6d7779a1f0dd54c0598bfb68f5e01a309021437a8b578353a063baf7c5ac2b29e5706ba51d1c1831e1517c5ea6fa662744c3f3e68a0e094c3b83ca9ed134413d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files.exe
MD5
2d0217e0c70440d8c82883eadea517b9

SHA1
f3b7dd6dbb43b895ba26f67370af99952b7d83cb

SHA256
d8ede520a96e7eff75e753691e1dd2c764a3171ffa0144675c3e08f4be027c01

SHA512
6d7779a1f0dd54c0598bfb68f5e01a309021437a8b578353a063baf7c5ac2b29e5706ba51d1c1831e1517c5ea6fa662744c3f3e68a0e094c3b83ca9ed134413d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Folder.exe
MD5
b89068659ca07ab9b39f1c580a6f9d39

SHA1
7e3e246fcf920d1ada06900889d099784fe06aa5

SHA256
9d225182e9a8f073e8cf1d60a8258369a394bcae5fbc52d845d71a0fa440539c

SHA512
940690b0844e678e45ead2e7639407ffac43ab45265d2682a4c2e6400ac8fa2188c50a3b17dad241517dd4624ee92d159c7e6d59c8d069b9edd1445115255d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\Folder.exe
MD5
b89068659ca07ab9b39f1c580a6f9d39

SHA1
7e3e246fcf920d1ada06900889d099784fe06aa5

SHA256
9d225182e9a8f073e8cf1d60a8258369a394bcae5fbc52d845d71a0fa440539c

SHA512
940690b0844e678e45ead2e7639407ffac43ab45265d2682a4c2e6400ac8fa2188c50a3b17dad241517dd4624ee92d159c7e6d59c8d069b9edd1445115255d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\Folder.exe
MD5
b89068659ca07ab9b39f1c580a6f9d39

SHA1
7e3e246fcf920d1ada06900889d099784fe06aa5

SHA256
9d225182e9a8f073e8cf1d60a8258369a394bcae5fbc52d845d71a0fa440539c

SHA512
940690b0844e678e45ead2e7639407ffac43ab45265d2682a4c2e6400ac8fa2188c50a3b17dad241517dd4624ee92d159c7e6d59c8d069b9edd1445115255d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\Info.exe
MD5
165c8d385e0af406deb1089b621c28db

SHA1
3d7b93f834a08a9bc790290a20aaf835aaaf9c5c

SHA256
7dc6c82e185577088f88e349a6d315138cdbed3956cbb6be5af1f9c098642a33

SHA512
0bbc83a67cfb0ca2f4976b04e84ba60d708ffb7f66050da73cd0a0f28cde09dfde9b762ff5ceca35c22f5461576c47e190342470c470c6360bfb4edad8e34e14

Download Submit
C:\Users\Admin\AppData\Local\Temp\Info.exe
MD5
165c8d385e0af406deb1089b621c28db

SHA1
3d7b93f834a08a9bc790290a20aaf835aaaf9c5c

SHA256
7dc6c82e185577088f88e349a6d315138cdbed3956cbb6be5af1f9c098642a33

SHA512
0bbc83a67cfb0ca2f4976b04e84ba60d708ffb7f66050da73cd0a0f28cde09dfde9b762ff5ceca35c22f5461576c47e190342470c470c6360bfb4edad8e34e14

Download Submit
C:\Users\Admin\AppData\Local\Temp\Info.exe
MD5
165c8d385e0af406deb1089b621c28db

SHA1
3d7b93f834a08a9bc790290a20aaf835aaaf9c5c

SHA256
7dc6c82e185577088f88e349a6d315138cdbed3956cbb6be5af1f9c098642a33

SHA512
0bbc83a67cfb0ca2f4976b04e84ba60d708ffb7f66050da73cd0a0f28cde09dfde9b762ff5ceca35c22f5461576c47e190342470c470c6360bfb4edad8e34e14

Download Submit
C:\Users\Admin\AppData\Local\Temp\Install.exe
MD5
1472c424c986098184e6a086fb086917

SHA1
39d0f0abffdb3b715157ccaf28484af01076404c

SHA256
193b8939705a17232d301154465f7442381d23a856c989dbf45a629a520eefcf

SHA512
62183b2ecaec1e34664446375e68d011f4c3cc73571c9d8483788b628cc638d28620a7e816d3cd4cc39fde84895b45da9341e4543996cd3a31a1e886a56dcd08

Download Submit
C:\Users\Admin\AppData\Local\Temp\Install.exe
MD5
1472c424c986098184e6a086fb086917

SHA1
39d0f0abffdb3b715157ccaf28484af01076404c

SHA256
193b8939705a17232d301154465f7442381d23a856c989dbf45a629a520eefcf

SHA512
62183b2ecaec1e34664446375e68d011f4c3cc73571c9d8483788b628cc638d28620a7e816d3cd4cc39fde84895b45da9341e4543996cd3a31a1e886a56dcd08

Download Submit
C:\Users\Admin\AppData\Local\Temp\MicrosoftLibs\mozglue.dll
MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
C:\Users\Admin\AppData\Local\Temp\MicrosoftLibs\nss3.dll
MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
C:\Users\Admin\AppData\Local\Temp\SoCleanInst.exe
MD5
5e9cfd6a1d2804a1e7f048b0c76a6d9e

SHA1
2d119fa11dc5e390cdb1fae208fbf0903548961e

SHA256
21faf55f3437b60c0b6518d8576bff0300e4d8460139b2f157f76d36a57b559b

SHA512
4e72728420c31c3ddcb2626ed426b8afba6a6674e8e96cda664b2977f53726af59d5b2ff63db80b373480db1f4a43c3d44e5ee9a4c3b9b0c92ce0cb5eebc05dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\SoCleanInst.exe
MD5
5e9cfd6a1d2804a1e7f048b0c76a6d9e

SHA1
2d119fa11dc5e390cdb1fae208fbf0903548961e

SHA256
21faf55f3437b60c0b6518d8576bff0300e4d8460139b2f157f76d36a57b559b

SHA512
4e72728420c31c3ddcb2626ed426b8afba6a6674e8e96cda664b2977f53726af59d5b2ff63db80b373480db1f4a43c3d44e5ee9a4c3b9b0c92ce0cb5eebc05dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Updbdate.exe
MD5
4ee18457e71fe318d1149d2586955759

SHA1
efb25f00c8c3f9f4e3f2a84ece8546e4085e809d

SHA256
137f3a0978f09701e36bd33e672b8c960ea02d350e0af29ade7a7b55b74a655c

SHA512
31aca7509399a8e95c03d945d31614d14ca66426ecf179fcb9d5dc44b7424544e0729008d1eb0ee59acdafe5fd0a979b85c890235da2c22e440ee76177776457

Download Submit
C:\Users\Admin\AppData\Local\Temp\Updbdate.exe
MD5
4ee18457e71fe318d1149d2586955759

SHA1
efb25f00c8c3f9f4e3f2a84ece8546e4085e809d

SHA256
137f3a0978f09701e36bd33e672b8c960ea02d350e0af29ade7a7b55b74a655c

SHA512
31aca7509399a8e95c03d945d31614d14ca66426ecf179fcb9d5dc44b7424544e0729008d1eb0ee59acdafe5fd0a979b85c890235da2c22e440ee76177776457

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dat
MD5
5fd2eba6df44d23c9e662763009d7f84

SHA1
43530574f8ac455ae263c70cc99550bc60bfa4f1

SHA256
2991e2231855661e94ef80a4202487a9d7dc7bebccab9a0b2a786cf0783a051f

SHA512
321a86725e533dedb5b74e17218e6e53a49fa6ffc87d7f7da0f0b8441a081fe785f7846a76f67ef03ec3abddacbe8906b20a2f3ce8178896ec57090ef7ab0eb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dll
MD5
1c7be730bdc4833afb7117d48c3fd513

SHA1
dc7e38cfe2ae4a117922306aead5a7544af646b8

SHA256
8206b4b3897ca45b9e083273f616902966e57091516844906e6ae2aefe63cef1

SHA512
7936c862a06b7ecdb6710a1bb62cbea149f75504b580c2f100945674c987f3eec53e9aa5915e32b4f74bcf46f2df9468f68a454400faebd909f933e8072e0f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dll
MD5
1c7be730bdc4833afb7117d48c3fd513

SHA1
dc7e38cfe2ae4a117922306aead5a7544af646b8

SHA256
8206b4b3897ca45b9e083273f616902966e57091516844906e6ae2aefe63cef1

SHA512
7936c862a06b7ecdb6710a1bb62cbea149f75504b580c2f100945674c987f3eec53e9aa5915e32b4f74bcf46f2df9468f68a454400faebd909f933e8072e0f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
MD5
b7161c0845a64ff6d7345b67ff97f3b0

SHA1
d223f855da541fe8e4c1d5c50cb26da0a1deb5fc

SHA256
fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66

SHA512
98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
MD5
332e5b6f35ac73c08a64d6c7a5cea059

SHA1
75f98b01b3b7c5a07aaa91e73520415b71664331

SHA256
9914d706d64d6d0c75e088113c692c344f83c68e598bbedfaa82fb3ad045523e

SHA512
cfdb5f1c497a64a8da42440fb0c8aae0213ea30a1a3be4dfba93ba74ecdcd545838f03920f23f8bfd31101989276e1b513afa8a958ed79248877dc4d0a17d1ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
MD5
53b01ccd65893036e6e73376605da1e2

SHA1
12c7162ea3ce90ec064ce61251897c8bec3fd115

SHA256
de95d03777407422fac23d6c1f0740e131a0d38c5ef19aca742c7bcf1a994fd7

SHA512
e5d1dd0ac1a53df261179d58817e71f4b263179ba1f1599da3b654ae9550dc608afc5a12057fb533aab0abb2eb406e3a7331e10a6f2b91254f062a777299e067

Download Submit
C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
MD5
53b01ccd65893036e6e73376605da1e2

SHA1
12c7162ea3ce90ec064ce61251897c8bec3fd115

SHA256
de95d03777407422fac23d6c1f0740e131a0d38c5ef19aca742c7bcf1a994fd7

SHA512
e5d1dd0ac1a53df261179d58817e71f4b263179ba1f1599da3b654ae9550dc608afc5a12057fb533aab0abb2eb406e3a7331e10a6f2b91254f062a777299e067

Download Submit
C:\Users\Admin\AppData\Local\Temp\pub2.exe
MD5
43a14ed44b18a78c210dbfbf71225f31

SHA1
20695e7385183cb1603c4674df90da4462419ea0

SHA256
291a82b3b430c80981fd3b6fe3a9f0718e5d7d2b2af502b1c67c762b639da3e4

SHA512
bc49a9cadf08afab871f8d861e4b8801fa5a39ef788391e68ad34f018747298ac3d672f48c8ce906eb2f22b7e4d81c10f7ea83783559060923183de5dea69ac3

Download Submit
C:\Users\Admin\AppData\Local\Temp\pub2.exe
MD5
43a14ed44b18a78c210dbfbf71225f31

SHA1
20695e7385183cb1603c4674df90da4462419ea0

SHA256
291a82b3b430c80981fd3b6fe3a9f0718e5d7d2b2af502b1c67c762b639da3e4

SHA512
bc49a9cadf08afab871f8d861e4b8801fa5a39ef788391e68ad34f018747298ac3d672f48c8ce906eb2f22b7e4d81c10f7ea83783559060923183de5dea69ac3

Download Submit
C:\Users\Admin\Pictures\Adobe Films\0J5ACbdNINtjCYvtg4l2nIbH.exe
MD5
3f22bd82ee1b38f439e6354c60126d6d

SHA1
63b57d818f86ea64ebc8566faeb0c977839defde

SHA256
265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a

SHA512
b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\0J5ACbdNINtjCYvtg4l2nIbH.exe
MD5
3f22bd82ee1b38f439e6354c60126d6d

SHA1
63b57d818f86ea64ebc8566faeb0c977839defde

SHA256
265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a

SHA512
b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\9LqJZNlGoMViPWbF34CljIjs.exe
MD5
5d7a12165295dc36952871511dca661f

SHA1
93fc0fd84292f4554063682178e2986aa14f28db

SHA256
692c58f7968448bf4940fc8ec41481a37e6684818323af504adbc117a6bc9a24

SHA512
5f6eb44593135d2ae84f984367379b999ca9a73aef05a7cae5af6ca0a65c4e448735733cabea513f5373fc16df2d733bffcc58d1002807dad4d098d0fe4021ba

Download Submit
C:\Users\Admin\Pictures\Adobe Films\9LqJZNlGoMViPWbF34CljIjs.exe
MD5
5d7a12165295dc36952871511dca661f

SHA1
93fc0fd84292f4554063682178e2986aa14f28db

SHA256
692c58f7968448bf4940fc8ec41481a37e6684818323af504adbc117a6bc9a24

SHA512
5f6eb44593135d2ae84f984367379b999ca9a73aef05a7cae5af6ca0a65c4e448735733cabea513f5373fc16df2d733bffcc58d1002807dad4d098d0fe4021ba

Download Submit
C:\Users\Admin\Pictures\Adobe Films\BpNp4RRj4LYL469ezu2ZTvX6.exe
MD5
00ecdf7f62876e4250d39747d1cb645c

SHA1
02fcac0671c1a1cf6fad778e0212852e9567622d

SHA256
63085f01b1d4e08b35018fd7e41a59d7143f51400e7e215afc9bf3718352f950

SHA512
d82a12d9a126bb31722f8de876552ce9df743f351cee09999dcd70f1f27c137e38556d1594af445816fc802af2ec137598c76c88009ae8c62e08d239bd77f6a2

Download Submit
C:\Users\Admin\Pictures\Adobe Films\BpNp4RRj4LYL469ezu2ZTvX6.exe
MD5
00ecdf7f62876e4250d39747d1cb645c

SHA1
02fcac0671c1a1cf6fad778e0212852e9567622d

SHA256
63085f01b1d4e08b35018fd7e41a59d7143f51400e7e215afc9bf3718352f950

SHA512
d82a12d9a126bb31722f8de876552ce9df743f351cee09999dcd70f1f27c137e38556d1594af445816fc802af2ec137598c76c88009ae8c62e08d239bd77f6a2

Download Submit
C:\Users\Admin\Pictures\Adobe Films\Euj7m8M5ZjJZtrpvfFVPPeZT.exe
MD5
d432d82dfedd999b3d6b7cec3f6f5985

SHA1
fb0ea0f2d178d8aa91f989ee936b875a6e01ca92

SHA256
432a96e7a625d04b2d13d4874c6137dbd8c305e2133d0792b969520fe4a1f06b

SHA512
2b23ff0cd3d0f328aa742501ad55c4ec09dd85f7dbf7a6e1d06283e4d0279b7b6e4f96b4be6118ed0d1fadc007cc960bd77ce5199f80b2cd9535081b1407074a

Download Submit
C:\Users\Admin\Pictures\Adobe Films\Euj7m8M5ZjJZtrpvfFVPPeZT.exe
MD5
d432d82dfedd999b3d6b7cec3f6f5985

SHA1
fb0ea0f2d178d8aa91f989ee936b875a6e01ca92

SHA256
432a96e7a625d04b2d13d4874c6137dbd8c305e2133d0792b969520fe4a1f06b

SHA512
2b23ff0cd3d0f328aa742501ad55c4ec09dd85f7dbf7a6e1d06283e4d0279b7b6e4f96b4be6118ed0d1fadc007cc960bd77ce5199f80b2cd9535081b1407074a

Download Submit
C:\Users\Admin\Pictures\Adobe Films\IZxrACNeICOyI0kO5HqKtRU1.exe
MD5
b308606f178e2698fc9beec1e49e10c6

SHA1
461ac210cbff3ff520e93547ba584d039e4360b4

SHA256
d831339874591ebf6a458c5e96deb8be427b86a1e33b9c8b3daa278a553a4d31

SHA512
44e4f5f115c7783a03d5b7917cd9670bd523a0042d93f11a0828ca537fd42554b966a73630ac49635d6bf9f1c1ff78f16c0637cef29ed59bce4c358a99ed6d25

Download Submit
C:\Users\Admin\Pictures\Adobe Films\IZxrACNeICOyI0kO5HqKtRU1.exe
MD5
b308606f178e2698fc9beec1e49e10c6

SHA1
461ac210cbff3ff520e93547ba584d039e4360b4

SHA256
d831339874591ebf6a458c5e96deb8be427b86a1e33b9c8b3daa278a553a4d31

SHA512
44e4f5f115c7783a03d5b7917cd9670bd523a0042d93f11a0828ca537fd42554b966a73630ac49635d6bf9f1c1ff78f16c0637cef29ed59bce4c358a99ed6d25

Download Submit
C:\Users\Admin\Pictures\Adobe Films\IhpNBW6BxPmelVAaN_BevUUW.exe
MD5
476c8d1b1c2cc5a79d138c167ee4d3a2

SHA1
d88086fc725254536954444e2899354ac48cb2d2

SHA256
393dd1b5bd9df0d9f4488daaba97ba01ddcc5d51f13258f28f885da7f852f93e

SHA512
eda25c5e0e020c5e10bb16b364e14c51c7660a03430155595854a41d1ae1a6276f4efb1ff49f7d6540ca02d78831d0e8a64dee7e4867dfbe4116b015573dfa8e

Download Submit
C:\Users\Admin\Pictures\Adobe Films\IhpNBW6BxPmelVAaN_BevUUW.exe
MD5
476c8d1b1c2cc5a79d138c167ee4d3a2

SHA1
d88086fc725254536954444e2899354ac48cb2d2

SHA256
393dd1b5bd9df0d9f4488daaba97ba01ddcc5d51f13258f28f885da7f852f93e

SHA512
eda25c5e0e020c5e10bb16b364e14c51c7660a03430155595854a41d1ae1a6276f4efb1ff49f7d6540ca02d78831d0e8a64dee7e4867dfbe4116b015573dfa8e

Download Submit
C:\Users\Admin\Pictures\Adobe Films\VaI1wlVuXQPChj00mLMKnBsb.exe
MD5
1b2c62378e15b38aa6f4a2b4800affdd

SHA1
10427a52932482d30dfded95f31f53421da96aa0

SHA256
59cf0a27f56e03acf97a79e2a35d4ccef8f6b843221a87a7b13b2cce9991e8ba

SHA512
6e87eb99ff06cc9a3146c200d7097a6c36d9e1d04d28f9c00a1773a9f040ed315ccaf25ad10373a78feddc5d1201af86e53881f283f2c589d1b5b65419eecda8

Download Submit
C:\Users\Admin\Pictures\Adobe Films\VaI1wlVuXQPChj00mLMKnBsb.exe
MD5
1b2c62378e15b38aa6f4a2b4800affdd

SHA1
10427a52932482d30dfded95f31f53421da96aa0

SHA256
59cf0a27f56e03acf97a79e2a35d4ccef8f6b843221a87a7b13b2cce9991e8ba

SHA512
6e87eb99ff06cc9a3146c200d7097a6c36d9e1d04d28f9c00a1773a9f040ed315ccaf25ad10373a78feddc5d1201af86e53881f283f2c589d1b5b65419eecda8

Download Submit
C:\Users\Admin\Pictures\Adobe Films\W3YqYY66RFvWirbwuTQdDNxA.exe
MD5
51ce6c05cb83bd42005d01a2f300fac2

SHA1
7e0dee865ccf3758e2a7bdeddf2c1a4884d9776c

SHA256
a818da0bab23d7e16e0745eca25520a4eea3f6ec4fb3f20c7a41459303c4811b

SHA512
3ba0b1104c672576271992bed0d0435992b0ab74f3bf78984313ed492f2cb162ad4f58a816ded1bebb8eb661973675419446394b39f1e00442b7efaf2c5d50f3

Download Submit
C:\Users\Admin\Pictures\Adobe Films\W3YqYY66RFvWirbwuTQdDNxA.exe
MD5
51ce6c05cb83bd42005d01a2f300fac2

SHA1
7e0dee865ccf3758e2a7bdeddf2c1a4884d9776c

SHA256
a818da0bab23d7e16e0745eca25520a4eea3f6ec4fb3f20c7a41459303c4811b

SHA512
3ba0b1104c672576271992bed0d0435992b0ab74f3bf78984313ed492f2cb162ad4f58a816ded1bebb8eb661973675419446394b39f1e00442b7efaf2c5d50f3

Download Submit
C:\Users\Admin\Pictures\Adobe Films\XZAtxuuqhcO1KUVnYu7MmuAc.exe
MD5
f625f97e0bc66bece1c0fc6dd4277f73

SHA1
311eb75ae5db1f700954f606bfe7edae6b4cff5e

SHA256
c0e844159ad8ec1e6a6edd94f5da2d5be41ee01a16400c024024d212f3f99584

SHA512
1d070b00cc1f84f5044408a975f23fdd9d338de634ab738346335e15da997b570233560274ebf698f5c0f8c7269880b45b3aff6f241fb3c5b35662609116e3a1

Download Submit
C:\Users\Admin\Pictures\Adobe Films\XZAtxuuqhcO1KUVnYu7MmuAc.exe
MD5
f625f97e0bc66bece1c0fc6dd4277f73

SHA1
311eb75ae5db1f700954f606bfe7edae6b4cff5e

SHA256
c0e844159ad8ec1e6a6edd94f5da2d5be41ee01a16400c024024d212f3f99584

SHA512
1d070b00cc1f84f5044408a975f23fdd9d338de634ab738346335e15da997b570233560274ebf698f5c0f8c7269880b45b3aff6f241fb3c5b35662609116e3a1

Download Submit
C:\Users\Admin\Pictures\Adobe Films\Z3qANqcw_N1X6vQyIH3MCsNt.exe
MD5
bc85872c537952298604bfaab4fe4154

SHA1
35dc61ef6017970336e2ff223f021ac65d90f9d8

SHA256
64793a910fd2196e1c7346d9b621c2695339c083d8dfb547404db722e16c4762

SHA512
e5f10a4e1c9f52801f598bb352449d5824ea087befa7ce3dc2794a252d52a6d75841acbdf052a8918cfbf245e43285c67031339c320526a9be9d5a4da6e65362

Download Submit
C:\Users\Admin\Pictures\Adobe Films\Z3qANqcw_N1X6vQyIH3MCsNt.exe
MD5
bc85872c537952298604bfaab4fe4154

SHA1
35dc61ef6017970336e2ff223f021ac65d90f9d8

SHA256
64793a910fd2196e1c7346d9b621c2695339c083d8dfb547404db722e16c4762

SHA512
e5f10a4e1c9f52801f598bb352449d5824ea087befa7ce3dc2794a252d52a6d75841acbdf052a8918cfbf245e43285c67031339c320526a9be9d5a4da6e65362

Download Submit
C:\Users\Admin\Pictures\Adobe Films\_pISZ5DKC6BuhTfx1HKBwWqJ.exe
MD5
ab257d8f1d6ea3dd53151250ea80e435

SHA1
6b72721ae4c76e6d2f3323dc50a38a36f83a3546

SHA256
036f99c2d1ac8466bdad0ae578feb24b8ae2ea68e70a97106d85e4e3871ccf6c

SHA512
3027461d6eeec0d02a93cf6ef1a68ea187a5b0bfd96ab267c00eeabd828011a73915f40b606e9fae4d3cce4cac8bd428782d70408f2a5d2cb42b8287b4a62faf

Download Submit
C:\Users\Admin\Pictures\Adobe Films\bDueAn2UeuPIPONL_AQwyll3.exe
MD5
8ab40cc21bb65b402bf58707d66a7a32

SHA1
48a60b0c03c337245e5c58cd2cfe6f9835c6913a

SHA256
58219c045d1660735feaf19741426ad2d1a45ba8993ac86b650d7f480f86f7b5

SHA512
721c83e17a276ee13f1b1e3ff44fd5e6c7a33622112e818ba780e4754c77cdfd8a9c0a9ab2f8faa2e7a38f3d2a8e3b859615fa8abfc17be7d8664caa798afce2

Download Submit
C:\Users\Admin\Pictures\Adobe Films\bDueAn2UeuPIPONL_AQwyll3.exe
MD5
8ab40cc21bb65b402bf58707d66a7a32

SHA1
48a60b0c03c337245e5c58cd2cfe6f9835c6913a

SHA256
58219c045d1660735feaf19741426ad2d1a45ba8993ac86b650d7f480f86f7b5

SHA512
721c83e17a276ee13f1b1e3ff44fd5e6c7a33622112e818ba780e4754c77cdfd8a9c0a9ab2f8faa2e7a38f3d2a8e3b859615fa8abfc17be7d8664caa798afce2

Download Submit
C:\Users\Admin\Pictures\Adobe Films\kZSmjdJhoyRhWd3WiZFAroXa.exe
MD5
d21cdedfc1e89719f23766daaec037aa

SHA1
6e07dac80c44f4a46be3a9e6a5e617afa9b86042

SHA256
b33af1e9fc4926214998d3ba0436ae53bfcb3ef233beb448786e426ab3f12fe0

SHA512
ac93e9edfe4ad4f74d45d3c95635f3978431842035282ad2905ac6852c9c0b5d11899220c7e670d6836eafcdacea057209233f827b1b1aa53bee6a6ee16a3ab3

Download Submit
C:\Users\Admin\Pictures\Adobe Films\kZSmjdJhoyRhWd3WiZFAroXa.exe
MD5
d21cdedfc1e89719f23766daaec037aa

SHA1
6e07dac80c44f4a46be3a9e6a5e617afa9b86042

SHA256
b33af1e9fc4926214998d3ba0436ae53bfcb3ef233beb448786e426ab3f12fe0

SHA512
ac93e9edfe4ad4f74d45d3c95635f3978431842035282ad2905ac6852c9c0b5d11899220c7e670d6836eafcdacea057209233f827b1b1aa53bee6a6ee16a3ab3

Download Submit
C:\Users\Admin\Pictures\Adobe Films\kqma5EvezqWBvl5I8p7jDynx.exe
MD5
219fe7c927365af9ecf10316b7c3e768

SHA1
3a25a0da611a39ff30cde89c000c9b20fe03ba18

SHA256
fa663de65495bf9ff4ba000d1afcd351e82df30de16d7348e7608fcd28a1412f

SHA512
b0613947ae4fedb39979877938424e8b7f5c4f301f9d95c834ac8614282b498b4c2980682367e0b4538d347c5a979ab144927c1e4116a1b6a517523b55f34e8a

Download Submit
C:\Users\Admin\Pictures\Adobe Films\kqma5EvezqWBvl5I8p7jDynx.exe
MD5
4abedd270c22c9a2c0be1f8337e6f659

SHA1
3c81bee30dda5a8aa8f24bfaceb31894acbc3536

SHA256
cc4c9b7739d2251d5b93a1c80b696fd5715a8f908d15a5cc85270c9654b1afe4

SHA512
7d524b20eba9186595c6a578ce5b4e5dc493a05b8ff8d554fe9ca0c82a4ec017e330f4159740beaa7eb55a8d9d63a9acfc5be5cd57d4d06dcd335386d34a3237

Download Submit
C:\Users\Admin\Pictures\Adobe Films\pfnKH36eYull49cLmqt_E8kh.exe
MD5
dabae535097a94f593d5afad04acd5ea

SHA1
389a64c4e8c1601fba56576ee261fc953b53ae96

SHA256
e0a33241f5c4ac8f304af0387ddc54da264c0a5101c822d0fc71b10af947b391

SHA512
9846f4529b94b251ed21c9ae0e47ab19814973f62fbf082db845c9c484e79cd9de2523a4471426e721b698ba4a296eb233544035d66ef373c14bdda718730d05

Download Submit
C:\Users\Admin\Pictures\Adobe Films\pfnKH36eYull49cLmqt_E8kh.exe
MD5
dabae535097a94f593d5afad04acd5ea

SHA1
389a64c4e8c1601fba56576ee261fc953b53ae96

SHA256
e0a33241f5c4ac8f304af0387ddc54da264c0a5101c822d0fc71b10af947b391

SHA512
9846f4529b94b251ed21c9ae0e47ab19814973f62fbf082db845c9c484e79cd9de2523a4471426e721b698ba4a296eb233544035d66ef373c14bdda718730d05

Download Submit
memory/916-169-0x0000000004B20000-0x0000000004B28000-memory.dmp

Filesize
32KB

Download
memory/1748-136-0x0000000000FD0000-0x0000000000FFA000-memory.dmp

Filesize
168KB

Download
memory/1748-140-0x00007FFC76F20000-0x00007FFC779E1000-memory.dmp

Filesize
10.8MB

Download
memory/1904-244-0x0000000004C30000-0x000000000506C000-memory.dmp

Filesize
4.2MB

Download
memory/2228-162-0x0000000000400000-0x000000000052A000-memory.dmp

Filesize
1.2MB

Download
memory/2228-161-0x0000000000030000-0x0000000000039000-memory.dmp

Filesize
36KB

Download
memory/2228-154-0x0000000000563000-0x0000000000573000-memory.dmp

Filesize
64KB

Download
memory/2228-160-0x0000000000563000-0x0000000000573000-memory.dmp

Filesize
64KB

Download
memory/2376-215-0x0000000000AE0000-0x0000000000B0E000-memory.dmp

Filesize
184KB

Download
memory/2456-231-0x00000000009B0000-0x0000000000CF5000-memory.dmp

Filesize
3.3MB

Download
memory/2456-228-0x00000000009B0000-0x0000000000CF5000-memory.dmp

Filesize
3.3MB

Download
memory/2456-233-0x0000000073AD0000-0x0000000073B59000-memory.dmp

Filesize
548KB

Download
memory/2456-223-0x0000000076C80000-0x0000000076E95000-memory.dmp

Filesize
2.1MB

Download
memory/2456-221-0x00000000009B0000-0x0000000000CF5000-memory.dmp

Filesize
3.3MB

Download
memory/2456-219-0x0000000002D90000-0x0000000002D91000-memory.dmp

Filesize
4KB

Download
memory/2456-216-0x00000000009B0000-0x0000000000CF5000-memory.dmp

Filesize
3.3MB

Download
memory/2500-227-0x0000000000850000-0x0000000000B95000-memory.dmp

Filesize
3.3MB

Download
memory/2500-229-0x0000000000850000-0x0000000000B95000-memory.dmp

Filesize
3.3MB

Download
memory/2500-218-0x00000000010B0000-0x00000000010B1000-memory.dmp

Filesize
4KB

Download
memory/2500-232-0x0000000073AD0000-0x0000000073B59000-memory.dmp

Filesize
548KB

Download
memory/2500-220-0x0000000000850000-0x0000000000B95000-memory.dmp

Filesize
3.3MB

Download
memory/2500-217-0x0000000000850000-0x0000000000B95000-memory.dmp

Filesize
3.3MB

Download
memory/2500-222-0x0000000076C80000-0x0000000076E95000-memory.dmp

Filesize
2.1MB

Download
memory/2576-196-0x00000000005C9000-0x0000000000635000-memory.dmp

Filesize
432KB

Download
memory/2708-176-0x0000000004DF8000-0x0000000005234000-memory.dmp

Filesize
4.2MB

Download
memory/2708-177-0x0000000005240000-0x0000000005B66000-memory.dmp

Filesize
9.1MB

Download
memory/2708-178-0x0000000000400000-0x00000000030E7000-memory.dmp

Filesize
44.9MB

Download
memory/2896-210-0x0000000000600000-0x000000000061E000-memory.dmp

Filesize
120KB

Download
memory/2896-245-0x0000000004FD0000-0x0000000005062000-memory.dmp

Filesize
584KB

Download
memory/3832-170-0x0000000004D50000-0x00000000052F4000-memory.dmp

Filesize
5.6MB

Download
memory/3832-148-0x0000000000573000-0x0000000000596000-memory.dmp

Filesize
140KB

Download
memory/3832-174-0x0000000004CC0000-0x0000000004CFC000-memory.dmp

Filesize
240KB

Download
memory/3832-171-0x0000000005300000-0x0000000005918000-memory.dmp

Filesize
6.1MB

Download
memory/3832-172-0x0000000004CA0000-0x0000000004CB2000-memory.dmp

Filesize
72KB

Download
memory/3832-173-0x0000000005920000-0x0000000005A2A000-memory.dmp

Filesize
1.0MB

Download
memory/4048-208-0x0000000000B00000-0x0000000000B20000-memory.dmp

Filesize
128KB

Download
memory/4056-224-0x0000000000420000-0x000000000075C000-memory.dmp

Filesize
3.2MB

Download
memory/4056-234-0x0000000000E80000-0x0000000000E82000-memory.dmp

Filesize
8KB

Download
memory/4056-225-0x0000000000420000-0x000000000075C000-memory.dmp

Filesize
3.2MB

Download
memory/4172-236-0x0000000000BF0000-0x0000000000BF1000-memory.dmp

Filesize
4KB

Download
memory/4172-238-0x0000000076C80000-0x0000000076E95000-memory.dmp

Filesize
2.1MB

Download
memory/4172-239-0x0000000000520000-0x00000000007B5000-memory.dmp

Filesize
2.6MB

Download
memory/4172-241-0x0000000073AD0000-0x0000000073B59000-memory.dmp

Filesize
548KB

Download
memory/4172-240-0x0000000000520000-0x00000000007B5000-memory.dmp

Filesize
2.6MB

Download
memory/4492-248-0x0000000000FC0000-0x0000000000FC1000-memory.dmp

Filesize
4KB

Download
memory/4536-242-0x0000000010000000-0x0000000010D56000-memory.dmp

Filesize
13.3MB

Download